ldap_principal.c revision 54925bf60766fbb4f1f2d7c843721406a7b7a3fb
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers#pragma ident "%Z%%M% %I% %E% SMI"
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Copyright (c) 2004-2005, Novell, Inc.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * All rights reserved.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Redistribution and use in source and binary forms, with or without
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * modification, are permitted provided that the following conditions are met:
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * * Redistributions of source code must retain the above copyright notice,
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * this list of conditions and the following disclaimer.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * * Redistributions in binary form must reproduce the above copyright
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * notice, this list of conditions and the following disclaimer in the
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * documentation and/or other materials provided with the distribution.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * * The copyright holder's name is not used to endorse or promote products
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * derived from this software without specific prior written permission.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * POSSIBILITY OF SUCH DAMAGE.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Use is subject to license terms.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowersstruct timeval timelimit = {300, 0}; /* 5 minutes */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowerschar *principal_attributes[] = { "krbprincipalname",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "objectclass",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbprincipalkey",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbmaxrenewableage",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbmaxticketlife",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbticketflags",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbprincipalexpiration",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbticketpolicyreference",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbUpEnabled",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbpwdpolicyreference",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbpasswordexpiration",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbLastFailedAuth",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbLoginFailedCount",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbLastSuccessfulAuth",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "loginexpirationtime",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "logindisabled",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "loginexpirationtime",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "logindisabled",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "modifytimestamp",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbLastPwdChange",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbExtraData",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbObjectReferences",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers/* Must match KDB_*_ATTR macros in ldap_principal.h. */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowersstatic char *attributes_set[] = { "krbmaxticketlife",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbmaxrenewableage",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbticketflags",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbprincipalexpiration",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbticketpolicyreference",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbUpEnabled",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbpwdpolicyreference",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbpasswordexpiration",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbprincipalkey",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krblastpwdchange",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbextradata",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbLastSuccessfulAuth",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbLastFailedAuth",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers "krbLoginFailedCount",
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowerskrb5_ldap_free_principal(kcontext , entries, nentries)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers register int i;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers for (i = 0; i < nentries; i++)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowerskrb5_ldap_iterate(context, match_expr, func, func_arg)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers char **subtree=NULL, *princ_name=NULL, *realm=NULL, **values=NULL, *filter=NULL;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers /* Clear the global error string */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers krb5_set_error_message(context, st, gettext("Default realm not set"));
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * If no match_expr then iterate through all krb princs like the db2 plugin
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers filterlen = strlen(FILTER) + strlen(match_expr) + 2 + 1; /* 2 for closing brackets */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntree)) != 0)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if (krb5_parse_name(context, princ_name, &principal) != 0)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if (is_principal_in_realm(ldap_context, principal) == 0) {
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal,
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers } /* end of for (ent= ... */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers } /* end of for (tree= ... */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers /* Solaris Kerberos: fix memory leak */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * delete a principal from the directory.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowerskrb5_ldap_delete_principal(context, searchfor, nentries)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers unsigned int attrsetmask=0;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers /* Clear the global error string */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers /* get the principal info */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st=krb5_ldap_get_principal(context, searchfor, &entries, nentries, &more)) != 0 || *nentries == 0)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) ||
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) ||
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers ((st=krb5_get_userdn(context, &entries, &(DN))) != 0))
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers krb5_set_error_message(context, st, gettext("DN information missing"));
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if (((st=krb5_unparse_name(context, searchfor, &user)) != 0)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers || ((st=krb5_ldap_unparse_principal_name(user)) != 0))
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * If the Kerberos user principal to be deleted happens to be the last one associated
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * with the directory user object, then it is time to delete the other kerberos
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * specific attributes like krbmaxticketlife, i.e., unkerberize the directory user.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * From the attrsetmask value, identify the attributes set on the directory user
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * object and delete them.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * other principals' keys are still present/left over. So delete all the values.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE,
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers /* the same should be done with the objectclass attributes */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL};
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers int p, q, r=0, amask=0;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if (r > 0) {
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE,
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers krb5_ldap_free_principal(context, &entries, *nentries);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Function: krb5_ldap_unparse_principal_name
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Purpose: Removes the '\\' that precedes every occurrence of '@'
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * in the principal name component.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Arguments:
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * user_name (input/output) Principal name
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers char *tmp_princ_name=NULL, *princ_name=NULL, *tmp=NULL;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers if ((*tmp_princ_name == '\\') && (*(tmp_princ_name+1) == '@')) {
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Function: krb5_ldap_parse_principal_name
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Purpose: Inserts '\\' before every occurrence of '@'
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * in the principal name component.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Arguments:
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * i_princ_name (input) Principal name without '\\'
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * o_princ_name (output) Principal name with '\\'
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers * Note: The caller has to free the memory allocated for o_princ_name.
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowerskrb5_ldap_parse_principal_name(i_princ_name, o_princ_name)
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers char *tmp_princ_name = NULL, *princ_name = NULL, *at_rlm_name = NULL;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers int l = 0, m = 0, tmp_princ_name_len = 0, princ_name_len = 0, at_count = 0;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers tmp_princ_name = (char *) malloc ((unsigned) tmp_princ_name_len + 1);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers memset(tmp_princ_name, 0, (unsigned) tmp_princ_name_len + 1);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers memcpy(tmp_princ_name, i_princ_name, (unsigned) tmp_princ_name_len);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers princ_name_len = strlen(i_princ_name) + at_count + 1;
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers princ_name = (char *) malloc ((unsigned) princ_name_len);
f9fbec18f5b458b560ecf45d3db8e8bd56bf6942mcpowers /* Solaris Kerberos: using strlcat for safety */