kdb5_ldap_policy.c revision dd9ccd46893ed9c4247368a00a0253d45a26311c
/*
* kadmin/ldap_util/kdb5_ldap_policy.c
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 2004-2005, Novell, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* * The copyright holder's name is not used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Create / Delete / Modify / View / List policy objects.
*/
#include <stdio.h>
#include <time.h>
#include <k5-int.h>
#include <kadm5/admin.h>
#include <libintl.h>
#include <locale.h>
#include "kdb5_ldap_util.h"
#include "kdb5_ldap_list.h"
#include "ldap_tkt_policy.h"
extern time_t get_date(char *); /* kadmin/cli/getdate.o */
static void print_policy_params(krb5_ldap_policy_params *policyparams, int mask);
static char *strdur(time_t duration);
extern char *yes;
extern kadm5_config_params global_params;
static krb5_error_code init_ldap_realm (int argc, char *argv[]) {
/* This operation is being performed in the context of a realm. So,
* initialize the realm */
int mask = 0;
krb5_error_code retval = 0;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context=NULL;
dal_handle = (kdb5_dal_handle *) util_context->db_context;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
if (!ldap_context) {
retval = EINVAL;
goto cleanup;
}
if (ldap_context->krbcontainer == NULL) {
retval = krb5_ldap_read_krbcontainer_params (util_context,
&(ldap_context->krbcontainer));
if (retval != 0) {
/* Solaris Kerberos */
com_err(progname, retval, gettext("while reading kerberos container information"));
goto cleanup;
}
}
if (ldap_context->lrparams == NULL) {
retval = krb5_ldap_read_realm_params(util_context,
global_params.realm,
&(ldap_context->lrparams),
&mask);
if (retval != 0) {
goto cleanup;
}
}
cleanup:
return retval;
}
/*
* This function will create a ticket policy object with the
* specified attributes.
*/
void
kdb5_ldap_create_policy(argc, argv)
int argc;
char *argv[];
{
/* Solaris Kerberos */
char *me = progname;
krb5_error_code retval = 0;
krb5_ldap_policy_params *policyparams = NULL;
krb5_boolean print_usage = FALSE;
krb5_boolean no_msg = FALSE;
int mask = 0;
time_t date = 0;
time_t now = 0;
int i = 0;
/* Check for number of arguments */
if ((argc < 2) || (argc > 16)) {
goto err_usage;
}
/* Allocate memory for policy parameters structure */
policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params));
if (policyparams == NULL) {
retval = ENOMEM;
goto cleanup;
}
/* Get current time */
time (&now);
/* Parse all arguments */
for (i = 1; i < argc; i++) {
if (!strcmp(argv[i], "-maxtktlife")) {
if (++i > argc - 1)
goto err_usage;
date = get_date(argv[i]);
if (date == (time_t)(-1)) {
retval = EINVAL;
com_err (me, retval, gettext("while providing time specification"));
goto err_nomsg;
}
policyparams->maxtktlife = date - now;
mask |= LDAP_POLICY_MAXTKTLIFE;
} else if (!strcmp(argv[i], "-maxrenewlife")) {
if (++i > argc - 1)
goto err_usage;
date = get_date(argv[i]);
if (date == (time_t)(-1)) {
retval = EINVAL;
com_err (me, retval, gettext("while providing time specification"));
goto err_nomsg;
}
policyparams->maxrenewlife = date - now;
mask |= LDAP_POLICY_MAXRENEWLIFE;
} else if (!strcmp((argv[i] + 1), "allow_postdated")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_renewable")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "requires_preauth")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_svr")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_tix")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "needchange")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "password_changing_service")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
else
goto err_usage;
mask |= LDAP_POLICY_TKTFLAGS;
} else { /* Any other argument must be policy DN */
/* First check if policy DN is already provided --
if so, there's a usage error */
if (policyparams->policy != NULL)
goto err_usage;
/* If not present already, fill up policy DN */
policyparams->policy = strdup(argv[i]);
if (policyparams->policy == NULL) {
retval = ENOMEM;
com_err(me, retval, gettext("while creating policy object"));
goto err_nomsg;
}
}
}
/* policy DN is a mandatory argument. If not provided, print usage */
if (policyparams->policy == NULL)
goto err_usage;
if ((retval = init_ldap_realm (argc, argv))) {
com_err(me, retval, gettext("while reading realm information"));
goto err_nomsg;
}
/* Create object with all attributes provided */
if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0)
goto cleanup;
goto cleanup;
err_usage:
print_usage = TRUE;
err_nomsg:
no_msg = TRUE;
cleanup:
/* Clean-up structure */
krb5_ldap_free_policy (util_context, policyparams);
if (print_usage)
db_usage(CREATE_POLICY);
if (retval) {
if (!no_msg)
com_err(me, retval, gettext("while creating policy object"));
exit_status++;
}
return;
}
/*
* This function will destroy the specified ticket policy
* object interactively, unless forced through an option.
*/
void
kdb5_ldap_destroy_policy(argc, argv)
int argc;
char *argv[];
{
/* Solaris Kerberos */
char *me = progname;
krb5_error_code retval = 0;
krb5_ldap_policy_params *policyparams = NULL;
krb5_boolean print_usage = FALSE;
krb5_boolean no_msg = FALSE;
char *policy = NULL;
unsigned int mask = 0;
int force = 0;
char buf[5] = {0};
int i = 0;
if ((argc < 2) || (argc > 3)) {
goto err_usage;
}
for (i = 1; i < argc; i++) {
if (strcmp(argv[i], "-force") == 0) {
force++;
} else { /* Any other argument must be policy DN */
/* First check if policy DN is already provided --
if so, there's a usage error */
if (policy != NULL)
goto err_usage;
/* If not present already, fill up policy DN */
policy = strdup(argv[i]);
if (policy == NULL) {
retval = ENOMEM;
com_err(me, retval, gettext("while destroying policy object"));
goto err_nomsg;
}
}
}
if (policy == NULL)
goto err_usage;
if (!force) {
printf(gettext("This will delete the policy object '%s', are you sure?\n"), policy);
printf(gettext("(type 'yes' to confirm)? "));
if (fgets(buf, sizeof(buf), stdin) == NULL) {
retval = EINVAL;
goto cleanup;
}
if (strcmp(buf, yes)) {
exit_status++;
goto cleanup;
}
}
if ((retval = init_ldap_realm (argc, argv)))
goto err_nomsg;
if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask)))
goto cleanup;
if ((retval = krb5_ldap_delete_policy(util_context, policy)))
goto cleanup;
printf(gettext("** policy object '%s' deleted.\n"), policy);
goto cleanup;
err_usage:
print_usage = TRUE;
err_nomsg:
no_msg = TRUE;
cleanup:
/* Clean-up structure */
krb5_ldap_free_policy (util_context, policyparams);
if (policy) {
free (policy);
}
if (print_usage) {
db_usage(DESTROY_POLICY);
}
if (retval) {
if (!no_msg)
com_err(me, retval, gettext("while destroying policy object"));
exit_status++;
}
return;
}
/*
* This function will modify the attributes of a given ticket
* policy object.
*/
void
kdb5_ldap_modify_policy(argc, argv)
int argc;
char *argv[];
{
/* Solaris Kerberos */
char *me = progname;
krb5_error_code retval = 0;
krb5_ldap_policy_params *policyparams = NULL;
krb5_boolean print_usage = FALSE;
krb5_boolean no_msg = FALSE;
char *policy = NULL;
unsigned int in_mask = 0, out_mask = 0;
time_t date = 0;
time_t now = 0;
int i = 0;
/* Check for number of arguments -- minimum is 3
since atleast one parameter should be given in
addition to 'modify_policy' and policy DN */
if ((argc < 3) || (argc > 16)) {
goto err_usage;
}
/* Parse all arguments, only to pick up policy DN (Pass 1) */
for (i = 1; i < argc; i++) {
/* Skip arguments next to 'maxtktlife'
and 'maxrenewlife' arguments */
if (!strcmp(argv[i], "-maxtktlife")) {
++i;
} else if (!strcmp(argv[i], "-maxrenewlife")) {
++i;
}
/* Do nothing for ticket flag arguments */
else if (!strcmp((argv[i] + 1), "allow_postdated") ||
!strcmp((argv[i] + 1), "allow_forwardable") ||
!strcmp((argv[i] + 1), "allow_renewable") ||
!strcmp((argv[i] + 1), "allow_proxiable") ||
!strcmp((argv[i] + 1), "allow_dup_skey") ||
!strcmp((argv[i] + 1), "requires_preauth") ||
!strcmp((argv[i] + 1), "requires_hwauth") ||
!strcmp((argv[i] + 1), "allow_svr") ||
!strcmp((argv[i] + 1), "allow_tgs_req") ||
!strcmp((argv[i] + 1), "allow_tix") ||
!strcmp((argv[i] + 1), "needchange") ||
!strcmp((argv[i] + 1), "password_changing_service")) {
} else { /* Any other argument must be policy DN */
/* First check if policy DN is already provided --
if so, there's a usage error */
if (policy != NULL)
goto err_usage;
/* If not present already, fill up policy DN */
policy = strdup(argv[i]);
if (policy == NULL) {
retval = ENOMEM;
com_err(me, retval, gettext("while modifying policy object"));
goto err_nomsg;
}
}
}
if (policy == NULL)
goto err_usage;
if ((retval = init_ldap_realm (argc, argv)))
goto cleanup;
retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask);
if (retval) {
com_err(me, retval, gettext("while reading information of policy '%s'"), policy);
goto err_nomsg;
}
/* Get current time */
time (&now);
/* Parse all arguments, but skip policy DN (Pass 2) */
for (i = 1; i < argc; i++) {
if (!strcmp(argv[i], "-maxtktlife")) {
if (++i > argc - 1)
goto err_usage;
date = get_date(argv[i]);
if (date == (time_t)(-1)) {
retval = EINVAL;
com_err (me, retval, gettext("while providing time specification"));
goto err_nomsg;
}
policyparams->maxtktlife = date - now;
out_mask |= LDAP_POLICY_MAXTKTLIFE;
} else if (!strcmp(argv[i], "-maxrenewlife")) {
if (++i > argc - 1)
goto err_usage;
date = get_date(argv[i]);
if (date == (time_t)(-1)) {
retval = EINVAL;
com_err (me, retval, gettext("while providing time specification"));
goto err_nomsg;
}
policyparams->maxrenewlife = date - now;
out_mask |= LDAP_POLICY_MAXRENEWLIFE;
} else if (!strcmp((argv[i] + 1), "allow_postdated")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_renewable")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "requires_preauth")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_svr")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "allow_tix")) {
if (*(argv[i]) == '+')
policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
else if (*(argv[i]) == '-')
policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "needchange")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else if (!strcmp((argv[i] + 1), "password_changing_service")) {
if (*(argv[i]) == '+')
policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
else if (*(argv[i]) == '-')
policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
else
goto err_usage;
out_mask |= LDAP_POLICY_TKTFLAGS;
} else {
/* Any other argument must be policy DN
-- skip it */
}
}
/* Modify attributes of object */
if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask)))
goto cleanup;
goto cleanup;
err_usage:
print_usage = TRUE;
err_nomsg:
no_msg = TRUE;
cleanup:
/* Clean-up structure */
krb5_ldap_free_policy (util_context, policyparams);
if (policy)
free (policy);
if (print_usage)
db_usage(MODIFY_POLICY);
if (retval) {
if (!no_msg)
com_err(me, retval, gettext("while modifying policy object"));
exit_status++;
}
return;
}
/*
* This function will display information about the given policy object,
* fetching the information from the LDAP Server.
*/
void
kdb5_ldap_view_policy(argc, argv)
int argc;
char *argv[];
{
/* Solaris Kerberos */
char *me = progname;
krb5_ldap_policy_params *policyparams = NULL;
krb5_error_code retval = 0;
krb5_boolean print_usage = FALSE;
char *policy = NULL;
unsigned int mask = 0;
if (argc != 2) {
goto err_usage;
}
policy = strdup(argv[1]);
if (policy == NULL) {
com_err(me, ENOMEM, gettext("while viewing policy"));
exit_status++;
goto cleanup;
}
if ((retval = init_ldap_realm (argc, argv)))
goto cleanup;
if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) {
com_err(me, retval, gettext("while viewing policy '%s'"), policy);
exit_status++;
goto cleanup;
}
print_policy_params (policyparams, mask);
goto cleanup;
err_usage:
print_usage = TRUE;
cleanup:
krb5_ldap_free_policy (util_context, policyparams);
if (policy)
free (policy);
if (print_usage) {
db_usage(VIEW_POLICY);
}
return;
}
/*
* This function will print the policy object information to the
* standard output.
*/
static void
print_policy_params(policyparams, mask)
krb5_ldap_policy_params *policyparams;
int mask;
{
/* Print the policy DN */
printf("%25s: %s\n", gettext("Ticket policy"), policyparams->policy);
/* Print max. ticket life and max. renewable life, if present */
if (mask & LDAP_POLICY_MAXTKTLIFE)
printf("%25s: %s\n", gettext("Maximum ticket life"), strdur(policyparams->maxtktlife));
if (mask & LDAP_POLICY_MAXRENEWLIFE)
printf("%25s: %s\n", gettext("Maximum renewable life"), strdur(policyparams->maxrenewlife));
/* Service flags are printed */
printf("%25s: ", gettext("Ticket flags"));
if (mask & LDAP_POLICY_TKTFLAGS) {
int ticketflags = policyparams->tktflags;
if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
printf("%s ","DISALLOW_POSTDATED");
if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
printf("%s ","DISALLOW_FORWARDABLE");
if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
printf("%s ","DISALLOW_RENEWABLE");
if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
printf("%s ","DISALLOW_PROXIABLE");
if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
printf("%s ","DISALLOW_DUP_SKEY");
if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
printf("%s ","REQUIRES_PRE_AUTH");
if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
printf("%s ","REQUIRES_HW_AUTH");
if (ticketflags & KRB5_KDB_DISALLOW_SVR)
printf("%s ","DISALLOW_SVR");
if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
printf("%s ","DISALLOW_TGT_BASED");
if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
printf("%s ","DISALLOW_ALL_TIX");
if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
printf("%s ","REQUIRES_PWCHANGE");
if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
printf("%s ","PWCHANGE_SERVICE");
}
printf("\n");
return;
}
/*
* This function will list the DNs of policy objects under a specific
* sub-tree (entire tree by default)
*/
void kdb5_ldap_list_policies(argc, argv)
int argc;
char *argv[];
{
/* Solaris Kerberos */
char *me = progname;
krb5_error_code retval = 0;
krb5_boolean print_usage = FALSE;
char *basedn = NULL;
char **list = NULL;
char **plist = NULL;
/* Check for number of arguments */
if ((argc != 1) && (argc != 3)) {
goto err_usage;
}
if ((retval = init_ldap_realm (argc, argv)))
goto cleanup;
retval = krb5_ldap_list_policy(util_context, basedn, &list);
if ((retval != 0) || (list == NULL))
goto cleanup;
for (plist = list; *plist != NULL; plist++) {
printf("%s\n", *plist);
}
goto cleanup;
err_usage:
print_usage = TRUE;
cleanup:
if (list != NULL) {
krb5_free_list_entries (list);
free (list);
}
if (basedn)
free (basedn);
if (print_usage) {
db_usage(LIST_POLICY);
}
if (retval) {
com_err(me, retval, gettext("while listing policy objects"));
exit_status++;
}
return;
}
/* Reproduced from kadmin.c, instead of linking
the entire kadmin.o */
static char *strdur(duration)
time_t duration;
{
static char out[50];
int neg, days, hours, minutes, seconds;
if (duration < 0) {
duration *= -1;
neg = 1;
} else
neg = 0;
days = duration / (24 * 3600);
duration %= 24 * 3600;
hours = duration / 3600;
duration %= 3600;
minutes = duration / 60;
duration %= 60;
seconds = duration;
snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
days, days == 1 ? gettext("day") : gettext("days"),
hours, minutes, seconds);
return out;
}