54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#pragma ident "%Z%%M% %I% %E% SMI"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Copyright (c) 2004-2005, Novell, Inc.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Redistribution and use in source and binary forms, with or without
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * modification, are permitted provided that the following conditions are met:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions of source code must retain the above copyright notice,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * this list of conditions and the following disclaimer.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions in binary form must reproduce the above copyright
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * notice, this list of conditions and the following disclaimer in the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * documentation and/or other materials provided with the distribution.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * The copyright holder's name is not used to endorse or promote products
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * derived from this software without specific prior written permission.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * POSSIBILITY OF SUCH DAMAGE.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Use is subject to license terms.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfstatic char *password_policy_attributes[] = { "cn", "krbmaxpwdlife", "krbminpwdlife",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Function to create password policy object.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = krb5_ldap_name_to_policydn (context, policy->name, &policy_dn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* get the first component of the dn to set the cn attribute */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_set_error_message(context, st, gettext("Invalid password policy DN syntax"));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_ADD,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_ADD,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_ADD,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_ADD,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_ADD,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* password policy object creation */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=ldap_add_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Function to modify password policy object.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = krb5_ldap_name_to_policydn (context, policy->name, &policy_dn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxpwdlife", LDAP_MOD_REPLACE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbminpwdlife", LDAP_MOD_REPLACE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdmindiffchars", LDAP_MOD_REPLACE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdminlength", LDAP_MOD_REPLACE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf || ((st=krb5_add_int_mem_ldap_mod(&mods, "krbpwdhistorylength", LDAP_MOD_REPLACE,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* modify the password policy object. */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This will fail if the 'policy_dn' is anywhere other than under the realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * container. This is correct behaviour. 'kdb5_ldap_util' will support
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * management of only such policy objects.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=ldap_modify_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", (int *)&(pol_entry->pw_max_life));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbminpwdlife", (int *)&(pol_entry->pw_min_life));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", (int *)&(pol_entry->pw_min_classes));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdminlength", (int *)&(pol_entry->pw_min_length));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", (int *)&(pol_entry->pw_history_num));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the reference count */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Solaris Kerberos: trying to avoid memory leaks */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_get_password_policy_from_dn (krb5_context context,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf *(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#if 0 /************** Begin IFDEF'ed OUT *******************************/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#endif /**************** END IFDEF'ed OUT *******************************/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#if 0 /************** Begin IFDEF'ed OUT *******************************/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &((*policy)->pw_max_life));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbminpwdlife", &((*policy)->pw_min_life));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &((*policy)->pw_min_classes));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdminlength", &((*policy)->pw_min_length));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &((*policy)->pw_history_num));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the reference count */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbPwdPolicyReference",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#endif /**************** END IFDEF'ed OUT *******************************/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Convert 'name' into a directory DN and call
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * 'krb5_ldap_get_password_policy_from_dn'
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_get_password_policy (context, name, policy, cnt)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = krb5_ldap_name_to_policydn(context, name, &policy_dn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, policy, cnt);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char *policy_dn = NULL, *class[] = {"krbpwdpolicy", NULL};
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* validate the input parameters */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = krb5_ldap_name_to_policydn (context, policy, &policy_dn);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Ensure that the object is a password policy */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (mask == 0) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != LDAP_SUCCESS) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_iterate_password_policy(context, match_expr, func, func_arg)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Clear the global error string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf LDAP_SEARCH(ldap_context->lrparams->realmdn, LDAP_SCOPE_ONELEVEL, "(objectclass=krbpwdpolicy)", password_policy_attributes);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf st = krb5_ldap_get_string(ld, ent, "cn", &policy, &attr_present);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((st = populate_policy(context, ld, ent, policy, entry)) != 0)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#if 0 /************** Begin IFDEF'ed OUT *******************************/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbmaxpwdlife", &(entry->pw_max_life));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbminpwdlife", &(entry->pw_min_life));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdmindiffchars", &(entry->pw_min_classes));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdminlength", &(entry->pw_min_length));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_get_value(ld, ent, "krbpwdhistorylength", &(entry->pw_history_num));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Get the reference count */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf "krbPwdPolicyReference",
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#endif /**************** END IFDEF'ed OUT *******************************/
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* XXX this will free policy so don't free it */