54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Copyright (c) 2004-2005, Novell, Inc.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Redistribution and use in source and binary forms, with or without
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * modification, are permitted provided that the following conditions are met:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions of source code must retain the above copyright notice,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * this list of conditions and the following disclaimer.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions in binary form must reproduce the above copyright
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * notice, this list of conditions and the following disclaimer in the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * documentation and/or other materials provided with the distribution.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * The copyright holder's name is not used to endorse or promote products
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * derived from this software without specific prior written permission.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * POSSIBILITY OF SUCH DAMAGE.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Use is subject to license terms.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "objectclass",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbprincipalkey",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbmaxrenewableage",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbmaxticketlife",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbticketflags",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbprincipalexpiration",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbticketpolicyreference",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbUpEnabled",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbpwdpolicyreference",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbpasswordexpiration",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbLastFailedAuth",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbLoginFailedCount",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbLastSuccessfulAuth",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "loginexpirationtime",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "logindisabled",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "loginexpirationtime",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "logindisabled",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "modifytimestamp",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbLastPwdChange",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbExtraData",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbObjectReferences",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* Must match KDB_*_ATTR macros in ldap_principal.h. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbmaxrenewableage",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbticketflags",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbprincipalexpiration",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbticketpolicyreference",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbUpEnabled",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbpwdpolicyreference",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbpasswordexpiration",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbprincipalkey",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krblastpwdchange",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbextradata",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbLastSuccessfulAuth",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbLastFailedAuth",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbLoginFailedCount",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf register int i;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i = 0; i < nentries; i++)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalankrb5_ldap_iterate(context, match_expr, func, func_arg, db_args)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
2dd2efa5a06a9befe46075cf41e16f57533c9f98willf /* Solaris Kerberos: adding support for -rev/recurse flags */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char **subtree=NULL, *princ_name=NULL, *realm=NULL, **values=NULL, *filter=NULL;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
2dd2efa5a06a9befe46075cf41e16f57533c9f98willf /* Solaris Kerberos: adding support for -rev/recurse flags */
2dd2efa5a06a9befe46075cf41e16f57533c9f98willf /* LDAP does not support db_args DB arguments for krb5_ldap_iterate */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(context, st, gettext("Default realm not set"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If no match_expr then iterate through all krb princs like the db2 plugin
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf filterlen = strlen(FILTER) + strlen(match_expr) + 2 + 1; /* 2 for closing brackets */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntree)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (krb5_parse_name(context, princ_name, &principal) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (is_principal_in_realm(ldap_context, principal) == 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } /* end of for (ent= ... */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } /* end of for (tree= ... */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: fix memory leak */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * delete a principal from the directory.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_delete_principal(context, searchfor, nentries)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the principal info */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_ldap_get_principal(context, searchfor, &entries, nentries, &more)) != 0 || *nentries == 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) ||
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) ||
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf ((st=krb5_get_userdn(context, &entries, &(DN))) != 0))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(context, st, gettext("DN information missing"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=krb5_unparse_name(context, searchfor, &user)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_ldap_unparse_principal_name(user)) != 0))
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * If the Kerberos user principal to be deleted happens to be the last one associated
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * with the directory user object, then it is time to delete the other kerberos
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * specific attributes like krbmaxticketlife, i.e, unkerberize the directory user.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * From the attrsetmask value, identify the attributes set on the directory user
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * object and delete them.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * other principals' keys are existing/left-over. So delete all the values.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* the same should be done with the objectclass attributes */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL};
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (r > 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_free_principal(context, &entries, *nentries);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Function: krb5_ldap_unparse_principal_name
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Purpose: Removes '\\' that comes before every occurrence of '@'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * in the principal name component.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Arguments:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * user_name (input/output) Principal name
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char *tmp_princ_name=NULL, *princ_name=NULL, *tmp=NULL;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((*tmp_princ_name == '\\') && (*(tmp_princ_name+1) == '@')) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Function: krb5_ldap_parse_principal_name
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Purpose: Inserts '\\' before every occurrence of '@'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * in the principal name component.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Arguments:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * i_princ_name (input) Principal name without '\\'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * o_princ_name (output) Principal name with '\\'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Note: The caller has to free the memory allocated for o_princ_name.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_parse_principal_name(i_princ_name, o_princ_name)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char *tmp_princ_name = NULL, *princ_name = NULL, *at_rlm_name = NULL;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf int l = 0, m = 0, tmp_princ_name_len = 0, princ_name_len = 0, at_count = 0;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf tmp_princ_name = (char *) malloc ((unsigned) tmp_princ_name_len + 1);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf memset(tmp_princ_name, 0, (unsigned) tmp_princ_name_len + 1);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf memcpy(tmp_princ_name, i_princ_name, (unsigned) tmp_princ_name_len);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf princ_name = (char *) malloc ((unsigned) princ_name_len);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: using strlcat for safety */