dd9ccd46893ed9c4247368a00a0253d45a26311c * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
dd9ccd46893ed9c4247368a00a0253d45a26311c * Use is subject to license terms.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* Copyright (c) 2004-2005, Novell, Inc.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Redistribution and use in source and binary forms, with or without
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * modification, are permitted provided that the following conditions are met:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions of source code must retain the above copyright notice,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * this list of conditions and the following disclaimer.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions in binary form must reproduce the above copyright
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * notice, this list of conditions and the following disclaimer in the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * documentation and/or other materials provided with the distribution.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * The copyright holder's name is not used to endorse or promote products
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * derived from this software without specific prior written permission.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * POSSIBILITY OF SUCH DAMAGE.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Create / Delete / Modify / View / List policy objects.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfextern time_t get_date(char *); /* kadmin/cli/getdate.o */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfstatic void print_policy_params(krb5_ldap_policy_params *policyparams, int mask);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfextern char *yes;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfstatic krb5_error_code init_ldap_realm (int argc, char *argv[]) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* This operation is being performed in the context of a realm. So,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * initialize the realm */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf dal_handle = (kdb5_dal_handle *) util_context->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ldap_context = (krb5_ldap_context *) dal_handle->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = krb5_ldap_read_krbcontainer_params (util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (retval != 0) {
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, retval, gettext("while reading kerberos container information"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (retval != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will create a ticket policy object with the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * specified attributes.
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check for number of arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Allocate memory for policy parameters structure */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get current time */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse all arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err (me, retval, gettext("while providing time specification"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err (me, retval, gettext("while providing time specification"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* Any other argument must be policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* First check if policy DN is already provided --
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if so, there's a usage error */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If not present already, fill up policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while creating policy object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* policy DN is a mandatory argument. If not provided, print usage */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while reading realm information"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Create object with all attributes provided */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean-up structure */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while creating policy object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will destroy the specified ticket policy
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * object interactively, unless forced through an option.
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* Any other argument must be policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* First check if policy DN is already provided --
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if so, there's a usage error */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If not present already, fill up policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while destroying policy object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("This will delete the policy object '%s', are you sure?\n"), policy);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_delete_policy(util_context, policy)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("** policy object '%s' deleted.\n"), policy);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean-up structure */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while destroying policy object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will modify the attributes of a given ticket
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * policy object.
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check for number of arguments -- minimum is 3
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf since at least one parameter should be given in
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf addition to 'modify_policy' and policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse all arguments, only to pick up policy DN (Pass 1) */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Skip arguments next to 'maxtktlife'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf and 'maxrenewlife' arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Do nothing for ticket flag arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf !strcmp((argv[i] + 1), "password_changing_service")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* Any other argument must be policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* First check if policy DN is already provided --
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if so, there's a usage error */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If not present already, fill up policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while modifying policy object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while reading information of policy '%s'"), policy);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get current time */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse all arguments, but skip policy DN (Pass 2) */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err (me, retval, gettext("while providing time specification"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err (me, retval, gettext("while providing time specification"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Any other argument must be policy DN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf -- skip it */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Modify attributes of object */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean-up structure */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while modifying policy object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will display information about the given policy object,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * fetching the information from the LDAP Server.
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while viewing policy '%s'"), policy);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will print the policy object information to the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * standard output.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print the policy DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%25s: %s\n", gettext("Ticket policy"), policyparams->policy);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print max. ticket life and max. renewable life, if present */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%25s: %s\n", gettext("Maximum ticket life"), strdur(policyparams->maxtktlife));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%25s: %s\n", gettext("Maximum renewable life"), strdur(policyparams->maxrenewlife));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Service flags are printed */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will list the DNs of policy objects under a specific
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * sub-tree (entire tree by default)
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check for number of arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = krb5_ldap_list_policy(util_context, basedn, &list);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while listing policy objects"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* Reproduced from kadmin.c, instead of linking
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf the entire kadmin.o */