54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf#pragma ident "%Z%%M% %I% %E% SMI"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Copyright (c) 2004-2005, Novell, Inc.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * All rights reserved.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * Redistribution and use in source and binary forms, with or without
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * modification, are permitted provided that the following conditions are met:
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions of source code must retain the above copyright notice,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * this list of conditions and the following disclaimer.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * Redistributions in binary form must reproduce the above copyright
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * notice, this list of conditions and the following disclaimer in the
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * documentation and/or other materials provided with the distribution.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * * The copyright holder's name is not used to endorse or promote products
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * derived from this software without specific prior written permission.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * POSSIBILITY OF SUCH DAMAGE.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf/* NOTE: add appropriate rights for krbpasswordexpiration attribute */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * This will set the rights for the Kerberos service objects.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * The function will read the subtree attribute from the specified
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * realm name and will set the appropriate rights on both the realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * container and the subtree. The Kerberos context passed should
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * have a valid LDAP handle, with appropriate rights to write ACL
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * attributes.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf * krb5_context - IN The Kerberos context with a valid LDAP handle
/*
 * Grant the service object named by serviceobjdn the ACL rights it needs
 * on the security container, the kerberos container, the realm container
 * (cn=<realmname>,<krbcontainer DN>) and on each subtree of the realm.
 * Every ACL value is assembled as <table prefix><serviceobjdn><third string>
 * with sprintf() into a freshly malloc()ed buffer and applied through the
 * LDAPMod arrays declared below.
 *
 * context      - IN  Kerberos context carrying the LDAP handle
 * servicetype  - IN  must be in 0..4, anything else is rejected up front
 * serviceobjdn - IN  DN of the service object receiving the rights
 * realmname    - IN  realm whose container and subtrees are modified
 * subtreeparam - IN  subtree list; a NULL subtree is mapped to the root
 * mask         - IN  (its use is not visible in this listing)
 *
 * LDAP_TYPE_OR_VALUE_EXISTS and LDAP_OTHER are tolerated after every
 * modify, so an ACL that failed to apply is indistinguishable from one
 * that was added: the service can end up with fewer rights than intended
 * and the caller cannot tell from the return value.
 * The LDAP handle is handed back to the pool at the end.
 */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
 /* Each acls[] array holds one value plus its NULL terminator for the LDAPMod */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass;
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf LDAPMod *realmarr[3]={NULL}, *subtreearr[3]={NULL}, *seccontarr[3]={NULL}, *krbcontarr[3]={NULL};
 /* Reject missing DNs and a servicetype outside 0..4 before any allocation */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
 /*
  * One extra slot is reserved for a terminating NULL entry.
  * NOTE(review): the malloc() result is not checked on this line; confirm a
  * NULL check follows before subtree[] is written.
  * NOTE(review): the delete counterpart in this file sizes the same array as
  * sizeof(char *) * subtreecount + 1, which by operator precedence reserves
  * subtreecount pointers plus one byte rather than subtreecount + 1 pointers,
  * so storing the terminating entry there writes past the allocation. The
  * parenthesised form used here is the correct one.
  */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If the subtree is null, set the value to root */
 /*
  * subtree[i] is read before i is compared with subtreecount, so this loop
  * depends on the terminating NULL actually being stored at
  * subtree[subtreecount] (the store is not visible here -- confirm).
  */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; subtree[i] != NULL && i<subtreecount; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set the rights for the service object on the security container */
 /* The rights tables end with an entry whose first string is "" */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
 /*
  * Buffer sized from the strlen() of each part; the size expression
  * continues on a line not shown here.
  * NOTE(review): the allocation is unchecked and sprintf() trusts the
  * computed size; snprintf() with that size would make the bound explicit
  * rather than implied by the arithmetic above it.
  */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf seccontacls[0] = (char *)malloc(strlen(security_container[i][0]) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
 /* LDAP_OTHER is swallowed: a failed ACL add does not reach the caller */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set the rights for the service object on the kerberos container */
 /* Same pattern as the security container: table prefix + serviceobjdn + third string */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krbcontacls[0] = (char *)malloc(strlen(kerberos_container[i][0]) + strlen(serviceobjdn)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set the rights for the realm */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Construct the realm dn from realm name */
 /*
  * realmdn = "cn=<realmname>,<krbcontainer DN>". realmname is caller data,
  * so its length is measured rather than assumed; the size expression
  * continues on a line not shown here and the result is unchecked on this line.
  */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
 /* Three rights tables are applied to the realm container: kdc, admin, password */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmacls[0] = (char *) malloc(strlen(pwdrights_realmcontainer[i][0]) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } /* Realm rights settings ends here */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Subtree rights to be set */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Populate the acl data to be added to the subtree */
 /* The same three tables (kdc, admin, password) are applied to every subtree */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* set rights to a list of subtrees */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* set rights to a list of subtrees */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtreeacls[0] = (char *)malloc(strlen(pwdrights_subtree[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* set rights to a list of subtrees */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } /* Subtree rights settings ends here */
 /* Return the pooled handle; freeing of realmdn and subtree is not visible here */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf This will remove the rights for the Kerberos service objects.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf The function will read the subtree attribute from the specified
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realm name and will remove the appropriate rights on both the realm
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf container and the subtree. The Kerberos context passed should
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf have a valid LDAP handle, with appropriate rights to write ACL
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf attributes.
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf krb5_context - IN The Kerberos context with a valid LDAP handle
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillfkrb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf char *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf LDAPMod *realmarr[3] = { NULL }, *subtreearr[3] = { NULL };
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtree = (char **) malloc(sizeof(char *) * subtreecount + 1);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* If the subtree is null, set the value to root */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for(i=0; subtreeparam[i]!=NULL && i<subtreecount; i++)
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set the rights for the realm */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Construct the realm dn from realm name */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmdn = (char *) malloc(strlen("cn=") + strlen(realmname) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf realmacls[0]=(char *)malloc(strlen(pwdrights_realmcontainer[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } /* Realm rights setting ends here */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Set the rights for the subtree */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf /* Populate the acl data to be added to the subtree */
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0])
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
54925bf60766fbb4f1f2d7c843721406a7b7a3fbwillf } /* Subtree rights setting ends here */