54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/*
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * kadmin/ldap_util/kdb5_ldap_policy.c
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
dd9ccd46893ed9c4247368a00a0253d45a26311c/*
dd9ccd46893ed9c4247368a00a0253d45a26311c * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
dd9ccd46893ed9c4247368a00a0253d45a26311c * Use is subject to license terms.
dd9ccd46893ed9c4247368a00a0253d45a26311c */
dd9ccd46893ed9c4247368a00a0253d45a26311c
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* Copyright (c) 2004-2005, Novell, Inc.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf *
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Redistribution and use in source and binary forms, with or without
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * modification, are permitted provided that the following conditions are met:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf *
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions of source code must retain the above copyright notice,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * this list of conditions and the following disclaimer.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions in binary form must reproduce the above copyright
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * notice, this list of conditions and the following disclaimer in the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * documentation and/or other materials provided with the distribution.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * The copyright holder's name is not used to endorse or promote products
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * derived from this software without specific prior written permission.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf *
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * POSSIBILITY OF SUCH DAMAGE.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/*
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Create / Delete / Modify / View / List policy objects.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include <stdio.h>
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include <time.h>
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include <k5-int.h>
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include <kadm5/admin.h>
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include <libintl.h>
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include <locale.h>
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include "kdb5_ldap_util.h"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include "kdb5_ldap_list.h"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#include "ldap_tkt_policy.h"
/*
 * Parser for the time specifications given to -maxtktlife and
 * -maxrenewlife; the callers below treat a return of (time_t)-1 as
 * "could not parse".
 */
extern time_t get_date(char *); /* kadmin/cli/getdate.o */

/* Both helpers are defined later in this file, outside this excerpt. */
static void print_policy_params(krb5_ldap_policy_params *policyparams, int mask);
static char *strdur(time_t duration);

/*
 * The exact line a user must type at destroy_policy's confirmation
 * prompt.  It is compared with strcmp() against an fgets() buffer, so it
 * presumably includes the trailing newline -- confirm in the defining
 * file before changing the prompt handling.
 */
extern char *yes;
/* Only .realm is used here: the realm whose LDAP parameters are loaded. */
extern kadm5_config_params global_params;
dd9ccd46893ed9c4247368a00a0253d45a26311c
/*
 * Make sure the realm-level LDAP state the policy commands rely on is
 * loaded: the Kerberos container parameters and the realm parameters for
 * global_params.realm.  Both are read lazily and cached on the
 * krb5_ldap_context hanging off util_context, so this is a no-op once
 * they are present.
 *
 * argc/argv are accepted for uniformity with the command handlers but
 * are not consulted.  Returns 0 on success, EINVAL if the DAL handle
 * carries no LDAP context, or the error from the failing read.  A
 * container read failure is reported here with com_err; a realm
 * parameter read failure is only returned, and callers report it.
 */
static krb5_error_code init_ldap_realm (int argc, char *argv[]) {
    kdb5_dal_handle *dal_handle = (kdb5_dal_handle *) util_context->db_context;
    krb5_ldap_context *ldap_context = (krb5_ldap_context *) dal_handle->db_context;
    krb5_error_code code = 0;
    int realm_mask = 0;

    (void) argc;
    (void) argv;

    if (ldap_context == NULL)
        return EINVAL;

    if (ldap_context->krbcontainer == NULL) {
        code = krb5_ldap_read_krbcontainer_params (util_context,
                                                   &(ldap_context->krbcontainer));
        if (code != 0) {
            /* Solaris Kerberos */
            com_err(progname, code, gettext("while reading kerberos container information"));
            return code;
        }
    }

    /* Already cached: nothing left to do. */
    if (ldap_context->lrparams != NULL)
        return 0;

    code = krb5_ldap_read_realm_params(util_context,
                                       global_params.realm,
                                       &(ldap_context->lrparams),
                                       &realm_mask);
    return code;
}
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
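/*
 * One "[+-]name" ticket-flag option accepted by create_policy.
 *
 * plus_sets_bit says what a leading '+' does.  For the allow_* options
 * '+' clears a KRB5_KDB_DISALLOW_* bit and '-' sets it; for
 * requires_preauth, requires_hwauth, needchange and
 * password_changing_service '+' sets the bit and '-' clears it.
 */
struct policy_tktflag_opt {
    const char *name;
    int bit;
    int plus_sets_bit;
};

static const struct policy_tktflag_opt policy_tktflag_opts[] = {
    { "allow_postdated",           KRB5_KDB_DISALLOW_POSTDATED,   FALSE },
    { "allow_forwardable",         KRB5_KDB_DISALLOW_FORWARDABLE, FALSE },
    { "allow_renewable",           KRB5_KDB_DISALLOW_RENEWABLE,   FALSE },
    { "allow_proxiable",           KRB5_KDB_DISALLOW_PROXIABLE,   FALSE },
    { "allow_dup_skey",            KRB5_KDB_DISALLOW_DUP_SKEY,    FALSE },
    { "requires_preauth",          KRB5_KDB_REQUIRES_PRE_AUTH,    TRUE  },
    { "requires_hwauth",           KRB5_KDB_REQUIRES_HW_AUTH,     TRUE  },
    { "allow_svr",                 KRB5_KDB_DISALLOW_SVR,         FALSE },
    { "allow_tgs_req",             KRB5_KDB_DISALLOW_TGT_BASED,   FALSE },
    { "allow_tix",                 KRB5_KDB_DISALLOW_ALL_TIX,     FALSE },
    { "needchange",                KRB5_KDB_REQUIRES_PWCHANGE,    TRUE  },
    { "password_changing_service", KRB5_KDB_PWCHANGE_SERVICE,     TRUE  },
};
#define N_POLICY_TKTFLAG_OPTS \
    (sizeof(policy_tktflag_opts) / sizeof(policy_tktflag_opts[0]))

/*
 * Largest argc create_policy can legitimately see: the subcommand word,
 * the policy DN, the two options that take a value, and every flag
 * option once.  The old hard-coded limit of 16 was two short of this and
 * rejected a command line that used every option.
 */
#define CREATE_POLICY_MAX_ARGC (1 + 1 + 2 * 2 + (int) N_POLICY_TKTFLAG_OPTS)

/*
 * Apply one ticket-flag word ("+name" / "-name") to *tktflags.
 *
 * Returns 1 if arg named a known option and was applied, 0 if arg is not
 * a ticket-flag option at all (the caller then treats it as the policy
 * DN), and -1 if the name matched but the leading character was neither
 * '+' nor '-', which is a usage error.  An empty arg is never an option:
 * it is rejected up front so arg + 1 is never formed past the terminator.
 */
static int
apply_policy_tktflag(const char *arg, int *tktflags)
{
    size_t k;
    char sign;

    if (arg == NULL || arg[0] == '\0')
        return 0;
    sign = arg[0];

    for (k = 0; k < N_POLICY_TKTFLAG_OPTS; k++) {
        const struct policy_tktflag_opt *opt = &policy_tktflag_opts[k];
        int set_bit;

        if (strcmp(arg + 1, opt->name) != 0)
            continue;
        if (sign != '+' && sign != '-')
            return -1;

        set_bit = (sign == '+') ? opt->plus_sets_bit : !opt->plus_sets_bit;
        if (set_bit)
            *tktflags |= opt->bit;
        else
            *tktflags &= ~opt->bit;
        return 1;
    }
    return 0;
}

/*
 * Parse a -maxtktlife / -maxrenewlife value.  spec is handed to
 * get_date() and the result is stored in *out as seconds relative to
 * now.  Returns 0 on success; on an unparsable spec reports the error
 * under me and returns EINVAL.
 *
 * NOTE(review): a spec that parses to a time before now yields a
 * negative duration and is stored as such, exactly as before; whether
 * the backend rejects that is not visible here -- confirm before adding
 * a range check.
 */
static krb5_error_code
parse_policy_duration(const char *me, char *spec, time_t now, time_t *out)
{
    time_t date = get_date(spec);

    if (date == (time_t)(-1)) {
        com_err(me, EINVAL, gettext("while providing time specification"));
        return EINVAL;
    }
    *out = date - now;
    return 0;
}

/*
 * create_policy [-maxtktlife spec] [-maxrenewlife spec] [[+-]flag ...] DN
 *
 * Create a ticket policy object with the given attributes.  The policy
 * DN is mandatory and may appear only once; every other word is either
 * one of the two value options or a ticket-flag option.  Usage errors
 * print the usage text; other failures are reported with com_err.  Both
 * bump exit_status.
 */
void
kdb5_ldap_create_policy(argc, argv)
    int argc;
    char *argv[];
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    int mask = 0;
    time_t duration = 0;
    time_t now = 0;
    int i = 0;

    if ((argc < 2) || (argc > CREATE_POLICY_MAX_ARGC))
        goto err_usage;

    policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params));
    if (policyparams == NULL) {
        retval = ENOMEM;
        goto cleanup;
    }

    /* Durations are given as absolute dates and converted relative to now. */
    time (&now);

    for (i = 1; i < argc; i++) {
        int applied;

        /* An empty word is neither an option nor a usable DN. */
        if (argv[i][0] == '\0')
            goto err_usage;

        if (strcmp(argv[i], "-maxtktlife") == 0) {
            if (++i > argc - 1)
                goto err_usage;
            retval = parse_policy_duration(me, argv[i], now, &duration);
            if (retval != 0)
                goto err_nomsg;
            policyparams->maxtktlife = duration;
            mask |= LDAP_POLICY_MAXTKTLIFE;
            continue;
        }

        if (strcmp(argv[i], "-maxrenewlife") == 0) {
            if (++i > argc - 1)
                goto err_usage;
            retval = parse_policy_duration(me, argv[i], now, &duration);
            if (retval != 0)
                goto err_nomsg;
            policyparams->maxrenewlife = duration;
            mask |= LDAP_POLICY_MAXRENEWLIFE;
            continue;
        }

        applied = apply_policy_tktflag(argv[i], &policyparams->tktflags);
        if (applied < 0)
            goto err_usage;
        if (applied > 0) {
            mask |= LDAP_POLICY_TKTFLAGS;
            continue;
        }

        /* Anything else is the policy DN, which may be given only once. */
        if (policyparams->policy != NULL)
            goto err_usage;

        policyparams->policy = strdup(argv[i]);
        if (policyparams->policy == NULL) {
            retval = ENOMEM;
            com_err(me, retval, gettext("while creating policy object"));
            goto err_nomsg;
        }
    }

    /* The DN is mandatory. */
    if (policyparams->policy == NULL)
        goto err_usage;

    retval = init_ldap_realm (argc, argv);
    if (retval != 0) {
        com_err(me, retval, gettext("while reading realm information"));
        goto err_nomsg;
    }

    /* Any failure here is reported generically in cleanup. */
    retval = krb5_ldap_create_policy(util_context, policyparams, mask);
    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    /* policyparams may still be NULL on the early usage exit. */
    krb5_ldap_free_policy (util_context, policyparams);

    if (print_usage)
        db_usage(CREATE_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, gettext("while creating policy object"));

        exit_status++;
    }

    return;
}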
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
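/*
 * destroy_policy [-force] DN
 *
 * Delete the named ticket policy object.  Unless -force is given the
 * user is asked to confirm on stdin and must type the exact line held in
 * the global 'yes'.  Usage errors print the usage text; other failures
 * are reported with com_err.  Both, and a declined confirmation, bump
 * exit_status.
 */
void
kdb5_ldap_destroy_policy(argc, argv)
    int argc;
    char *argv[];
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    char *policy = NULL;
    unsigned int mask = 0;
    int force = 0;
    char buf[5] = {0};
    int i = 0;

    /* The subcommand word, the DN, and optionally -force. */
    if ((argc < 2) || (argc > 3))
        goto err_usage;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-force") == 0) {
            force++;
            continue;
        }

        /* Anything else is the policy DN, which may be given only once. */
        if (policy != NULL)
            goto err_usage;

        policy = strdup(argv[i]);
        if (policy == NULL) {
            retval = ENOMEM;
            com_err(me, retval, gettext("while destroying policy object"));
            goto err_nomsg;
        }
    }

    /* The DN is mandatory. */
    if (policy == NULL)
        goto err_usage;

    if (!force) {
        printf(gettext("This will delete the policy object '%s', are you sure?\n"), policy);
        /* The catalog string takes no arguments, so do not let it act as
         * a printf format; make sure the prompt is visible before blocking. */
        fputs(gettext("(type 'yes' to confirm)? "), stdout);
        fflush(stdout);

        /* buf holds "yes\n" plus the terminator and nothing more: a longer
         * reply is truncated and simply fails the comparison below. */
        if (fgets(buf, sizeof(buf), stdin) == NULL) {
            retval = EINVAL;
            goto cleanup;
        }

        /* 'yes' is defined elsewhere; presumably "yes\n", so the newline
         * fgets() keeps is part of the match -- confirm there. */
        if (strcmp(buf, yes) != 0) {
            exit_status++;
            goto cleanup;
        }
    }

    /* Previously a failure here went to err_nomsg and was never reported;
     * report it the same way create_policy does. */
    retval = init_ldap_realm (argc, argv);
    if (retval != 0) {
        com_err(me, retval, gettext("while reading realm information"));
        goto err_nomsg;
    }

    /* The object is read only as an existence check before deleting;
     * its contents are not used. */
    retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask);
    if (retval != 0)
        goto cleanup;

    retval = krb5_ldap_delete_policy(util_context, policy);
    if (retval != 0)
        goto cleanup;

    printf(gettext("** policy object '%s' deleted.\n"), policy);
    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    /* policyparams is NULL unless the read above succeeded. */
    krb5_ldap_free_policy (util_context, policyparams);
    free (policy);

    if (print_usage)
        db_usage(DESTROY_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, gettext("while destroying policy object"));

        exit_status++;
    }

    return;
}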
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
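/*
 * One "+name"/"-name" ticket-flag option understood by modify_policy.
 *
 * For the allow_* options the KDB bit is a DISALLOW bit, so "+name"
 * clears it and "-name" sets it.  For requires_*, needchange and
 * password_changing_service the bit is positive, so "+name" sets it.
 */
struct tktflag_opt {
    const char *name;   /* option name without the leading '+' or '-' */
    int bit;            /* KRB5_KDB_* flag bit in policyparams->tktflags */
    int plus_sets;      /* nonzero: '+' sets the bit; zero: '+' clears it */
};

static const struct tktflag_opt tktflag_opts[] = {
    { "allow_postdated",           KRB5_KDB_DISALLOW_POSTDATED,   0 },
    { "allow_forwardable",         KRB5_KDB_DISALLOW_FORWARDABLE, 0 },
    { "allow_renewable",           KRB5_KDB_DISALLOW_RENEWABLE,   0 },
    { "allow_proxiable",           KRB5_KDB_DISALLOW_PROXIABLE,   0 },
    { "allow_dup_skey",            KRB5_KDB_DISALLOW_DUP_SKEY,    0 },
    { "requires_preauth",          KRB5_KDB_REQUIRES_PRE_AUTH,    1 },
    { "requires_hwauth",           KRB5_KDB_REQUIRES_HW_AUTH,     1 },
    { "allow_svr",                 KRB5_KDB_DISALLOW_SVR,         0 },
    { "allow_tgs_req",             KRB5_KDB_DISALLOW_TGT_BASED,   0 },
    { "allow_tix",                 KRB5_KDB_DISALLOW_ALL_TIX,     0 },
    { "needchange",                KRB5_KDB_REQUIRES_PWCHANGE,    1 },
    { "password_changing_service", KRB5_KDB_PWCHANGE_SERVICE,     1 },
};

enum {
    N_TKTFLAG_OPTS = (int)(sizeof(tktflag_opts) / sizeof(tktflag_opts[0])),
    N_VALUED_OPTS = 2,      /* -maxtktlife and -maxrenewlife take a value */
    /*
     * Largest argc the command can meaningfully receive: subcommand,
     * policy DN, each valued option with its value, and every flag option
     * once.  With twelve flags this is 18; the previous fixed limit of 16
     * rejected a legitimate command that set both lifetimes and all flags.
     */
    MODIFY_POLICY_MAX_ARGC = 2 + 2 * N_VALUED_OPTS + N_TKTFLAG_OPTS
};

/* Return the table entry whose name is NAME (sign already stripped), or NULL. */
static const struct tktflag_opt *
find_tktflag_opt(const char *name)
{
    size_t k;

    for (k = 0; k < (size_t)N_TKTFLAG_OPTS; k++) {
        if (strcmp(tktflag_opts[k].name, name) == 0)
            return &tktflag_opts[k];
    }
    return NULL;
}

/*
 * Decide what "<sign><opt->name>" means for the option's bit.
 * Returns 1 to set the bit, 0 to clear it, -1 if SIGN is neither '+' nor '-'.
 */
static int
tktflag_action(const struct tktflag_opt *opt, char sign)
{
    if (sign == '+')
        return opt->plus_sets;
    if (sign == '-')
        return !opt->plus_sets;
    return -1;
}

/*
 * Parse SPEC with get_date() into *date_out.  Returns 0 on success, or
 * EINVAL (already reported through com_err) when the spec is unparsable.
 */
static krb5_error_code
read_lifetime_spec(const char *me, char *spec, time_t *date_out)
{
    time_t date = get_date(spec);

    if (date == (time_t)(-1)) {
        com_err(me, EINVAL, gettext("while providing time specification"));
        return EINVAL;
    }
    *date_out = date;
    return 0;
}

/*
 * kdb5_ldap_modify_policy: change the attributes of a ticket policy object.
 *
 * argv holds the subcommand, the policy DN (the one argument that is not a
 * recognised option) and at least one of:
 *   -maxtktlife <spec>, -maxrenewlife <spec>
 *       get_date() time specifications; what is stored is the number of
 *       seconds between that time and now.  A spec in the past yields a
 *       negative value; nothing here rejects that (TODO(review): confirm
 *       the directory/KDC side validates it).
 *   +name / -name, for each name in tktflag_opts
 *       set or clear the matching KRB5_KDB_* bit in tktflags.
 *
 * The arguments are scanned twice: pass 1 only locates the DN (and rejects
 * empty arguments, which the "argv[i] + 1" comparisons would otherwise read
 * past), pass 2 runs after the current policy has been read from the
 * directory, applies the options to it and accumulates out_mask for
 * krb5_ldap_modify_policy().  Failures are reported with com_err and
 * counted in exit_status.  A usage error prints the command usage and, as
 * before, does not touch exit_status (whether db_usage() does is outside
 * this file).
 */
void
kdb5_ldap_modify_policy(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;    /* error already reported; no generic message */
    char *policy = NULL;
    unsigned int in_mask = 0, out_mask = 0;
    time_t date = 0;
    time_t now = 0;
    int i = 0;

    /* At least one option must accompany the subcommand and the DN. */
    if (argc < 3 || argc > MODIFY_POLICY_MAX_ARGC)
        goto err_usage;

    /* Pass 1: find the policy DN -- the one argument that is not an option. */
    for (i = 1; i < argc; i++) {
        /*
         * An empty argument has no character after the sign position, so
         * comparing argv[i] + 1 would read beyond its terminator.  It can
         * be neither an option nor a DN; treat it as a usage error.
         */
        if (argv[i][0] == '\0')
            goto err_usage;

        if (strcmp(argv[i], "-maxtktlife") == 0 ||
            strcmp(argv[i], "-maxrenewlife") == 0) {
            /* Skip the value; a missing one is a usage error. */
            if (++i >= argc)
                goto err_usage;
        } else if (find_tktflag_opt(argv[i] + 1) != NULL) {
            /* Ticket flag option; its sign is validated in pass 2. */
        } else {
            /* A second DN is a usage error. */
            if (policy != NULL)
                goto err_usage;

            policy = strdup(argv[i]);
            if (policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, gettext("while modifying policy object"));
                goto err_nomsg;
            }
        }
    }

    if (policy == NULL)
        goto err_usage;

    if ((retval = init_ldap_realm(argc, argv)))
        goto cleanup;

    /* Start from the policy as currently stored, then apply the changes. */
    retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask);
    if (retval) {
        com_err(me, retval, gettext("while reading information of policy '%s'"), policy);
        goto err_nomsg;
    }

    /* Lifetimes are stored relative to this instant. */
    time(&now);

    /* Pass 2: apply every option; the DN was consumed in pass 1. */
    for (i = 1; i < argc; i++) {
        const struct tktflag_opt *opt;
        int action;

        if (strcmp(argv[i], "-maxtktlife") == 0) {
            if (++i >= argc)
                goto err_usage;
            if ((retval = read_lifetime_spec(me, argv[i], &date)))
                goto err_nomsg;
            policyparams->maxtktlife = date - now;
            out_mask |= LDAP_POLICY_MAXTKTLIFE;
        } else if (strcmp(argv[i], "-maxrenewlife") == 0) {
            if (++i >= argc)
                goto err_usage;
            if ((retval = read_lifetime_spec(me, argv[i], &date)))
                goto err_nomsg;
            policyparams->maxrenewlife = date - now;
            out_mask |= LDAP_POLICY_MAXRENEWLIFE;
        } else if ((opt = find_tktflag_opt(argv[i] + 1)) != NULL) {
            action = tktflag_action(opt, argv[i][0]);
            if (action < 0)
                goto err_usage;     /* neither "+name" nor "-name" */
            if (action)
                policyparams->tktflags |= opt->bit;
            else
                policyparams->tktflags &= (int)(~opt->bit);
            out_mask |= LDAP_POLICY_TKTFLAGS;
        }
        /* Anything else is the policy DN: nothing to do. */
    }

    /* Write the changed attributes back to the directory. */
    retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask);
    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy);

    if (print_usage)
        db_usage(MODIFY_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, gettext("while modifying policy object"));
        exit_status++;
    }
}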
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
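/*
 * kdb5_ldap_view_policy: display the attributes of one ticket policy
 * object, fetched from the LDAP server.
 *
 * argv[1] is the policy DN; exactly one argument is accepted, anything
 * else prints the command usage.  The policy is read with
 * krb5_ldap_read_policy() and written to stdout by print_policy_params().
 *
 * Every failure now increments exit_status, as kdb5_ldap_modify_policy and
 * kdb5_ldap_list_policies already do: previously an init_ldap_realm()
 * failure jumped straight to cleanup without a message and left
 * exit_status untouched, so the command exited successfully.
 */
void
kdb5_ldap_view_policy(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_ldap_policy_params *policyparams = NULL;
    krb5_error_code retval = 0;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;    /* error already reported; no generic message */
    char *policy = NULL;
    unsigned int mask = 0;

    if (argc != 2)
        goto err_usage;

    policy = strdup(argv[1]);
    if (policy == NULL) {
        retval = ENOMEM;
        com_err(me, retval, gettext("while viewing policy"));
        goto err_nomsg;
    }

    /* Reported and counted in cleanup, like modify_policy does. */
    if ((retval = init_ldap_realm(argc, argv)))
        goto cleanup;

    retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask);
    if (retval) {
        com_err(me, retval, gettext("while viewing policy '%s'"), policy);
        goto err_nomsg;
    }

    print_policy_params(policyparams, mask);
    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy);

    if (print_usage)
        db_usage(VIEW_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, gettext("while viewing policy"));
        exit_status++;
    }
}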
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
/*
 * print_policy_params: write the attributes of one ticket policy to
 * standard output as "label: value" lines.
 *
 * policyparams: the policy as returned by krb5_ldap_read_policy();
 *     policyparams->policy (the DN) is printed unconditionally.
 * mask: LDAP_POLICY_* bits saying which attributes are present.  The two
 *     lifetimes are printed only when their bit is set.  The "Ticket
 *     flags" line is always printed; the KRB5_KDB_* flags set in tktflags
 *     are listed on it only when LDAP_POLICY_TKTFLAGS is set.
 *
 * strdur() hands back a static buffer, so each lifetime goes through its
 * own printf() call.
 */
static void
print_policy_params(krb5_ldap_policy_params *policyparams, int mask)
{
    /* Flag bits and their display names, in output order. */
    static const struct {
        int bit;
        const char *label;
    } flag_names[] = {
        { KRB5_KDB_DISALLOW_POSTDATED,   "DISALLOW_POSTDATED" },
        { KRB5_KDB_DISALLOW_FORWARDABLE, "DISALLOW_FORWARDABLE" },
        { KRB5_KDB_DISALLOW_RENEWABLE,   "DISALLOW_RENEWABLE" },
        { KRB5_KDB_DISALLOW_PROXIABLE,   "DISALLOW_PROXIABLE" },
        { KRB5_KDB_DISALLOW_DUP_SKEY,    "DISALLOW_DUP_SKEY" },
        { KRB5_KDB_REQUIRES_PRE_AUTH,    "REQUIRES_PRE_AUTH" },
        { KRB5_KDB_REQUIRES_HW_AUTH,     "REQUIRES_HW_AUTH" },
        { KRB5_KDB_DISALLOW_SVR,         "DISALLOW_SVR" },
        { KRB5_KDB_DISALLOW_TGT_BASED,   "DISALLOW_TGT_BASED" },
        { KRB5_KDB_DISALLOW_ALL_TIX,     "DISALLOW_ALL_TIX" },
        { KRB5_KDB_REQUIRES_PWCHANGE,    "REQUIRES_PWCHANGE" },
        { KRB5_KDB_PWCHANGE_SERVICE,     "PWCHANGE_SERVICE" },
    };
    const size_t n_flags = sizeof(flag_names) / sizeof(flag_names[0]);
    size_t k;

    printf("%25s: %s\n", gettext("Ticket policy"), policyparams->policy);

    if (mask & LDAP_POLICY_MAXTKTLIFE) {
        printf("%25s: %s\n", gettext("Maximum ticket life"),
               strdur(policyparams->maxtktlife));
    }
    if (mask & LDAP_POLICY_MAXRENEWLIFE) {
        printf("%25s: %s\n", gettext("Maximum renewable life"),
               strdur(policyparams->maxrenewlife));
    }

    printf("%25s: ", gettext("Ticket flags"));
    if (mask & LDAP_POLICY_TKTFLAGS) {
        int ticketflags = policyparams->tktflags;

        for (k = 0; k < n_flags; k++) {
            if (ticketflags & flag_names[k].bit)
                printf("%s ", flag_names[k].label);
        }
    }
    printf("\n");
}
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
/*
 * kdb5_ldap_list_policies: print the DN of every ticket policy object,
 * one per line.
 *
 * Accepts either no arguments (argc == 1) or exactly two (argc == 3);
 * anything else prints the command usage.  The extra arguments are handed
 * to init_ldap_realm() and are not interpreted here: basedn is never
 * assigned, so krb5_ldap_list_policy() is always called with a NULL
 * search base (NOTE(review): whether NULL means "the entire tree" is
 * decided inside krb5_ldap_list_policy; confirm before relying on it).
 * Any failure is reported with com_err and counted in exit_status.
 */
void
kdb5_ldap_list_policies(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_boolean print_usage = FALSE;
    char *basedn = NULL;
    char **list = NULL;

    if (argc != 1 && argc != 3)
        goto err_usage;

    retval = init_ldap_realm(argc, argv);
    if (retval != 0)
        goto cleanup;

    retval = krb5_ldap_list_policy(util_context, basedn, &list);
    if (retval == 0 && list != NULL) {
        char **entry = list;

        while (*entry != NULL)
            printf("%s\n", *entry++);
    }
    goto cleanup;

err_usage:
    print_usage = TRUE;

cleanup:
    if (list != NULL) {
        krb5_free_list_entries(list);
        free(list);
    }
    free(basedn);       /* free(NULL) is a no-op */

    if (print_usage)
        db_usage(LIST_POLICY);

    if (retval != 0) {
        com_err(me, retval, gettext("while listing policy objects"));
        exit_status++;
    }
}
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf
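/*
 * strdur: format a duration in seconds as "[-]D day(s) HH:MM:SS".
 *
 * Reproduced from kadmin.c instead of linking the entire kadmin.o.
 *
 * Returns a pointer to a static buffer that is overwritten on every call,
 * so the result must be consumed (e.g. printed) before the next call and
 * the function is not reentrant.  Negative durations get a leading '-'.
 * The magnitude is computed in unsigned arithmetic so that negating the
 * most negative time_t cannot overflow, and the day count keeps its full
 * width instead of being truncated to int.  The buffer is large enough for
 * the longest possible 64-bit result ("-" + 20 digits + " days " + 8).
 */
static char *
strdur(time_t duration)
{
    static char out[50];
    const char *sign = "";
    unsigned long long remaining;
    unsigned long long days;
    unsigned hours, minutes, seconds;

    if (duration < 0) {
        sign = "-";
        /* 0 - (unsigned)x is well defined for every x, unlike -x on INT_MIN. */
        remaining = 0ULL - (unsigned long long)duration;
    } else {
        remaining = (unsigned long long)duration;
    }

    days = remaining / (24ULL * 3600ULL);
    remaining %= 24ULL * 3600ULL;
    hours = (unsigned)(remaining / 3600ULL);
    remaining %= 3600ULL;
    minutes = (unsigned)(remaining / 60ULL);
    seconds = (unsigned)(remaining % 60ULL);

    snprintf(out, sizeof(out), "%s%llu %s %02u:%02u:%02u", sign, days,
             days == 1 ? gettext("day") : gettext("days"),
             hours, minutes, seconds);
    return out;
}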