dd9ccd46893ed9c4247368a00a0253d45a26311c * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Use is subject to license terms.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* Copyright (c) 2004-2005, Novell, Inc.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Redistribution and use in source and binary forms, with or without
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * modification, are permitted provided that the following conditions are met:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions of source code must retain the above copyright notice,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * this list of conditions and the following disclaimer.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions in binary form must reproduce the above copyright
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * notice, this list of conditions and the following disclaimer in the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * documentation and/or other materials provided with the distribution.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * The copyright holder's name is not used to endorse or promote products
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * derived from this software without specific prior written permission.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * POSSIBILITY OF SUCH DAMAGE.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Create / Delete / Modify / View / List service objects.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Service objects have rights over realm objects and principals. The following
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * functions manage the service objects.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfextern char *yes;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfstatic int process_host_list(char **host_list, int servicetype)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char host_str[MAX_LEN_LIST_ENTRY] = "", proto_str[PROTOCOL_STR_LEN + 1] = "", port_str[PORT_STR_LEN + 1] = "";
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Protocol and port number processing */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j = 0; host_list[j]; j++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Look for one hash */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((pchr = strchr(host_list[j], HOST_INFO_DELIMITER))) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check input for buffer overflow */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* First copy off the host name portion */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse for the protocol string and translate to number */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf proto_str[0] = '\0'; /* Make the string null if invalid */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Look for one more hash */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse for the port string and check if it is numeric */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (!strtol(port_str, NULL, 10)) /* Not a valid number */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* We have only host name */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf strncpy (host_str, host_list[j], MAX_LEN_LIST_ENTRY - 1);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Now, based on service type, fill in suitable protocol
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf and port values if they are absent or not matching */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print warning message */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf (gettext("Admin Server supports only TCP protocol, hence setting that\n"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print warning message */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf (gettext("Password Server supports only UDP protocol, hence setting that\n"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Finally form back the string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf snprintf (host_list[j], strlen(host_str) + strlen(proto_str) + strlen(port_str) + 2 + 1,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Given a realm name, this function will convert it to a DN by appending the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Kerberos container location.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i = 0; (list[i] != NULL) && (i < MAX_LIST_ENTRIES); i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Restrict copying to max. length to avoid buffer overflow */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf snprintf (temp_str, MAX_DN_CHARS, "cn=%s,%s", list[i], krbcontainer_loc);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Make copy of string to temporary node */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* On success, free list node and attach new one */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will create a service object on the LDAP Server, with the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * specified attributes.
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check for number of arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Allocate memory for service parameters structure */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf srvparams = (krb5_ldap_service_params*) calloc(1, sizeof(krb5_ldap_service_params));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf dal_handle = (kdb5_dal_handle *) util_context->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ldap_context = (krb5_ldap_context *) dal_handle->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Allocate memory for extra arguments to be used for setting
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf password -- it's OK to allocate as much as the total number
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf of arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf extra_argv = (char **) calloc((unsigned int)argc, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set first of the extra arguments as the program name */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Read Kerberos container info, to construct realm DN from name
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * and for assigning rights
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while reading Kerberos container information"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse all arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sizeof(char *));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = process_host_list (srvparams->krbhostservers,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sizeof(char *));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Convert realm names to realm DNs */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If argument is none of the above and beginning with '-',
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * it must be related to password -- collect it
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * to pass onto kdb5_ldap_set_service_password()
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Checking for options of setting the password for the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * service (by using 'setsrvpw') is not modular. --need to
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * have a common function that can be shared with 'setsrvpw'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* For '-f' option alone, pick up the following argument too */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* Any other option is invalid */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* Any other argument must be service DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* First check if service DN is already provided --
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * if so, there's a usage error
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, EINVAL, gettext("while creating service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If not present already, fill up service DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while creating service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* No point in proceeding further if service DN value is not available */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, EINVAL, gettext("while creating service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (srvparams->servicetype == 0) { /* Not provided and hence not set */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, EINVAL, gettext("while creating service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Create object with all attributes provided */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_create_service(util_context, srvparams, mask)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* ** NOTE ** srvparams structure should not be modified, as it is
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * used for deletion of the service object in case of any failures
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * from now on.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set password too */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set service DN as the last argument */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf extra_argv[extra_argc] = strdup(srvparams->servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = kdb5_ldap_set_service_password(extra_argc, extra_argv)) != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Rights assignment */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%s", gettext("Changing rights for the service object. Please wait ... "));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; (srvparams->krbrealmreferences[i] != NULL); i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the realm name, not the dn */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf temprdns = ldap_explode_dn(srvparams->krbrealmreferences[i], 1);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_realm_params(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while reading information of realm '%s'"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_add_service_rights(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while assigning rights '%s'"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* This is for deleting the service object if something goes
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * wrong in creating the service object
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* srvparams is populated from the user input and should be correct as
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * we were successful in creating a service object. Reusing the same
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_delete_service(util_context, srvparams, srvparams->servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean-up structure */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while creating service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will modify the attributes of a given service
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * object on the LDAP Server
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check for number of arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf dal_handle = (kdb5_dal_handle *) util_context->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ldap_context = (krb5_ldap_context *) dal_handle->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse all arguments, only to pick up service DN (Pass 1) */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Skip arguments next to 'servicehost'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf and 'realmdn' arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* Any other argument must be service DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* First check if service DN is already provided --
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if so, there's a usage error */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, EINVAL, gettext("while modifying service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If not present already, fill up service DN */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while modifying service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* No point in proceeding further if service DN value is not available */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, EINVAL, gettext("while modifying service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask);
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(me, retval, gettext("while reading information of service '%s'"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Read Kerberos container info, to construct realm DN from name
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * and for assigning rights
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while reading Kerberos container information"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse all arguments, but skip the service DN (Pass 2) */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Free the old list if available */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf srvparams->krbhostservers = (char **)calloc(MAX_LIST_ENTRIES,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sizeof(char *));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = process_host_list (srvparams->krbhostservers,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set flag to ignore 'add' and 'clear' */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If attribute doesn't exist, don't permit 'clear' option */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Send out some proper error message here */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, EINVAL, gettext("service host list is empty\n"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Allocate list for processing */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = process_host_list (list, srvparams->servicetype))) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean up */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Allocate list for processing */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = process_host_list (list, srvparams->servicetype))) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Call list_modify_str_array() only if host server attribute
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * exists already --Actually, it's better to handle this
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * within list_modify_str_array()
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Re-size existing list */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf existing_entries = list_count_str_array(srvparams->krbhostservers);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf temp_ptr = (char **) realloc(srvparams->krbhostservers,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sizeof(char *) * (existing_entries + new_entries + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean up */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Store the old realm list for removing rights */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Free the old list if available */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_free_list_entries (srvparams->krbrealmreferences);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf srvparams->krbrealmreferences = (char **)calloc(MAX_LIST_ENTRIES,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sizeof(char *));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Convert realm names to realm DNs */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set flag to ignore 'add' and 'clear' */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If attribute doesn't exist, don't permit 'clear' option */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((in_mask & LDAP_SERVICE_REALMREFERENCE) == 0) || (srvparams->krbrealmreferences == NULL)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Send out some proper error message here */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Store the old realm list for removing rights */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Allocate list for processing */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Convert realm names to realm DNs */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf list_modify_str_array(&(srvparams->krbrealmreferences),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean up */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Allocate list for processing */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf list = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Convert realm names to realm DNs */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((in_mask & LDAP_SERVICE_REALMREFERENCE) && (srvparams->krbrealmreferences) && (!oldrealmrefs)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Store the old realm list for removing rights */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf oldrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf oldrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Call list_modify_str_array() only if realm DN attribute
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * exists already -- Actually, it's better to handle this
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * within list_modify_str_array() */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Re-size existing list */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf temp_ptr = (char **) realloc(srvparams->krbrealmreferences,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sizeof(char *) * (existing_entries + new_entries + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf list_modify_str_array(&(srvparams->krbrealmreferences),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean up */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Any other argument must be service DN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf -- skip it */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Modify attributes of object */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_modify_service(util_context, srvparams, out_mask)))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Service rights modification code */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%s", gettext("Changing rights for the service object. Please wait ... "));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf newrealmrefs = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((srvparams != NULL) && (srvparams->krbrealmreferences != NULL)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j = 0; srvparams->krbrealmreferences[j] != NULL; j++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf newrealmrefs[j] = strdup(srvparams->krbrealmreferences[j]);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Delete the rights for the given service, on each of the realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * container & subtree in the old realm reference list.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the realm name, not the dn */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_realm_params(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while reading information of realm '%s'"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_delete_service_rights(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while assigning rights '%s'"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Add the rights for the given service, on each of the realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * container & subtree in the new realm reference list.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the realm name, not the dn */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf gettext("while reading Kerberos container information"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_realm_params(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while reading information of realm '%s'"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_add_service_rights(util_context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while assigning rights '%s'"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clean-up structure */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while modifying service object"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will delete the entry corresponding to the service object
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * from the service password file.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfrem_service_entry_from_file(argc, argv, file_name, service_object)
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check for permissions on the password file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If the specified file itself is not there, no need to show error */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("while deleting entry from file %s", file_name));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Create a temporary file which contains all the entries except the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf entry for the given service dn */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("while deleting entry from file %s"), file_name);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Create a new file with the extension .tmp */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while deleting entry from file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("while deleting entry from file\n"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Copy only those lines which donot have the specified service dn */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("while deleting entry from file\n"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("while deleting entry from file\n"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will delete the service object from the LDAP Server
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * and unlink the references to the Realm objects (if any)
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, ENOMEM, gettext("while destroying service"));
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, ENOMEM, gettext("while destroying service"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("This will delete the service object '%s', are you sure?\n"), servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_service(util_context, servicedn,
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, retval, gettext("while destroying service '%s'"), servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = krb5_ldap_delete_service(util_context, lserparams, servicedn);
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, retval, gettext("while destroying service '%s'"), servicedn);
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, ENOMEM, gettext("while destroying service"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("** service object '%s' deleted.\n"), servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = rem_service_entry_from_file(argc, argv, stashfilename, servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("** error removing service object entry '%s' from password file.\n"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will display information about the given service object
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, ENOMEM, gettext("while viewing service"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) {
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
dd9ccd46893ed9c4247368a00a0253d45a26311c com_err(progname, retval, gettext("while viewing service '%s'"), servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will list the DNs of kerberos services present on
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * the LDAP Server under a specific sub-tree (entire tree by default)
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Check for number of arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse base DN argument if present */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while listing services"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = krb5_ldap_list_services(util_context, basedn, &list);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while listing policy objects"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will print the service object information
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * to the standard output
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print the service dn */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%20s%-20s\n", gettext("Service dn: "), lserparams->servicedn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print the service type of the object to be read */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%20s%-20s\n", gettext("Service type: "), "kdc");
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (lserparams->servicetype == LDAP_ADMIN_SERVICE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%20s%-20s\n", gettext("Service type: "), "admin");
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (lserparams->servicetype == LDAP_PASSWD_SERVICE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%20s%-20s\n", gettext("Service type: "), "pwd");
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print the host server values */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; lserparams->krbhostservers[i] != NULL; ++i) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%20s%-50s\n","",lserparams->krbhostservers[i]);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Print the realm reference dn values */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; lserparams && lserparams->krbrealmreferences && lserparams->krbrealmreferences[i] != NULL; ++i) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf("%20s%-50s\n","",lserparams->krbrealmreferences[i]);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will generate random password of length(RANDOM_PASSWD_LEN)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ctxt - context
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * RANDOM_PASSWD_LEN length random password
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfstatic int generate_random_password(krb5_context ctxt, char **randpwd, unsigned int *passlen)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /*int len = 0;*/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* setting random password length in the range 16-32 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err("setsrvpw", ENOMEM, gettext("while generating random password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err("setsrvpw", ret, gettext("Error generating random password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* restricting to ascii chars. Need to change this when 8.8 supports */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if (random_pwd[i] == 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function will set the password of the service object in the directory
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * and/or the specified service password file.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * argc - contains the number of arguments for this sub-command
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * argv - array of arguments for this sub-command
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* The arguments for setsrv password should contain the service object DN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * and options to specify whether the password should be updated in file only
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * or both file and directory. So the possible combination of arguments are:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * setsrvpw servicedn wherein argc is 2
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * setsrvpw -fileonly servicedn wherein argc is 3
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * setsrvpw -randpw servicedn wherein argc is 3
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * setsrvpw -f filename servicedn wherein argc is 4
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * setsrvpw -fileonly -f filename servicedn wherein argc is 5
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * setsrvpw -randpw -f filename servicedn wherein argc is 5
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf dal_handle = (kdb5_dal_handle *)util_context->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf lparams = (krb5_ldap_context *) dal_handle->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Parse the arguments */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Verify if the file location has the proper file name
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * for eg, if the file location is a directory like /home/temp/,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * we reject it.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((filelen == 0) || (file_name[filelen-1] == '/')) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("%s: Filename not specified for setting service object password\n"), me);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("%s: Invalid option specified for \"setsrvpw\" command\n"), me);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("%s: Service object not specified for \"setsrvpw\" command\n"), me);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((errcode = krb5_ldap_db_init(util_context, lparams))) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errcode, gettext("while initializing database"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("%s: Invalid option specified for \"setsrvpw\" command\n"), me);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Generate random password */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((errcode = generate_random_password(util_context, &passwd, &passwd_len))) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("%s: Failed to set service object password\n"), me);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the service object password from the terminal */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* size of allocation=strlen of servicedn + strlen("Password for \" \"")=20 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(prompt1, gettext("Password for \"%s\""), service_object);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* size of allocation=strlen of servicedn + strlen("Re-enter Password for \" \"")=30 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(prompt2, gettext("Re-enter password for \"%s\""), service_object);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf retval = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, retval, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Hex the password */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (errcode != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errcode, gettext("Failed to convert the password to hex"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Password = {CRYPT}<encrypted password>:<encrypted key> */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf encrypted_passwd.value = (unsigned char *)malloc(strlen(service_object) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* We should check if the file exists and we have permission to write into that file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf printf(gettext("File does not exist. Creating the file %s...\n"), file_name);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Error creating file %s"), file_name);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Unable to access the file %s"), file_name);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((errcode = krb5_ldap_set_service_passwd(util_context, service_object, passwd)) != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errcode, gettext("Failed to set password for service object %s"), service_object);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* TODO: file lock for the service password file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* set password in the file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to open file %s"), file_name);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If the service object dn is not present in the service password file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (fwrite(encrypted_passwd.value, (unsigned int)encrypted_passwd.len, 1, pfile) != 1) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Error reading service object password file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Password entry for the service object is already present in the file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Delete the existing entry and add the new entry */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Create a new file with the extension .tmp */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf tmp_file = (char *) malloc(sizeof(char) * (strlen(file_name) + 4 + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Error creating file %s"), tmp_file);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (fprintf(newfile, "%s", encrypted_passwd.value) < 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Error reading service object password file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* TODO: file lock for the service password file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf memset(encrypted_passwd.value, 0, encrypted_passwd.len);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#else /* #ifdef HAVE_EDIRECTORY */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Convert the user supplied password into hexadecimal and stash it. Only a
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * little more secure than storing plain password in the file ...
dd9ccd46893ed9c4247368a00a0253d45a26311c /* Solaris Kerberos */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * stashsrvpw [-f filename] service_dn
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 'service_dn' is the DN of the service object
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 'filename' is the path of the stash file
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Find the stash file name */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else { /* argc == 2 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Pick up the stash-file name from krb5.conf */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf profile_get_string(util_context->profile, KDB_REALM_SECTION,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf util_context->default_realm, KDB_MODULE_POINTER, NULL, §ion);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf profile_get_string(util_context->profile, KDB_MODULE_DEF_SECTION,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Stash file path neither in krb5.conf nor on command line */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf profile_get_string (util_context->profile, KDB_MODULE_SECTION, section,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Solaris Kerberos: use default if ldap_service_password_file not set
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get password from user */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the service object password from the terminal */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* size of prompt = strlen of servicedn + strlen("Password for \" \"") */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf + sizeof ("Password for \" \"")));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(prompt1, gettext("Password for \"%s\""), service_object);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* size of prompt = strlen of servicedn + strlen("Re-enter Password for \" \"") */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf + sizeof ("Re-enter Password for \" \"")));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(prompt2, gettext("Re-enter password for \"%s\""), service_object);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ret = krb5_read_password(util_context, prompt1, prompt2, passwd, &passwd_len);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (ret != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ret, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Convert the password to hexadecimal */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (ret != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ret, gettext("Failed to convert the password to hexadecimal"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* TODO: file lock for the service password file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* set password in the file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#if 0 /* ************ Begin IFDEF'ed OUT ***************************** */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to open file %s: %s"), file_name,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: safer than the above */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (fd < 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to open file %s: %s"), file_name,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to open file %s: %s"), file_name,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * White spaces not allowed, # delimits the service dn from the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If the service object dn is not present in the service password file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Error reading service object password file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Password entry for the service object is already present in the file
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Delete the existing entry and add the new entry
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Create a new file with the extension .tmp */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf tmp_file = (char *) malloc(sizeof(char) * (strlen(file_name) + 4 + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, ENOMEM, gettext("while setting service object password"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Error creating file %s"), tmp_file);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Error reading service object password file"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* TODO: file lock for the service password file */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (ret != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf com_err(me, errno, gettext("Failed to write service object password to "
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* db_usage(STASH_SRV_PW); */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#endif /* #ifdef HAVE_EDIRECTORY */