54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Copyright (c) 2004-2005, Novell, Inc.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Redistribution and use in source and binary forms, with or without
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * modification, are permitted provided that the following conditions are met:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions of source code must retain the above copyright notice,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * this list of conditions and the following disclaimer.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions in binary form must reproduce the above copyright
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * notice, this list of conditions and the following disclaimer in the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * documentation and/or other materials provided with the distribution.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * The copyright holder's name is not used to endorse or promote products
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * derived from this software without specific prior written permission.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * POSSIBILITY OF SUCH DAMAGE.
2dd2efa5a06a9befe46075cf41e16f57533c9f98willf * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Use is subject to license terms.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfextern char *strptime (const char *, const char *, struct tm *);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfremove_overlapping_subtrees(char **listin, char **listop, int *subtcount,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* Linux (GNU Libc) provides a length-limited variant of strdup.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf But all the world's not Linux. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfstatic char *my_strndup (const char *input, size_t limit)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* Get integer or string values from the config section, falling back
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf to the default section, then to hard-coded values. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfprof_get_integer_def(krb5_context ctx, const char *conf_section,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message (ctx, err, gettext("Error reading '%s' attribute: %s"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message (ctx, err, gettext("Error reading '%s' attribute: %s"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* We don't have non-null defaults in any of our calls, so don't
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf bother with the extra argument. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfprof_get_string_def(krb5_context ctx, const char *conf_section,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message (ctx, err, gettext("Error reading '%s' attribute: %s"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (*out != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message (ctx, err, gettext("Error reading '%s' attribute: %s"),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function reads the parameters from the krb5.conf file. The
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * parameters read here are DAL-LDAP specific attributes. Some of
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * these are ldap_server ....
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_read_server_params(context, conf_section, srv_type)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ldap_context = (krb5_ldap_context *) dal_handle->db_context;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* copy the conf_section into ldap_context for later use */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* initialize the mutexes and condition variable */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* this portion logically doesn't fit here should be moved appropriately */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* this mutex is used in ldap reconnection pool */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_dal_err_funcp(context, krb5_err_have_str, st,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "k5_mutex_init failed");
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If max_server_conns is not set, read it from the database module
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * section of the conf file. This parameter defines the maximum number of
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ldap connections per ldap server.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "ldap_conns_per_server",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf gettext("Minimum connections required per server is 2"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If the bind dn is not set, read it from the database module
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * section of the conf file. This parameter is populated with one of the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * KDC, ADMIN or PASSWD dns, to be used to connect to the LDAP
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * server. The srv_type decides which dn to read.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = prof_get_string_def (context, conf_section, name,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Read the service_password_file parameter from the database module
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * section of the conf file. This file contains the stashed passwords of
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * the KDC, ADMIN and PASSWD dns.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Solaris Kerberos: providing a default.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = profile_get_string (context->profile, KDB_MODULE_SECTION,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "ldap_service_password_file",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = profile_get_string (context->profile, KDB_MODULE_DEF_SECTION,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "ldap_service_password_file",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Solaris Kerberos: we must use root_certificate_file
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Note, I've changed the ldap_root_certificate_file config parameter to
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ldap_cert_path which is more appropriate for that parameter.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* #ifdef HAVE_EDIRECTORY */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If the root certificate file is not set, read it from the database
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * module section of the conf file. This is the trusted root
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * certificate of the Directory.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "ldap_cert_path",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* #endif */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If the ldap server parameter is not set read the list of ldap
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * servers from the database module section of the conf file.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf *server_info = (krb5_ldap_server_info **) calloc (SERV_COUNT+1,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message (context, st, gettext("Error reading 'ldap_servers' attribute"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*server_info)[ele]->server_name = strdup("ldapi://");
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*server_info)[ele] = (krb5_ldap_server_info *)calloc(1,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function frees the krb5_ldap_context structure members.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_server_handle *ldap_server_handle=NULL, *next_ldap_server_handle=NULL;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Free all ldap servers list and the ldap handles associated with
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf the ldap server. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf free (ldap_context->server_info_list[i]->server_name);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (ldap_context->server_info_list[i]->root_certificate_file) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf free (ldap_context->server_info_list[i]->root_certificate_file);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (ldap_context->server_info_list[i]->ldap_server_handles) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ldap_server_handle = ldap_context->server_info_list[i]->ldap_server_handles;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ldap_unbind_ext_s(ldap_server_handle->ldap_handle, NULL, NULL);
7c64d3750da7fda7e450b8f9b0b963905ded6379mp/* Solaris Kerberos */
7c64d3750da7fda7e450b8f9b0b963905ded6379mp/* #ifdef HAVE_EDIRECTORY */
7c64d3750da7fda7e450b8f9b0b963905ded6379mp/* #endif */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_xfree(ldap_context->certificates[i]->certificate);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * check to see if the principal belongs to the default realm.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * The default realm is present in the krb5_ldap_context structure.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * The principal has a realm portion. This realm portion is compared with the default realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * to check whether the principal belongs to the default realm.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Return 0 if principal belongs to default realm else 1.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf defrealmlen = strlen(ldap_context->lrparams->realm_name);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Care should be taken for inter-realm principals as the default
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * realm can exist in the realm part of the principal name or can
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * also exist in the second portion of the name part. However, if
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * the default realm exist in the second part of the principal
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * portion, then the first portion of the principal name SHOULD be
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * "krbtgt". All of this checking is done in the immediate block.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* first check the length, if they are not equal, then they are not same */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* if the length is equal, check for the contents */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* if we are here, then the realm portions match, return 0 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Deduce the subtree information from the context. A realm can have
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * multiple subtrees.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 1. the Realm container
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 2. the actual subtrees associated with the Realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * However, there are some conditions to be considered to deduce the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * actual subtree/s associated with the realm. The conditions are as
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 1. If the subtree information of the Realm is [Root] or NULL (that
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * is internal a [Root]) then the realm has only one subtree
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * i.e [Root], i.e. whole of the tree.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 2. If the subtree information of the Realm is missing/absent, then the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * realm has only one, i.e., the Realm container. NOTE: In all cases
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Realm container SHOULD be the one among the subtrees or the only
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * one subtree.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 3. The subtree information of the realm is overlapping the realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * container of the realm, then the realm has only one subtree and
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * it is the subtree information associated with the realm.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf unsigned int *ntree;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtarr = (char **) malloc(sizeof(char *) * (subtreecount + 1 /*realm dn*/ + 1 /*containerref*/ + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf memset(subtarr, 0, (sizeof(char *) * (subtreecount+1+1+1)));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the complete subtree list */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf newsubtree = (char **) malloc(sizeof(char *) * (ncount + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = remove_overlapping_subtrees(subtarr, newsubtree, &ncount,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function appends the content with a type into the tl_data
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * structure. Based on the type the length of the content is either
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * pre-defined or computed from the content. Returns 0 in case of
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * success and 1 if the type associated with the content is undefined.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* allocate required memory */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* store the tl_type value */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* store the content length */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* store the content */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* allocate required memory */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf tl_data->tl_data_contents = realloc(tl_data->tl_data_contents,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* store the tl_type value */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* store the content length */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* store the content */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function scans the tl_data structure to get the value of a
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * type defined by the tl_type (second parameter). The tl_data
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * structure has all the data in the tl_data_contents member. The
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * format of the tl_data_contents is as follows. The first byte
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * defines the type of the content that follows. The next 2 bytes
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * define the size n (in terms of bytes) of the content that
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * follows. The next n bytes define the content itself.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf while (curr < (tl_data->tl_data_contents + tl_data->tl_data_length)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the type of the content */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* forward by 1 byte*/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the length of the content */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* forward by 2 bytes */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the actual content */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* intptr = malloc(sublen); */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the length of the content */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* forward by 2 bytes */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the length of the content */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* forward by 2 bytes */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (; j<i; j++)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* move to the current content block */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * wrapper routines for decode_tl_data
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_get_int_from_tl_data(context, entries, type, intval)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Get the mask representing the attributes set on the directory
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * object (user, policy ...).
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf unsigned int *mask;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf return krb5_get_int_from_tl_data(context, entries, KDB_TL_MASK,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf return krb5_get_int_from_tl_data(context, entries, KDB_TL_PRINCTYPE, ptype);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf return krb5_get_int_from_tl_data(context, entries, KDB_TL_PRINCCOUNT, pcount);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (decode_tl_data(&tl_data, KDB_TL_LINKDN, &voidptr) == 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_get_str_from_tl_data(context, entries, type, strval)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (type != KDB_TL_USERDN && type != KDB_TL_CONTAINERDN) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=krb5_dbe_lookup_tl_data(context, entries, &tl_data)) != 0) || tl_data.tl_data_length == 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf return krb5_get_str_from_tl_data(context, entries, KDB_TL_USERDN, userdn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf return krb5_get_str_from_tl_data(context, entries, KDB_TL_CONTAINERDN, containerdn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function reads the attribute values (if the attribute is
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * non-null) from the dn. The attribute values read are compared
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * against the attrvalues passed to the function and a bit mask is set
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * for all the matching attributes (attributes existing in both list).
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * The bit to be set is selected such that the index of the attribute
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * in the attrvalues parameter is the position of the bit. For ex:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * the first element in the attrvalues is present in both list shall
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * set the LSB of the bit mask.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If either the attribute or the attrvalues parameter to the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * function is NULL, then the existence of the object is considered
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * and appropriate status is returned back.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfcheckattributevalue (ld, dn, attribute, attrvalues, mask)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = set_ldap_error(0, LDAP_NO_SUCH_OBJECT, OP_SEARCH);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* read the attribute values from the dn */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If the attribute/attrvalues is NULL, then check for the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * existence of the object alone.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* reset the bit mask */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* read the attribute values */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((values=ldap_get_values(ld, entry, attribute)) != NULL) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Compare the read attribute values with the attrvalues
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * array and set the appropriate bit mask.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j=0; attrvalues[j]; ++j) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; values[i]; ++i) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function updates a single attribute with a single value of a
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * specified dn. This function is mainly used to update
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * krbRealmReferences, krbKdcServers, krbAdminServers... when KDC,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ADMIN, PASSWD servers are associated with some realms or vice
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* data to update the {attr,attrval} combination */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* ldap modify operation */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* if the {attr,attrval} combination is already present return a success
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LDAP_ALREADY_EXISTS is for single-valued attribute
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LDAP_TYPE_OR_VALUE_EXISTS is for multi-valued attribute
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st == LDAP_ALREADY_EXISTS || st == LDAP_TYPE_OR_VALUE_EXISTS)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function deletes a single attribute with a single value of a
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * specified dn. This function is mainly used to delete
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * krbRealmReferences, krbKdcServers, krbAdminServers... when KDC,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ADMIN, PASSWD servers are disassociated with some realms or vice
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* data to delete the {attr,attrval} combination */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* ldap modify operation */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* if either the attribute or the attribute value is missing return a success */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st == LDAP_NO_SUCH_ATTRIBUTE || st == LDAP_UNDEFINED_TYPE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function takes in 2 string arrays, compares them to remove the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * matching entries. The first array is the original list and the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * second array is the modified list. Removing the matching entries
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * will result in a reduced array, where the left over first array
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * elements are the deleted entries and the left over second array
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * elements are the added entries. These additions and deletions have
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * resulted in the modified second array.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* compute the first array length */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0;src[i]; ++i)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* return if the length is 0 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* index of the last element and also the length of the array */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* compute the second array length */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0;dest[i]; ++i)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* return if the length is 0 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* index of the last element and also the length of the array */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* check for the similar elements and delete them from both the arrays */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; src[i]; ++i) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j=0; dest[j]; ++j) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* if the element are same */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If the matched element is in the middle, then copy
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * the last element to the matched index.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (i != slen) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If the matched element is the last, free it and
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * set it to NULL.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* reduce the array length by 1 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* repeat the same processing for the second array too */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (j != dlen) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * The source array is reduced by 1, so reduce the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * index variable used for source array by 1. No need
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * to adjust the second array index variable as it is
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * reset while entering the inner loop.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This function replicates the contents of the src array for later
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * use. Mostly the contents of the src array is obtained from a
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ldap_search operation and the contents are required for later use.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* allocate memory for the dest array */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf *dest = (char **) calloc((unsigned) count+1, sizeof(char *));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* copy the members from src to dest array. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* in case of error free up everything and return */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; (*dest)[i]; ++i) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * krb5_ldap_get_value() - get the integer value of the attribute
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Returns, 0 if the attribute is present, 1 if the attribute is missing.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * The retval is 0 if the attribute is missing.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * krb5_ldap_get_string() - Returns the first string of the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * attribute. Intended to
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_get_string(ld, ent, attribute, retstr, attr_present)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * krb5_ldap_get_strings() - Returns all the values
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * of the attribute.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_get_strings(ld, ent, attribute, retarr, attr_present)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; i< count; ++i) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; i< count; ++i)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_get_time(ld, ent, attribute, rettime, attr_present)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Function to allocate, set the values of LDAPMod structure. The
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LDAPMod structure is then added to the array at the ind
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf lmods = (LDAPMod **) realloc((*mods), (2+i) * sizeof(LDAPMod *));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf int i=0, j=0;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*mods)[i]->mod_values = malloc (sizeof(char *) * (j+1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (; k<j; k++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_add_ber_mem_ldap_mod(mods, attribute, op, ber_values)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf int i=0, j=0;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*mods)[i]->mod_bvalues = malloc (sizeof(struct berval *) * (j+1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*mods)[i]->mod_bvalues[j] = calloc(1, sizeof(struct berval));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*mods)[i]->mod_bvalues[j]->bv_len = ber_values[j]->bv_len;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*mods)[i]->mod_bvalues[j]->bv_val = malloc((*mods)[i]->mod_bvalues[j]->bv_len);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf memcpy((*mods)[i]->mod_bvalues[j]->bv_val, ber_values[j]->bv_val,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfstatic inline char *
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_add_int_arr_mem_ldap_mod(mods, attribute, op, value)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf int i=0, j=0;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf (*mods)[i]->mod_values = malloc(sizeof(char *) * (j+1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((*mods)[i]->mod_values[j] = format_d(value[j])) == NULL)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((*mods)[i]->mod_values[0] = format_d(value)) == NULL)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/*ARGSUSED*/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_set_option(krb5_context kcontext, int option, void *value)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/*ARGSUSED*/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/*ARGSUSED*/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_supported_realms(krb5_context kcontext, char **realms)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/*ARGSUSED*/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_free_supported_realms(krb5_context kcontext, char **realms)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfconst char *
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_errcode_2_string(krb5_context kcontext, long err_code)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_release_errcode_string(krb5_context kcontext, const char *msg)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Get the number of times an object has been referred to in a realm. This is
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * needed to find out if deleting the attribute will cause dangling links.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * An LDAP handle may optionally be specified to prevent a race condition - there
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * are a limited number of LDAP handles.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_get_reference_count (krb5_context context, char *dn, char *refattr,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf filter = (char *) malloc (strlen (refattr) + strlen (ptr) + 2);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (n == -1) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ret = ldap_parse_result (ld, result, &errcode, NULL, NULL, NULL, NULL, 0);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i = 0; i < ntrees; i++)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * For now, policy objects are expected to be directly under the realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * container.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_error_code krb5_ldap_policydn_to_name (context, policy_dn, name)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (strcmp (ldap_context->lrparams->realmdn, policy_dn + (len2 - len1)) != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf rdn = strndup(policy_dn, len2 - len1 - 1); /* 1 character for ',' */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (ldap_str2dn (rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC) != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf else if (strcasecmp (dn[0][0]->la_attr.bv_val, "cn") != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf *name = strndup(dn[0][0]->la_value.bv_val, dn[0][0]->la_value.bv_len);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* 1 = return DN components without type prefix */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_error_code krb5_ldap_name_to_policydn (context, name, policy_dn)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Used for removing policy reference from an object */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf (*policy_dn, "cn=%s,%s", ptr, ldap_context->lrparams->realmdn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* remove overlapping and repeated subtree entries from the list of subtrees */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfremove_overlapping_subtrees(char **listin, char **listop, int *subtcount, int sscope)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((lendiff > 0) && (strcasecmp((listin[k])+lendiff, listin[j])==0)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (k != slen) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } else if ((lendiff < 0) && (strcasecmp((listin[j])+abs(lendiff), listin[k])==0)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (j != slen) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((lendiff == 0) && (strcasecmp(listin[j], listin[k])==0)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (j != slen) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Fill out a krb5_db_entry princ entry struct given a LDAP message containing
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * the results of a principal search of the directory.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char **values = NULL, *policydn = NULL, *pwdpolicydn = NULL;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: added next line to fix memleak */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_copy_principal(context, princ, &(entry->princ))) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the associated directory user information */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((values = ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_unparse_name(context, princ, &user)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf kerberos_principal_object_type = KDB_STANDALONE_PRINCIPAL_OBJECT;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCTYPE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* add principalcount, DN and principaltype user information to tl_data */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=store_tl_data(&userinfo_tl_data, KDB_TL_PRINCCOUNT, &pcount)) != 0) ||
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ((st=store_tl_data(&userinfo_tl_data, KDB_TL_USERDN, DN)) != 0))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* read all the kerberos attributes */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBLASTSUCCESSFULAUTH */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_time(ld, ent, "krbLastSuccessfulAuth",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBLASTFAILEDAUTH */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_time(ld, ent, "krbLastFailedAuth",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBLOGINFAILEDCOUNT */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (krb5_ldap_get_value(ld, ent, "krbLoginFailedCount",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris kerberos: need the cast */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBMAXTICKETLIFE */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", &(entry->max_life)) == 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBMAXRENEWABLEAGE */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBTICKETFLAGS */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (krb5_ldap_get_value(ld, ent, "krbticketflags", &(entry->attributes)) == 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* PRINCIPAL EXPIRATION TIME */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_time(ld, ent, "krbprincipalexpiration", &(entry->expiration),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* PASSWORD EXPIRATION TIME */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_time(ld, ent, "krbpasswordexpiration", &(entry->pw_expiration),
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBPOLICYREFERENCE */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", &policydn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Ensure that the policy is inside the realm container */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = krb5_ldap_policydn_to_name (context, policydn, &tktpolname)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBPWDPOLICYREFERENCE */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_string(ld, ent, "krbpwdpolicyreference", &pwdpolicydn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: changed this to fix memleak */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* krb5_tl_data kadm_tl_data; */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Ensure that the policy is inside the realm container */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
2dd2efa5a06a9befe46075cf41e16f57533c9f98willf /* Solaris Kerberos: adding support for key history in LDAP KDB */
2dd2efa5a06a9befe46075cf41e16f57533c9f98willf if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBSECRETKEY */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_decode_krbsecretkey(context, entry, bvalues)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* LAST PASSWORD CHANGE */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_time(ld, ent, "krbLastPwdChange",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_dbe_update_last_pwd_change(context, entry,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* KRBOBJECTREFERENCES */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = krb5_ldap_get_strings(ld, ent, "krbobjectreferences",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = store_tl_data(&userinfo_tl_data, KDB_TL_LINKDN,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set tl_data */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((ber_tl_data = ldap_get_values_len (ld, ent, "krbExtraData")) != NULL) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = berval2tl_data (ber_tl_data[i], &ptr)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = krb5_dbe_update_tl_data(context, entry, ptr)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris kerberos: fix memory leak */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* update the mask of attributes present on the directory object to the tl_data */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_MASK, &mask)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* LOGIN EXPIRATION TIME */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_time(ld, ent, "loginexpirationtime", &expiretime,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* LOGIN DISABLED */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_string(ld, ent, "logindisabled", &is_login_disabled,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* We already know that the policy is inside the realm container. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: fix memory leak */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* XXX so krb5_encode_princ_contents() will be happy */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: added this to fix memleak */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Solaris libldap does not provide the following functions, which exist in
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * OpenLDAP. Note: Solaris Kerberos added the use_SSL parameter to perform an
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SSL init, and added errstr to return a specific error when it isn't NULL.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Yes, this is ugly, and no, errstr should not be free()'d.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfldap_initialize(LDAP **ldp, char *url, int use_SSL, char **errstr)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* For now, we don't use any DN that may be provided. And on
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf Solaris (based on Mozilla's LDAP client code), we need the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf _nodn form to parse "ldap://host" without a trailing slash.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf Also, this version won't handle an input string which contains
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf multiple URLs, unlike the OpenLDAP ldap_initialize. See
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf https://bugzilla.mozilla.org/show_bug.cgi?id=353336#c1 . */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* to avoid reinit and leaking handles, *ldp must be NULL */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (rc == 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* report error from ldap url parsing */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* convert to generic LDAP error */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#endif /* HAVE_LDAP_INITIALIZE */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfldap_unbind_ext_s(LDAP *ld, LDAPControl **sctrls, LDAPControl **cctrls)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#endif /* HAVE_LDAP_UNBIND_EXT_S */