authorGreg Hudson <ghudson@mit.edu>2012-07-29 12:03:44 -0400
committerGreg Hudson <ghudson@mit.edu>2012-07-29 12:03:44 -0400
commit95e9155602651e99c987cf08d52b1dfda9e67fe1 (patch)
treeb87ebab2a9dca1e14270108bc47f07e8169638da /src/plugins/kdb/ldap/libkdb_ldap
parent9c2e435d02d91018be41a55e0412b9256b40b583 (diff)
Remove eDirectory support code in LDAP KDB module
Diffstat (limited to 'src/plugins/kdb/ldap/libkdb_ldap')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/Makefile.in4
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/deps54
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c32
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h8
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c78
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c58
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c58
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h2
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c4
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c432
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c777
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c588
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h100
13 files changed, 22 insertions, 2173 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
index 2126df616..668f77329 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
+++ b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
@@ -47,8 +47,6 @@ SRCS= $(srcdir)/kdb_ldap.c \
$(srcdir)/ldap_misc.c \
$(srcdir)/ldap_handle.c \
$(srcdir)/ldap_tkt_policy.c \
- $(srcdir)/ldap_services.c \
- $(srcdir)/ldap_service_rights.c \
$(srcdir)/princ_xdr.c \
$(srcdir)/ldap_service_stash.c \
$(srcdir)/kdb_xdr.c \
@@ -67,8 +65,6 @@ STLIBOBJS= kdb_ldap.o \
ldap_misc.o \
ldap_handle.o \
ldap_tkt_policy.o \
- ldap_services.o \
- ldap_service_rights.o \
princ_xdr.o \
ldap_service_stash.o \
kdb_xdr.o \
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/deps b/src/plugins/kdb/ldap/libkdb_ldap/deps
index c8d2f7e42..37fea12b6 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/deps
+++ b/src/plugins/kdb/ldap/libkdb_ldap/deps
@@ -21,7 +21,7 @@ kdb_ldap.so kdb_ldap.po $(OUTPRE)kdb_ldap.$(OBJEXT): \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
kdb_ldap.c kdb_ldap.h ldap_err.h ldap_krbcontainer.h \
- ldap_misc.h ldap_realm.h ldap_services.h
+ ldap_misc.h ldap_realm.h
kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -35,7 +35,7 @@ kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h kdb_ldap_conn.c \
ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
- ldap_realm.h ldap_service_stash.h ldap_services.h
+ ldap_realm.h ldap_service_stash.h
ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -50,7 +50,7 @@ ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
ldap_principal.h ldap_pwd_policy.h ldap_realm.c ldap_realm.h \
- ldap_services.h ldap_tkt_policy.h
+ ldap_tkt_policy.h
ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -64,8 +64,7 @@ ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_create.c \
ldap_err.h ldap_handle.h ldap_krbcontainer.h ldap_main.h \
- ldap_misc.h ldap_principal.h ldap_realm.h ldap_services.h \
- ldap_tkt_policy.h
+ ldap_misc.h ldap_principal.h ldap_realm.h ldap_tkt_policy.h
ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -79,7 +78,7 @@ ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT):
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
ldap_handle.h ldap_krbcontainer.c ldap_krbcontainer.h \
- ldap_main.h ldap_misc.h ldap_realm.h ldap_services.h
+ ldap_main.h ldap_misc.h ldap_realm.h
ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -100,7 +99,7 @@ ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \
$(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
ldap_main.h ldap_misc.h ldap_principal.c ldap_principal.h \
- ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h
+ ldap_realm.h ldap_tkt_policy.h princ_xdr.h
ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
@@ -122,8 +121,7 @@ ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \
$(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
ldap_main.h ldap_misc.h ldap_principal.h ldap_principal2.c \
- ldap_pwd_policy.h ldap_realm.h ldap_services.h ldap_tkt_policy.h \
- princ_xdr.h
+ ldap_pwd_policy.h ldap_realm.h ldap_tkt_policy.h princ_xdr.h
ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -137,7 +135,7 @@ ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
- ldap_pwd_policy.c ldap_pwd_policy.h ldap_realm.h ldap_services.h
+ ldap_pwd_policy.c ldap_pwd_policy.h ldap_realm.h
ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -158,7 +156,7 @@ ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \
$(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \
kdb_ldap.h ldap_err.h ldap_handle.h ldap_krbcontainer.h \
ldap_misc.c ldap_misc.h ldap_principal.h ldap_pwd_policy.h \
- ldap_realm.h ldap_services.h ldap_tkt_policy.h princ_xdr.h
+ ldap_realm.h ldap_tkt_policy.h princ_xdr.h
ldap_handle.so ldap_handle.po $(OUTPRE)ldap_handle.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -172,7 +170,7 @@ ldap_handle.so ldap_handle.po $(OUTPRE)ldap_handle.$(OBJEXT): \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_handle.c \
ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
- ldap_realm.h ldap_services.h
+ ldap_realm.h
ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -186,35 +184,7 @@ ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
- ldap_realm.h ldap_services.h ldap_tkt_policy.c ldap_tkt_policy.h
-ldap_services.so ldap_services.po $(OUTPRE)ldap_services.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
- ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
- ldap_realm.h ldap_services.c ldap_services.h
-ldap_service_rights.so ldap_service_rights.po $(OUTPRE)ldap_service_rights.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_err.h \
- ldap_handle.h ldap_krbcontainer.h ldap_main.h ldap_misc.h \
- ldap_realm.h ldap_service_rights.c ldap_services.h
+ ldap_realm.h ldap_tkt_policy.c ldap_tkt_policy.h
princ_xdr.so princ_xdr.po $(OUTPRE)princ_xdr.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
@@ -249,7 +219,7 @@ ldap_service_stash.so ldap_service_stash.po $(OUTPRE)ldap_service_stash.$(OBJEXT
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
$(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_handle.h \
ldap_krbcontainer.h ldap_main.h ldap_misc.h ldap_realm.h \
- ldap_service_stash.c ldap_service_stash.h ldap_services.h
+ ldap_service_stash.c ldap_service_stash.h
kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index 6115bb7e6..b52d088ff 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -422,38 +422,6 @@ krb5_ldap_open(krb5_context context, char *conf_section, char **db_args,
}
srv_cnt++;
-#ifdef HAVE_EDIRECTORY
- } else if (opt && !strcmp(opt, "cert")) {
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message(context, status,
- _("'cert' value missing"));
- free(opt);
- goto clean_n_exit;
- }
-
- if (ldap_context->root_certificate_file == NULL) {
- ldap_context->root_certificate_file = strdup(val);
- if (ldap_context->root_certificate_file == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
- } else {
- char *newstr;
-
- if (asprintf(&newstr, "%s %s",
- ldap_context->root_certificate_file, val) < 0) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto clean_n_exit;
- }
- free(ldap_context->root_certificate_file);
- ldap_context->root_certificate_file = newstr;
- }
-#endif
} else {
/* ignore hash argument. Might have been passed from create */
status = EINVAL;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 51a6facb7..b40600780 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -63,11 +63,6 @@ extern struct timeval timelimit;
#define DEFAULT_CONNS_PER_SERVER 5
#define REALM_READ_REFRESH_INTERVAL (5 * 60)
-#ifdef HAVE_EDIRECTORY
-#define SECURITY_CONTAINER "cn=Security"
-#define KERBEROS_CONTAINER "cn=Kerberos,cn=Security"
-#endif
-
#if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER)
#define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER
#endif
@@ -194,9 +189,6 @@ struct _krb5_ldap_server_info {
krb5_ldap_server_handle *ldap_server_handles;
time_t downtime;
char *server_name;
-#ifdef HAVE_EDIRECTORY
- char *root_certificate_file;
-#endif
int modify_increment;
struct _krb5_ldap_server_info *next;
};
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
index bfe866792..1dc4afcf7 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
@@ -62,9 +62,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
krb5_ldap_krbcontainer_params kparams = {0};
int srv_cnt = 0;
int mask = 0;
-#ifdef HAVE_EDIRECTORY
- int i = 0, rightsmask = 0;
-#endif
/* Clear the global error string */
krb5_clear_error_message(context);
@@ -180,36 +177,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
}
srv_cnt++;
-#ifdef HAVE_EDIRECTORY
- } else if (opt && !strcmp(opt, "cert")) {
- if (val == NULL) {
- status = EINVAL;
- krb5_set_error_message (context, status, "'cert' value missing");
- free(opt);
- goto cleanup;
- }
-
- if (ldap_context->root_certificate_file == NULL) {
- ldap_context->root_certificate_file = strdup(val);
- if (ldap_context->root_certificate_file == NULL) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
- } else {
- char *newstr;
-
- if (asprintf(&newstr, "%s %s",
- ldap_context->root_certificate_file, val) < 0) {
- free (opt);
- free (val);
- status = ENOMEM;
- goto cleanup;
- }
- ldap_context->root_certificate_file = newstr;
- }
-#endif
} else {
/* ignore hash argument. Might have been passed from create */
status = EINVAL;
@@ -314,51 +281,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
&mask)))
goto cleanup;
-#ifdef HAVE_EDIRECTORY
- if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
- (mask & LDAP_REALM_PASSWDSERVERS)) {
-
- rightsmask =0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
- for (i=0; (rparams->kdcservers[i] != NULL); i++) {
- if ((status=krb5_ldap_add_service_rights(context,
- LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- goto cleanup;
- }
- }
- }
-
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->adminservers != NULL)) {
- for (i=0; (rparams->adminservers[i] != NULL); i++) {
- if ((status=krb5_ldap_add_service_rights(context,
- LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- goto cleanup;
- }
- }
- }
-
- rightsmask = 0;
- rightsmask |= LDAP_REALM_RIGHTS;
- rightsmask |= LDAP_SUBTREE_RIGHTS;
- if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
- for (i=0; (rparams->passwdservers[i] != NULL); i++) {
- if ((status=krb5_ldap_add_service_rights(context,
- LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rparams->containerref, rightsmask)) != 0) {
- goto cleanup;
- }
- }
- }
- }
-#endif
-
cleanup:
/* If the krbcontainer/realm creation is not complete, do the roll-back here */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
index b52ba799b..fabe633ab 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
@@ -112,64 +112,26 @@ krb5_ldap_read_krbcontainer_params(krb5_context context,
}
}
-#ifndef HAVE_EDIRECTORY
-/*
- * In case eDirectory, we can fall back to security container if the kerberos container location
- * is missing in the conf file. In openldap we will have to return an error.
- */
if (cparams->DN == NULL) {
st = KRB5_KDB_SERVER_INTERNAL_ERR;
krb5_set_error_message(context, st,
_("Kerberos container location not specified"));
goto cleanup;
}
-#endif
-
- if (cparams->DN != NULL) {
- /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
- * not read
- */
- LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
- }
-
- if (st == LDAP_NO_SUCH_OBJECT) {
- st = KRB5_KDB_NOENTRY;
- goto cleanup;
- }
- }
-#ifdef HAVE_EDIRECTORY
- /*
- * If the kerberos location in the conf file is missing or invalid, fall back to the
- * security container. If the kerberos location in the security container is also missing
- * then fall back to the default value
+ /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
+ * not read
*/
- if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) {
- /*
- * kerberos container can be anywhere. locate it by reading the security
- * container to find the location.
- */
- LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr);
- if ((ent = ldap_first_entry(ld, result)) != NULL) {
- if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
- &(cparams->DN), NULL)) != 0)
- goto cleanup;
- if (cparams->DN == NULL) {
- cparams->DN = strdup(KERBEROS_CONTAINER);
- CHECK_NULL(cparams->DN);
- }
- }
- ldap_msgfree(result);
+ LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
+ if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
+ st = set_ldap_error(context, st, OP_SEARCH);
+ goto cleanup;
+ }
- /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
- * Kerberos Container is not read
- */
- LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute);
+ if (st == LDAP_NO_SUCH_OBJECT) {
+ st = KRB5_KDB_NOENTRY;
+ goto cleanup;
}
-#endif
if ((ent = ldap_first_entry(ld, result))) {
if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference",
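Review bot: The rationale for treating a missing container DN as a hard error was lost with the deleted comment block, so the `if (cparams->DN == NULL)` branch that survives on the new side now reads as an arbitrary `KRB5_KDB_SERVER_INTERNAL_ERR` with no explanation; I would put a one-line comment above it, `/* The krbContainer DN must come from the configuration; there is no directory-side fallback. */`. The retained note on the search is also worth tightening to something like `/* Only the ticket policy reference is read here; krbmaxtktlife, krbmaxrenewableage etc. on the container are ignored. */`, since its current phrasing is a fragment carried over from the removed eDirectory path. A minor style point: the two consecutive tests on `st` after `LDAP_SEARCH_1` could be one `if (st == LDAP_NO_SUCH_OBJECT) { ... } else if (st != LDAP_SUCCESS) { ... }` chain, which reads more directly. I cannot see whether `cleanup` frees `result` on the `LDAP_NO_SUCH_OBJECT` path, so that is worth confirming rather than a defect I can point to. The enclosing function krb5_ldap_read_krbcontainer_params begins before and continues after this hunk.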
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 6719d403b..55a8eb57e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -265,21 +265,6 @@ krb5_ldap_read_server_params(krb5_context context, char *conf_section,
goto cleanup;
}
-#ifdef HAVE_EDIRECTORY
- /*
- * If root certificate file is not set read it from database
- * module section of conf file this is the trusted root
- * certificate of the Directory.
- */
- if (ldap_context->root_certificate_file == NULL) {
- st = prof_get_string_def (context, conf_section,
- KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE,
- &ldap_context->root_certificate_file);
- if (st)
- goto cleanup;
- }
-#endif
-
/*
* If the ldap server parameter is not set read the list of ldap
* servers from the database module section of the conf file.
@@ -374,11 +359,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
if (ldap_context->server_info_list[i]->server_name) {
free (ldap_context->server_info_list[i]->server_name);
}
-#ifdef HAVE_EDIRECTORY
- if (ldap_context->server_info_list[i]->root_certificate_file) {
- free (ldap_context->server_info_list[i]->root_certificate_file);
- }
-#endif
if (ldap_context->server_info_list[i]->ldap_server_handles) {
ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles;
while (ldap_server_handle) {
@@ -416,13 +396,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
ldap_context->service_password_file = NULL;
}
-#ifdef HAVE_EDIRECTORY
- if (ldap_context->root_certificate_file != NULL) {
- krb5_xfree(ldap_context->root_certificate_file);
- ldap_context->root_certificate_file = NULL;
- }
-#endif
-
if (ldap_context->service_cert_path != NULL) {
krb5_xfree(ldap_context->service_cert_path);
ldap_context->service_cert_path = NULL;
@@ -2090,37 +2063,6 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0)
goto cleanup;
-#ifdef HAVE_EDIRECTORY
- {
- krb5_timestamp expiretime=0;
- char *is_login_disabled=NULL;
-
- /* LOGIN EXPIRATION TIME */
- if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime,
- &attr_present)) != 0)
- goto cleanup;
-
- if (attr_present == TRUE) {
- if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) {
- if (expiretime < entry->expiration)
- entry->expiration = expiretime;
- } else {
- entry->expiration = expiretime;
- }
- }
-
- /* LOGIN DISABLED */
- if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled,
- &attr_present)) != 0)
- goto cleanup;
- if (attr_present == TRUE) {
- if (strcasecmp(is_login_disabled, "TRUE")== 0)
- entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- free (is_login_disabled);
- }
- }
-#endif
-
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
goto cleanup;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
index 7166cc6a6..b1583d526 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
@@ -36,8 +36,6 @@
#ifndef _HAVE_LDAP_MISC_H
#define _HAVE_LDAP_MISC_H 1
-#include "ldap_services.h"
-
/* misc functions */
krb5_error_code
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index 54dfbdb67..7ce50b30b 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -54,10 +54,6 @@ char *principal_attributes[] = { "krbprincipalname",
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbLastSuccessfulAuth",
-#ifdef HAVE_EDIRECTORY
- "loginexpirationtime",
- "logindisabled",
-#endif
"krbLastPwdChange",
"krbLastAdminUnlock",
"krbExtraData",
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
index 9ab7a0398..45649da02 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
@@ -389,17 +389,7 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
LDAP *ld=NULL;
krb5_error_code st=0;
char **strval=NULL, *strvalprc[5]={NULL};
-#ifdef HAVE_EDIRECTORY
- char **values=NULL;
- char **oldkdcservers=NULL, **oldadminservers=NULL, **oldpasswdservers=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
- int count=0;
- char errbuf[1024];
-#endif
LDAPMod **mods = NULL;
-#ifdef HAVE_EDIRECTORY
- int i=0;
-#endif
int oldmask=0, objectmask=0,k=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
@@ -421,11 +411,6 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
rparams->tl_data->tl_data_contents == NULL ||
((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
-#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
- ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
- ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
-#endif
0) {
st = EINVAL;
goto cleanup;
@@ -518,104 +503,6 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
}
-#ifdef HAVE_EDIRECTORY
-
- /* KDCSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_KDCSERVERS) {
- /* validate the server list */
- for (i=0; rparams->kdcservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("kdc service object value: "));
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_REPLACE,
- rparams->kdcservers)) != 0)
- goto cleanup;
- }
-
- /* ADMINSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_ADMINSERVERS) {
- /* validate the server list */
- for (i=0; rparams->adminservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("admin service object value: "));
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_REPLACE,
- rparams->adminservers)) != 0)
- goto cleanup;
- }
-
- /* PASSWDSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_PASSWDSERVERS) {
- /* validate the server list */
- for (i=0; rparams->passwdservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("password service object value: "));
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_REPLACE,
- rparams->passwdservers)) != 0)
- goto cleanup;
- }
-
- /*
- * Read the old values of the krbkdcservers, krbadmservers and
- * krbpwdservers. This information is later used to decided the
- * deletions/additions to the list.
- */
- if (mask & LDAP_REALM_KDCSERVERS || mask & LDAP_REALM_ADMINSERVERS ||
- mask & LDAP_REALM_PASSWDSERVERS) {
- char *servers[] = {"krbKdcServers", "krbAdmServers", "krbPwdServers", NULL};
-
- if ((st= ldap_search_ext_s(ld,
- rparams->realmdn,
- LDAP_SCOPE_BASE,
- 0,
- servers,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- &result)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_SEARCH);
- goto cleanup;
- }
-
- ent = ldap_first_entry(ld, result);
- if (ent) {
- if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldkdcservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldadminservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldpasswdservers, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
- }
-#endif
-
/* Realm modify opearation */
if (mods != NULL) {
if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
@@ -624,148 +511,8 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
}
}
-#ifdef HAVE_EDIRECTORY
- /* krbRealmReferences attribute is updated here, depending on the additions/deletions
- * to the 4 servers' list.
- */
- if (mask & LDAP_REALM_KDCSERVERS) {
- char **newkdcservers=NULL;
-
- count = ldap_count_values(rparams->kdcservers);
- if ((st=copy_arrays(rparams->kdcservers, &newkdcservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldkdcservers && newkdcservers)
- disjoint_members(oldkdcservers, newkdcservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldkdcservers)
- for (i=0; oldkdcservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error removing 'krbRealmReferences' from "
- "%s: "), oldkdcservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newkdcservers)
- for (i=0; newkdcservers[i]; ++i)
- if ((st=updateAttribute(ld, newkdcservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- newkdcservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- if (newkdcservers)
- ldap_value_free(newkdcservers);
- }
-
- if (mask & LDAP_REALM_ADMINSERVERS) {
- char **newadminservers=NULL;
-
- count = ldap_count_values(rparams->adminservers);
- if ((st=copy_arrays(rparams->adminservers, &newadminservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldadminservers && newadminservers)
- disjoint_members(oldadminservers, newadminservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldadminservers)
- for (i=0; oldadminservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error removing 'krbRealmReferences' from "
- "%s: "), oldadminservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newadminservers)
- for (i=0; newadminservers[i]; ++i)
- if ((st=updateAttribute(ld, newadminservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- newadminservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
- if (newadminservers)
- ldap_value_free(newadminservers);
- }
-
- if (mask & LDAP_REALM_PASSWDSERVERS) {
- char **newpasswdservers=NULL;
-
- count = ldap_count_values(rparams->passwdservers);
- if ((st=copy_arrays(rparams->passwdservers, &newpasswdservers, count)) != 0)
- goto cleanup;
-
- /* find the deletions and additions to the server list */
- if (oldpasswdservers && newpasswdservers)
- disjoint_members(oldpasswdservers, newpasswdservers);
-
- /* delete the krbRealmReferences attribute from the servers that are dis-associated. */
- if (oldpasswdservers)
- for (i=0; oldpasswdservers[i]; ++i)
- if ((st=deleteAttribute(ld, oldpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error removing 'krbRealmReferences' from "
- "%s: "), oldpasswdservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
-
- /* add the krbRealmReferences attribute from the servers that are associated. */
- if (newpasswdservers)
- for (i=0; newpasswdservers[i]; ++i)
- if ((st=updateAttribute(ld, newpasswdservers[i], "krbRealmReferences",
- rparams->realmdn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- newpasswdservers[i]);
- prepend_err_str(context, errbuf, st, st);
- goto cleanup;
- }
- if (newpasswdservers)
- ldap_value_free(newpasswdservers);
- }
-#endif
-
cleanup:
-#ifdef HAVE_EDIRECTORY
- if (oldkdcservers) {
- for (i=0; oldkdcservers[i]; ++i)
- free(oldkdcservers[i]);
- free(oldkdcservers);
- }
-
- if (oldadminservers) {
- for (i=0; oldadminservers[i]; ++i)
- free(oldadminservers[i]);
- free(oldadminservers);
- }
-
- if (oldpasswdservers) {
- for (i=0; oldpasswdservers[i]; ++i)
- free(oldpasswdservers[i]);
- free(oldpasswdservers);
- }
-#endif
-
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
@@ -790,9 +537,6 @@ krb5_ldap_create_krbcontainer(krb5_context context,
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
-#ifdef HAVE_EDIRECTORY
- int crmask=0;
-#endif
SETUP_CONTEXT ();
@@ -802,15 +546,10 @@ krb5_ldap_create_krbcontainer(krb5_context context,
if (krbcontparams != NULL && krbcontparams->DN != NULL) {
kerberoscontdn = krbcontparams->DN;
} else {
- /* If the user has not given, use the default cn=Kerberos,cn=Security */
-#ifdef HAVE_EDIRECTORY
- kerberoscontdn = KERBEROS_CONTAINER;
-#else
st = EINVAL;
krb5_set_error_message(context, st,
_("Kerberos Container information is missing"));
goto cleanup;
-#endif
}
strval[0] = "krbContainer";
@@ -854,47 +593,6 @@ krb5_ldap_create_krbcontainer(krb5_context context,
goto cleanup;
}
-#ifdef HAVE_EDIRECTORY
-
- /* free the mods array */
- ldap_mods_free(mods, 1);
- mods=NULL;
-
- /* check whether the security container is bound to krbcontainerrefaux object class */
- if ((st=checkattributevalue(ld, SECURITY_CONTAINER, "objectClass",
- krbContainerRefclass, &crmask)) != 0) {
- prepend_err_str(context, _("Security Container read FAILED: "), st,
- st);
- /* delete Kerberos Container, status ignored intentionally */
- ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
- goto cleanup;
- }
-
- if (crmask == 0) {
- /* Security Container is extended with krbcontainerrefaux object class */
- strval[0] = "krbContainerRefAux";
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
- }
-
- strval[0] = kerberoscontdn;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbcontainerreference", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
- /* update the security container with krbContainerReference attribute */
- if ((st=ldap_modify_ext_s(ld, SECURITY_CONTAINER, mods, NULL, NULL)) != LDAP_SUCCESS) {
- int ost = st;
- st = translate_ldap_error (st, OP_MOD);
- krb5_set_error_message(context, st,
- _("Security Container update FAILED: %s"),
- ldap_err2string(ost));
- /* delete Kerberos Container, status ignored intentionally */
- ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL);
- goto cleanup;
- }
-#endif
-
cleanup:
if (rdns)
@@ -929,15 +627,10 @@ krb5_ldap_delete_krbcontainer(krb5_context context,
if (krbcontparams != NULL && krbcontparams->DN != NULL) {
kerberoscontdn = krbcontparams->DN;
} else {
- /* If the user has not given, use the default cn=Kerberos,cn=Security */
-#ifdef HAVE_EDIRECTORY
- kerberoscontdn = KERBEROS_CONTAINER;
-#else
st = EINVAL;
krb5_set_error_message(context, st,
_("Kerberos Container information is missing"));
goto cleanup;
-#endif
}
/* delete the kerberos container */
@@ -975,9 +668,6 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
-#ifdef HAVE_EDIRECTORY
- char errbuf[1024];
-#endif
char *realm_name;
SETUP_CONTEXT ();
@@ -990,11 +680,6 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
((mask & LDAP_REALM_POLICYREFERENCE) && rparams->policyreference == NULL) ||
-#ifdef HAVE_EDIRECTORY
- ((mask & LDAP_REALM_KDCSERVERS) && rparams->kdcservers == NULL) ||
- ((mask & LDAP_REALM_ADMINSERVERS) && rparams->adminservers == NULL) ||
- ((mask & LDAP_REALM_PASSWDSERVERS) && rparams->passwdservers == NULL) ||
-#endif
0) {
st = EINVAL;
return st;
@@ -1096,100 +781,12 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
}
-#ifdef HAVE_EDIRECTORY
-
- /* KDCSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_KDCSERVERS) {
- /* validate the server list */
- for (i=0; rparams->kdcservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->kdcservers[i], "objectClass", kdcclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("kdc service object value: "));
-
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbkdcservers", LDAP_MOD_ADD,
- rparams->kdcservers)) != 0)
- goto cleanup;
- }
-
- /* ADMINSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_ADMINSERVERS) {
- /* validate the server list */
- for (i=0; rparams->adminservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->adminservers[i], "objectClass", adminclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask,
- _("admin service object value: "));
-
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbadmservers", LDAP_MOD_ADD,
- rparams->adminservers)) != 0)
- goto cleanup;
- }
-
- /* PASSWDSERVERS ATTRIBUTE */
- if (mask & LDAP_REALM_PASSWDSERVERS) {
- /* validate the server list */
- for (i=0; rparams->passwdservers[i] != NULL; ++i) {
- st = checkattributevalue(ld, rparams->passwdservers[i], "objectClass", pwdclass,
- &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, "password service object value: ");
-
- }
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdservers", LDAP_MOD_ADD,
- rparams->passwdservers)) != 0)
- goto cleanup;
- }
-#endif
-
/* realm creation operation */
if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
-#ifdef HAVE_EDIRECTORY
- if (mask & LDAP_REALM_KDCSERVERS)
- for (i=0; rparams->kdcservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->kdcservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- rparams->kdcservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
-
- if (mask & LDAP_REALM_ADMINSERVERS)
- for (i=0; rparams->adminservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->adminservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- rparams->adminservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
-
- if (mask & LDAP_REALM_PASSWDSERVERS)
- for (i=0; rparams->passwdservers[i]; ++i)
- if ((st=updateAttribute(ld, rparams->passwdservers[i], "krbRealmReferences", dn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- rparams->passwdservers[i]);
- prepend_err_str (context, errbuf, st, st);
- /* delete Realm, status ignored intentionally */
- ldap_delete_ext_s(ld, dn, NULL, NULL);
- goto cleanup;
- }
-#endif
-
cleanup:
if (dn)
@@ -1209,9 +806,6 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
krb5_ldap_realm_params **rlparamp, int *mask)
{
char **values=NULL, *krbcontDN=NULL /*, *curr=NULL */;
-#ifdef HAVE_EDIRECTORY
- unsigned int count=0;
-#endif
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL,*ent=NULL;
@@ -1349,32 +943,6 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
ldap_value_free(values);
}
-#ifdef HAVE_EDIRECTORY
-
- if ((values=ldap_get_values(ld, ent, "krbKdcServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->kdcservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_KDCSERVERS;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbAdmServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->adminservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_ADMINSERVERS;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbPwdServers")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(rlparams->passwdservers), (int) count)) != 0)
- goto cleanup;
- *mask |= LDAP_REALM_PASSWDSERVERS;
- ldap_value_free(values);
- }
-#endif
}
ldap_msgfree(result);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
deleted file mode 100644
index 4bbaa567b..000000000
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
+++ /dev/null
@@ -1,777 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c */
-/*
- * Copyright (c) 2004-2005, Novell, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * * The copyright holder's name is not used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "ldap_main.h"
-#include "ldap_services.h"
-#include "ldap_err.h"
-
-/* NOTE: add appropriate rights for krbpasswordexpiration attribute */
-
-#ifdef HAVE_EDIRECTORY
-
-static char *kdcrights_subtree[][2] = {
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#ObjectClass"},
- {"2#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbHostServer"},
- {"2#subtree#","#krbRealmReferences"},
- {"2#subtree#","#krbTicketFlags"},
- {"2#subtree#","#krbMaxTicketLife"},
- {"2#subtree#","#krbMaxRenewableAge"},
- {"2#subtree#","#krbPrincipalName"},
- {"2#subtree#","#krbPrincipalKey"},
- {"2#subtree#","#krbPrincipalExpiration"},
- {"2#subtree#","#krbPwdPolicyReference"},
- {"2#subtree#","#krbMaxPwdLife"},
- {"2#subtree#","#krbObjectReferences"},
- {"2#subtree#","#krbLastPwdChange"},
- {"2#subtree#","#krbLastAdminUnlock"},
- {"6#subtree#","#krbExtraData"},
- {"2#subtree#","#krbPasswordExpiration"},
- {"6#subtree#","#krbLastFailedAuth"},
- {"6#subtree#","#krbLoginFailedCount"},
- {"6#subtree#","#krbLastSuccessfulAuth"},
- { "", "" }
-};
-
-static char *adminrights_subtree[][2]={
- {"15#subtree#","#[Entry Rights]"},
- {"6#subtree#","#ObjectClass"},
- {"6#subtree#","#krbTicketPolicyReference"},
- {"6#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbHostServer"},
- {"2#subtree#","#krbRealmReferences"},
- {"6#subtree#","#krbTicketFlags"},
- {"6#subtree#","#krbMaxTicketLife"},
- {"6#subtree#","#krbMaxRenewableAge"},
- {"6#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
- {"6#subtree#","#krbPrincipalExpiration"},
- {"6#subtree#","#krbPwdHistoryLength"},
- {"6#subtree#","#krbMinPwdLife"},
- {"6#subtree#","#krbMaxPwdLife"},
- {"6#subtree#","#krbPwdMinDiffChars"},
- {"6#subtree#","#krbPwdMinLength"},
- {"6#subtree#","#krbPwdPolicyReference"},
- {"6#subtree#","#krbLastPwdChange"},
- {"6#subtree#","#krbLastAdminUnlock"},
- {"6#subtree#","#krbObjectReferences"},
- {"6#subtree#","#krbExtraData"},
- {"6#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"6#subtree#","#krbPwdMaxFailure"},
- {"6#subtree#","#krbPwdFailureCountInterval"},
- {"6#subtree#","#krbPwdLockoutDuration"},
- { "","" }
-};
-
-static char *pwdrights_subtree[][2] = {
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#ObjectClass"},
- {"2#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbHostServer"},
- {"2#subtree#","#krbRealmReferences"},
- {"6#subtree#","#krbTicketFlags"},
- {"2#subtree#","#krbMaxTicketLife"},
- {"2#subtree#","#krbMaxRenewableAge"},
- {"2#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
- {"2#subtree#","#krbPrincipalExpiration"},
- {"2#subtree#","#krbPwdHistoryLength"},
- {"2#subtree#","#krbMinPwdLife"},
- {"2#subtree#","#krbMaxPwdLife"},
- {"2#subtree#","#krbPwdMinDiffChars"},
- {"2#subtree#","#krbPwdMinLength"},
- {"2#subtree#","#krbPwdPolicyReference"},
- {"6#subtree#","#krbLastPwdChange"},
- {"6#subtree#","#krbLastAdminUnlock"},
- {"2#subtree#","#krbObjectReferences"},
- {"6#subtree#","#krbExtraData"},
- {"6#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"2#subtree#","#krbPwdMaxFailure"},
- {"2#subtree#","#krbPwdFailureCountInterval"},
- {"2#subtree#","#krbPwdLockoutDuration"},
- { "", "" }
-};
-
-static char *kdcrights_realmcontainer[][2]={
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#CN"},
- {"2#subtree#","#ObjectClass"},
- {"2#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbMKey"},
- {"2#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbSubTrees"},
- {"2#subtree#","#krbPrincContainerRef"},
- {"2#subtree#","#krbSearchScope"},
- {"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbKdcServers"},
- {"2#subtree#","#krbAdmServers"},
- {"2#subtree#","#krbPwdServers"},
- {"2#subtree#","#krbTicketFlags"},
- {"2#subtree#","#krbMaxTicketLife"},
- {"2#subtree#","#krbMaxRenewableAge"},
- {"2#subtree#","#krbPrincipalName"},
- {"2#subtree#","#krbPrincipalKey"},
- {"2#subtree#","#krbPrincipalExpiration"},
- {"2#subtree#","#krbPwdPolicyReference"},
- {"2#subtree#","#krbMaxPwdLife"},
- {"2#subtree#","#krbObjectReferences"},
- {"2#subtree#","#krbLastPwdChange"},
- {"2#subtree#","#krbLastAdminUnlock"},
- {"6#subtree#","#krbExtraData"},
- {"2#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbDefaultEncSaltTypes"},
- {"6#subtree#","#krbLastFailedAuth"},
- {"6#subtree#","#krbLoginFailedCount"},
- {"6#subtree#","#krbLastSuccessfulAuth"},
- { "", "" }
-};
-
-
-static char *adminrights_realmcontainer[][2]={
- {"15#subtree#","#[Entry Rights]"},
- {"6#subtree#","#CN"},
- {"6#subtree#","#ObjectClass"},
- {"6#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbMKey"},
- {"6#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbSubTrees"},
- {"2#subtree#","#krbPrincContainerRef"},
- {"2#subtree#","#krbSearchScope"},
- {"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbKdcServers"},
- {"2#subtree#","#krbAdmServers"},
- {"2#subtree#","#krbPwdServers"},
- {"6#subtree#","#krbTicketFlags"},
- {"6#subtree#","#krbMaxTicketLife"},
- {"6#subtree#","#krbMaxRenewableAge"},
- {"6#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
- {"6#subtree#","#krbPrincipalExpiration"},
- {"6#subtree#","#krbPwdHistoryLength"},
- {"6#subtree#","#krbMinPwdLife"},
- {"6#subtree#","#krbMaxPwdLife"},
- {"6#subtree#","#krbPwdMinDiffChars"},
- {"6#subtree#","#krbPwdMinLength"},
- {"6#subtree#","#krbPwdPolicyReference"},
- {"6#subtree#","#krbLastPwdChange"},
- {"6#subtree#","#krbLastAdminUnlock"},
- {"6#subtree#","#krbObjectReferences"},
- {"6#subtree#","#krbExtraData"},
- {"6#subtree#","#krbPasswordExpiration"},
- {"6#subtree#","#krbDefaultEncSaltTypes"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"6#subtree#","#krbPwdMaxFailure"},
- {"6#subtree#","#krbPwdFailureCountInterval"},
- {"6#subtree#","#krbPwdLockoutDuration"},
- { "","" }
-};
-
-
-static char *pwdrights_realmcontainer[][2]={
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#CN"},
- {"2#subtree#","#ObjectClass"},
- {"2#subtree#","#krbTicketPolicyReference"},
- {"2#subtree#","#krbMKey"},
- {"2#subtree#","#krbUPEnabled"},
- {"2#subtree#","#krbSubTrees"},
- {"2#subtree#","#krbPrincContainerRef"},
- {"2#subtree#","#krbSearchScope"},
- {"2#subtree#","#krbLdapServers"},
- {"2#subtree#","#krbKdcServers"},
- {"2#subtree#","#krbAdmServers"},
- {"2#subtree#","#krbPwdServers"},
- {"6#subtree#","#krbTicketFlags"},
- {"2#subtree#","#krbMaxTicketLife"},
- {"2#subtree#","#krbMaxRenewableAge"},
- {"2#subtree#","#krbPrincipalName"},
- {"6#subtree#","#krbPrincipalKey"},
- {"2#subtree#","#krbPrincipalExpiration"},
- {"2#subtree#","#krbPwdHistoryLength"},
- {"2#subtree#","#krbMinPwdLife"},
- {"2#subtree#","#krbMaxPwdLife"},
- {"2#subtree#","#krbPwdMinDiffChars"},
- {"2#subtree#","#krbPwdMinLength"},
- {"2#subtree#","#krbPwdPolicyReference"},
- {"2#subtree#","#krbLastPwdChange"},
- {"2#subtree#","#krbLastAdminUnlock"},
- {"2#subtree#","#krbObjectReferences"},
- {"6#subtree#","#krbExtraData"},
- {"6#subtree#","#krbPasswordExpiration"},
- {"2#subtree#","#krbDefaultEncSaltTypes"},
- {"2#subtree#","#krbLastFailedAuth"},
- {"2#subtree#","#krbLoginFailedCount"},
- {"2#subtree#","#krbLastSuccessfulAuth"},
- {"2#subtree#","#krbPwdMaxFailure"},
- {"2#subtree#","#krbPwdFailureCountInterval"},
- {"2#subtree#","#krbPwdLockoutDuration"},
- { "", "" }
-};
-
-static char *security_container[][2] = {
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#krbContainerReference"},
- { "", "" }
-};
-
-static char *kerberos_container[][2] = {
- {"1#subtree#","#[Entry Rights]"},
- {"2#subtree#","#krbTicketPolicyReference"},
- { "", "" }
-};
-
-
-/*
- * This will set the rights for the Kerberos service objects.
- * The function will read the subtree attribute from the specified
- * realm name and will the appropriate rights on both the realm
- * container and the subtree. The kerberos context passed should
- * have a valid ldap handle, with appropriate rights to write acl
- * attributes.
- *
- * krb5_context - IN The Kerberos context with valid ldap handle
- *
- */
-
-krb5_error_code
-krb5_ldap_add_service_rights(krb5_context context, int servicetype,
- char *serviceobjdn, char *realmname,
- char **subtreeparam, char *contref, int mask)
-{
-
- int st=0,i=0,j=0;
- char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
- LDAP *ld;
- LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass;
- LDAPMod *realmarr[3]={NULL}, *subtreearr[3]={NULL}, *seccontarr[3]={NULL}, *krbcontarr[3]={NULL};
- char *realmdn=NULL, **subtree=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
- int subtreecount=0;
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
- || (ldap_context->krbcontainer->DN == NULL)) {
- st=-1;
- goto cleanup;
- }
-
- if (subtreeparam != NULL) {
- while(subtreeparam[subtreecount])
- subtreecount++;
- }
- if (contref != NULL) {
- subtreecount++;
- }
-
- if (subtreecount) {
- subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
- if(subtree == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
- if (subtreeparam != NULL) {
- for(i=0; subtreeparam[i]!=NULL; i++) {
- subtree[i] = strdup(subtreeparam[i]);
- if(subtree[i] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- }
- }
- if (contref != NULL) {
- subtree[i] = strdup(contref);
- }
- }
-
- /* Set the rights for the realm */
- if (mask & LDAP_REALM_RIGHTS) {
-
- /* Set the rights for the service object on the security container */
- seccontclass.mod_op = LDAP_MOD_ADD;
- seccontclass.mod_type = "ACL";
-
- for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
-
- asprintf(&seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
- security_container[i][1]);
- seccontclass.mod_values = seccontacls;
-
- seccontarr[0] = &seccontclass;
-
- st = ldap_modify_ext_s(ld,
- SECURITY_CONTAINER,
- seccontarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(seccontacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(seccontacls[0]);
- }
-
-
- /* Set the rights for the service object on the kerberos container */
- krbcontclass.mod_op = LDAP_MOD_ADD;
- krbcontclass.mod_type = "ACL";
-
- for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
- asprintf(&krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
- kerberos_container[i][1]);
- krbcontclass.mod_values = krbcontacls;
-
- krbcontarr[0] = &krbcontclass;
-
- st = ldap_modify_ext_s(ld,
- ldap_context->krbcontainer->DN,
- krbcontarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(krbcontacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(krbcontacls[0]);
- }
-
- /* Construct the realm dn from realm name */
- asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
-
- realmclass.mod_op = LDAP_MOD_ADD;
- realmclass.mod_type = "ACL";
-
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
- kdcrights_realmcontainer[i][1]);
- realmclass.mod_values = realmacls;
-
- realmarr[0] = &realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
- adminrights_realmcontainer[i][1]);
- realmclass.mod_values = realmacls;
-
- realmarr[0] = &realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
- asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
- realmclass.mod_values = realmacls;
-
- realmarr[0] = &realmclass;
-
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- }
- } /* Realm rights settings ends here */
-
-
- /* Subtree rights to be set */
- if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
- /* Populate the acl data to be added to the subtree */
- subtreeclass.mod_op = LDAP_MOD_ADD;
- subtreeclass.mod_type = "ACL";
-
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
- subtreeclass.mod_values = subtreeacls;
-
- subtreearr[0] = &subtreeclass;
-
- /* set rights to a list of subtrees */
- for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- }
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
- adminrights_subtree[i][1]);
- subtreeclass.mod_values = subtreeacls;
-
- subtreearr[0] = &subtreeclass;
-
- /* set rights to a list of subtrees */
- for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- }
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
- pwdrights_subtree[i][1]);
- subtreeclass.mod_values = subtreeacls;
-
- subtreearr[0] = &subtreeclass;
-
- /* set rights to a list of subtrees */
- for(j=0; subtree[j]!=NULL && j<subtreecount;j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- }
- free(subtreeacls[0]);
- }
- }
- } /* Subtree rights settings ends here */
- st = 0;
-
-cleanup:
-
- if (realmdn)
- free(realmdn);
-
- if (subtree)
- free(subtree);
-
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-
-/*
- This will set the rights for the Kerberos service objects.
- The function will read the subtree attribute from the specified
- realm name and will the appropriate rights on both the realm
- container and the subtree. The kerberos context passed should
- have a valid ldap handle, with appropriate rights to write acl
- attributes.
-
- krb5_context - IN The Kerberos context with valid ldap handle
-
-*/
-
-krb5_error_code
-krb5_ldap_delete_service_rights(krb5_context context, int servicetype,
- char *serviceobjdn, char *realmname,
- char **subtreeparam, char *contref, int mask)
-{
-
- int st=0,i=0,j=0;
- char *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
- LDAP *ld;
- LDAPMod realmclass, subtreeclass;
- LDAPMod *realmarr[3] = { NULL }, *subtreearr[3] = { NULL };
- char *realmdn=NULL;
- char **subtree=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
- int subtreecount = 0;
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
- || (ldap_context->krbcontainer->DN == NULL)) {
- st = -1;
- goto cleanup;
- }
-
- if (subtreeparam != NULL) {
- while(subtreeparam[subtreecount])
- subtreecount++;
- }
- if (contref != NULL) {
- subtreecount++;
- }
-
- if (subtreecount) {
- subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
- if(subtree == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- memset(subtree, 0, sizeof(char *) * (subtreecount + 1));
- if (subtreeparam != NULL) {
- for(i=0; subtreeparam[i]!=NULL; i++) {
- subtree[i] = strdup(subtreeparam[i]);
- if(subtree[i] == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- }
- }
- if (contref != NULL) {
- subtree[i] = strdup(contref);
- }
- }
-
-
- /* Set the rights for the realm */
- if (mask & LDAP_REALM_RIGHTS) {
-
- asprintf(&realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
-
- realmclass.mod_op=LDAP_MOD_DELETE;
- realmclass.mod_type="ACL";
-
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
- kdcrights_realmcontainer[i][1]);
- realmclass.mod_values= realmacls;
-
- realmarr[0]=&realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
- adminrights_realmcontainer[i][1]);
- realmclass.mod_values= realmacls;
-
- realmarr[0]=&realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
- asprintf(&realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
- pwdrights_realmcontainer[i][1]);
- realmclass.mod_values= realmacls;
-
- realmarr[0]=&realmclass;
-
- st = ldap_modify_ext_s(ld,
- realmdn,
- realmarr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(realmacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- free(realmacls[0]);
- }
- }
-
- } /* Realm rights setting ends here */
-
-
- /* Set the rights for the subtree */
- if ((mask & LDAP_SUBTREE_RIGHTS) && (subtree != NULL)) {
-
- /* Populate the acl data to be added to the subtree */
- subtreeclass.mod_op=LDAP_MOD_DELETE;
- subtreeclass.mod_type="ACL";
-
- if (servicetype == LDAP_KDC_SERVICE) {
- for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
- kdcrights_subtree[i][1]);
- subtreeclass.mod_values= subtreeacls;
-
- subtreearr[0]=&subtreeclass;
-
- for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- }
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_ADMIN_SERVICE) {
- for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
- adminrights_subtree[i][1]);
- subtreeclass.mod_values= subtreeacls;
-
- subtreearr[0]=&subtreeclass;
-
- for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- }
- free(subtreeacls[0]);
- }
- } else if (servicetype == LDAP_PASSWD_SERVICE) {
- for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
- asprintf(&subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
- pwdrights_subtree[i][1]);
- subtreeclass.mod_values= subtreeacls;
-
- subtreearr[0]=&subtreeclass;
-
- for(j=0; subtree[j]!=NULL && j<subtreecount; j++) {
- st = ldap_modify_ext_s(ld,
- subtree[j],
- subtreearr,
- NULL,
- NULL);
- if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
- free(subtreeacls[0]);
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
- }
- free(subtreeacls[0]);
- }
- }
- } /* Subtree rights setting ends here */
-
- st = 0;
-
-cleanup:
-
- if (realmdn)
- free(realmdn);
-
- if (subtree)
- free(subtree);
-
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c
deleted file mode 100644
index 13abd0d6e..000000000
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.c
+++ /dev/null
@@ -1,588 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/kdb/ldap/libkdb_ldap/ldap_services.c */
-/*
- * Copyright (c) 2004-2005, Novell, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * * The copyright holder's name is not used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "ldap_main.h"
-#include "kdb_ldap.h"
-#include "ldap_services.h"
-#include "ldap_err.h"
-
-#if defined(HAVE_EDIRECTORY)
-
-static char *realmcontclass[] = {"krbRealmContainer", NULL};
-
-/*
- * create the service object from Directory
- */
-
-krb5_error_code
-krb5_ldap_create_service(krb5_context context,
- krb5_ldap_service_params *service, int mask)
-{
- int i=0, j=0;
- krb5_error_code st=0;
- LDAP *ld=NULL;
- char **rdns=NULL, *realmattr=NULL, *strval[3]={NULL};
- LDAPMod **mods=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
- char errbuf[1024];
-
- /* validate the input parameter */
- if (service == NULL || service->servicedn == NULL) {
- st = EINVAL;
- krb5_set_error_message (context, st, "Service DN NULL");
- goto cleanup;
- }
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- /* identify the class that the object should belong to. This depends on the servicetype */
- memset(strval, 0, sizeof(strval));
- strval[0] = "krbService";
- if (service->servicetype == LDAP_KDC_SERVICE) {
- strval[1] = "krbKdcService";
- realmattr = "krbKdcServers";
- } else if (service->servicetype == LDAP_ADMIN_SERVICE) {
- strval[1] = "krbAdmService";
- realmattr = "krbAdmServers";
- } else if (service->servicetype == LDAP_PASSWD_SERVICE) {
- strval[1] = "krbPwdService";
- realmattr = "krbPwdServers";
- } else {
- strval[1] = "krbKdcService";
- realmattr = "krbKdcServers";
- }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
- rdns = ldap_explode_dn(service->servicedn, 1);
- if (rdns == NULL) {
- st = LDAP_INVALID_DN_SYNTAX;
- goto cleanup;
- }
- memset(strval, 0, sizeof(strval));
- strval[0] = rdns[0];
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
-
- if (mask & LDAP_SERVICE_SERVICEFLAG) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_ADD,
- service->krbserviceflags)) != 0)
- goto cleanup;
- }
-
- if (mask & LDAP_SERVICE_HOSTSERVER) {
- if (service->krbhostservers != NULL) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_ADD,
- service->krbhostservers)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("'krbhostserver' argument invalid"));
- goto cleanup;
- }
- }
-
- if (mask & LDAP_SERVICE_REALMREFERENCE) {
- if (service->krbrealmreferences != NULL) {
- unsigned int realmmask=0;
-
- /* check for the validity of the values */
- for (j=0; service->krbrealmreferences[j] != NULL; ++j) {
- st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
- realmcontclass, &realmmask);
- CHECK_CLASS_VALIDITY(st, realmmask, _("realm object value: "));
- }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_ADD,
- service->krbrealmreferences)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Server has no 'krbrealmreferences'"));
- goto cleanup;
- }
- }
-
- /* ldap add operation */
- if ((st=ldap_add_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_ADD);
- goto cleanup;
- }
-
- /*
- * If the service created has realm/s associated with it, then the realm should be updated
- * to have a reference to the service object just created.
- */
- if (mask & LDAP_SERVICE_REALMREFERENCE) {
- for (i=0; service->krbrealmreferences[i]; ++i) {
- if ((st=updateAttribute(ld, service->krbrealmreferences[i], realmattr,
- service->servicedn)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- _("Error adding 'krbRealmReferences' to %s: "),
- service->krbrealmreferences[i]);
- prepend_err_str(context, errbuf, st, st);
- /* delete service object, status ignored intentionally */
- ldap_delete_ext_s(ld, service->servicedn, NULL, NULL);
- goto cleanup;
- }
- }
- }
-
-cleanup:
-
- if (rdns)
- ldap_value_free (rdns);
-
- ldap_mods_free(mods, 1);
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-
-/*
- * modify the service object from Directory
- */
-
-krb5_error_code
-krb5_ldap_modify_service(krb5_context context,
- krb5_ldap_service_params *service, int mask)
-{
- int i=0, j=0, count=0;
- krb5_error_code st=0;
- LDAP *ld=NULL;
- char **values=NULL, *attr[] = { "krbRealmReferences", NULL};
- char *realmattr=NULL;
- char **oldrealmrefs=NULL, **newrealmrefs=NULL;
- LDAPMod **mods=NULL;
- LDAPMessage *result=NULL, *ent=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
-
- /* validate the input parameter */
- if (service == NULL || service->servicedn == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, _("Service DN is NULL"));
- goto cleanup;
- }
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- if (mask & LDAP_SERVICE_SERVICEFLAG) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbserviceflags", LDAP_MOD_REPLACE,
- service->krbserviceflags)) != 0)
- goto cleanup;
- }
-
- if (mask & LDAP_SERVICE_HOSTSERVER) {
- if (service->krbhostservers != NULL) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbhostserver", LDAP_MOD_REPLACE,
- service->krbhostservers)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message (context, st, "'krbhostserver' value invalid");
- goto cleanup;
- }
- }
-
- if (mask & LDAP_SERVICE_REALMREFERENCE) {
- if (service->krbrealmreferences != NULL) {
- unsigned int realmmask=0;
-
- /* check for the validity of the values */
- for (j=0; service->krbrealmreferences[j]; ++j) {
- st = checkattributevalue(ld, service->krbrealmreferences[j], "ObjectClass",
- realmcontclass, &realmmask);
- CHECK_CLASS_VALIDITY(st, realmmask, _("realm object value: "));
- }
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbrealmreferences", LDAP_MOD_REPLACE,
- service->krbrealmreferences)) != 0)
- goto cleanup;
-
-
- /* get the attribute of the realm to be set */
- if (service->servicetype == LDAP_KDC_SERVICE)
- realmattr = "krbKdcServers";
- else if (service->servicetype == LDAP_ADMIN_SERVICE)
- realmattr = "krbAdmservers";
- else if (service->servicetype == LDAP_PASSWD_SERVICE)
- realmattr = "krbPwdServers";
- else
- realmattr = "krbKdcServers";
-
- /* read the existing list of krbRealmreferences. this will needed */
- if ((st = ldap_search_ext_s (ld,
- service->servicedn,
- LDAP_SCOPE_BASE,
- 0,
- attr,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- &result)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_SEARCH);
- goto cleanup;
- }
-
- ent = ldap_first_entry(ld, result);
- if (ent) {
- if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &oldrealmrefs, count)) != 0)
- goto cleanup;
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
- } else {
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("'krbRealmReferences' value invalid"));
- goto cleanup;
- }
- }
-
- /* ldap modify operation */
- if ((st=ldap_modify_ext_s(ld, service->servicedn, mods, NULL, NULL)) != LDAP_SUCCESS) {
- st = set_ldap_error (context, st, OP_MOD);
- goto cleanup;
- }
-
- /*
- * If the service modified had realm/s associations changed, then the realm should be
- * updated to reflect the changes.
- */
-
- if (mask & LDAP_SERVICE_REALMREFERENCE) {
- /* get the count of the new list of krbrealmreferences */
- for (i=0; service->krbrealmreferences[i]; ++i)
- ;
-
- /* make a new copy of the krbrealmreferences */
- if ((st=copy_arrays(service->krbrealmreferences, &newrealmrefs, i)) != 0)
- goto cleanup;
-
- /* find the deletions/additions to the list of krbrealmreferences */
- if (disjoint_members(oldrealmrefs, newrealmrefs) != 0)
- goto cleanup;
-
- /* see if some of the attributes have to be deleted */
- if (oldrealmrefs) {
-
- /* update the dn represented by the attribute that is to be deleted */
- for (i=0; oldrealmrefs[i]; ++i)
- if ((st=deleteAttribute(ld, oldrealmrefs[i], realmattr, service->servicedn)) != 0) {
- prepend_err_str(context,
- _("Error deleting realm attribute:"), st,
- st);
- goto cleanup;
- }
- }
-
- /* see if some of the attributes have to be added */
- for (i=0; newrealmrefs[i]; ++i)
- if ((st=updateAttribute(ld, newrealmrefs[i], realmattr, service->servicedn)) != 0) {
- prepend_err_str(context, _("Error updating realm attribute: "),
- st, st);
- goto cleanup;
- }
- }
-
-cleanup:
-
- if (oldrealmrefs) {
- for (i=0; oldrealmrefs[i]; ++i)
- free (oldrealmrefs[i]);
- free (oldrealmrefs);
- }
-
- if (newrealmrefs) {
- for (i=0; newrealmrefs[i]; ++i)
- free (newrealmrefs[i]);
- free (newrealmrefs);
- }
-
- ldap_mods_free(mods, 1);
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-
-krb5_error_code
-krb5_ldap_delete_service(krb5_context context,
- krb5_ldap_service_params *service, char *servicedn)
-{
- krb5_error_code st = 0;
- LDAP *ld=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- st = ldap_delete_ext_s(ld, servicedn, NULL, NULL);
- if (st != 0) {
- st = set_ldap_error (context, st, OP_DEL);
- }
-
- /* NOTE: This should be removed now as the backlinks are going off in OpenLDAP */
- /* time to delete krbrealmreferences. This is only for OpenLDAP */
-#ifndef HAVE_EDIRECTORY
- {
- int i=0;
- char *attr=NULL;
-
- if (service) {
- if (service->krbrealmreferences) {
- if (service->servicetype == LDAP_KDC_SERVICE)
- attr = "krbkdcservers";
- else if (service->servicetype == LDAP_ADMIN_SERVICE)
- attr = "krbadmservers";
- else if (service->servicetype == LDAP_PASSWD_SERVICE)
- attr = "krbpwdservers";
-
- for (i=0; service->krbrealmreferences[i]; ++i) {
- deleteAttribute(ld, service->krbrealmreferences[i], attr, servicedn);
- }
- }
- }
- }
-#endif
-
-cleanup:
-
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-
-/*
- * This function lists service objects from Directory
- */
-
-krb5_error_code
-krb5_ldap_list_services(krb5_context context, char *containerdn,
- char ***services)
-{
- return (krb5_ldap_list(context, services, "krbService", containerdn));
-}
-
-/*
- * This function reads the service object from Directory
- */
-krb5_error_code
-krb5_ldap_read_service(krb5_context context, char *servicedn,
- krb5_ldap_service_params **service, int *omask)
-{
- char **values=NULL;
- int i=0, count=0, objectmask=0;
- krb5_error_code st=0, tempst=0;
- LDAPMessage *result=NULL,*ent=NULL;
- char *attributes[] = {"krbHostServer", "krbServiceflags",
- "krbRealmReferences", "objectclass", NULL};
- char *attrvalues[] = {"krbService", NULL};
- krb5_ldap_service_params *lservice=NULL;
- krb5_ldap_context *ldap_context=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
- LDAP *ld = NULL;
-
- /* validate the input parameter */
- if (servicedn == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st, _("Service DN NULL"));
- goto cleanup;
- }
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- *omask = 0;
-
- /* the policydn object should be of the krbService object class */
- st = checkattributevalue(ld, servicedn, "objectClass", attrvalues, &objectmask);
- CHECK_CLASS_VALIDITY(st, objectmask, _("service object value: "));
-
- /* Initialize service structure */
- lservice =(krb5_ldap_service_params *) calloc(1, sizeof(krb5_ldap_service_params));
- if (lservice == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
-
- /* allocate tl_data structure to store MASK information */
- lservice->tl_data = calloc (1, sizeof(*lservice->tl_data));
- if (lservice->tl_data == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- lservice->tl_data->tl_data_type = KDB_TL_USER_INFO;
-
- LDAP_SEARCH(servicedn, LDAP_SCOPE_BASE, "(objectclass=krbService)", attributes);
-
- lservice->servicedn = strdup(servicedn);
- CHECK_NULL(lservice->servicedn);
-
- ent=ldap_first_entry(ld, result);
- if (ent != NULL) {
-
- if ((values=ldap_get_values(ld, ent, "krbServiceFlags")) != NULL) {
- lservice->krbserviceflags = atoi(values[0]);
- *omask |= LDAP_SERVICE_SERVICEFLAG;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbHostServer")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(lservice->krbhostservers), count)) != 0)
- goto cleanup;
- *omask |= LDAP_SERVICE_HOSTSERVER;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "krbRealmReferences")) != NULL) {
- count = ldap_count_values(values);
- if ((st=copy_arrays(values, &(lservice->krbrealmreferences), count)) != 0)
- goto cleanup;
- *omask |= LDAP_SERVICE_REALMREFERENCE;
- ldap_value_free(values);
- }
-
- if ((values=ldap_get_values(ld, ent, "objectClass")) != NULL) {
- for (i=0; values[i]; ++i) {
- if (strcasecmp(values[i], "krbKdcService") == 0) {
- lservice->servicetype = LDAP_KDC_SERVICE;
- break;
- }
-
- if (strcasecmp(values[i], "krbAdmService") == 0) {
- lservice->servicetype = LDAP_ADMIN_SERVICE;
- break;
- }
-
- if (strcasecmp(values[i], "krbPwdService") == 0) {
- lservice->servicetype = LDAP_PASSWD_SERVICE;
- break;
- }
- }
- ldap_value_free(values);
- }
- }
- ldap_msgfree(result);
-
-cleanup:
- if (st != 0) {
- krb5_ldap_free_service(context, lservice);
- *service = NULL;
- } else {
- store_tl_data(lservice->tl_data, KDB_TL_MASK, omask);
- *service = lservice;
- }
-
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-
-/*
- * This function frees the krb5_ldap_service_params structure members.
- */
-
-krb5_error_code
-krb5_ldap_free_service(krb5_context context, krb5_ldap_service_params *service)
-{
- int i=0;
-
- if (service == NULL)
- return 0;
-
- if (service->servicedn)
- free (service->servicedn);
-
- if (service->krbrealmreferences) {
- for (i=0; service->krbrealmreferences[i]; ++i)
- free (service->krbrealmreferences[i]);
- free (service->krbrealmreferences);
- }
-
- if (service->krbhostservers) {
- for (i=0; service->krbhostservers[i]; ++i)
- free (service->krbhostservers[i]);
- free (service->krbhostservers);
- }
-
- if (service->tl_data) {
- if (service->tl_data->tl_data_contents)
- free (service->tl_data->tl_data_contents);
- free (service->tl_data);
- }
-
- free (service);
- return 0;
-}
-
-krb5_error_code
-krb5_ldap_set_service_passwd(krb5_context context, char *service, char *passwd)
-{
- krb5_error_code st=0;
- LDAPMod **mods=NULL;
- char *password[2] = {NULL};
- LDAP *ld=NULL;
- krb5_ldap_context *ldap_context=NULL;
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_server_handle *ldap_server_handle=NULL;
-
- password[0] = passwd;
-
- SETUP_CONTEXT();
- GET_HANDLE();
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "userPassword", LDAP_MOD_REPLACE, password)) != 0)
- goto cleanup;
-
- st = ldap_modify_ext_s(ld, service, mods, NULL, NULL);
- if (st) {
- st = set_ldap_error (context, st, OP_MOD);
- }
-
-cleanup:
- ldap_mods_free(mods, 1);
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- return st;
-}
-#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
deleted file mode 100644
index ea40af2fd..000000000
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_services.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/kdb/ldap/libkdb_ldap/ldap_services.h */
-/*
- * Copyright (c) 2004-2005, Novell, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * * The copyright holder's name is not used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _LDAP_SERVICE_H
-#define _LDAP_SERVICE_H 1
-
-/* service specific mask */
-#define LDAP_SERVICE_SERVICEFLAG 0x0001
-#define LDAP_SERVICE_HOSTSERVER 0x0002
-#define LDAP_SERVICE_REALMREFERENCE 0x0004
-
-/* service type mask */
-#define LDAP_KDC_SERVICE 0x0001
-#define LDAP_ADMIN_SERVICE 0x0002
-#define LDAP_PASSWD_SERVICE 0x0004
-
-/* rights mask */
-#define LDAP_SUBTREE_RIGHTS 0x0001
-#define LDAP_REALM_RIGHTS 0x0002
-
-/* Types of service flags */
-#define SERVICE_FLAGS_AUTO_RESTART 0x0001
-#define SERVICE_FLAGS_CHECK_ADDRESSES 0x0002
-#define SERVICE_FLAGS_UNIXTIME_OLD_PATYPE 0x0004
-
-/* Service protocol type */
-#define SERVICE_PROTOCOL_TYPE_UDP "0"
-#define SERVICE_PROTOCOL_TYPE_TCP "1"
-
-typedef struct _krb5_ldap_service_params {
- char *servicedn;
- int servicetype;
- int krbserviceflags;
- char **krbhostservers;
- char **krbrealmreferences;
- krb5_tl_data *tl_data;
-} krb5_ldap_service_params;
-
-#ifdef HAVE_EDIRECTORY
-
-krb5_error_code
-krb5_ldap_read_service(krb5_context, char *, krb5_ldap_service_params **,
- int *);
-
-krb5_error_code
-krb5_ldap_create_service(krb5_context, krb5_ldap_service_params *, int);
-
-krb5_error_code
-krb5_ldap_modify_service(krb5_context, krb5_ldap_service_params *, int);
-
-krb5_error_code
-krb5_ldap_delete_service(krb5_context, krb5_ldap_service_params *, char *);
-
-krb5_error_code
-krb5_ldap_list_services(krb5_context, char *, char ***);
-
-krb5_error_code
-krb5_ldap_free_service(krb5_context, krb5_ldap_service_params *);
-
-
-krb5_error_code
-krb5_ldap_set_service_passwd(krb5_context, char *, char *);
-
-krb5_error_code
-krb5_ldap_add_service_rights(krb5_context, int, char *, char *, char **,
- char *, int);
-
-krb5_error_code
-krb5_ldap_delete_service_rights(krb5_context, int, char *, char *, char **,
- char *, int);
-#endif
-
-#endif