| author | Greg Hudson <ghudson@mit.edu> | 2010-07-06 21:53:23 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-07-06 21:53:23 +0000 |
| commit | 8e78a7eeb7266329891971090d2666f5c6a13ad0 (patch) | |
| tree | b5d8a1827176cd1fdc9da5983181ee25c30b31b8 /src/plugins | |
| parent | 4a1d6a694452122f71d876e39ee335ea7ee022b6 (diff) | |
| download | krb5-8e78a7eeb7266329891971090d2666f5c6a13ad0.tar.gz krb5-8e78a7eeb7266329891971090d2666f5c6a13ad0.tar.xz krb5-8e78a7eeb7266329891971090d2666f5c6a13ad0.zip | |
Remove count parameters from get_principal, put_principal,
free_principal, delete_principal, and get_policy. Make get_principal
allocate the DB entry container. Fold krb5_db_get_principal_ext into
krb5_db_get_principal.
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/kdb/db2/adb_policy.c | 7 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/db2_exp.c | 26 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_db2.c | 148 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_db2.h | 17 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_xdr.c | 88 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_xdr.h | 16 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/lockout.c | 12 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/policy_db.h | 6 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 3 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 3 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c | 29 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h | 8 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1183 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 10 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h | 2 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 5 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 9 |
17 files changed, 736 insertions, 836 deletions
diff --git a/src/plugins/kdb/db2/adb_policy.c b/src/plugins/kdb/db2/adb_policy.c index 2b6c1214f..057f1826f 100644 --- a/src/plugins/kdb/db2/adb_policy.c +++ b/src/plugins/kdb/db2/adb_policy.c @@ -184,7 +184,7 @@ error: */ krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, char *name, - osa_policy_ent_t *entry, int *cnt) + osa_policy_ent_t *entry) { DBT dbkey; DBT dbdata; @@ -194,8 +194,6 @@ osa_adb_get_policy(osa_adb_policy_t db, char *name, OPENLOCK(db, KRB5_DB_LOCKMODE_SHARED); - *cnt = 1; - if(name == NULL) { ret = EINVAL; goto error; @@ -206,8 +204,7 @@ osa_adb_get_policy(osa_adb_policy_t db, char *name, dbdata.size = 0; switch((db->db->get(db->db, &dbkey, &dbdata, 0))) { case 1: - ret = 0; - *cnt = 0; + ret = KRB5_KDB_NOENTRY; goto error; case 0: break; diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index a78bc7510..fe4f6e96d 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -120,27 +120,22 @@ WRAP_K (krb5_db2_unlock, (krb5_context ctx), (ctx)); WRAP_K (krb5_db2_get_principal, (krb5_context ctx, krb5_const_principal p, - unsigned int flags, - krb5_db_entry *d, - int * i, - krb5_boolean *b), - (ctx, p, d, i, b)); + unsigned int f, + krb5_db_entry **d), + (ctx, p, f, d)); WRAP_VOID (krb5_db2_free_principal, (krb5_context ctx, - krb5_db_entry *d, - int i), - (ctx, d, i)); + krb5_db_entry *d), + (ctx, d)); WRAP_K (krb5_db2_put_principal, (krb5_context ctx, krb5_db_entry *d, - int *i, char **db_args), - (ctx, d, i, db_args)); + (ctx, d, db_args)); WRAP_K (krb5_db2_delete_principal, (krb5_context context, - krb5_const_principal searchfor, - int *nentries), - (context, searchfor, nentries)); + krb5_const_principal searchfor), + (context, searchfor)); WRAP_K (krb5_db2_iterate, (krb5_context ctx, char *s, 
@@ -155,9 +150,8 @@ WRAP_K (krb5_db2_create_policy, WRAP_K (krb5_db2_get_policy, ( krb5_context kcontext, char *name, - osa_policy_ent_t *policy, - int *cnt), - (kcontext, name, policy, cnt)); + osa_policy_ent_t *policy), + (kcontext, name, policy)); WRAP_K (krb5_db2_put_policy, ( krb5_context kcontext, osa_policy_ent_t policy ), (kcontext, policy)); diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index c23b81335..707bf842b 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -850,18 +850,9 @@ destroy_db(krb5_context context, char *dbname) return retval1; } -/* - * look up a principal in the data base. - * returns number of entries found, and whether there were - * more than requested. - */ - krb5_error_code -krb5_db2_get_principal(krb5_context context, - krb5_const_principal searchfor, - krb5_db_entry *entries, /* filled in */ - int *nentries, /* how much room/how many found */ - krb5_boolean *more) /* are there more? */ +krb5_db2_get_principal(krb5_context context, krb5_const_principal searchfor, + unsigned int flags, krb5_db_entry **entry) { krb5_db2_context *db_ctx; krb5_error_code retval; @@ -870,9 +861,7 @@ krb5_db2_get_principal(krb5_context context, krb5_data keydata, contdata; int trynum, dbret; - *more = FALSE; - *nentries = 0; - + *entry = NULL; if (!k5db2_inited(context)) return KRB5_KDB_DBNOTINITED; 
@@ -898,22 +887,20 @@ krb5_db2_get_principal(krb5_context context, key.size = keydata.length; db = db_ctx->db; - dbret = (*db->get) (db, &key, &contents, 0); + dbret = (*db->get)(db, &key, &contents, 0); retval = errno; krb5_free_data_contents(context, &keydata); switch (dbret) { case 1: - retval = 0; + retval = KRB5_KDB_NOENTRY; + /* Fall through. */ case -1: default: - *nentries = 0; goto cleanup; case 0: contdata.data = contents.data; contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, entries); - if (!retval) - *nentries = 1; + retval = krb5_decode_princ_entry(context, &contdata, entry); break; } @@ -922,34 +909,18 @@ cleanup: return retval; } -/* - Free stuff returned by krb5_db2_get_principal. -*/ +/* Free an entry returned by krb5_db2_get_principal. */ void -krb5_db2_free_principal(krb5_context context, krb5_db_entry *entries, - int nentries) +krb5_db2_free_principal(krb5_context context, krb5_db_entry *entry) { - register int i; - for (i = 0; i < nentries; i++) - krb5_dbe_free_contents(context, &entries[i]); + krb5_dbe_free(context, entry); } -/* - Stores the *"nentries" entry structures pointed to by "entries" in the - database. - - *"nentries" is updated upon return to reflect the number of records - acutally stored; the first *"nstored" records will have been stored in the - database (even if an error occurs). - -*/ - krb5_error_code -krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, - int *nentries, /* number of entry structs to update */ +krb5_db2_put_principal(krb5_context context, krb5_db_entry *entry, char **db_args) { - int i, n, dbret; + int dbret; DB *db; DBT key, contents; krb5_data contdata, keydata; @@ -965,8 +936,6 @@ krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, return EINVAL; } - n = *nentries; - *nentries = 0; if (!k5db2_inited(context)) return KRB5_KDB_DBNOTINITED; 
@@ -980,47 +949,35 @@ krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, return retval; } - /* for each one, stuff temps, and do replace/append */ - for (i = 0; i < n; i++) { - retval = krb5_encode_princ_contents(context, &contdata, entries); - if (retval) - break; - contents.data = contdata.data; - contents.size = contdata.length; - retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ); - if (retval) { - krb5_free_data_contents(context, &contdata); - break; - } - - key.data = keydata.data; - key.size = keydata.length; - dbret = (*db->put) (db, &key, &contents, 0); - retval = dbret ? errno : 0; - krb5_free_data_contents(context, &keydata); + retval = krb5_encode_princ_entry(context, &contdata, entry); + if (retval) + goto cleanup; + contents.data = contdata.data; + contents.size = contdata.length; + retval = krb5_encode_princ_dbkey(context, &keydata, entry->princ); + if (retval) { krb5_free_data_contents(context, &contdata); - if (retval) - break; - entries++; /* bump to next struct */ + goto cleanup; } + key.data = keydata.data; + key.size = keydata.length; + dbret = (*db->put)(db, &key, &contents, 0); + retval = dbret ? errno : 0; + krb5_free_data_contents(context, &keydata); + krb5_free_data_contents(context, &contdata); + +cleanup: (void) krb5_db2_end_update(context); (void) krb5_db2_unlock(context); /* unlock database */ - *nentries = i; return (retval); } -/* - * delete a principal from the data base. - * returns number of entries removed - */ - krb5_error_code -krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor, - int *nentries) /* how many found & deleted */ +krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor) { krb5_error_code retval; - krb5_db_entry entry; + krb5_db_entry *entry; krb5_db2_context *db_ctx; DB *db; DBT key, contents; 
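Review bot: `krb5_db_entry *entry;` in the rewritten krb5_db2_delete_principal declaration block starts uninitialized, while the other conversions in this commit (krb5_ldap_delete_principal, krb5_ldap_get_principal) initialize their pointer to NULL. Writing `krb5_db_entry *entry = NULL;` keeps the two plugins consistent and makes any future cleanup-path `krb5_dbe_free(context, entry);` safe, since krb5_dbe_free now tolerates NULL. The body of krb5_db2_delete_principal continues past the hunk.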
@@ -1050,31 +1007,29 @@ krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor, switch (dbret) { case 1: retval = KRB5_KDB_NOENTRY; + /* Fall through. */ case -1: default: - *nentries = 0; goto cleankey; case 0: ; } - memset(&entry, 0, sizeof(entry)); contdata.data = contents.data; contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, &entry); + retval = krb5_decode_princ_entry(context, &contdata, &entry); if (retval) goto cleankey; - *nentries = 1; /* Clear encrypted key contents */ - for (i = 0; i < entry.n_key_data; i++) { - if (entry.key_data[i].key_data_length[0]) { - memset(entry.key_data[i].key_data_contents[0], 0, - (unsigned) entry.key_data[i].key_data_length[0]); + for (i = 0; i < entry->n_key_data; i++) { + if (entry->key_data[i].key_data_length[0]) { + memset(entry->key_data[i].key_data_contents[0], 0, + (unsigned) entry->key_data[i].key_data_length[0]); } } - retval = krb5_encode_princ_contents(context, &contdata, &entry); - krb5_dbe_free_contents(context, &entry); + retval = krb5_encode_princ_entry(context, &contdata, entry); + krb5_dbe_free(context, entry); if (retval) goto cleankey; @@ -1105,7 +1060,7 @@ krb5_db2_iterate_ext(krb5_context context, DB *db; DBT key, contents; krb5_data contdata; - krb5_db_entry entries; + krb5_db_entry *entry; krb5_error_code retval; int dbret; void *cookie; 
@@ -1142,14 +1097,14 @@ krb5_db2_iterate_ext(krb5_context context, contdata.data = contents.data; contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, &entries); + retval = krb5_decode_princ_entry(context, &contdata, &entry); if (retval) break; retval = k5_mutex_unlock(krb5_db2_mutex); if (retval) break; - retval = (*func) (func_arg, &entries); - krb5_dbe_free_contents(context, &entries); + retval = (*func)(func_arg, entry); + krb5_dbe_free(context, entry); retval2 = k5_mutex_lock(krb5_db2_mutex); /* Note: If re-locking fails, the wrapper in db2_exp.c will still try to unlock it again. That would be a bug. Fix @@ -1319,11 +1274,11 @@ krb5_db2_create_policy(krb5_context context, osa_policy_ent_t policy) krb5_error_code krb5_db2_get_policy(krb5_context context, - char *name, osa_policy_ent_t * policy, int *cnt) + char *name, osa_policy_ent_t *policy) { krb5_db2_context *dbc = context->dal_handle->db_context; - return osa_adb_get_policy(dbc->policy_db, name, policy, cnt); + return osa_adb_get_policy(dbc->policy_db, name, policy); } krb5_error_code @@ -1450,9 +1405,8 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) struct nra_context *nra = (struct nra_context *)ptr; kdb5_dal_handle *dal_handle = nra->kcontext->dal_handle; krb5_error_code retval; - int n_entries = 0, changed; - krb5_db_entry s_entry; - krb5_boolean more; + int changed; + krb5_db_entry *s_entry; krb5_db2_context *dst_db; memset(&s_entry, 0, sizeof(s_entry)); 
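Review bot: `memset(&s_entry, 0, sizeof(s_entry));` at the end of the last hunk on this line now zeroes a pointer rather than an entry, since s_entry became `krb5_db_entry *` two lines earlier in krb5_db2_merge_nra_iterator; it is harmless but misleading. Initialize at the declaration instead, `krb5_db_entry *s_entry = NULL;`, and drop the memset. The function continues past the hunk.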
@@ -1461,23 +1415,21 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) dal_handle->db_context = nra->db_context; /* look up the new principal in the old DB */ - retval = krb5_db2_get_principal(nra->kcontext, entry->princ, &s_entry, - &n_entries, &more); - if (retval != 0 || n_entries == 0) { + retval = krb5_db2_get_principal(nra->kcontext, entry->princ, 0, &s_entry); + if (retval != 0) { /* principal may be newly created, so ignore */ dal_handle->db_context = dst_db; return 0; } /* merge non-replicated attributes from the old entry in */ - krb5_db2_merge_principal(nra->kcontext, &s_entry, entry, &changed); + krb5_db2_merge_principal(nra->kcontext, s_entry, entry, &changed); dal_handle->db_context = dst_db; /* if necessary, commit the modified new entry to the new DB */ if (changed) { - retval = krb5_db2_put_principal(nra->kcontext, entry, &n_entries, - NULL); + retval = krb5_db2_put_principal(nra->kcontext, entry, NULL); } else { retval = 0; } diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index d7ac7a4cb..6096dc4b1 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -60,9 +60,9 @@ krb5_error_code krb5_db2_fini(krb5_context); krb5_error_code krb5_db2_get_age(krb5_context, char *, time_t *); krb5_error_code krb5_db2_rename(krb5_context, char *, char *, int ); krb5_error_code krb5_db2_get_principal(krb5_context, krb5_const_principal, - krb5_db_entry *, int *, krb5_boolean *); -void krb5_db2_free_principal(krb5_context, krb5_db_entry *, int); -krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *, int *, + unsigned int, krb5_db_entry **); +void krb5_db2_free_principal(krb5_context, krb5_db_entry *); +krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *, char **db_args); krb5_error_code krb5_db2_iterate_ext(krb5_context, krb5_error_code (*)(krb5_pointer, 
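Review bot: The entry that krb5_db2_get_principal now allocates into s_entry is never released: after `krb5_db2_merge_principal(nra->kcontext, s_entry, entry, &changed);` the hunk carries on without a `krb5_db2_free_principal(nra->kcontext, s_entry);`. The pre-change code had the same omission for the stack entry's contents, so the leak is inherited, but with the heap container it now costs one full entry per principal visited by the merge. Add the free directly after the merge call (before `dal_handle->db_context = dst_db;`), or at a common exit if the function body, which continues past the hunk, has one.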
@@ -85,12 +85,8 @@ krb5_error_code krb5_db2_get_mkey_list(krb5_context context, krb5_keylist_node **keylist); krb5_error_code -krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, - register int *nentries, char **db_args); - -krb5_error_code -krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor, - int *nentries); +krb5_db2_delete_principal(krb5_context context, + krb5_const_principal searchfor); krb5_error_code krb5_db2_lib_init(void); krb5_error_code krb5_db2_lib_cleanup(void); @@ -122,8 +118,7 @@ krb5_error_code krb5_db2_create_policy(krb5_context context, osa_policy_ent_t entry); krb5_error_code krb5_db2_get_policy(krb5_context kcontext, - char *name, osa_policy_ent_t *policy, - int *cnt); + char *name, osa_policy_ent_t *policy); krb5_error_code krb5_db2_put_policy(krb5_context kcontext, osa_policy_ent_t policy); diff --git a/src/plugins/kdb/db2/kdb_xdr.c b/src/plugins/kdb/db2/kdb_xdr.c index 81a3cc426..14b63fa04 100644 --- a/src/plugins/kdb/db2/kdb_xdr.c +++ b/src/plugins/kdb/db2/kdb_xdr.c @@ -47,15 +47,9 @@ krb5_encode_princ_dbkey(krb5_context context, krb5_data *key, return(retval); } -void -krb5_free_princ_dbkey(krb5_context context, krb5_data *key) -{ - (void) krb5_free_data_contents(context, key); -} - krb5_error_code -krb5_encode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry) +krb5_encode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry *entry) { int i, j; unsigned int unparse_princ_size; 
@@ -229,29 +223,23 @@ epc_error:; return retval; } -void -krb5_free_princ_contents(krb5_context context, krb5_data *contents) -{ - krb5_free_data_contents(context, contents); - return; -} - krb5_error_code -krb5_decode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry) +krb5_decode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry **entry_ptr) { int sizeleft, i; unsigned char * nextloc; krb5_tl_data ** tl_data; krb5_int16 i16; - + krb5_db_entry * entry; krb5_error_code retval; - /* Zero out entry and NULL pointers */ - memset(entry, 0, sizeof(krb5_db_entry)); + entry = k5alloc(sizeof(*entry), &retval); + if (entry == NULL) + return retval; /* - * undo the effects of encode_princ_contents. + * Reverse the encoding of encode_princ_entry. * * The first part is decoding the base type. If the base type is * bigger than the original base type then the additional fields @@ -262,8 +250,10 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content, /* First do the easy stuff */ nextloc = (unsigned char *)content->data; sizeleft = content->length; - if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0) - return KRB5_KDB_TRUNCATED_RECORD; + if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } /* Base Length */ krb5_kdb_decode_int16(nextloc, entry->len); 
@@ -305,25 +295,28 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content, krb5_kdb_decode_int16(nextloc, entry->n_tl_data); nextloc += 2; - if (entry->n_tl_data < 0) - return KRB5_KDB_TRUNCATED_RECORD; + if (entry->n_tl_data < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } /* # key_data strutures */ krb5_kdb_decode_int16(nextloc, entry->n_key_data); nextloc += 2; - if (entry->n_key_data < 0) - return KRB5_KDB_TRUNCATED_RECORD; + if (entry->n_key_data < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } /* Check for extra data */ if (entry->len > KRB5_KDB_V1_BASE_LENGTH) { entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH; - if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) { - memcpy(entry->e_data, nextloc, entry->e_length); - nextloc += entry->e_length; - } else { - return ENOMEM; - } + entry->e_data = k5alloc(entry->e_length, &retval); + if (entry->e_data == NULL) + goto error_out; + memcpy(entry->e_data, nextloc, entry->e_length); + nextloc += entry->e_length; } /* 
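Review bot: The extra-data copy `memcpy(entry->e_data, nextloc, entry->e_length);` is bounded only by entry->len, a value read from the record itself, and not by `sizeleft`, which the earlier hunk of this function reduced only by KRB5_KDB_V1_BASE_LENGTH; if no check exists in the lines between the two hunks, a record whose base-length field exceeds its actual size is read past the end of content->data. Since the rewrite already routes every truncation through error_out, the natural fix is `if (sizeleft < entry->e_length) { retval = KRB5_KDB_TRUNCATED_RECORD; goto error_out; } sizeleft -= entry->e_length;` placed before the memcpy. krb5_decode_princ_entry continues past the hunk.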
@@ -435,40 +428,36 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content, abort(); } } + *entry_ptr = entry; return 0; -error_out:; - krb5_dbe_free_contents(context, entry); +error_out: + krb5_dbe_free(context, entry); return retval; } void -krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) +krb5_dbe_free(krb5_context context, krb5_db_entry *entry) { krb5_tl_data * tl_data_next; krb5_tl_data * tl_data; int i, j; - if (entry->e_data) - free(entry->e_data); - if (entry->princ) - krb5_free_principal(context, entry->princ); + if (entry == NULL) + return; + free(entry->e_data); + krb5_free_principal(context, entry->princ); for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) { tl_data_next = tl_data->tl_data_next; - if (tl_data->tl_data_contents) - free(tl_data->tl_data_contents); + free(tl_data->tl_data_contents); free(tl_data); } if (entry->key_data) { for (i = 0; i < entry->n_key_data; i++) { for (j = 0; j < entry->key_data[i].key_data_ver; j++) { if (entry->key_data[i].key_data_length[j]) { - if (entry->key_data[i].key_data_contents[j]) { - memset(entry->key_data[i].key_data_contents[j], - 0, - (unsigned) entry->key_data[i].key_data_length[j]); - free (entry->key_data[i].key_data_contents[j]); - } + zapfree(entry->key_data[i].key_data_contents[j], + entry->key_data[i].key_data_length[j]); } entry->key_data[i].key_data_contents[j] = NULL; entry->key_data[i].key_data_length[j] = 0; @@ -477,6 +466,5 @@ krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) } free(entry->key_data); } - memset(entry, 0, sizeof(*entry)); - return; + free(entry); } diff --git a/src/plugins/kdb/db2/kdb_xdr.h b/src/plugins/kdb/db2/kdb_xdr.h index e4a202b37..122605f76 100644 --- a/src/plugins/kdb/db2/kdb_xdr.h +++ b/src/plugins/kdb/db2/kdb_xdr.h 
@@ -9,20 +9,14 @@ krb5_encode_princ_dbkey(krb5_context context, krb5_data *key, krb5_const_principal principal); krb5_error_code -krb5_decode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry); +krb5_decode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry **entry); void -krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry); +krb5_dbe_free(krb5_context context, krb5_db_entry *entry); krb5_error_code -krb5_encode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry); - -void -krb5_free_princ_dbkey(krb5_context context, krb5_data *key); - -void -krb5_free_princ_contents(krb5_context context, krb5_data *contents); +krb5_encode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry *entry); #endif diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c index 1e9cc11d9..3ba53d214 100644 --- a/src/plugins/kdb/db2/lockout.c +++ b/src/plugins/kdb/db2/lockout.c @@ -73,17 +73,14 @@ lookup_lockout_policy(krb5_context context, if (adb.policy != NULL) { osa_policy_ent_t policy = NULL; - int count = 0; - code = krb5_db2_get_policy(context, adb.policy, - &policy, &count); - if (code == 0 && count == 1) { + code = krb5_db2_get_policy(context, adb.policy, &policy); + if (code == 0) { *pw_max_fail = policy->pw_max_fail; *pw_failcnt_interval = policy->pw_failcnt_interval; *pw_lockout_duration = policy->pw_lockout_duration; - } - if (policy != NULL) krb5_db2_free_policy(context, policy); + } } xdr_destroy(&xdrs); @@ -148,7 +145,6 @@ krb5_db2_lockout_audit(krb5_context context, krb5_kvno max_fail = 0; krb5_deltat failcnt_interval = 0; krb5_deltat lockout_duration = 0; - int nentries = 1; krb5_db2_context *db_ctx = context->dal_handle->db_context; krb5_boolean need_update = FALSE; 
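Review bot: In lookup_lockout_policy (lockout.c hunk), a principal whose adb.policy names a policy that no longer exists now leaves `code` set to KRB5_KDB_NOENTRY, where the previous `code == 0 && count == 1` test treated that case as success with the default limits; if the function returns code after the hunk (its tail is outside it), a dangling policy reference turns from silently ignored into a lockout-audit failure for that principal. If the old behaviour is wanted, add `if (code == KRB5_KDB_NOENTRY) code = 0;` after the if block; if the new behaviour is intentional, a one-line comment saying so would help, because the diff otherwise reads as a mechanical parameter removal.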
@@ -198,7 +194,7 @@ krb5_db2_lockout_audit(krb5_context context, } if (need_update) { - code = krb5_db2_put_principal(context, entry, &nentries, NULL); + code = krb5_db2_put_principal(context, entry, NULL); if (code != 0) return code; } diff --git a/src/plugins/kdb/db2/policy_db.h b/src/plugins/kdb/db2/policy_db.h index f2842e956..6c920bc44 100644 --- a/src/plugins/kdb/db2/policy_db.h +++ b/src/plugins/kdb/db2/policy_db.h @@ -87,10 +87,8 @@ krb5_error_code osa_adb_create_policy(osa_adb_policy_t db, osa_policy_ent_t entry); krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db, char * name); -krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, - char * name, - osa_policy_ent_t *entry, - int *cnt); +krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, char *name, + osa_policy_ent_t *entry); krb5_error_code osa_adb_put_policy(osa_adb_policy_t db, osa_policy_ent_t entry); krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db, diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 0ee57d118..97710aef8 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -2345,7 +2345,6 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ, unsigned char *curr=NULL; krb5_tl_data *tl_data=NULL; krb5_db_entry entry; - int nentry=1; long mask = 0; krb5_keyblock key; int kvno = 0; @@ -2497,7 +2496,7 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ, break; } /* end of switch */ - retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL); + retval = krb5_ldap_put_principal(context, &entry, NULL); if (retval) { com_err(NULL, retval, "while adding entries to database"); goto cleanup; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 85c70761f..1f3e60e92 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -2113,13 +2113,12 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, /* We already know that the policy is inside the realm container. */ if (polname) { osa_policy_ent_t pwdpol; - int cnt=0; krb5_timestamp last_pw_changed; krb5_ui_4 pw_max_life; memset(&pwdpol, 0, sizeof(pwdpol)); - if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) + if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol)) != 0) goto cleanup; pw_max_life = pwdpol->pw_max_life; free (pwdpol); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index 9128fd5d7..68b08c512 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c @@ -123,13 +123,12 @@ krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) void -krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entries, - int nentries) +krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entry) { - register int i; - for (i = 0; i < nentries; i++) - krb5_dbe_free_contents(kcontext, &entries[i]); - return 0; + if (entry == NULL) + return; + krb5_dbe_free_contents(kcontext, entry); + free(entry); } krb5_error_code @@ -230,7 +229,7 @@ cleanup: */ krb5_error_code krb5_ldap_delete_principal(krb5_context context, - krb5_const_principal searchfor, int *nentries) + krb5_const_principal searchfor) { char *user=NULL, *DN=NULL, *strval[10] = {NULL}; LDAPMod **mods=NULL; 
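Review bot: krb5_ldap_free_principal (ldap_principal.c hunk) now calls `free(entry)` on its argument, so it accepts only heap-allocated entries such as those krb5_ldap_get_principal returns from this commit on, yet nothing in the hunk states that contract, and callers like kdb_ldap_create_principal in kdb5_ldap_realm.c still keep a stack `krb5_db_entry entry;`. A short comment above the definition, e.g. `/* Release an entry allocated by krb5_ldap_get_principal; not for stack-allocated entries. */`, would stop a later caller from passing `&entry` and freeing a stack address. I have not checked callers beyond the ones visible in this diff.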
@@ -242,21 +241,20 @@ krb5_ldap_delete_principal(krb5_context context, kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - krb5_db_entry entries; - krb5_boolean more=0; + krb5_db_entry *entry = NULL; /* Clear the global error string */ krb5_clear_error_message(context); SETUP_CONTEXT(); /* get the principal info */ - if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0) + if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entry))) goto cleanup; - if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) || - ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) || - ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) || - ((st=krb5_get_userdn(context, &entries, &(DN))) != 0)) + if (((st=krb5_get_princ_type(context, entry, &(ptype))) != 0) || + ((st=krb5_get_attributes_mask(context, entry, &(attrsetmask))) != 0) || + ((st=krb5_get_princ_count(context, entry, &(pcount))) != 0) || + ((st=krb5_get_userdn(context, entry, &(DN))) != 0)) goto cleanup; if (DN == NULL) { @@ -356,8 +354,7 @@ cleanup: free (secretkey); } - if (st == 0) - krb5_ldap_free_principal(context, &entries, *nentries); + krb5_ldap_free_principal(context, entry); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h index 805462d36..3942e3f42 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h 
@@ -95,17 +95,17 @@ extern struct timeval timeout; extern char *policyclass[]; krb5_error_code -krb5_ldap_put_principal(krb5_context, krb5_db_entry *, int *, char **); +krb5_ldap_put_principal(krb5_context, krb5_db_entry *, char **); krb5_error_code krb5_ldap_get_principal(krb5_context , krb5_const_principal , - unsigned int, krb5_db_entry *, int *, krb5_boolean *); + unsigned int, krb5_db_entry **); krb5_error_code -krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *); +krb5_ldap_delete_principal(krb5_context, krb5_const_principal); void -krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int ); +krb5_ldap_free_principal(krb5_context, krb5_db_entry *); krb5_error_code krb5_ldap_iterate(krb5_context, char *, diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 7ad31da83..9b50eda72 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -100,8 +100,7 @@ aliases_ok(unsigned int flags) krb5_error_code krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - unsigned int flags, krb5_db_entry *entries, - int *nentries, krb5_boolean *more) + unsigned int flags, krb5_db_entry **entry_ptr) { char *user=NULL, *filter=NULL, **subtree=NULL; unsigned int tree=0, ntrees=1, princlen=0; @@ -113,15 +112,14 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; krb5_principal cprinc=NULL; + krb5_boolean found=FALSE; + krb5_db_entry *entry = NULL; + + *entry_ptr = NULL; /* Clear the global error string */ krb5_clear_error_message(context); - /* set initial values */ - *nentries = 0; - *more = 0; - memset(entries, 0, sizeof(*entries)); - if (searchfor == NULL) return EINVAL; 
@@ -131,7 +129,6 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, CHECK_LDAP_HANDLE(ldap_context); if (is_principal_in_realm(ldap_context, searchfor) != 0) { - *more = 0; krb5_set_error_message (context, st, "Principal does not belong to realm"); goto cleanup; } @@ -153,10 +150,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, goto cleanup; GET_HANDLE(); - for (tree=0; tree < ntrees && *nentries == 0; ++tree) { + for (tree=0; tree < ntrees && !found; ++tree) { LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); - for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) { + for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) { /* get the associated directory user information */ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { @@ -168,13 +165,13 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, */ for (i=0; values[i] != NULL; ++i) { if (strcmp(values[i], user) == 0) { - *nentries = 1; + found = TRUE; break; } } ldap_value_free(values); - if (*nentries == 0) /* no matching principal found */ + if (!found) /* no matching principal found */ continue; } 
@@ -189,31 +186,34 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, if (st != 0) goto cleanup; } else /* No canonicalization, so don't return aliases. */ - *nentries = 0; + found = FALSE; } ldap_value_free(values); - if (*nentries == 0) + if (!found) continue; } + entry = k5alloc(sizeof(*entry), &st); + if (entry == NULL) + goto cleanup; if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, cprinc ? cprinc : searchfor, - entries)) != 0) + entry)) != 0) goto cleanup; } ldap_msgfree(result); result = NULL; } /* for (tree=0 ... */ - /* once done, put back the ldap handle */ - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); - ldap_server_handle = NULL; + if (found) { + *entry_ptr = entry; + entry = NULL; + } else + st = KRB5_KDB_NOENTRY; cleanup: ldap_msgfree(result); - - if (*nentries == 0 || st != 0) - krb5_dbe_free_contents(context, entries); + krb5_ldap_free_principal(context, entry); if (filter) free (filter); @@ -494,10 +494,10 @@ tl_data2berval (krb5_tl_data *in, struct berval **out) } krb5_error_code -krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries, - int *nentries, char **db_args) +krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + char **db_args) { - int i=0, l=0, kerberos_principal_object_type=0; + int l=0, kerberos_principal_object_type=0; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; 
@@ -529,554 +529,574 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries, /* get ldap handle */ GET_HANDLE(); - for (i=0; i < *nentries; ++i, ++entries) { - if (is_principal_in_realm(ldap_context, entries->princ) != 0) { - st = EINVAL; - krb5_set_error_message(context, st, "Principal does not belong to the default realm"); + if (is_principal_in_realm(ldap_context, entry->princ) != 0) { + st = EINVAL; + krb5_set_error_message(context, st, "Principal does not belong to the default realm"); + goto cleanup; + } + + /* get the principal information to act on */ + if (entry->princ) { + if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) || + ((st=krb5_ldap_unparse_principal_name(user)) != 0)) goto cleanup; - } + } - /* get the principal information to act on */ - if (entries->princ) { - if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) || - ((st=krb5_ldap_unparse_principal_name(user)) != 0)) - goto cleanup; - } + /* Identity the type of operation, it can be + * add principal or modify principal. + * hack if the entry->mask has KRB_PRINCIPAL flag set + * then it is a add operation + */ + if (entry->mask & KADM5_PRINCIPAL) + optype = ADD_PRINCIPAL; + else + optype = MODIFY_PRINCIPAL; - /* Identity the type of operation, it can be - * add principal or modify principal. 
- * hack if the entries->mask has KRB_PRINCIPAL flag set - * then it is a add operation - */ - if (entries->mask & KADM5_PRINCIPAL) - optype = ADD_PRINCIPAL; - else - optype = MODIFY_PRINCIPAL; + if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) || + ((st=krb5_get_userdn(context, entry, &principal_dn)) != 0)) + goto cleanup; - if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) || - ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0)) - goto cleanup; + if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) + goto cleanup; + + if (entry->mask & KADM5_LOAD) { + int tree = 0, ntrees = 0, princlen = 0, numlentries = 0; + char **subtreelist = NULL, *filter = NULL; - if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) + /* A load operation is special, will do a mix-in (add krbprinc + * attrs to a non-krb object entry) if an object exists with a + * matching krbprincipalname attribute so try to find existing + * object and set principal_dn. This assumes that the + * krbprincipalname attribute is unique (only one object entry has + * a particular krbprincipalname attribute). 
+ */ + if (user == NULL) { + /* must have principal name for search */ + st = EINVAL; + krb5_set_error_message(context, st, "operation can not continue, principal name not found"); goto cleanup; + } + princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ + if ((filter = malloc(princlen)) == NULL) { + st = ENOMEM; + goto cleanup; + } + snprintf(filter, princlen, FILTER"%s))", user); - if (entries->mask & KADM5_LOAD) { - int tree = 0, ntrees = 0, princlen = 0, numlentries = 0; - char **subtreelist = NULL, *filter = NULL; + /* get the current subtree list */ + if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) + goto cleanup; - /* A load operation is special, will do a mix-in (add krbprinc - * attrs to a non-krb object entry) if an object exists with a - * matching krbprincipalname attribute so try to find existing - * object and set principal_dn. This assumes that the - * krbprincipalname attribute is unique (only one object entry has - * a particular krbprincipalname attribute). 
- */ - if (user == NULL) { - /* must have principal name for search */ - st = EINVAL; - krb5_set_error_message(context, st, "operation can not continue, principal name not found"); - goto cleanup; - } - princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; + found_entry = FALSE; + /* search for entry with matching krbprincipalname attribute */ + for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { + result = NULL; + if (principal_dn == NULL) { + LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); + } else { + /* just look for entry with principal_dn */ + LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); } - snprintf(filter, princlen, FILTER"%s))", user); - - /* get the current subtree list */ - if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) - goto cleanup; - - found_entry = FALSE; - /* search for entry with matching krbprincipalname attribute */ - for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { - result = NULL; - if (principal_dn == NULL) { - LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); - } else { - /* just look for entry with principal_dn */ - LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); - } - if (st == LDAP_SUCCESS) { - numlentries = ldap_count_entries(ld, result); - if (numlentries > 1) { - ldap_msgfree(result); - free(filter); - st = EINVAL; - krb5_set_error_message(context, st, - "operation can not continue, more than one entry with principal name \"%s\" found", - user); - goto cleanup; - } else if (numlentries == 1) { - found_entry = TRUE; - if (principal_dn == NULL) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - /* setting principal_dn will cause that entry to be 
modified further down */ - if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { - ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); - st = set_ldap_error (context, st, 0); - ldap_msgfree(result); - free(filter); - goto cleanup; - } + if (st == LDAP_SUCCESS) { + numlentries = ldap_count_entries(ld, result); + if (numlentries > 1) { + ldap_msgfree(result); + free(filter); + st = EINVAL; + krb5_set_error_message(context, st, + "operation can not continue, more than one entry with principal name \"%s\" found", + user); + goto cleanup; + } else if (numlentries == 1) { + found_entry = TRUE; + if (principal_dn == NULL) { + ent = ldap_first_entry(ld, result); + if (ent != NULL) { + /* setting principal_dn will cause that entry to be modified further down */ + if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { + ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); + st = set_ldap_error (context, st, 0); + ldap_msgfree(result); + free(filter); + goto cleanup; } } } - if (result) - ldap_msgfree(result); - } else if (st != LDAP_NO_SUCH_OBJECT) { - /* could not perform search, return with failure */ - st = set_ldap_error (context, st, 0); - free(filter); - goto cleanup; } - /* - * If it isn't found then assume a standalone princ entry is to - * be created. - */ - } /* end for (tree = 0; principal_dn == ... */ + if (result) + ldap_msgfree(result); + } else if (st != LDAP_NO_SUCH_OBJECT) { + /* could not perform search, return with failure */ + st = set_ldap_error (context, st, 0); + free(filter); + goto cleanup; + } + /* + * If it isn't found then assume a standalone princ entry is to + * be created. + */ + } /* end for (tree = 0; principal_dn == ... */ - free(filter); + free(filter); - if (found_entry == FALSE && principal_dn != NULL) { - /* - * if principal_dn is null then there is code further down to - * deal with setting standalone_principal_dn. Also note that - * this will set create_standalone_prinicipal true for - * non-mix-in entries which is okay if loading from a dump. 
- */ - create_standalone_prinicipal = TRUE; - standalone_principal_dn = strdup(principal_dn); - CHECK_NULL(standalone_principal_dn); - } - } /* end if (entries->mask & KADM5_LOAD */ + if (found_entry == FALSE && principal_dn != NULL) { + /* + * if principal_dn is null then there is code further down to + * deal with setting standalone_principal_dn. Also note that + * this will set create_standalone_prinicipal true for + * non-mix-in entries which is okay if loading from a dump. + */ + create_standalone_prinicipal = TRUE; + standalone_principal_dn = strdup(principal_dn); + CHECK_NULL(standalone_principal_dn); + } + } /* end if (entry->mask & KADM5_LOAD */ - /* time to generate the DN information with the help of - * containerdn, principalcontainerreference or - * realmcontainerdn information - */ - if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ - /* get the subtree information */ - if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") && - strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) { - /* if the principal is a inter-realm principal, always created in the realm container */ - subtree = strdup(ldap_context->lrparams->realmdn); - } else if (xargs.containerdn) { - if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { - if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { - int ost = st; - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "'%s' not found: ", - xargs.containerdn); - prepend_err_str(context, errbuf, st, ost); - } - goto cleanup; + /* time to generate the DN information with the help of + * containerdn, principalcontainerreference or + * realmcontainerdn information + */ + if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ + /* get the subtree information */ + if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") && + 
strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) { + /* if the principal is a inter-realm principal, always created in the realm container */ + subtree = strdup(ldap_context->lrparams->realmdn); + } else if (xargs.containerdn) { + if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { + if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { + int ost = st; + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "'%s' not found: ", + xargs.containerdn); + prepend_err_str(context, errbuf, st, ost); } - subtree = strdup(xargs.containerdn); - } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { - /* - * Here the subtree should be changed with - * principalcontainerreference attribute value - */ - subtree = strdup(ldap_context->lrparams->containerref); - } else { - subtree = strdup(ldap_context->lrparams->realmdn); + goto cleanup; } - CHECK_NULL(subtree); - - if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", - user, subtree) < 0) - standalone_principal_dn = NULL; - CHECK_NULL(standalone_principal_dn); + subtree = strdup(xargs.containerdn); + } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { /* - * free subtree when you are done using the subtree - * set the boolean create_standalone_prinicipal to TRUE + * Here the subtree should be changed with + * principalcontainerreference attribute value */ - create_standalone_prinicipal = TRUE; - free(subtree); - subtree = NULL; + subtree = strdup(ldap_context->lrparams->containerref); + } else { + subtree = strdup(ldap_context->lrparams->realmdn); } + CHECK_NULL(subtree); + if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", + user, subtree) < 0) + standalone_principal_dn = NULL; + CHECK_NULL(standalone_principal_dn); /* - * If the DN information is presented by the user, time to - * validate the input to ensure that the DN falls under - 
* any of the subtrees + * free subtree when you are done using the subtree + * set the boolean create_standalone_prinicipal to TRUE */ - if (xargs.dn_from_kbd == TRUE) { - /* make sure the DN falls in the subtree */ - int tre=0, dnlen=0, subtreelen=0, ntrees=0; - char **subtreelist=NULL; - char *dn=NULL; - krb5_boolean outofsubtree=TRUE; - - if (xargs.dn != NULL) { - dn = xargs.dn; - } else if (xargs.linkdn != NULL) { - dn = xargs.linkdn; - } else if (standalone_principal_dn != NULL) { - /* - * Even though the standalone_principal_dn is constructed - * within this function, there is the containerdn input - * from the user that can become part of the it. - */ - dn = standalone_principal_dn; - } + create_standalone_prinicipal = TRUE; + free(subtree); + subtree = NULL; + } - /* get the current subtree list */ - if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) - goto cleanup; + /* + * If the DN information is presented by the user, time to + * validate the input to ensure that the DN falls under + * any of the subtrees + */ + if (xargs.dn_from_kbd == TRUE) { + /* make sure the DN falls in the subtree */ + int tre=0, dnlen=0, subtreelen=0, ntrees=0; + char **subtreelist=NULL; + char *dn=NULL; + krb5_boolean outofsubtree=TRUE; + + if (xargs.dn != NULL) { + dn = xargs.dn; + } else if (xargs.linkdn != NULL) { + dn = xargs.linkdn; + } else if (standalone_principal_dn != NULL) { + /* + * Even though the standalone_principal_dn is constructed + * within this function, there is the containerdn input + * from the user that can become part of the it. 
+ */ + dn = standalone_principal_dn; + } - for (tre=0; tre<ntrees; ++tre) { - if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) { + /* get the current subtree list */ + if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) + goto cleanup; + + for (tre=0; tre<ntrees; ++tre) { + if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) { + outofsubtree = FALSE; + break; + } else { + dnlen = strlen (dn); + subtreelen = strlen(subtreelist[tre]); + if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { outofsubtree = FALSE; break; - } else { - dnlen = strlen (dn); - subtreelen = strlen(subtreelist[tre]); - if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { - outofsubtree = FALSE; - break; - } } } + } - for (tre=0; tre < ntrees; ++tre) { - free(subtreelist[tre]); - } + for (tre=0; tre < ntrees; ++tre) { + free(subtreelist[tre]); + } - if (outofsubtree == TRUE) { - st = EINVAL; - krb5_set_error_message(context, st, "DN is out of the realm subtree"); - goto cleanup; - } + if (outofsubtree == TRUE) { + st = EINVAL; + krb5_set_error_message(context, st, "DN is out of the realm subtree"); + goto cleanup; + } + + /* + * dn value will be set either by dn, linkdn or the standalone_principal_dn + * In the first 2 cases, the dn should be existing and in the last case we + * are supposed to create the ldap object. so the below should not be + * executed for the last case. + */ + if (standalone_principal_dn == NULL) { /* - * dn value will be set either by dn, linkdn or the standalone_principal_dn - * In the first 2 cases, the dn should be existing and in the last case we - * are supposed to create the ldap object. so the below should not be - * executed for the last case. + * If the ldap object is missing, this results in an error. */ - if (standalone_principal_dn == NULL) { - /* - * If the ldap object is missing, this results in an error. 
- */ - - /* - * Search for krbprincipalname attribute here. - * This is to find if a kerberos identity is already present - * on the ldap object, in which case adding a kerberos identity - * on the ldap object should result in an error. - */ - char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; - - LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); - if (st == LDAP_SUCCESS) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { - ldap_value_free(values); - } + /* + * Search for krbprincipalname attribute here. + * This is to find if a kerberos identity is already present + * on the ldap object, in which case adding a kerberos identity + * on the ldap object should result in an error. + */ + char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; + + LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); + if (st == LDAP_SUCCESS) { + ent = ldap_first_entry(ld, result); + if (ent != NULL) { + if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { + ldap_value_free(values); + } - if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - krb_identity_exists = TRUE; - ldap_value_free(values); - } + if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { + krb_identity_exists = TRUE; + ldap_value_free(values); } - ldap_msgfree(result); - } else { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; } + ldap_msgfree(result); + } else { + st = set_ldap_error(context, st, OP_SEARCH); + goto cleanup; } } + } + /* + * If xargs.dn is set then the request is to add a + * kerberos principal on a ldap object, but if + * there is one already on the ldap object this + * should result in an error. 
+ */ + + if (xargs.dn != NULL && krb_identity_exists == TRUE) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized"); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + + if (xargs.linkdn != NULL) { /* - * If xargs.dn is set then the request is to add a - * kerberos principal on a ldap object, but if - * there is one already on the ldap object this - * should result in an error. + * link information can be changed using modprinc. + * However, link information can be changed only on the + * standalone kerberos principal objects. A standalone + * kerberos principal object is of type krbprincipal + * structural objectclass. + * + * NOTE: kerberos principals on an ldap object can't be + * linked to other ldap objects. */ - - if (xargs.dn != NULL && krb_identity_exists == TRUE) { + if (optype == MODIFY_PRINCIPAL && + kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized"); + snprintf(errbuf, sizeof(errbuf), + "link information can not be set/updated as the kerberos principal belongs to an ldap object"); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } + /* + * Check the link information. If there is already a link + * existing then this operation is not allowed. + */ + { + char **linkdns=NULL; + int j=0; - if (xargs.linkdn != NULL) { - /* - * link information can be changed using modprinc. - * However, link information can be changed only on the - * standalone kerberos principal objects. A standalone - * kerberos principal object is of type krbprincipal - * structural objectclass. - * - * NOTE: kerberos principals on an ldap object can't be - * linked to other ldap objects. 
- */ - if (optype == MODIFY_PRINCIPAL && - kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { + if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) { + snprintf(errbuf, sizeof(errbuf), + "Failed getting object references"); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + if (linkdns != NULL) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), - "link information can not be set/updated as the kerberos principal belongs to an ldap object"); + "kerberos principal is already linked " + "to a ldap object"); krb5_set_error_message(context, st, "%s", errbuf); + for (j=0; linkdns[j] != NULL; ++j) + free (linkdns[j]); + free (linkdns); goto cleanup; } - /* - * Check the link information. If there is already a link - * existing then this operation is not allowed. - */ - { - char **linkdns=NULL; - int j=0; + } - if ((st=krb5_get_linkdn(context, entries, &linkdns)) != 0) { - snprintf(errbuf, sizeof(errbuf), - "Failed getting object references"); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - if (linkdns != NULL) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "kerberos principal is already linked " - "to a ldap object"); - krb5_set_error_message(context, st, "%s", errbuf); - for (j=0; linkdns[j] != NULL; ++j) - free (linkdns[j]); - free (linkdns); - goto cleanup; - } - } + establish_links = TRUE; + } - establish_links = TRUE; + if (entry->mask & KADM5_LAST_SUCCESS) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->last_success)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; } + free (strval[0]); + } - if (entries->mask & KADM5_LAST_SUCCESS) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->last_success)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) 
{ - free (strval[0]); - goto cleanup; - } + if (entry->mask & KADM5_LAST_FAILED) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->last_failed)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free(strval[0]); + } - if (entries->mask & KADM5_LAST_FAILED) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->last_failed)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free(strval[0]); - } + if (entry->mask & KADM5_FAIL_AUTH_COUNT) { + krb5_kvno fail_auth_count; - if (entries->mask & KADM5_FAIL_AUTH_COUNT) { - krb5_kvno fail_auth_count; + fail_auth_count = entry->fail_auth_count; + if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) + fail_auth_count++; - fail_auth_count = entries->fail_auth_count; - if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) - fail_auth_count++; + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_REPLACE, + fail_auth_count); + if (st != 0) + goto cleanup; + } else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { + int attr_mask = 0; + krb5_boolean has_fail_count; + + /* Check if the krbLoginFailedCount attribute exists. (Through + * krb5 1.8.1, it wasn't set in new entries.) */ + st = krb5_get_attributes_mask(context, entry, &attr_mask); + if (st != 0) + goto cleanup; + has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0); + /* + * If the client library and server supports RFC 4525, + * then use it to increment by one the value of the + * krbLoginFailedCount attribute. Otherwise, assert the + * (provided) old value by deleting it before adding. 
+ */ +#ifdef LDAP_MOD_INCREMENT + if (ldap_server_handle->server_info->modify_increment && + has_fail_count) { st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_REPLACE, - fail_auth_count); + LDAP_MOD_INCREMENT, 1); if (st != 0) goto cleanup; - } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { - int attr_mask = 0; - krb5_boolean has_fail_count; - - /* Check if the krbLoginFailedCount attribute exists. (Through - * krb5 1.8.1, it wasn't set in new entries.) */ - st = krb5_get_attributes_mask(context, entries, &attr_mask); - if (st != 0) - goto cleanup; - has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0); - - /* - * If the client library and server supports RFC 4525, - * then use it to increment by one the value of the - * krbLoginFailedCount attribute. Otherwise, assert the - * (provided) old value by deleting it before adding. - */ -#ifdef LDAP_MOD_INCREMENT - if (ldap_server_handle->server_info->modify_increment && - has_fail_count) { - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_INCREMENT, 1); - if (st != 0) - goto cleanup; - } else { + } else { #endif /* LDAP_MOD_INCREMENT */ - if (has_fail_count) { - st = krb5_add_int_mem_ldap_mod(&mods, - "krbLoginFailedCount", - LDAP_MOD_DELETE, - entries->fail_auth_count); - if (st != 0) - goto cleanup; - } - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_ADD, - entries->fail_auth_count + 1); + if (has_fail_count) { + st = krb5_add_int_mem_ldap_mod(&mods, + "krbLoginFailedCount", + LDAP_MOD_DELETE, + entry->fail_auth_count); if (st != 0) goto cleanup; -#ifdef LDAP_MOD_INCREMENT } -#endif - } else if (optype == ADD_PRINCIPAL) { - /* Initialize krbLoginFailedCount in new entries to help avoid a - * race during the first failed login. 
*/ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_ADD, 0); - } - - if (entries->mask & KADM5_MAX_LIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0) + LDAP_MOD_ADD, + entry->fail_auth_count + 1); + if (st != 0) goto cleanup; +#ifdef LDAP_MOD_INCREMENT } +#endif + } else if (optype == ADD_PRINCIPAL) { + /* Initialize krbLoginFailedCount in new entries to help avoid a + * race during the first failed login. */ + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_ADD, 0); + } - if (entries->mask & KADM5_MAX_RLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, - entries->max_renewable_life)) != 0) - goto cleanup; - } + if (entry->mask & KADM5_MAX_LIFE) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_ATTRIBUTES) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, - entries->attributes)) != 0) - goto cleanup; - } + if (entry->mask & KADM5_MAX_RLIFE) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, + entry->max_renewable_life)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_PRINCIPAL) { - memset(strval, 0, sizeof(strval)); - strval[0] = user; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - } + if (entry->mask & KADM5_ATTRIBUTES) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, + entry->attributes)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_PRINC_EXPIRE_TIME) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if (entry->mask & 
KADM5_PRINCIPAL) { + memset(strval, 0, sizeof(strval)); + strval[0] = user; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; + } + + if (entry->mask & KADM5_PRINC_EXPIRE_TIME) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - if (entries->mask & KADM5_PW_EXPIRATION) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", - LDAP_MOD_REPLACE, - strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if (entry->mask & KADM5_PW_EXPIRATION) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", + LDAP_MOD_REPLACE, + strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - if (entries->mask & KADM5_POLICY) { - memset(&princ_ent, 0, sizeof(princ_ent)); - for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) { - if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { - /* FIX ME: I guess the princ_ent should be freed after this call */ - if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { - goto cleanup; - } + if (entry->mask & KADM5_POLICY) { + memset(&princ_ent, 0, sizeof(princ_ent)); + for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) { + if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { + /* FIX ME: I guess the princ_ent should be freed after this call */ + if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { + goto cleanup; } } + } - if (princ_ent.aux_attributes & KADM5_POLICY) { - memset(strval, 0, sizeof(strval)); - if ((st = 
krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) - goto cleanup; - strval[0] = polname; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message(context, st, "Password policy value null"); + if (princ_ent.aux_attributes & KADM5_POLICY) { + memset(strval, 0, sizeof(strval)); + if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) goto cleanup; - } - } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) { - /* - * a load is special in that existing entries must have attrs that - * removed. - */ - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) + strval[0] = polname; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; + } else { + st = EINVAL; + krb5_set_error_message(context, st, "Password policy value null"); + goto cleanup; } + } else if (entry->mask & KADM5_LOAD && found_entry == TRUE) { + /* + * a load is special in that existing entries must have attrs that + * removed. 
+ */ - if (entries->mask & KADM5_POLICY_CLR) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) - goto cleanup; - } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) { - krb5_kvno mkvno; + if (entry->mask & KADM5_POLICY_CLR) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) + goto cleanup; + } - if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0) - goto cleanup; - bersecretkey = krb5_encode_krbsecretkey (entries->key_data, - entries->n_key_data, mkvno); + if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) { + krb5_kvno mkvno; - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", - LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) - goto cleanup; + if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0) + goto cleanup; + bersecretkey = krb5_encode_krbsecretkey (entry->key_data, + entry->n_key_data, mkvno); - if (!(entries->mask & KADM5_PRINCIPAL)) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, - "krbpasswordexpiration", - LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", + LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) + goto cleanup; + + if (!(entry->mask & KADM5_PRINCIPAL)) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, + "krbpasswordexpiration", + LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - /* Update last password change whenever a new key is set */ - { - krb5_timestamp last_pw_changed; - if 
((st=krb5_dbe_lookup_last_pwd_change(context, entries, - &last_pw_changed)) != 0) - goto cleanup; + /* Update last password change whenever a new key is set */ + { + krb5_timestamp last_pw_changed; + if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, + &last_pw_changed)) != 0) + goto cleanup; - memset(strval, 0, sizeof(strval)); - if ((strval[0] = getstringtime(last_pw_changed)) == NULL) - goto cleanup; + memset(strval, 0, sizeof(strval)); + if ((strval[0] = getstringtime(last_pw_changed)) == NULL) + goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", - LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", + LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - } /* Modify Key data ends here */ + } /* Modify Key data ends here */ - /* Set tl_data */ - if (entries->tl_data != NULL) { - int count = 0; - struct berval **ber_tl_data = NULL; - krb5_tl_data *ptr; - for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + /* Set tl_data */ + if (entry->tl_data != NULL) { + int count = 0; + struct berval **ber_tl_data = NULL; + krb5_tl_data *ptr; + for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE +#ifdef SECURID + || ptr->tl_data_type == KRB5_TL_DB_ARGS +#endif + || ptr->tl_data_type == KRB5_TL_KADM_DATA + || ptr->tl_data_type == KDB_TL_USER_INFO + || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) + continue; + count++; + } + if (count != 0) { + int j; + ber_tl_data = (struct berval **) calloc (count + 1, + sizeof (struct berval*)); + if (ber_tl_data == NULL) { + st = ENOMEM; + goto cleanup; + } + for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + /* Ignore tl_data that are stored in separate directory + * attributes */ if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID || ptr->tl_data_type 
== KRB5_TL_DB_ARGS 
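Review bot: Inside the `entry->mask & KADM5_LOAD` block the new code leaks `filter` when `krb5_get_subtree_info()` fails (the `goto cleanup` right after the `snprintf(filter, ...)` bypasses the later `free(filter)`), and `subtreelist` is never released on any path: it is block-local, none of the `goto cleanup` exits inside the search loop touch it, and the normal path only does `free(filter)` before `} /* end if (entry->mask & KADM5_LOAD */`. The same array leak recurs in the `xargs.dn_from_kbd` block, which frees each `subtreelist[tre]` but not `subtreelist` itself, so every load or keyboard-DN operation leaks per call; since the commit already rewrote this whole region it is a good moment to free both on every exit of the block (sketched below, assuming the list is allocated the same way the dn_from_kbd block frees it), or to hoist them to function scope and release them under `cleanup:`, which is outside this hunk. Separately, the containment test `strcasecmp(dn + dnlen - subtreelen, subtreelist[tre]) == 0` accepts any DN whose text merely ends with the subtree string (e.g. `...,xou=people,dc=example,dc=com` against `ou=people,dc=example,dc=com`), so it should also require `dnlen == subtreelen || dn[dnlen - subtreelen - 1] == ','` to be a real "falls in the subtree" check on admin-supplied DNs. `krb5_ldap_put_principal` starts before this hunk and continues past it.
```c
        /* get the current subtree list */
        if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) {
            free(filter);
            goto cleanup;
        }
        /* … unchanged: search loop over subtreelist; its goto cleanup exits need the same frees … */
        free(filter);
        for (tree = 0; tree < ntrees; ++tree)
            free(subtreelist[tree]);
        free(subtreelist);
```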
@@ -1085,156 +1105,134 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries, || ptr->tl_data_type == KDB_TL_USER_INFO || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) continue; - count++; + if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) + break; + j++; } - if (count != 0) { - int j; - ber_tl_data = (struct berval **) calloc (count + 1, - sizeof (struct berval*)); - if (ber_tl_data == NULL) { - st = ENOMEM; - goto cleanup; - } - for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { - /* Ignore tl_data that are stored in separate directory - * attributes */ - if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE -#ifdef SECURID - || ptr->tl_data_type == KRB5_TL_DB_ARGS -#endif - || ptr->tl_data_type == KRB5_TL_KADM_DATA - || ptr->tl_data_type == KDB_TL_USER_INFO - || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) - continue; - if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) - break; - j++; - } - if (st != 0) { - for (j = 0; ber_tl_data[j] != NULL; j++) { - free (ber_tl_data[j]->bv_val); - free (ber_tl_data[j]); - } - free (ber_tl_data); - goto cleanup; + if (st != 0) { + for (j = 0; ber_tl_data[j] != NULL; j++) { + free (ber_tl_data[j]->bv_val); + free (ber_tl_data[j]); } - ber_tl_data[count] = NULL; - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", - LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, - ber_tl_data)) != 0) - goto cleanup; + free (ber_tl_data); + goto cleanup; } + ber_tl_data[count] = NULL; + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", + LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, + ber_tl_data)) != 0) + goto cleanup; } + } - /* Directory specific attribute */ - if (xargs.tktpolicydn != NULL) { - int tmask=0; - - if (strlen(xargs.tktpolicydn) != 0) { - st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); - CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); - - strval[0] = xargs.tktpolicydn; - strval[1] = NULL; - if 
((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; + /* Directory specific attribute */ + if (xargs.tktpolicydn != NULL) { + int tmask=0; - } else { - /* if xargs.tktpolicydn is a empty string, then delete - * already existing krbticketpolicyreference attr */ - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) - goto cleanup; - } + if (strlen(xargs.tktpolicydn) != 0) { + st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); + CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); - } + strval[0] = xargs.tktpolicydn; + strval[1] = NULL; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; - if (establish_links == TRUE) { - memset(strval, 0, sizeof(strval)); - strval[0] = xargs.linkdn; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) + } else { + /* if xargs.tktpolicydn is a empty string, then delete + * already existing krbticketpolicyreference attr */ + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } - /* - * in case mods is NULL then return - * not sure but can happen in a modprinc - * so no need to return an error - * addprinc will at least have the principal name - * and the keys passed in - */ - if (mods == NULL) + } + + if (establish_links == TRUE) { + memset(strval, 0, sizeof(strval)); + strval[0] = xargs.linkdn; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; + } - if (create_standalone_prinicipal == TRUE) { - memset(strval, 0, sizeof(strval)); - strval[0] = "krbprincipal"; - strval[1] = "krbprincipalaux"; - strval[2] = "krbTicketPolicyAux"; + /* + * in case mods is NULL then return + * not sure but can happen in a modprinc + * so no need to return an error + * 
addprinc will at least have the principal name + * and the keys passed in + */ + if (mods == NULL) + goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + if (create_standalone_prinicipal == TRUE) { + memset(strval, 0, sizeof(strval)); + strval[0] = "krbprincipal"; + strval[1] = "krbprincipalaux"; + strval[2] = "krbTicketPolicyAux"; - st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); - if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) { - /* a load operation must replace an existing entry */ - st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); - if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s", - ldap_err2string(st)); - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } else { - st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); - } - } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; + + st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); + if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) { + /* a load operation must replace an existing entry */ + st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st)); + snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s", + ldap_err2string(st)); st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; + } else { + st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); } - } else { - /* - * Here existing ldap object is modified and can be related - * to any attribute, so always ensure that the ldap - * object is extended with all the kerberos related - * objectclasses so that there are no 
constraint - * violations. - */ - { - char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; - int p, q, r=0, amask=0; + } + if (st != LDAP_SUCCESS) { + snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st)); + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + } else { + /* + * Here existing ldap object is modified and can be related + * to any attribute, so always ensure that the ldap + * object is extended with all the kerberos related + * objectclasses so that there are no constraint + * violations. + */ + { + char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; + int p, q, r=0, amask=0; - if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, - "objectclass", attrvalues, &amask)) != 0) - goto cleanup; + if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, + "objectclass", attrvalues, &amask)) != 0) + goto cleanup; - memset(strval, 0, sizeof(strval)); - for (p=1, q=0; p<=2; p<<=1, ++q) { - if ((p & amask) == 0) - strval[r++] = attrvalues[q]; - } - if (r != 0) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - } + memset(strval, 0, sizeof(strval)); + for (p=1, q=0; p<=2; p<<=1, ++q) { + if ((p & amask) == 0) + strval[r++] = attrvalues[q]; } - if (xargs.dn != NULL) - st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); - else - st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL); - - if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st)); - st = translate_ldap_error (st, OP_MOD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; + if (r != 0) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; } + } + if (xargs.dn != NULL) + st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); + else + st = ldap_modify_ext_s(ld, 
 principal_dn, mods, NULL, NULL);
- if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
- entries->fail_auth_count++;
+ if (st != LDAP_SUCCESS) {
+ snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_MOD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
 }
+
+ if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
+ entry->fail_auth_count++;
 }
 cleanup:
@@ -1269,7 +1267,6 @@ cleanup:
 ldap_mods_free(mods, 1);
 krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- *nentries = i;
 return(st);
 }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index 6d25ca1d8..d58fbe965 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -226,8 +226,7 @@ cleanup:
 static krb5_error_code
 krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
- char *pol_dn, osa_policy_ent_t *policy,
- int *cnt)
+ char *pol_dn, osa_policy_ent_t *policy)
 {
 krb5_error_code st=0, tempst=0;
 LDAP *ld=NULL;
@@ -247,7 +246,6 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
 SETUP_CONTEXT();
 GET_HANDLE();
- *cnt = 0;
 *(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
 if (*policy == NULL) {
 st = ENOMEM;
@@ -256,7 +254,6 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
 memset(*policy, 0, sizeof(osa_policy_ent_rec));
 LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
- *cnt = 1;
 #if 0 /************** Begin IFDEF'ed OUT *******************************/
 (*policy)->name = strdup(name);
 CHECK_NULL((*policy)->name);
@@ -302,7 +299,7 @@ cleanup:
 */
 krb5_error_code
 krb5_ldap_get_password_policy(krb5_context context, char *name,
- osa_policy_ent_t *policy, int *cnt)
+ osa_policy_ent_t *policy)
 {
 krb5_error_code st = 0;
 char *policy_dn = NULL;
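Review bot: The locally built `ber_tl_data` array in the tl_data section is released only on the tl_data2berval error path; when `krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", ...)` fails the code jumps to cleanup without freeing it, and on success it is never freed either, unless that helper takes ownership of the bervals, which the hunk does not show. If it copies the values, capture the status first, `st = krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, ber_tl_data);`, run the same free loop the error branch already uses, and only then `if (st != 0) goto cleanup;`. Separately, the KADM5_LOAD branch replaces an existing entry by deleting it and re-adding it, so a failure of the second `ldap_add_ext_s` leaves no directory entry for that principal at all; that deserves a comment on the delete, `/* Not atomic: if the re-add below fails the old entry is already gone. */`. krb5_ldap_put_principal starts before this hunk and its cleanup label is in the next one.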
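Review bot: In `krb5_ldap_get_password_policy_from_dn` (the `@@ -247` and `@@ -256` hunks), with `*cnt` gone the caller can tell that the policy object exists only from the status that `LDAP_SEARCH` leaves in `st`, so the `*policy` record malloc'd a few lines earlier must be freed and reset to NULL whenever the search fails; the cleanup label is outside the hunk, so I cannot confirm it does that. A one-line comment above the macro, `/* LDAP_SEARCH fails (and frees *policy at cleanup) when pol_dn does not exist. */`, would document the contract the lockout caller now relies on, or the cleanup should be fixed if the contract does not hold. The same applies to `krb5_ldap_get_password_policy` in the `@@ -302` hunk, which now simply forwards that status.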
@@ -320,7 +317,8 @@ krb5_ldap_get_password_policy(krb5_context context, char *name,
 if (st != 0)
 goto cleanup;
- st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, policy, cnt);
+ st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn,
+ policy);
 cleanup:
 if (policy_dn != NULL)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h
index 12396ac12..101119553 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h
@@ -33,7 +33,7 @@
 #define _LDAP_KRBPWDPOLICY_H_
 krb5_error_code
-krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *, int *);
+krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *);
 krb5_error_code
 krb5_ldap_create_password_policy(krb5_context, osa_policy_ent_t);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
index 81df6292c..11ca9cdce 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
@@ -322,9 +322,8 @@ krb5_ldap_delete_realm (krb5_context context, char *lrealm)
 for (i = 0; values[i] != NULL; ++i) {
 krb5_parse_name(context, values[i], &principal);
 if (principal_in_realm_2(principal, lrealm) == 0) {
- int nent = 0;
- if ((st=krb5_ldap_delete_principal(context, principal,
- &nent)) != LDAP_SUCCESS)
+ st=krb5_ldap_delete_principal(context, principal);
+ if (st && st != KRB5_KDB_NOENTRY)
 goto cleanup;
 }
 krb5_free_principal(context, principal);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
index 323963e8d..c1a4d7ebe 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
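Review bot: In `krb5_ldap_delete_realm`, the new `goto cleanup` taken when the delete fails skips the `krb5_free_principal(context, principal)` that follows the if block, so the principal parsed for this iteration leaks on the error path unless the cleanup label frees it, which the hunk does not show; `if (st && st != KRB5_KDB_NOENTRY) { krb5_free_principal(context, principal); goto cleanup; }` closes that (with `principal = NULL` added if cleanup also frees it). The return value of `krb5_parse_name` on the context line above is still unchecked, so a malformed value read back from the directory reaches `principal_in_realm_2` and the delete with whatever `principal` held before. The enclosing loop and the cleanup label are outside this hunk.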
@@ -71,11 +71,9 @@ lookup_lockout_policy(krb5_context context,
 if (adb.policy != NULL) {
 osa_policy_ent_t policy = NULL;
- int count = 0;
- code = krb5_ldap_get_password_policy(context, adb.policy,
- &policy, &count);
- if (code == 0 && count == 1) {
+ code = krb5_ldap_get_password_policy(context, adb.policy, &policy);
+ if (code == 0) {
 *pw_max_fail = policy->pw_max_fail;
 *pw_failcnt_interval = policy->pw_failcnt_interval;
 *pw_lockout_duration = policy->pw_lockout_duration;
@@ -147,7 +145,6 @@ krb5_ldap_lockout_audit(krb5_context context,
 krb5_kvno max_fail = 0;
 krb5_deltat failcnt_interval = 0;
 krb5_deltat lockout_duration = 0;
- int nentries = 1;
 SETUP_CONTEXT();
@@ -198,7 +195,7 @@ krb5_ldap_lockout_audit(krb5_context context,
 }
 if (entry->mask) {
- code = krb5_ldap_put_principal(context, entry, &nentries, NULL);
+ code = krb5_ldap_put_principal(context, entry, NULL);
 if (code != 0)
 return code;
 }
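Review bot: In `lookup_lockout_policy`, `code == 0` is now the only evidence that `policy` was found, so any non-zero status, a transient directory error as much as a missing policy object, leaves the three lockout parameters untouched; if the remainder of the function (outside this hunk) clears `code` as the old `count == 1` design suggests, a directory outage silently disables lockout for that principal. Consider treating only `KRB5_KDB_NOENTRY` as "no policy" and propagating anything else, e.g. `if (code != 0 && code != KRB5_KDB_NOENTRY) return code;` ahead of the `if (code == 0)` block, or at least stating the fail-open choice in a comment there. Whether `policy` is released after the three reads is also outside the hunk.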
