2N/A/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ 2N/A * Copyright (c) 2004-2005, Novell, Inc. 2N/A * All rights reserved. 2N/A * Redistribution and use in source and binary forms, with or without 2N/A * modification, are permitted provided that the following conditions are met: 2N/A * * Redistributions of source code must retain the above copyright notice, 2N/A * this list of conditions and the following disclaimer. 2N/A * * Redistributions in binary form must reproduce the above copyright 2N/A * notice, this list of conditions and the following disclaimer in the 2N/A * documentation and/or other materials provided with the distribution. 2N/A * * The copyright holder's name is not used to endorse or promote products 2N/A * derived from this software without specific prior written permission. 2N/A * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 2N/A * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2N/A * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2N/A * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 2N/A * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 2N/A * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 2N/A * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 2N/A * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 2N/A * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 2N/A * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 2N/A * POSSIBILITY OF SUCH DAMAGE. 2N/A * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. 2N/A/* Return true if it's okay to return aliases according to flags. */ 2N/A * The current DAL does not have a flag to indicate whether 2N/A * aliases are okay. For service name lookups (AS or TGT path), 2N/A * we can always return aliases. 
For client name lookups, we can 2N/A * only return aliases if the client passed the canonicalize flag. 2N/A * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name lookups. 2N/A * This method has the side effect of permitting aliases for 2N/A * lookups by administrative interfaces (e.g. kadmin), which can then resolve a principal by one of its aliases. Since we 2N/A * don't have explicit admin support for aliases yet, this is acceptable. 2N/A * look up a principal in the directory. 2N/A /* Clear the global error string */ 2N/A /* set initial values */ 2N/A /* get the associated directory user information */ 2N/A /* a wild-card in a principal name can return a list of kerberos principals. 2N/A * Make sure that the correct principal is returned. 2N/A * NOTE: a principal name such as k* in the ldap server will return all principals starting with k, so each result must be checked against the requested name. 2N/A /* We matched an alias, not the canonical name. */ 2N/A }
else /* No canonicalization, so don't return aliases. */ 2N/A }
/* for (tree=0 ... */ 2N/A /* once done, put back the ldap handle */ 2N/A * ptype is creating confusions. Additionally the logic 2N/A * surrounding ptype is redundant and can be achieved 2N/A * with the help of dn and containerdn members. 2N/A * so dropping the ptype member 2N/A * This should be pushed back into other library initialization 2N/A * This should be pushed back into other library initialization 2N/A/* Decoding ASN.1 encoded key */ 2N/A /* Find the number of key versions */ 2N/A /*CHECK_NULL(ret[j]); */ 2N/A /* Clear the global error string */ 2N/A /* get ldap handle */ 2N/A /* get the principal information to act on */ 2N/A /* Identify the type of operation, it can be 2N/A * add principal or modify principal. 2N/A * hack if the entries->mask has KRB_PRINCIPAL flag set 2N/A * then it is an add operation 2N/A /* A load operation is special, will do a mix-in (add krbprinc 2N/A * attrs to a non-krb object entry) if an object exists with a 2N/A * matching krbprincipalname attribute so try to find existing 2N/A * object and set principal_dn. This assumes that the 2N/A * krbprincipalname attribute is unique (only one object entry has 2N/A * a particular krbprincipalname attribute); if the search finds more than one match the load is refused rather than guessing which entry to modify. 2N/A /* must have principal name for search */ 2N/A /* get the current subtree list */ 2N/A /* search for entry with matching krbprincipalname attribute */ 2N/A /* just look for entry with principal_dn */ 2N/A gettext(
"operation can not continue, more than one entry with principal name \"%s\" found"),
2N/A /* setting principal_dn will cause that entry to be modified further down */ 2N/A /* could not perform search, return with failure */ 2N/A * If it isn't found then assume a standalone princ entry is to 2N/A }
/* end for (tree = 0; principal_dn == ... */ 2N/A * if principal_dn is null then there is code further down to 2N/A * deal with setting standalone_principal_dn. Also note that 2N/A * this will set create_standalone_prinicipal true for 2N/A * non-mix-in entries which is okay if loading from a dump. 2N/A }
/* end if (entries->mask & KADM5_LOAD */ 2N/A /* time to generate the DN information with the help of 2N/A * containerdn, principalcontainerreference or 2N/A * realmcontainerdn information 2N/A /* get the subtree information */ 2N/A /* if the principal is an inter-realm principal, always created in the realm container */ 2N/A * Here the subtree should be changed with 2N/A * principalcontainerreference attribute value 2N/A * free subtree when you are done using the subtree 2N/A * set the boolean create_standalone_prinicipal to TRUE 2N/A * If the DN information is presented by the user, time to 2N/A * validate the input to ensure that the DN falls under 2N/A * any of the configured subtrees; a caller-supplied DN outside them is rejected. 2N/A /* make sure the DN falls in the subtree */ 2N/A * Even though the standalone_principal_dn is constructed 2N/A * within this function, there is the containerdn input 2N/A * from the user that can become part of it, so it is validated against the subtree list too. 2N/A /* get the current subtree list */ 2N/A * dn value will be set either by dn, linkdn or the standalone_principal_dn 2N/A * In the first 2 cases, the dn must already exist and in the last case we 2N/A * are supposed to create the ldap object. so the below should not be 2N/A * executed for the last case. 2N/A * If the ldap object is missing, this results in an error. 2N/A * Search for krbprincipalname attribute here. 2N/A * This is to find if a kerberos identity is already present 2N/A * on the ldap object, in which case adding a kerberos identity 2N/A * on the ldap object should result in an error. 2N/A * If xargs.dn is set then the request is to add a 2N/A * kerberos principal on an ldap object, but if 2N/A * there is one already on the ldap object this 2N/A * should result in an error. 2N/A * link information can be changed using modprinc. 2N/A * However, link information can be changed only on the 2N/A * standalone kerberos principal objects. A standalone 2N/A * kerberos principal object is of type krbprincipal 2N/A * structural objectclass. 
2N/A * NOTE: kerberos principals on an ldap object can't be 2N/A * linked to other ldap objects. 2N/A gettext(
"link information can not be set/updated as the kerberos principal belongs to an ldap object"));
2N/A * Check the link information. If there is already a link 2N/A * existing then this operation is not allowed. 2N/A "to a ldap object"));
2N/A /* Check if the krbLoginFailedCount attribute exists. (Through 2N/A * krb5 1.8.1, it wasn't set in new entries.) */ 2N/A * If the client library and server support RFC 4525, 2N/A * then use it to increment by one the value of the 2N/A * krbLoginFailedCount attribute. Otherwise, assert the 2N/A * (provided) old value by deleting it before adding, so that a concurrent update of the counter makes this modify fail instead of silently overwriting the other writer's count. 2N/A#
endif /* LDAP_MOD_INCREMENT */ 2N/A "krbLoginFailedCount",
2N/A /* Initialize krbLoginFailedCount in new entries to help avoid a 2N/A * race during the first failed login. */ 2N/A /* FIX ME: I guess the princ_ent should be freed after this call */ 2N/A * a load is special in that existing entries must have attrs that 2N/A "krbpasswordexpiration",
2N/A /* Update last password change whenever a new key is set */ 2N/A }
/* Modify Key data ends here */ 2N/A /* Ignore tl_data that are stored in separate directory 2N/A /* Directory specific attribute */ 2N/A /* if xargs.tktpolicydn is an empty string, then delete 2N/A * already existing krbticketpolicyreference attr */ 2N/A * in case mods is NULL then return 2N/A * not sure but can happen in a modprinc 2N/A * so no need to return an error 2N/A * addprinc will at least have the principal name 2N/A * and the keys passed in 2N/A /* a load operation must replace an existing entry */ 2N/A * Here the existing ldap object is modified and can be related 2N/A * to any attribute, so always ensure that the ldap 2N/A * object is extended with all the kerberos related 2N/A * objectclasses so that there are no constraint 2N/A for (p=
1, q=0; p<=
2; p<<=
1, ++q) {
2N/A st = 0;
/* reset the return status */ 2N/A st = -
1;
/* Something more appropriate ? */ 2N/A gettext(
"unable to decode stored principal key data (%s)"),
msg);
2N/A /* Solaris Kerberos */