/*
*
* Copyright (c) 2004-2005, Novell, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* * The copyright holder's name is not used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include "ldap_main.h"
#include "kdb_ldap.h"
#include "ldap_principal.h"
#include "princ_xdr.h"
#include "ldap_err.h"
#include <libintl.h>
"objectclass",
"krbprincipalkey",
"krbmaxrenewableage",
"krbmaxticketlife",
"krbticketflags",
"krbprincipalexpiration",
"krbticketpolicyreference",
"krbUpEnabled",
"krbpwdpolicyreference",
"krbpasswordexpiration",
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbLastSuccessfulAuth",
#ifdef HAVE_EDIRECTORY
"loginexpirationtime",
"logindisabled",
#endif
"loginexpirationtime",
"logindisabled",
"modifytimestamp",
"krbLastPwdChange",
"krbExtraData",
"krbObjectReferences",
NULL };
/* Must match KDB_*_ATTR macros in ldap_principal.h. */
"krbmaxrenewableage",
"krbticketflags",
"krbprincipalexpiration",
"krbticketpolicyreference",
"krbUpEnabled",
"krbpwdpolicyreference",
"krbpasswordexpiration",
"krbprincipalkey",
"krblastpwdchange",
"krbextradata",
"krbLastSuccessfulAuth",
"krbLastFailedAuth",
"krbLoginFailedCount",
NULL };
void
{
int i, j;
if (tl_data->tl_data_contents)
}
for (i = 0; i < entry->n_key_data; i++) {
0,
}
}
}
}
}
return;
}
int nentries;
{
register int i;
for (i = 0; i < nentries; i++)
return 0;
}
char *match_expr;
char **db_args;
/*
 * Principal iteration routine.  Only a fragment survives in this listing: the
 * name line and many body statements are missing, so the control flow below
 * is partial.  match_expr is an optional search expression; db_args is not
 * supported and is rejected before any directory access happens.
 */
{
/* Clear the global error string */
if (db_args) {
/* LDAP does not support db_args DB arguments for krb5_ldap_iterate */
/* The message format is the fixed gettext() literal; db_args[0] is only its
 * %s argument, so caller-supplied text is never used as a format string. */
gettext("Unsupported argument \"%s\" for ldap"),
db_args[0]);
return EINVAL;
}
goto cleanup;
}
}
/*
 * If no match_expr then iterate through all krb princs like the db2 plugin
 */
if (match_expr == NULL)
/*LINTED*/
goto cleanup;
/* Presumably acquires the LDAP connection handle; its error path is not
 * visible in this fragment. */
GET_HANDLE();
if (values[i])
continue;
continue;
/* Any failure converting a directory entry abandons the whole iteration. */
&entry)) != 0)
goto cleanup;
if (princ_name)
break;
}
if (princ_name)
}
}
} /* end of for (ent= ... */
} /* end of for (tree= ... */
/* cleanup path: the filter derived from match_expr is released here (the
 * freeing statement itself is not visible in this listing). */
if (filter)
/* Solaris Kerberos: fix memory leak */
}
return st;
}
/*
* delete a principal from the directory.
*/
int *nentries; /* how many found & deleted */
/*
 * Deletes a principal from the directory.  Fragment: the name line and many
 * statements are missing from this listing.  *nentries receives the number of
 * matching entries and is also used below as the "found anything" test.
 */
{
unsigned int attrsetmask=0;
/* Clear the global error string */
/* get the principal info */
/* Nothing to delete unless the lookup succeeded and matched at least one
 * entry; every later step operates on the fetched entry. */
if ((st=krb5_ldap_get_principal(context, searchfor, &entries, nentries, &more)) != 0 || *nentries == 0)
goto cleanup;
goto cleanup;
goto cleanup;
}
GET_HANDLE();
/* A standalone principal object is removed as a whole (the delete call itself
 * is not visible here); only its LDAP status is checked afterwards. */
if (ptype == KDB_STANDALONE_PRINCIPAL_OBJECT) {
if (st != LDAP_SUCCESS) {
goto cleanup;
}
} else {
goto cleanup;
/* The principal lives on a shared directory user object: only the values in
 * strval that belong to this principal are modified away. */
strval)) != 0)
goto cleanup;
/* Other principals still reference the user object, so the shared Kerberos
 * attributes must be left in place. */
if (singleentry == FALSE) {
goto cleanup;
}
} else {
/*
* If the Kerberos user principal to be deleted happens to be the last one associated
* with the directory user object, then it is time to delete the other kerberos
* specific attributes like krbmaxticketlife, i.e, unkerberize the directory user.
* From the attrsetmask value, identify the attributes set on the directory user
* object and delete them.
* NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
*/
/* Walk attrsetmask one bit at a time; j advances in step with the bits and
 * presumably indexes the attribute table that "must match KDB_*_ATTR" (the
 * delete-attribute call is not visible in this fragment). */
while (attrsetmask) {
if (attrsetmask & 1) {
NULL)) != 0)
goto cleanup;
}
attrsetmask >>= 1;
++j;
}
/* the same should be done with the objectclass attributes */
{
/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */
int p, q, r=0, amask=0;
goto cleanup;
/* Bits 1, 2 and 4 of amask select up to three auxiliary object classes from
 * attrvalues.  strval's declaration is not in this listing; it must have
 * room for the r selected values plus a terminating NULL for the modify
 * call below -- verify against the declaration. */
for (p=1, q=0; p<=4; p<<=1, ++q)
if (p & amask)
strval[r++] = attrvalues[q];
if (r > 0) {
strval)) != 0)
goto cleanup;
}
}
}
if (st != LDAP_SUCCESS) {
goto cleanup;
}
}
/* cleanup path: per-call allocations are released here; the freeing
 * statements themselves are missing from this listing. */
if (user)
if (DN)
int i=0;
++i;
}
}
if (st == 0)
return st;
}
/*
* Function: krb5_ldap_unparse_principal_name
*
* Purpose: Removes '\\' that comes before every occurrence of '@'
* in the principal name component.
*
* Arguments:
*
*/
/*
 * Body fragment (the name and parameter lines are missing from this listing).
 * Copies the input into a freshly allocated string, dropping the bytes that
 * the "tmp_princ_name += 1" branch skips -- per the header comment, the '\\'
 * escapes placed before '@'.
 */
{
int l=0;
/* The working copy is allocated by a statement not visible here; the
 * allocation must be checked before it is walked. */
if (!tmp_princ_name) {
goto cleanup;
}
/* Every input byte is either copied once or skipped, so the output never
 * exceeds the input length; the allocation itself is not visible here --
 * verify it provides strlen(input) + 1 bytes. */
if (!princ_name) {
goto cleanup;
}
l = 0;
while (*tmp_princ_name) {
/* Skip this byte without copying (the condition line is missing; the header
 * comment says this is the '\\' preceding an '@'). */
tmp_princ_name += 1;
} else {
*(princ_name + l) = *tmp_princ_name++;
l++;
}
}
/* NOTE(review): the write of the terminating NUL at princ_name[l] is not
 * visible in this fragment -- confirm it happens before the result is handed
 * out, otherwise the unparsed name is not a valid C string. */
/*LINTED*/
}
if (tmp) {
}
/* On the cleanup path princ_name is released and cleared; whether this also
 * runs on success depends on lines not shown here. */
if (princ_name) {
princ_name = NULL;
}
return st;
}
/*
* Function: krb5_ldap_parse_principal_name
*
* Purpose: Inserts '\\' before every occurrence of '@'
* in the principal name component.
*
* Arguments:
* i_princ_name (input) Principal name without '\\'
* o_princ_name (output) Principal name with '\\'
*
* Note: The caller has to free the memory allocated for o_princ_name.
*/
char *i_princ_name;
char **o_princ_name;
/*
 * Escapes each '@' inside the principal-name component with a preceding '\\'
 * (presumably so the component stays distinct from the realm separator when
 * stored).  Several statements are missing from this listing: the function
 * name line, the realm lookup that sets at_rlm_name, the allocations and
 * the final strlcat.  The caller owns and frees *o_princ_name.
 */
{
/* No realm separator found: the output is presumably a plain copy of the
 * input (copy statement not visible); only its allocation is checked. */
if (!at_rlm_name) {
if (!o_princ_name) {
goto cleanup;
}
} else {
/* Working copy of the component part; must be checked before use. */
if (!tmp_princ_name) {
goto cleanup;
}
/* First pass: count the '@' characters so the output can be sized. */
l = 0;
while (tmp_princ_name[l]) {
if (tmp_princ_name[l++] == '@')
at_count++;
}
/* The output allocation is not visible here.  It must provide
 * strlen(component) + at_count (one '\\' per '@') + the realm suffix + 1;
 * anything smaller lets the second pass or the strlcat below overrun --
 * verify against the allocation statement. */
if (!princ_name) {
goto cleanup;
}
/* Second pass: copy, inserting a '\\' before each '@'.  Writing the NUL at
 * princ_name[m] before the strlcat is required but not visible here. */
l = 0;
m = 0;
while (tmp_princ_name[l]) {
if (tmp_princ_name[l] == '@') {
princ_name[m++]='\\';
}
princ_name[m++]=tmp_princ_name[l++];
}
/* Solaris Kerberos: using strlcat for safety */
}
if (tmp_princ_name) {
}
return st;
}