| -rw-r--r-- | src/lib/krb5/error_tables/kdb5_err.et | 1 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_exp.c | 18 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 431 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c | 24 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M | 52 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c | 10 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/Makefile.in | 2 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 1 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 21 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 6 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 49 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 7 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 18 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h | 7 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c | 39 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h | 5 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports | 8 |
17 files changed, 204 insertions, 495 deletions
diff --git a/src/lib/krb5/error_tables/kdb5_err.et b/src/lib/krb5/error_tables/kdb5_err.et index d6014acec..953fff328 100644 --- a/src/lib/krb5/error_tables/kdb5_err.et +++ b/src/lib/krb5/error_tables/kdb5_err.et @@ -75,6 +75,7 @@ ec KRB5_KDB_SERVER_INTERNAL_ERR, "Server error" ec KRB5_KDB_ACCESS_ERROR, "Unable to access Kerberos database" ec KRB5_KDB_INTERNAL_ERROR, "Kerberos database internal error" ec KRB5_KDB_CONSTRAINT_VIOLATION, "Kerberos database constraints violated" +ec KRB5_KDB_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton" end diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c index 15aea0a60..6c5a37077 100644 --- a/src/plugins/kdb/ldap/ldap_exp.c +++ b/src/plugins/kdb/ldap/ldap_exp.c @@ -40,6 +40,7 @@ #include "ldap_principal.h" #include "ldap_pwd_policy.h" + /* * Exposed API */ @@ -51,12 +52,12 @@ kdb_vftabl kdb_function_table = { /* fini_library */ krb5_ldap_lib_cleanup, /* init_module */ krb5_ldap_open, /* fini_module */ krb5_ldap_close, - /* db_create */ NULL, - /* db_destroy */ NULL, + /* db_create */ krb5_ldap_create_realm_1, + /* db_destroy */ krb5_ldap_delete_realm_1, /* db_get_age */ krb5_ldap_db_get_age, - /* db_set_option */ NULL, - /* db_lock */ NULL, - /* db_unlock */ NULL, + /* db_set_option */ krb5_ldap_set_option, + /* db_lock */ krb5_ldap_lock, + /* db_unlock */ krb5_ldap_unlock, /* db_get_principal */ krb5_ldap_get_principal, /* db_free_principal */ krb5_ldap_free_principal, /* db_put_principal */ krb5_ldap_put_principal, 
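Review bot: The new error-table entry misspells "operation" in its message text, and since this string is what error_message() returns to administrators (and what the ldap_misc.c stubs embed in their "LDAP %s" message), the typo will surface in every "unsupported operation" report. Change the line to `ec KRB5_KDB_PLUGIN_OP_NOTSUPP, "Plugin does not support the operation"`. The generated kdb5_err.h/.c must be regenerated after the edit, but no other code depends on the wording.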
@@ -68,11 +69,12 @@ kdb_vftabl kdb_function_table = { /* db_iter_policy */ krb5_ldap_iterate_password_policy, /* db_delete_policy */ krb5_ldap_delete_password_policy, /* db_free_policy */ krb5_ldap_free_password_policy, - /* db_supported_realms */ NULL, - /* db_free_supported_realms */ NULL, - /* errcode_2_string */ NULL, + /* db_supported_realms */ krb5_ldap_supported_realms, + /* db_free_supported_realms */ krb5_ldap_free_supported_realms, + /* errcode_2_string */ krb5_ldap_errcode_2_string, /* db_alloc */ krb5_ldap_alloc, /* db_free */ krb5_ldap_free, + /* optional functions */ /* set_master_key */ krb5_ldap_set_mkey, /* get_master_key */ krb5_ldap_get_mkey, /* setup_master_key_name */ NULL, diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 2c62522af..55b0690ec 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c 
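Review bot: The `errcode_2_string` slot is now wired to krb5_ldap_errcode_2_string, which according to the ldap_misc.c hunk in this same commit returns a krb5_error_code; in the kdb vftabl layout I am familiar with that slot is `const char *(*)(krb5_context, long)` and is paired with a release routine, so an integer error code would be handed back where a string pointer is expected and the first caller to print it would dereference a small integer. Please confirm the slot's declared type in kdb.h; if it is a string-returning function, the stub should `return NULL;` (no translation available) rather than KRB5_KDB_PLUGIN_OP_NOTSUPP, or the slot should stay NULL as it was until a real implementation exists. kdb_function_table starts outside this hunk.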
@@ -427,91 +427,6 @@ void kdb5_ldap_create(argc, argv) mask |= LDAP_REALM_PASSWDSERVERS; } #endif - else if (!strcmp(argv[i], "-enctypes")) { - char *tlist[MAX_LIST_ENTRIES] = {NULL}; - - if (++i > argc-1) - goto err_usage; - rparams->suppenctypes = (krb5_enctype *)malloc( - sizeof(krb5_enctype) * MAX_LIST_ENTRIES); - if (rparams->suppenctypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->suppenctypes, 0, sizeof(krb5_enctype) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist)) != 0) { - goto cleanup; - } - for(j = 0; tlist[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(tlist[j], - &rparams->suppenctypes[j]))) { - com_err(argv[0], retval, "Invalid encryption type '%s'", - tlist[j]); - krb5_free_list_entries(tlist); - goto err_nomsg; - } - } - rparams->suppenctypes[j] = END_OF_LIST; - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - krb5_free_list_entries(tlist); - } - else if (!strcmp(argv[i], "-defenctype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_enctype(argv[i], - &rparams->defenctype))) { - com_err(argv[0], retval, "'%s' specified for defenctype, " - "while creating realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFENCTYPE; - } - else if (!strcmp(argv[i], "-salttypes")) { - char *tlist[MAX_LIST_ENTRIES] = {NULL}; - - if (++i > argc-1) - goto err_usage; - rparams->suppsalttypes = (krb5_int32 *)malloc( - sizeof(krb5_int32) * MAX_LIST_ENTRIES); - if (rparams->suppsalttypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - memset(rparams->suppsalttypes, 0, sizeof(krb5_int32) * MAX_LIST_ENTRIES); - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist))) { - goto cleanup; - } - for(j = 0; tlist[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(tlist[j], - &rparams->suppsalttypes[j]))) { - com_err(argv[0], retval, "'%s' specified for salttypes, " - 
"while creating realm '%s'", - tlist[j], global_params.realm); - krb5_free_list_entries(tlist); - goto err_nomsg; - } - } - rparams->suppsalttypes[j] = END_OF_LIST; - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - krb5_free_list_entries(tlist); - } - else if (!strcmp(argv[i], "-defsalttype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_salttype(argv[i], - &rparams->defsalttype))) { - com_err(argv[0], retval, "'%s' specified for defsalttype, " - "while creating realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFSALTTYPE; - } else if (!strcmp(argv[i], "-s")) { do_stash = 1; } 
@@ -530,43 +445,6 @@ void kdb5_ldap_create(argc, argv) * default values and also add to the list of supported * enctypes/salttype */ - if ( !(mask & LDAP_REALM_DEFENCTYPE) && (rparams != NULL)) { - rparams->defenctype = ENCTYPE_DES3_CBC_SHA1; - mask |= LDAP_REALM_DEFENCTYPE; - printf("Default enctype not specified: \"des3-cbc-sha1\" " - "will be added as the default enctype and to the " - "list of supported enctypes.\n"); - - /* Now, add this to the list of supported enctypes. The - * duplicate values will be removed in DAL-LDAP - */ - if (mask & LDAP_REALM_SUPPENCTYPE) { - for (i=0; rparams->suppenctypes[i] != END_OF_LIST; i++) - ; - assert (i < END_OF_LIST - 1); - rparams->suppenctypes[i] = ENCTYPE_DES3_CBC_SHA1; - rparams->suppenctypes[i + 1] = END_OF_LIST; - } - } - - if ( !(mask & LDAP_REALM_DEFSALTTYPE) && (rparams != NULL)) { - rparams->defsalttype = KRB5_KDB_SALTTYPE_NORMAL; - mask |= LDAP_REALM_DEFSALTTYPE; - printf("Default salttype not specified: \"normal\" will be " - "added as the default salttype and to the list of " - "supported salttypes.\n"); - - /* Now, add this to the list of supported salttypes. The - * duplicate values will be removed in DAL-LDAP - */ - if (mask & LDAP_REALM_SUPPSALTTYPE) { - for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; i++) - ; - assert (i < END_OF_LIST - 1); - rparams->suppsalttypes[i] = KRB5_KDB_SALTTYPE_NORMAL; - rparams->suppsalttypes[i + 1] = END_OF_LIST; - } - } rblock.max_life = global_params.max_life; rblock.max_rlife = global_params.max_rlife; @@ -761,7 +639,7 @@ void kdb5_ldap_create(argc, argv) /* Create special principals inside the realm subtree */ { - char princ_name[MAX_PRINC_SIZE], localname[MAXHOSTNAMELEN]; + char princ_name[MAX_PRINC_SIZE]; struct hostent *hp = NULL; krb5_principal_data tgt_princ = { 0, /* magic number */ 
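Review bot: `localname` is dropped from the declaration but `struct hostent *hp = NULL;` on the following line is kept, and once the gethostbyname() call is removed later in this commit it no longer has any use; delete `struct hostent *hp = NULL;` as well so the compiler does not warn about an unused variable. `princ_name` may be in the same situation if nothing earlier in the block still formats into it — I can only see the tail of the block, so that needs checking. kdb5_ldap_create starts and ends outside this hunk.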
@@ -770,7 +648,7 @@ void kdb5_ldap_create(argc, argv) 2, /* int length */ KRB5_NT_SRV_INST /* int type */ }; - krb5_principal p; + krb5_principal p, temp_p=NULL; krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm); krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm)); 
@@ -842,31 +720,32 @@ void kdb5_ldap_create(argc, argv) krb5_free_principal(util_context, p); /* Create 'kadmin/<hostname>' ... */ - if (gethostname(localname, sizeof(localname))) { - retval = errno; - com_err(argv[0], retval, "gethostname, while adding entries to the database"); - goto err_nomsg; + if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { + com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database"); + goto err_nomsg; } - hp = gethostbyname(localname); - if (hp == NULL) { - retval = errno; - com_err(argv[0], retval, "gethostbyname, while adding entries to the database"); - goto err_nomsg; + + if((retval=krb5_copy_principal(util_context, p, &temp_p))) { + com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database"); + goto err_nomsg; } - assert (sizeof(princ_name) >= strlen(hp->h_name) + strlen(global_params.realm) + 9); - /* snprintf(princ_name, MAXHOSTNAMELEN + 8, "kadmin/%s", hp->h_name); */ - snprintf(princ_name, sizeof(princ_name), "kadmin/%s@%s", hp->h_name, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(argv[0], retval, "while adding entries to the database"); - goto err_nomsg; + + /* change the realm portion to the default realm */ + free( temp_p->realm.data ); + temp_p->realm.length = strlen( util_context->default_realm ); + temp_p->realm.data = strdup( util_context->default_realm ); + if( temp_p->realm.data == NULL ) { + com_err(argv[0], ENOMEM, "while adding entries to the database"); + goto err_nomsg; } rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { krb5_free_principal(util_context, p); com_err(argv[0], retval, "while adding entries to the database"); goto err_nomsg; } + krb5_free_principal(util_context, temp_p); 
krb5_free_principal(util_context, p); if (ldap_context->lrparams->subtree != NULL) 
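Review bot: The kadmin/<host> principal is now created in `util_context->default_realm`, but the realm this command is creating is `global_params.realm` (used for tgt_princ just above and by the snprintf this hunk removes); when `-r` names a realm other than the configured default the kadmin service principal lands in the wrong realm, and if no default_realm is configured at all `strlen(util_context->default_realm)` dereferences NULL. The error paths also leak: `p` is not freed when krb5_copy_principal or strdup fails, and `temp_p` is not freed when kdb_ldap_create_principal fails. Below is the sequence rewritten to use global_params.realm, to set realm.length only after strdup succeeds, and to free both principals on every exit; whether krb5_free_principal tolerates a NULL realm.data should be confirmed, which is why length is zeroed on that path. kdb5_ldap_create starts and ends outside this hunk.
```c
    /* Create 'kadmin/<hostname>' in the realm being created (global_params.realm),
     * which differs from the context's default realm when -r is given. */
    if ((retval = krb5_sname_to_principal(util_context, NULL, "kadmin",
                                          KRB5_NT_SRV_HST, &p))) {
        com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database");
        goto err_nomsg;
    }
    if ((retval = krb5_copy_principal(util_context, p, &temp_p))) {
        krb5_free_principal(util_context, p);
        com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database");
        goto err_nomsg;
    }
    free(temp_p->realm.data);
    temp_p->realm.data = strdup(global_params.realm);
    if (temp_p->realm.data == NULL) {
        temp_p->realm.length = 0;
        krb5_free_principal(util_context, temp_p);
        krb5_free_principal(util_context, p);
        com_err(argv[0], ENOMEM, "while adding entries to the database");
        goto err_nomsg;
    }
    temp_p->realm.length = strlen(temp_p->realm.data);

    rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
    if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
        krb5_free_principal(util_context, temp_p);
        krb5_free_principal(util_context, p);
        com_err(argv[0], retval, "while adding entries to the database");
        goto err_nomsg;
    }
    krb5_free_principal(util_context, temp_p);
    krb5_free_principal(util_context, p);
    /* … unchanged: subtree handling … */
```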
@@ -1472,220 +1351,6 @@ void kdb5_ldap_modify(argc, argv) } } #endif - else if (!strcmp(argv[i], "-enctypes")) { - if (++i > argc-1) - goto err_usage; - if (rmask & LDAP_REALM_SUPPENCTYPE) - free(rparams->suppenctypes); - rparams->suppenctypes = (krb5_enctype *)malloc( - sizeof(krb5_enctype) * MAX_LIST_ENTRIES); - if (rparams->suppenctypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(list[j], - &rparams->suppenctypes[j]))) { - com_err(argv[0], retval, "'%s' specified for enctypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - rparams->suppenctypes[j] = END_OF_LIST; - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - /* Going to replace the existing value by this new value. Hence - * setting flag indicating that add or clear options will be ignored - */ - newenctypes = 1; - krb5_free_list_entries(list); - } - else if (!strcmp(argv[i], "-clearenctypes")) { - if (++i > argc-1) - goto err_usage; - if ((!newenctypes) && (rparams->suppenctypes != NULL)) { - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - memset(tlist, END_OF_LIST, sizeof(int) * MAX_LIST_ENTRIES); - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for clearenctypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - tlist[j] = END_OF_LIST; - j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist, - LIST_MODE_DELETE); - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-addenctypes")) { - if 
(++i > argc-1) - goto err_usage; - if (!newenctypes) { - int *tmp; - - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - existing_entries = list_count_int_array(rparams->suppenctypes); - list_entries = list_count_str_array(list); - - tmp = (krb5_enctype *) realloc (rparams->suppenctypes, - sizeof(krb5_enctype) * (existing_entries+list_entries+1)); - if (tmp == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->suppenctypes = tmp; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for addenctypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - tlist[j] = END_OF_LIST; - - j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist, - LIST_MODE_ADD); - qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype), - compare_int); - mask |= LDAP_REALM_SUPPENCTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-defenctype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_enctype(argv[i], - &rparams->defenctype))) { - com_err(argv[0], retval, "'%s' specified for defenctype, " - "while modifying information of realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFENCTYPE; - } - else if (!strcmp(argv[i], "-salttypes")) { - if (++i > argc-1) - goto err_usage; - if (rmask & LDAP_REALM_SUPPSALTTYPE) - free(rparams->suppsalttypes); - rparams->suppsalttypes = (krb5_int32 *)malloc( - sizeof(krb5_int32) * MAX_LIST_ENTRIES); - if (rparams->suppsalttypes == NULL) { - retval = ENOMEM; - goto cleanup; - } - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(list[j], - &rparams->suppsalttypes[j]))) { - com_err(argv[0], retval, "'%s' specified for salttypes, " - "while modifying information of 
realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - rparams->suppsalttypes[j] = END_OF_LIST; - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - /* Going to replace the existing value by this new value. Hence - * setting flag indicating that add or clear options will be ignored - */ - newsalttypes = 1; - krb5_free_list_entries(list); - } - else if (!strcmp(argv[i], "-clearsalttypes")) { - if (++i > argc-1) - goto err_usage; - if ((!newsalttypes) && (rparams->suppsalttypes != NULL)) { - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for clearsalttypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } - tlist[j] = END_OF_LIST; - j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist, - LIST_MODE_DELETE); - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-addsalttypes")) { - if (++i > argc-1) - goto err_usage; - if (!newsalttypes) { - int *tmp; - if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) - goto cleanup; - - existing_entries = list_count_int_array(rparams->suppsalttypes); - list_entries = list_count_str_array(list); - - tmp = (krb5_int32 *) realloc (rparams->suppsalttypes, - sizeof(krb5_int32) * (existing_entries+list_entries+1)); - if (tmp == NULL) { - retval = ENOMEM; - goto cleanup; - } - rparams->suppsalttypes = tmp; - - for(j = 0; list[j] != NULL; j++) { - if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) { - com_err(argv[0], retval, "'%s' specified for addsalttypes, " - "while modifying information of realm '%s'", - list[j], global_params.realm); - goto err_nomsg; - } - } 
- tlist[j] = END_OF_LIST; - j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist, - LIST_MODE_ADD); - qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32), - compare_int); - mask |= LDAP_REALM_SUPPSALTTYPE; - krb5_free_list_entries(list); - } - } - else if (!strcmp(argv[i], "-defsalttype")) { - if (++i > argc-1) - goto err_usage; - if ((retval = krb5_string_to_salttype(argv[i], - &rparams->defsalttype))) { - com_err(argv[0], retval, "'%s' specified for defsalttype, " - "while modifying information of realm '%s'", - argv[i], global_params.realm); - goto err_nomsg; - } - mask |= LDAP_REALM_DEFSALTTYPE; - } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { mask|=ret_mask; 
@@ -2169,50 +1834,6 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) if (num_entry_printed == 0) printf("\n"); } - if (mask & LDAP_REALM_SUPPENCTYPE) { - printf("%25s:", "Supported Enc Types"); - if (rparams->suppenctypes != NULL) { - num_entry_printed = 0; - for(tmplist = rparams->suppenctypes; *tmplist != END_OF_LIST; - tmplist++) { - retval = krb5_enctype_to_string(*tmplist, buff, BUFF_LEN); - if (retval == 0) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", buff); - else - printf(" %-50s\n", buff); - num_entry_printed++; - } - } - } - if (num_entry_printed == 0) - printf("\n"); - } - if (mask & LDAP_REALM_DEFENCTYPE) { - retval = krb5_enctype_to_string(rparams->defenctype, buff, BUFF_LEN); - if (retval == 0) { - printf("%25s: %-50s\n", "Default Enc Type", buff); - } - } - if (mask & LDAP_REALM_SUPPSALTTYPE) { - printf("%25s:", "Supported Salt Types"); - if (rparams->suppsalttypes != NULL) { - num_entry_printed = 0; - for(tmplist = rparams->suppsalttypes; *tmplist != END_OF_LIST; - tmplist++) { - retval = krb5_salttype_to_string(*tmplist, buff, BUFF_LEN); - if (retval == 0) { - if (num_entry_printed) - printf(" %25s %-50s\n", " ", buff); - else - printf(" %-50s\n", buff); - num_entry_printed++; - } - } - } - if (num_entry_printed == 0) - printf("\n"); - } if (mask & LDAP_REALM_MAXTICKETLIFE) { printf("%25s:", "Maximum Ticket Life"); printf(" %s \n", strdur(rparams->max_life)); @@ -2222,10 +1843,11 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) printf("%25s:", "Maximum Renewable Life"); printf(" %s \n", strdur(rparams->max_renewable_life)); } - printf("%25s: ", "Ticket flags"); - if (mask & LDAP_POLICY_TKTFLAGS) { + + if (mask & LDAP_REALM_KRBTICKETFLAGS) { int ticketflags = rparams->tktflags; + printf("%25s: ", "Ticket flags"); if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) printf("%s ","DISALLOW_POSTDATED"); 
@@ -2261,16 +1883,9 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) printf("%s ","PWCHANGE_SERVICE"); - } - if (mask & LDAP_REALM_DEFSALTTYPE) { - retval = krb5_salttype_to_string(rparams->defsalttype, buff, BUFF_LEN); - if (retval == 0) { - printf("\n%25s: %-50s\n", "Default Salt Type", buff); - } + printf("\n"); } - /* if (mask & LDAP_REALM_POLICYREFERENCE) - printf("%25s: %-50s\n", "Policy Reference", rparams->policyreference);*/ return; diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index 69e3b7694..1ce08feb2 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -1743,9 +1743,12 @@ kdb5_ldap_set_service_password(argc, argv) errcode = tohex(pwd, &hex); if (errcode != 0) { - if(hex.length != 0) + if(hex.length != 0) { + memset(hex.data, 0, hex.length); free(hex.data); + } com_err(me, errcode, "Failed to convert the password to hex"); + memset(passwd, 0, passwd_len); goto cleanup; } /* Password = {CRYPT}<encrypted password>:<encrypted key> */ @@ -1754,6 +1757,7 @@ kdb5_ldap_set_service_password(argc, argv) if (encrypted_passwd.value == NULL) { com_err(me, ENOMEM, "while setting service object password"); memset(passwd, 0, passwd_len); + memset(hex.data, 0, hex.length); free(hex.data); goto cleanup; } @@ -1761,6 +1765,8 @@ kdb5_ldap_set_service_password(argc, argv) 1 + 5 + hex.length + 1] = '\0'; sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data); encrypted_passwd.len = strlen((char *)encrypted_passwd.value); + memset(hex.data, 0, hex.length); + free(hex.data); } /* We should check if the file exists and we have permission to write into that file */ 
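Review bot: The new `memset(hex.data, 0, hex.length)` and `memset(passwd, 0, passwd_len)` calls each immediately precede a free() or a jump to cleanup, which is exactly the dead store a compiler is entitled to delete, so the hex-encoded service password can still be left in freed heap memory. Use a zeroization routine the optimizer cannot elide (one that writes through a volatile pointer or ends with a memory barrier) and fold the three identical clear-then-free sequences on hex.data into one small helper, e.g. a `static void zap_free(void *p, size_t len)` so each site becomes `zap_free(hex.data, hex.length);`. The cleanup block at the end of this function (next hunk) still does `if (passwd) free(passwd);` without clearing; unless a clear I cannot see happens on the success path, add `memset(passwd, 0, passwd_len);` (via the same helper) before that free. kdb5_ldap_set_service_password starts and ends outside this hunk.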
@@ -1912,8 +1918,10 @@ cleanup: if (passwd) free(passwd); - if (encrypted_passwd.value) + if (encrypted_passwd.value) { + memset(encrypted_passwd.value, 0, encrypted_passwd.len); free(encrypted_passwd.value); + } if (pfile) fclose(pfile); @@ -1949,6 +1957,7 @@ kdb5_ldap_stash_service_password(argc, argv) FILE *pfile = NULL; krb5_boolean print_usage = FALSE; krb5_data hexpasswd = {0, 0, NULL}; + mode_t old_mode = 0; /* * Format: @@ -2047,16 +2056,17 @@ done: ret = tohex(pwd, &hexpasswd); if(ret != 0){ - if(hexpasswd.length != 0) - free(hexpasswd.data); com_err(me, ret, "Failed to convert the password to hexadecimal"); + memset(passwd, 0, passwd_len); goto cleanup; } } + memset(passwd, 0, passwd_len); /* TODO: file lock for the service passowrd file */ /* set password in the file */ + old_mode = umask(0177); pfile = fopen(file_name, "a+"); if (pfile == NULL) { com_err(me, errno, "Failed to open file %s: %s", file_name, @@ -2064,6 +2074,7 @@ done: goto cleanup; } rewind (pfile); + umask(old_mode); while (fgets (line, MAX_LEN, pfile) != NULL) { if ((str = strstr (line, service_object)) != NULL) { @@ -2162,6 +2173,11 @@ done: cleanup: + if(hexpasswd.length != 0) { + memset(hexpasswd.data, 0, hexpasswd.length); + free(hexpasswd.data); + } + if (service_object) free(service_object); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M index 20dc3e726..5ff7615f1 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M 
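Review bot: The umask is restored only after fopen() succeeds; on the `pfile == NULL` path the function jumps to cleanup with the process umask still set to 0177, which is a surprise for any code that runs afterwards. Restore it unconditionally right after the call, before the NULL check: `old_mode = umask(0177); pfile = fopen(file_name, "a+"); umask(old_mode);`. Note also that umask only governs a file created by this open — a pre-existing service password file keeps whatever mode it already has — so to actually guarantee the stash is not group/world readable the code should verify the mode (or `fchmod(fileno(pfile), 0600)`) after opening, and the `TODO: file lock` comment still applies because the read-then-rewrite between fopen and the write is unsynchronized. kdb5_ldap_stash_service_password starts and ends outside this hunk.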
@@ -29,7 +29,7 @@ a Kerberos realm. Specifies the SSL port number of the LDAP server. .SH COMMANDS .TP -\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] +\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] Creates realm in directory. Options: .RS .TP 
@@ -41,18 +41,6 @@ Specifies the scope for searching the principals under the .IR subtree . The possible values are 1 or one (one level), 2 or sub (subtree). .TP -\fB\-enctypes\fP\ \fIsupported_enc_types\fP -Specifies the encryption types supported by the realm. This is a colon-separated list. -.TP -\fB\-defenctype\fP\ \fIdefault_enc_type\fP -Specifies the default encryption type for the realm. This is also a part of supported enctypes list. -.TP -\fB\-salttypes\fP\ \fIsupported_salt_types\fP -Specifies the salt types supported by the realm. This is a colon-separated list. -.TP -\fB\-defsalttype\fP\ \fIdefault_salt_type\fP -Specifies the default salt types for the realm. -.TP \fB\-k\fP\ \fImkeytype\fP Specifies the key type of the master key in the database; the default is that given in 
@@ -235,7 +223,7 @@ Re-enter KDC database master key to verify: .RE .TP -\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP | [\fB\-clearenctypes\fP\ \fIenc_type_list\fP] [\fB\-addenctypes\fP\ \fIenc_type_list\fP]] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP | [\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP] [\fB\-addsalttypes\fP\ \fIsalt_type_list\fP]] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] +\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] Modifies the attributes of a realm. Options: .RS 
@@ -248,34 +236,6 @@ Specifies the scope for searching the principals under the .IR subtree . The possible values are 1 or one (one level), 2 or sub (subtree). .TP -\fB\-enctypes\fP\ \fIsupported_enc_types\fP -Specifies the encryption types supported by the realm. This is a colon-separated list. -.TP -\fB\-clearenctypes\fP\ \fIenc_type_list\fP -Specifies the encryption types that need to be removed from the supported encryption types -of the realm. This is a colon-separated list. -.TP -\fB\-addenctypes\fP\ \fIenc_type_list\fP -Specifies the encryption types that need to be added to the supported encryption types of the -realm. This is a colon-separated list. -.TP -\fB\-defenctype\fP\ \fIdefault_enc_type\fP -Specifies the default encryption type for the realm. -.TP -\fB\-salttypes\fP\ \fIsupported_salt_types\fP -Specifies the salt types supported by the realm. This is a colon-separated list. -.TP -\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP -Specifies the salt types that need to be removed from the supported salt types of the realm. -This is a colon-separated list. -.TP -\fB\-addsalttypes\fP\ \fIsalt_type_list\fP -Specifies the salt types that need to be added to the supported salt types of the realm. This -is a colon-separated list. -.TP -\fB\-defsalttype\fP\ \fIdefault_salt_type\fP -Specifies the default salt type for the realm. -.TP \fB\-maxtktlife\fP\ \fImax_ticket_life\fP Specifies maximum ticket life for principals in this realm. .TP @@ -476,14 +436,6 @@ Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org SearchScope: ONE - Supported Enc Types: DES cbc mode with RSA-MD5 - Triple DES cbc mode with HMAC/sha1 - Default Enc Type: Triple DES cbc mode with HMAC/sha1 - Supported Salt Types: Version 5 - Version 4 - Special - AFS version 3 - Default Salt Type: Version 5 Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE 
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c index 889151531..4b07b2754 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c @@ -107,7 +107,7 @@ krb5_boolean manual_mkey = FALSE; void usage() { fprintf(stderr, "Usage: " -"kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n" +"kdb5_ldap_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n" "\tcmd [cmd_options]\n" /* Create realm */ @@ -116,8 +116,6 @@ void usage() "\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n" "\t\t[-pwddn passwd_service_list]\n" #endif -"\t\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n" -"\t\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n" "\t\t[-m|-P password|-sf stashfilename] [-k mkeytype]\n" "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" "\t\t[ticket_flags] [-r realm]\n" @@ -131,10 +129,6 @@ void usage() "\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n" "\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n" #endif -"\t\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n" -"\t\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n" -"\t\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n" -"\t\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n" "\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" "\t\t[ticket_flags] [-r realm]\n" /* View realm */ @@ -508,6 +502,8 @@ int main(argc, argv) goto cleanup; } + ldap_context->kcontext = util_context; + /* If LDAP parameters are specified, replace them with the values from config */ if (ldapmask & CMD_LDAP_D) { /* If password is not specified, prompt for it */ 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in index 1b650c530..c6cec5752 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in +++ b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in @@ -31,7 +31,7 @@ SHLIB_EXPDEPS = \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(SUPPORT_DEPLIB) \ $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(SUPPORT_LIB) -lldap -llber $(LIBS) +SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(COM_ERR_LIB) $(SUPPORT_LIB) -lldap -llber $(LIBS) SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index 358bf152f..7c3622425 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -236,6 +236,7 @@ krb5_error_code krb5_ldap_open( krb5_context context, goto clean_n_exit; } + ldap_context->kcontext = context; while ( t_ptr && *t_ptr ) { diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 888fed0c5..2bb3b8574 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -201,6 +201,7 @@ typedef struct _krb5_ldap_context { k5_mutex_t hndl_lock; krb5_ldap_krbcontainer_params *krbcontainer; krb5_ldap_realm_params *lrparams; + krb5_context kcontext; /* to set the error code and message */ } krb5_ldap_context; 
@@ -259,4 +260,24 @@ krb5_ldap_read_startup_information(krb5_context ); int has_sasl_external_mech(krb5_context, char *); +/* DAL functions */ + +krb5_error_code +krb5_ldap_set_option( krb5_context, int, void * ); + +krb5_error_code +krb5_ldap_lock( krb5_context, int ); + +krb5_error_code +krb5_ldap_unlock( krb5_context ); + +krb5_error_code +krb5_ldap_supported_realms( krb5_context, char ** ); + +krb5_error_code +krb5_ldap_free_supported_realms( krb5_context, char ** ); + +krb5_error_code +krb5_ldap_errcode_2_string( krb5_context, long ); + #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c index b0902d23c..5832554ad 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c @@ -161,7 +161,8 @@ krb5_ldap_initialize(ldap_context, server_info) if((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name, port)) == NULL) { st = KRB5_KDB_ACCESS_ERROR; - krb5_set_error_message (0, st, "%s", strerror(errno)); + if (ldap_context->kcontext) + krb5_set_error_message (ldap_context->kcontext, st, "%s", strerror(errno)); goto err_out; } @@ -170,7 +171,8 @@ krb5_ldap_initialize(ldap_context, server_info) server_info->server_status = ON; krb5_update_ldap_handle(ldap_server_handle, server_info); } else { - krb5_set_error_message (0, KRB5_KDB_ACCESS_ERROR, "%s", + if (ldap_context->kcontext) + krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s", ldap_err2string(st)); st = KRB5_KDB_ACCESS_ERROR; server_info->server_status = OFF; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 153a3c63e..af061640b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 
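Review bot: `krb5_set_error_message` is now called on `ldap_context->kcontext`, a krb5_context cached in the shared ldap_context rather than the context of the caller that is failing. A krb5_context is not documented as safe for concurrent use, and the `hndl_lock` mutex visible in the same struct suggests ldap_context is reached from more than one thread; if so, two simultaneous connection failures race on the same context's error buffer, and the message is in any case only visible through the cached context, not the one the failing caller holds. Prefer threading the caller's context into krb5_ldap_initialize, or add a comment on the new field stating under which lock it may be used, e.g. `/* Only dereferenced under hndl_lock; must outlive this ldap_context */`. Separately, `strerror(errno)` after a NULL return from ldap_init() is only meaningful if the LDAP library sets errno on that path — otherwise the reported text is stale. krb5_ldap_initialize starts and ends outside this hunk.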
@@ -1469,3 +1469,52 @@ krb5_add_int_mem_ldap_mod(mods, attribute, op, value)
 return ENOMEM;
 return 0;
 }
+
+krb5_error_code
+krb5_ldap_set_option( krb5_context kcontext, int option, void *value )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_lock( krb5_context kcontext, int mode )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_unlock( krb5_context kcontext )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_supported_realms( krb5_context kcontext, char **realms )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_free_supported_realms( krb5_context kcontext, char **realms )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_errcode_2_string( krb5_context kcontext, long err_code )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 6509ff9e7..52c113cd5 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
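Review bot: The six new functions in this ldap_misc.c hunk have byte-identical three-line bodies, and the ldap_realm.c hunk repeats the same lines twice more in krb5_ldap_create_realm_1 and krb5_ldap_delete_realm_1; one static helper would keep the error code and the "LDAP %s" message format in a single place, and the unused parameters (option, value, mode, realms, err_code) would then be confined to thin wrappers. krb5_ldap_errcode_2_string is the odd one out: if the vtable consumer calls it to turn a plugin error code into text, it now fails while trying to explain a failure, and how that consumer treats an error from this entry point is not visible here. The change I would make is the helper below, with each wrapper's body reduced to `return ldap_op_not_supported(kcontext);`.
```c
/* Shared body for DAL entry points the LDAP back end does not implement:
 * record the condition on the context and hand the code back to the caller. */
static krb5_error_code
ldap_op_not_supported(krb5_context kcontext)
{
    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;

    krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
    return status;
}

krb5_error_code
krb5_ldap_set_option(krb5_context kcontext, int option, void *value)
{
    return ldap_op_not_supported(kcontext);
}

/* … unchanged apart from the same one-line body: krb5_ldap_lock, krb5_ldap_unlock,
 * krb5_ldap_supported_realms, krb5_ldap_free_supported_realms,
 * krb5_ldap_errcode_2_string … */
```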
@@ -205,10 +205,7 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more)
 if(attr_present == TRUE){
 if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0)
 goto cleanup;
- }
- if(!(mask & KDB_MAX_LIFE_ATTR) && !(mask & KDB_MAX_RLIFE_ATTR) && !(mask & KDB_TKT_FLAGS_ATTR)){
- if (attr_present == TRUE)
- mask |= KDB_POL_REF_ATTR;
+ mask |= KDB_POL_REF_ATTR;
 }
 /* KRBPWDPOLICYREFERENCE */
@@ -1068,7 +1065,7 @@ krb5_read_tkt_policyreference(context, ldap_context, entries, policydn)
 if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)
 goto cleanup;
- if ((mask & tkt_mask) != tkt_mask) {
+ if ((mask & tkt_mask) == 0) {
 if (policydn != NULL) {
 st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask);
 if (st && st != KRB5_KDB_NOENTRY) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
index 2ac8219c1..87f619c9d 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
@@ -1648,3 +1648,21 @@ krb5_ldap_free_realm_params(rparams)
 }
 return;
 }
+
+/* DAL functions */
+
+krb5_error_code
+krb5_ldap_create_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
index fabc316ca..21d7d877c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
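Review bot: The condition change in the second ldap_principal2.c hunk, from `(mask & tkt_mask) != tkt_mask` to `(mask & tkt_mask) == 0`, moves the policy lookup from "any of the ticket attributes is missing" to "all of them are missing". If the body of that if fills in only the attributes the principal entry lacks (it continues outside the hunk, so I cannot confirm that), an entry that sets just one of KDB_MAX_LIFE_ATTR, KDB_MAX_RLIFE_ATTR or KDB_TKT_FLAGS_ATTR no longer inherits the policy's other values, which would silently relax restrictions expressed only at the policy level, ticket flags in particular. The first hunk changes the KDB_POL_REF_ATTR marking in the same direction, so this reads as intended; a comment above the test, `/* The policy applies only when the entry carries none of the ticket attributes; a partial override disables it entirely. */`, would record the rule for the next reader. krb5_read_tkt_policyreference's body starts and ends outside the hunk.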
@@ -68,7 +68,6 @@ typedef struct _krb5_ldap_realm_params {
 krb5_int32 defsalttype;
 krb5_enctype *suppenctypes;
 krb5_int32 *suppsalttypes;
- char **ldapservers;
 char **kdcservers;
 char **adminservers;
 char **passwdservers;
@@ -96,4 +95,10 @@ krb5_ldap_read_realm_params(krb5_context , char *, krb5_ldap_realm_params **, in
 void krb5_ldap_free_realm_params(krb5_ldap_realm_params *);
+krb5_error_code
+krb5_ldap_create_realm_1(krb5_context, char *, char **);
+
+krb5_error_code
+krb5_ldap_delete_realm_1(krb5_context, char *, char **);
+
 #endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
index 865fe21a1..702f548c5 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
@@ -136,6 +136,26 @@ krb5_ldap_readpassword(context, ldap_context, password)
 CT.len = strlen((char *)CT.value);
 st = dec_password(CT, &PT);
 if(st != 0){
+ switch (st) {
+ case ERR_NO_MEM:
+ st = ENOMEM;
+ break;
+ case ERR_PWD_ZERO:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password has zero length");
+ break;
+ case ERR_PWD_BAD:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password corrupted");
+ break;
+ case ERR_PWD_NOT_HEX:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Not a hexadecimal password");
+ break;
+ default:
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ break;
+ }
 goto rp_exit;
 }
 *password = PT.value;
@@ -192,6 +212,11 @@ tohex(in, ret)
 * <secret> := {HEX}<password in hexadecimal>
 *
 * <password> is the actual eDirectory password of the service
+ * Return values:
+ * ERR_NO_MEM - No Memory
+ * ERR_PWD_ZERO - Password has zero length
+ * ERR_PWD_BAD - Passowrd corrupted
+ * ERR_PWD_NOT_HEX - Not a hexadecimal password
 */
 int dec_password(struct data pwd, struct data *ret){
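Review bot: dec_password() now returns the private codes ERR_NO_MEM through ERR_PWD_NOT_HEX, which the ldap_service_stash.h hunk defines as plain integers 1–4 and which overlap the low errno values, whereas its old return values were ENOMEM/EINVAL; the switch added in the first ldap_service_stash.c hunk translates them back for krb5_ldap_readpassword, but any other caller of dec_password() (the diff touches only this one) would now see, for example, code 1 — EPERM on most systems — for an allocation failure. An enum in the header, `enum { ERR_NO_MEM = 1, ERR_PWD_ZERO, ERR_PWD_BAD, ERR_PWD_NOT_HEX };`, and one sentence in the new comment block saying these are not errno values would make the convention visible at the definition; the same applies to the four dec_password hunks that assign them. The `default:` arm maps anything unexpected to KRB5_KDB_SERVER_INTERNAL_ERR with no message, which is acceptable as long as dec_password() keeps to the four documented codes. The comment line `ERR_PWD_BAD - Passowrd corrupted` also carries a typo.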
@@ -202,8 +227,7 @@ int dec_password(struct data pwd, struct data *ret){
 ret->value = NULL;
 if (pwd.len == 0) {
- err = EINVAL;
- krb5_set_error_message (0, err, "Password has zero length");
+ err = ERR_PWD_ZERO;
 ret->len = 0;
 goto cleanup;
 }
@@ -214,14 +238,13 @@ int dec_password(struct data pwd, struct data *ret){
 if((pwd.len - strlen("{HEX}")) % 2 != 0){
 /* A hexadecimal encoded password should have even length */
- err = EINVAL;
- krb5_set_error_message (0, err, "Password corrupted");
+ err = ERR_PWD_BAD;
 ret->len = 0;
 goto cleanup;
 }
 ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1);
 if(ret->value == NULL){
- err = ENOMEM;
+ err = ERR_NO_MEM;
 ret->len = 0;
 goto cleanup;
 }
@@ -231,8 +254,7 @@ int dec_password(struct data pwd, struct data *ret){
 int k;
 /* Check if it is a hexadecimal number */
 if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) {
- err = EINVAL;
- krb5_set_error_message (0, err, "Not a hexadecimal password");
+ err = ERR_PWD_NOT_HEX;
 ret->len = 0;
 goto cleanup;
 }
@@ -241,8 +263,7 @@ int dec_password(struct data pwd, struct data *ret){
 }
 goto cleanup;
 } else {
- err = EINVAL;
- krb5_set_error_message (0, err, "Not a hexadecimal password");
+ err = ERR_PWD_NOT_HEX;
 ret->len = 0;
 goto cleanup;
 }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h
index c51d1a172..bd7e3dc63 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h
@@ -37,6 +37,11 @@ struct data{
 unsigned char *value;
 };
+#define ERR_NO_MEM 1
+#define ERR_PWD_ZERO 2
+#define ERR_PWD_BAD 3
+#define ERR_PWD_NOT_HEX 4
+
 int dec_password(struct data, struct data *);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
index 2e75b7eae..8178271ea 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
+++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
@@ -39,3 +39,11 @@ krb5_ldap_free
 krb5_ldap_set_mkey
 krb5_ldap_get_mkey
 disjoint_members
+krb5_ldap_create_realm_1
+krb5_ldap_delete_realm_1
+krb5_ldap_set_option
+krb5_ldap_lock
+krb5_ldap_unlock
+krb5_ldap_supported_realms
+krb5_ldap_free_supported_realms
+krb5_ldap_errcode_2_string |
