authorKen Raeburn <raeburn@mit.edu>2006-08-29 19:52:38 +0000
committerKen Raeburn <raeburn@mit.edu>2006-08-29 19:52:38 +0000
commit9ea7dbddd2e7bfc54650de3933fadc18bd27b6e9 (patch)
tree3befcfac58d545f39230a8807a3955a1157556a9
parent7d5184becee74e2b908e60c7c58eec6fcf8dd2d2 (diff)
downloadkrb5-9ea7dbddd2e7bfc54650de3933fadc18bd27b6e9.zip
krb5-9ea7dbddd2e7bfc54650de3933fadc18bd27b6e9.tar.gz
krb5-9ea7dbddd2e7bfc54650de3933fadc18bd27b6e9.tar.bz2
Patch from Savitha R:
ldap_util: 1. kdb5_ldap_util interface: removed the supported-enctypes and supported-salttypes options from create realm and modify realm, since they are currently unused. 2. memset password strings to zero once they are no longer needed. 3. Use krb5_sname_to_principal in place of gethostbyname when creating the kadmin/<hostname> principal. libkdb_ldap: 1. Added mandatory DAL functions that were missing from the LDAP plug-in. 2. Error handling: set the error message in the Kerberos context when decryption of the service password fails or when the connection to the LDAP server fails during initialization. Additional changes: libkdb_ldap: link against the com_err library, to provide error_message(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18548 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb5/error_tables/kdb5_err.et1
-rw-r--r--src/plugins/kdb/ldap/ldap_exp.c18
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c431
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c24
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M52
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c10
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/Makefile.in2
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c1
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h21
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c6
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c49
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c7
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c18
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h7
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c39
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h5
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports8
17 files changed, 204 insertions, 495 deletions
diff --git a/src/lib/krb5/error_tables/kdb5_err.et b/src/lib/krb5/error_tables/kdb5_err.et
index d6014ac..953fff3 100644
--- a/src/lib/krb5/error_tables/kdb5_err.et
+++ b/src/lib/krb5/error_tables/kdb5_err.et
@@ -75,6 +75,7 @@ ec KRB5_KDB_SERVER_INTERNAL_ERR, "Server error"
ec KRB5_KDB_ACCESS_ERROR, "Unable to access Kerberos database"
ec KRB5_KDB_INTERNAL_ERROR, "Kerberos database internal error"
ec KRB5_KDB_CONSTRAINT_VIOLATION, "Kerberos database constraints violated"
+ec KRB5_KDB_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton"
end
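Review bot: The new message string has a typo, "operaton"; this table becomes the user-visible text returned by error_message() for the new code, so it should read `ec KRB5_KDB_PLUGIN_OP_NOTSUPP, "Plugin does not support the operation"`. The error-table ids are frozen once shipped, so fixing the wording now costs nothing, whereas fixing it later only changes the text.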
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index 15aea0a..6c5a370 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -40,6 +40,7 @@
#include "ldap_principal.h"
#include "ldap_pwd_policy.h"
+
/*
* Exposed API
*/
@@ -51,12 +52,12 @@ kdb_vftabl kdb_function_table = {
/* fini_library */ krb5_ldap_lib_cleanup,
/* init_module */ krb5_ldap_open,
/* fini_module */ krb5_ldap_close,
- /* db_create */ NULL,
- /* db_destroy */ NULL,
+ /* db_create */ krb5_ldap_create_realm_1,
+ /* db_destroy */ krb5_ldap_delete_realm_1,
/* db_get_age */ krb5_ldap_db_get_age,
- /* db_set_option */ NULL,
- /* db_lock */ NULL,
- /* db_unlock */ NULL,
+ /* db_set_option */ krb5_ldap_set_option,
+ /* db_lock */ krb5_ldap_lock,
+ /* db_unlock */ krb5_ldap_unlock,
/* db_get_principal */ krb5_ldap_get_principal,
/* db_free_principal */ krb5_ldap_free_principal,
/* db_put_principal */ krb5_ldap_put_principal,
@@ -68,11 +69,12 @@ kdb_vftabl kdb_function_table = {
/* db_iter_policy */ krb5_ldap_iterate_password_policy,
/* db_delete_policy */ krb5_ldap_delete_password_policy,
/* db_free_policy */ krb5_ldap_free_password_policy,
- /* db_supported_realms */ NULL,
- /* db_free_supported_realms */ NULL,
- /* errcode_2_string */ NULL,
+ /* db_supported_realms */ krb5_ldap_supported_realms,
+ /* db_free_supported_realms */ krb5_ldap_free_supported_realms,
+ /* errcode_2_string */ krb5_ldap_errcode_2_string,
/* db_alloc */ krb5_ldap_alloc,
/* db_free */ krb5_ldap_free,
+ /* optional functions */
/* set_master_key */ krb5_ldap_set_mkey,
/* get_master_key */ krb5_ldap_get_mkey,
/* setup_master_key_name */ NULL,
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index 2c62522..55b0690 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -427,91 +427,6 @@ void kdb5_ldap_create(argc, argv)
mask |= LDAP_REALM_PASSWDSERVERS;
}
#endif
- else if (!strcmp(argv[i], "-enctypes")) {
- char *tlist[MAX_LIST_ENTRIES] = {NULL};
-
- if (++i > argc-1)
- goto err_usage;
- rparams->suppenctypes = (krb5_enctype *)malloc(
- sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
- if (rparams->suppenctypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->suppenctypes, 0, sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist)) != 0) {
- goto cleanup;
- }
- for(j = 0; tlist[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(tlist[j],
- &rparams->suppenctypes[j]))) {
- com_err(argv[0], retval, "Invalid encryption type '%s'",
- tlist[j]);
- krb5_free_list_entries(tlist);
- goto err_nomsg;
- }
- }
- rparams->suppenctypes[j] = END_OF_LIST;
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- krb5_free_list_entries(tlist);
- }
- else if (!strcmp(argv[i], "-defenctype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_enctype(argv[i],
- &rparams->defenctype))) {
- com_err(argv[0], retval, "'%s' specified for defenctype, "
- "while creating realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFENCTYPE;
- }
- else if (!strcmp(argv[i], "-salttypes")) {
- char *tlist[MAX_LIST_ENTRIES] = {NULL};
-
- if (++i > argc-1)
- goto err_usage;
- rparams->suppsalttypes = (krb5_int32 *)malloc(
- sizeof(krb5_int32) * MAX_LIST_ENTRIES);
- if (rparams->suppsalttypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memset(rparams->suppsalttypes, 0, sizeof(krb5_int32) * MAX_LIST_ENTRIES);
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, tlist))) {
- goto cleanup;
- }
- for(j = 0; tlist[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(tlist[j],
- &rparams->suppsalttypes[j]))) {
- com_err(argv[0], retval, "'%s' specified for salttypes, "
- "while creating realm '%s'",
- tlist[j], global_params.realm);
- krb5_free_list_entries(tlist);
- goto err_nomsg;
- }
- }
- rparams->suppsalttypes[j] = END_OF_LIST;
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- krb5_free_list_entries(tlist);
- }
- else if (!strcmp(argv[i], "-defsalttype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_salttype(argv[i],
- &rparams->defsalttype))) {
- com_err(argv[0], retval, "'%s' specified for defsalttype, "
- "while creating realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFSALTTYPE;
- }
else if (!strcmp(argv[i], "-s")) {
do_stash = 1;
}
@@ -530,43 +445,6 @@ void kdb5_ldap_create(argc, argv)
* default values and also add to the list of supported
* enctypes/salttype
*/
- if ( !(mask & LDAP_REALM_DEFENCTYPE) && (rparams != NULL)) {
- rparams->defenctype = ENCTYPE_DES3_CBC_SHA1;
- mask |= LDAP_REALM_DEFENCTYPE;
- printf("Default enctype not specified: \"des3-cbc-sha1\" "
- "will be added as the default enctype and to the "
- "list of supported enctypes.\n");
-
- /* Now, add this to the list of supported enctypes. The
- * duplicate values will be removed in DAL-LDAP
- */
- if (mask & LDAP_REALM_SUPPENCTYPE) {
- for (i=0; rparams->suppenctypes[i] != END_OF_LIST; i++)
- ;
- assert (i < END_OF_LIST - 1);
- rparams->suppenctypes[i] = ENCTYPE_DES3_CBC_SHA1;
- rparams->suppenctypes[i + 1] = END_OF_LIST;
- }
- }
-
- if ( !(mask & LDAP_REALM_DEFSALTTYPE) && (rparams != NULL)) {
- rparams->defsalttype = KRB5_KDB_SALTTYPE_NORMAL;
- mask |= LDAP_REALM_DEFSALTTYPE;
- printf("Default salttype not specified: \"normal\" will be "
- "added as the default salttype and to the list of "
- "supported salttypes.\n");
-
- /* Now, add this to the list of supported salttypes. The
- * duplicate values will be removed in DAL-LDAP
- */
- if (mask & LDAP_REALM_SUPPSALTTYPE) {
- for (i=0; rparams->suppsalttypes[i] != END_OF_LIST; i++)
- ;
- assert (i < END_OF_LIST - 1);
- rparams->suppsalttypes[i] = KRB5_KDB_SALTTYPE_NORMAL;
- rparams->suppsalttypes[i + 1] = END_OF_LIST;
- }
- }
rblock.max_life = global_params.max_life;
rblock.max_rlife = global_params.max_rlife;
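Review bot: The comment kept immediately above the deleted block (the lines reading "default values and also add to the list of supported enctypes/salttype", whose start is outside the hunk) now describes code that no longer exists, since the defenctype/defsalttype defaulting was removed here. Either delete that comment or reword it to cover only what remains, e.g. `/* Ticket lifetimes come from the global parameters. */`, so the next reader does not hunt for a defaulting step that was dropped. kdb5_ldap_create() starts and ends outside this hunk.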
@@ -761,7 +639,7 @@ void kdb5_ldap_create(argc, argv)
/* Create special principals inside the realm subtree */
{
- char princ_name[MAX_PRINC_SIZE], localname[MAXHOSTNAMELEN];
+ char princ_name[MAX_PRINC_SIZE];
struct hostent *hp = NULL;
krb5_principal_data tgt_princ = {
0, /* magic number */
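Review bot: `struct hostent *hp = NULL;` survives on the line after the changed declaration, but the only gethostbyname() call that assigned it is removed in a later hunk of this file, so `hp` is now a dead local; `princ_name` looks the same, since the snprintf() that filled it is also removed, unless something further down outside the hunk still reads it. Drop `hp`, and `princ_name` if nothing else uses it, so the block does not keep a needless MAX_PRINC_SIZE stack buffer and an unused-variable warning. kdb5_ldap_create() starts and ends outside this hunk.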
@@ -770,7 +648,7 @@ void kdb5_ldap_create(argc, argv)
2, /* int length */
KRB5_NT_SRV_INST /* int type */
};
- krb5_principal p;
+ krb5_principal p, temp_p=NULL;
krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
@@ -842,31 +720,32 @@ void kdb5_ldap_create(argc, argv)
krb5_free_principal(util_context, p);
/* Create 'kadmin/<hostname>' ... */
- if (gethostname(localname, sizeof(localname))) {
- retval = errno;
- com_err(argv[0], retval, "gethostname, while adding entries to the database");
- goto err_nomsg;
+ if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) {
+ com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database");
+ goto err_nomsg;
}
- hp = gethostbyname(localname);
- if (hp == NULL) {
- retval = errno;
- com_err(argv[0], retval, "gethostbyname, while adding entries to the database");
- goto err_nomsg;
+
+ if((retval=krb5_copy_principal(util_context, p, &temp_p))) {
+ com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database");
+ goto err_nomsg;
}
- assert (sizeof(princ_name) >= strlen(hp->h_name) + strlen(global_params.realm) + 9);
- /* snprintf(princ_name, MAXHOSTNAMELEN + 8, "kadmin/%s", hp->h_name); */
- snprintf(princ_name, sizeof(princ_name), "kadmin/%s@%s", hp->h_name, global_params.realm);
- if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
- com_err(argv[0], retval, "while adding entries to the database");
- goto err_nomsg;
+
+ /* change the realm portion to the default realm */
+ free( temp_p->realm.data );
+ temp_p->realm.length = strlen( util_context->default_realm );
+ temp_p->realm.data = strdup( util_context->default_realm );
+ if( temp_p->realm.data == NULL ) {
+ com_err(argv[0], ENOMEM, "while adding entries to the database");
+ goto err_nomsg;
}
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
krb5_free_principal(util_context, p);
com_err(argv[0], retval, "while adding entries to the database");
goto err_nomsg;
}
+ krb5_free_principal(util_context, temp_p);
krb5_free_principal(util_context, p);
if (ldap_context->lrparams->subtree != NULL)
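Review bot: The realm substituted into the kadmin/<host> principal is `util_context->default_realm` rather than `global_params.realm`, which the rest of this block uses (the tgt principal above is built with `krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm)`), so when kdb5_ldap_util is run with -r for a realm other than the library default, the kadmin principal is created under the default realm instead of the one being created; nothing here checks default_realm for NULL before strlen(), either. The copy into temp_p also leaks on every error path: p is not freed when krb5_copy_principal or strdup fails, temp_p is not freed when kdb_ldap_create_principal fails, and retval is left untouched on the strdup failure before jumping to err_nomsg. Since the copy exists only to change the realm, rewriting p's realm in place from global_params.realm removes temp_p (and the `temp_p=NULL` declaration added in the previous hunk) and the reach into a private krb5_context field; the rewritten lines follow. kdb5_ldap_create() starts and ends outside this hunk.
```c
    if ((retval = krb5_sname_to_principal(util_context, NULL, "kadmin",
                                          KRB5_NT_SRV_HST, &p))) {
        com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database");
        goto err_nomsg;
    }

    /* krb5_sname_to_principal() fills in the host's default realm; the
     * kadmin service principal must live in the realm being created. */
    free(p->realm.data);
    p->realm.data = strdup(global_params.realm);
    if (p->realm.data == NULL) {
        p->realm.length = 0;
        retval = ENOMEM;
        krb5_free_principal(util_context, p);
        com_err(argv[0], retval, "while adding entries to the database");
        goto err_nomsg;
    }
    p->realm.length = strlen(global_params.realm);

    rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
    if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
        krb5_free_principal(util_context, p);
        com_err(argv[0], retval, "while adding entries to the database");
        goto err_nomsg;
    }
    krb5_free_principal(util_context, p);
    /* … unchanged: subtree handling … */
```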
@@ -1472,220 +1351,6 @@ void kdb5_ldap_modify(argc, argv)
}
}
#endif
- else if (!strcmp(argv[i], "-enctypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (rmask & LDAP_REALM_SUPPENCTYPE)
- free(rparams->suppenctypes);
- rparams->suppenctypes = (krb5_enctype *)malloc(
- sizeof(krb5_enctype) * MAX_LIST_ENTRIES);
- if (rparams->suppenctypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(list[j],
- &rparams->suppenctypes[j]))) {
- com_err(argv[0], retval, "'%s' specified for enctypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- rparams->suppenctypes[j] = END_OF_LIST;
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- /* Going to replace the existing value by this new value. Hence
- * setting flag indicating that add or clear options will be ignored
- */
- newenctypes = 1;
- krb5_free_list_entries(list);
- }
- else if (!strcmp(argv[i], "-clearenctypes")) {
- if (++i > argc-1)
- goto err_usage;
- if ((!newenctypes) && (rparams->suppenctypes != NULL)) {
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- memset(tlist, END_OF_LIST, sizeof(int) * MAX_LIST_ENTRIES);
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for clearenctypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
- j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist,
- LIST_MODE_DELETE);
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-addenctypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (!newenctypes) {
- int *tmp;
-
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- existing_entries = list_count_int_array(rparams->suppenctypes);
- list_entries = list_count_str_array(list);
-
- tmp = (krb5_enctype *) realloc (rparams->suppenctypes,
- sizeof(krb5_enctype) * (existing_entries+list_entries+1));
- if (tmp == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- rparams->suppenctypes = tmp;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_enctype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for addenctypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
-
- j = list_modify_int_array(rparams->suppenctypes, (const int*)tlist,
- LIST_MODE_ADD);
- qsort(rparams->suppenctypes, (size_t)j, sizeof(krb5_enctype),
- compare_int);
- mask |= LDAP_REALM_SUPPENCTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-defenctype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_enctype(argv[i],
- &rparams->defenctype))) {
- com_err(argv[0], retval, "'%s' specified for defenctype, "
- "while modifying information of realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFENCTYPE;
- }
- else if (!strcmp(argv[i], "-salttypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (rmask & LDAP_REALM_SUPPSALTTYPE)
- free(rparams->suppsalttypes);
- rparams->suppsalttypes = (krb5_int32 *)malloc(
- sizeof(krb5_int32) * MAX_LIST_ENTRIES);
- if (rparams->suppsalttypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(list[j],
- &rparams->suppsalttypes[j]))) {
- com_err(argv[0], retval, "'%s' specified for salttypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- rparams->suppsalttypes[j] = END_OF_LIST;
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- /* Going to replace the existing value by this new value. Hence
- * setting flag indicating that add or clear options will be ignored
- */
- newsalttypes = 1;
- krb5_free_list_entries(list);
- }
- else if (!strcmp(argv[i], "-clearsalttypes")) {
- if (++i > argc-1)
- goto err_usage;
- if ((!newsalttypes) && (rparams->suppsalttypes != NULL)) {
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for clearsalttypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
- j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist,
- LIST_MODE_DELETE);
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-addsalttypes")) {
- if (++i > argc-1)
- goto err_usage;
- if (!newsalttypes) {
- int *tmp;
- if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list)))
- goto cleanup;
-
- existing_entries = list_count_int_array(rparams->suppsalttypes);
- list_entries = list_count_str_array(list);
-
- tmp = (krb5_int32 *) realloc (rparams->suppsalttypes,
- sizeof(krb5_int32) * (existing_entries+list_entries+1));
- if (tmp == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- rparams->suppsalttypes = tmp;
-
- for(j = 0; list[j] != NULL; j++) {
- if ((retval = krb5_string_to_salttype(list[j], &tlist[j]))) {
- com_err(argv[0], retval, "'%s' specified for addsalttypes, "
- "while modifying information of realm '%s'",
- list[j], global_params.realm);
- goto err_nomsg;
- }
- }
- tlist[j] = END_OF_LIST;
- j = list_modify_int_array(rparams->suppsalttypes, (const int*)tlist,
- LIST_MODE_ADD);
- qsort(rparams->suppsalttypes, (size_t)j, sizeof(krb5_int32),
- compare_int);
- mask |= LDAP_REALM_SUPPSALTTYPE;
- krb5_free_list_entries(list);
- }
- }
- else if (!strcmp(argv[i], "-defsalttype")) {
- if (++i > argc-1)
- goto err_usage;
- if ((retval = krb5_string_to_salttype(argv[i],
- &rparams->defsalttype))) {
- com_err(argv[0], retval, "'%s' specified for defsalttype, "
- "while modifying information of realm '%s'",
- argv[i], global_params.realm);
- goto err_nomsg;
- }
- mask |= LDAP_REALM_DEFSALTTYPE;
- }
else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0)
{
mask|=ret_mask;
@@ -2169,50 +1834,6 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
if (num_entry_printed == 0)
printf("\n");
}
- if (mask & LDAP_REALM_SUPPENCTYPE) {
- printf("%25s:", "Supported Enc Types");
- if (rparams->suppenctypes != NULL) {
- num_entry_printed = 0;
- for(tmplist = rparams->suppenctypes; *tmplist != END_OF_LIST;
- tmplist++) {
- retval = krb5_enctype_to_string(*tmplist, buff, BUFF_LEN);
- if (retval == 0) {
- if (num_entry_printed)
- printf(" %25s %-50s\n", " ", buff);
- else
- printf(" %-50s\n", buff);
- num_entry_printed++;
- }
- }
- }
- if (num_entry_printed == 0)
- printf("\n");
- }
- if (mask & LDAP_REALM_DEFENCTYPE) {
- retval = krb5_enctype_to_string(rparams->defenctype, buff, BUFF_LEN);
- if (retval == 0) {
- printf("%25s: %-50s\n", "Default Enc Type", buff);
- }
- }
- if (mask & LDAP_REALM_SUPPSALTTYPE) {
- printf("%25s:", "Supported Salt Types");
- if (rparams->suppsalttypes != NULL) {
- num_entry_printed = 0;
- for(tmplist = rparams->suppsalttypes; *tmplist != END_OF_LIST;
- tmplist++) {
- retval = krb5_salttype_to_string(*tmplist, buff, BUFF_LEN);
- if (retval == 0) {
- if (num_entry_printed)
- printf(" %25s %-50s\n", " ", buff);
- else
- printf(" %-50s\n", buff);
- num_entry_printed++;
- }
- }
- }
- if (num_entry_printed == 0)
- printf("\n");
- }
if (mask & LDAP_REALM_MAXTICKETLIFE) {
printf("%25s:", "Maximum Ticket Life");
printf(" %s \n", strdur(rparams->max_life));
@@ -2222,10 +1843,11 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
printf("%25s:", "Maximum Renewable Life");
printf(" %s \n", strdur(rparams->max_renewable_life));
}
- printf("%25s: ", "Ticket flags");
- if (mask & LDAP_POLICY_TKTFLAGS) {
+
+ if (mask & LDAP_REALM_KRBTICKETFLAGS) {
int ticketflags = rparams->tktflags;
+ printf("%25s: ", "Ticket flags");
if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
printf("%s ","DISALLOW_POSTDATED");
@@ -2261,16 +1883,9 @@ static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
printf("%s ","PWCHANGE_SERVICE");
- }
- if (mask & LDAP_REALM_DEFSALTTYPE) {
- retval = krb5_salttype_to_string(rparams->defsalttype, buff, BUFF_LEN);
- if (retval == 0) {
- printf("\n%25s: %-50s\n", "Default Salt Type", buff);
- }
+ printf("\n");
}
- /* if (mask & LDAP_REALM_POLICYREFERENCE)
- printf("%25s: %-50s\n", "Policy Reference", rparams->policyreference);*/
return;
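Review bot: Moving `printf("%25s: ", "Ticket flags")` under the LDAP_REALM_KRBTICKETFLAGS test changes the output contract: a realm without that mask bit no longer prints a "Ticket flags:" line at all, where it previously printed an empty one, which deserves a sentence in the commit message if anything parses this listing. With the enctype/salttype printing removed earlier in this file, `tmplist`, `buff` and `retval` — declared at the top of print_realm_params(), outside the hunk — appear to have no remaining readers in the visible code and will show up as unused-variable warnings; drop them if the rest of the function confirms that. print_realm_params() starts outside this hunk.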
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 69e3b76..1ce08fe 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1743,9 +1743,12 @@ kdb5_ldap_set_service_password(argc, argv)
errcode = tohex(pwd, &hex);
if (errcode != 0) {
- if(hex.length != 0)
+ if(hex.length != 0) {
+ memset(hex.data, 0, hex.length);
free(hex.data);
+ }
com_err(me, errcode, "Failed to convert the password to hex");
+ memset(passwd, 0, passwd_len);
goto cleanup;
}
/* Password = {CRYPT}<encrypted password>:<encrypted key> */
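Review bot: The added `memset(passwd, 0, passwd_len)` and `memset(hex.data, 0, hex.length)` are each followed directly by free() or by a jump to cleanup that frees the buffer, which is exactly the dead-store pattern an optimizing compiler is allowed to drop, so the plaintext can survive in freed heap memory despite the wipe. If the tree has, or gains, a zeroing helper the compiler cannot elide — one writing through a `volatile unsigned char *` is enough — use it here and at the other memset-before-free sites this commit adds; at minimum a comment such as `/* best-effort wipe; may be optimized away */` records the limitation. kdb5_ldap_set_service_password() starts and ends outside this hunk.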
@@ -1754,6 +1757,7 @@ kdb5_ldap_set_service_password(argc, argv)
if (encrypted_passwd.value == NULL) {
com_err(me, ENOMEM, "while setting service object password");
memset(passwd, 0, passwd_len);
+ memset(hex.data, 0, hex.length);
free(hex.data);
goto cleanup;
}
@@ -1761,6 +1765,8 @@ kdb5_ldap_set_service_password(argc, argv)
1 + 5 + hex.length + 1] = '\0';
sprintf((char *)encrypted_passwd.value, "%s#{HEX}%s\n", service_object, hex.data);
encrypted_passwd.len = strlen((char *)encrypted_passwd.value);
+ memset(hex.data, 0, hex.length);
+ free(hex.data);
}
/* We should check if the file exists and we have permission to write into that file */
@@ -1912,8 +1918,10 @@ cleanup:
if (passwd)
free(passwd);
- if (encrypted_passwd.value)
+ if (encrypted_passwd.value) {
+ memset(encrypted_passwd.value, 0, encrypted_passwd.len);
free(encrypted_passwd.value);
+ }
if (pfile)
fclose(pfile);
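Review bot: The cleanup label now wipes `encrypted_passwd.value` before freeing it, yet two lines above `passwd` is still freed without being zeroed; the only wipes of passwd visible in this commit are on the two failure branches earlier in the function, so on the success path the plaintext service password appears to reach free() intact. Since `passwd_len` is already used for the wipes at the failure sites, the same guard fits here: `if (passwd) { memset(passwd, 0, passwd_len); free(passwd); }` — assuming passwd_len is valid whenever passwd is non-NULL, which this hunk does not show. kdb5_ldap_set_service_password() starts outside this hunk.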
@@ -1949,6 +1957,7 @@ kdb5_ldap_stash_service_password(argc, argv)
FILE *pfile = NULL;
krb5_boolean print_usage = FALSE;
krb5_data hexpasswd = {0, 0, NULL};
+ mode_t old_mode = 0;
/*
* Format:
@@ -2047,16 +2056,17 @@ done:
ret = tohex(pwd, &hexpasswd);
if(ret != 0){
- if(hexpasswd.length != 0)
- free(hexpasswd.data);
com_err(me, ret, "Failed to convert the password to hexadecimal");
+ memset(passwd, 0, passwd_len);
goto cleanup;
}
}
+ memset(passwd, 0, passwd_len);
/* TODO: file lock for the service passowrd file */
/* set password in the file */
+ old_mode = umask(0177);
pfile = fopen(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s: %s", file_name,
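Review bot: `umask(0177)` only governs the mode of a file that fopen("a+") has to create; if the service password file already exists with permissive bits, this hunk leaves them as they are and appends the hex-encoded password to it anyway. Consider checking the opened file's mode (fstat() on fileno(pfile)) and refusing, or at least warning, when it is group- or world-readable, since the file's whole purpose per the surrounding comment is to hold the service password. The `/* TODO: file lock */` left in place also means two concurrent stash commands can interleave their appends; the umask change does not address that. kdb5_ldap_stash_service_password() starts and ends outside this hunk.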
@@ -2064,6 +2074,7 @@ done:
goto cleanup;
}
rewind (pfile);
+ umask(old_mode);
while (fgets (line, MAX_LEN, pfile) != NULL) {
if ((str = strstr (line, service_object)) != NULL) {
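Review bot: `umask(old_mode)` is restored only after the NULL check on pfile, so the `goto cleanup` taken when fopen() fails (four lines above) leaves the process umask at 0177 for whatever cleanup does afterwards. Move the restore to immediately after the fopen() call, before the check — `pfile = fopen(file_name, "a+");` followed on the next line by `umask(old_mode);` — so every path restores it and the saved value cannot be forgotten by a future early exit. kdb5_ldap_stash_service_password() starts and ends outside this hunk.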
@@ -2162,6 +2173,11 @@ done:
cleanup:
+ if(hexpasswd.length != 0) {
+ memset(hexpasswd.data, 0, hexpasswd.length);
+ free(hexpasswd.data);
+ }
+
if (service_object)
free(service_object);
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
index 20dc3e7..5ff7615 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
@@ -29,7 +29,7 @@ a Kerberos realm.
Specifies the SSL port number of the LDAP server.
.SH COMMANDS
.TP
-\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+\fBcreate\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-k\fP\ \fImkeytype\fP] [\fB\-m\fP|\fB\-P\fP\ \fIpassword\fP|\fB\-sf\fP\ \fIstashfilename\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP] [\fB\-admindn\fP\ \fIadmin_service_list\fP] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
Creates realm in directory. Options:
.RS
.TP
@@ -41,18 +41,6 @@ Specifies the scope for searching the principals under the
.IR subtree .
The possible values are 1 or one (one level), 2 or sub (subtree).
.TP
-\fB\-enctypes\fP\ \fIsupported_enc_types\fP
-Specifies the encryption types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-defenctype\fP\ \fIdefault_enc_type\fP
-Specifies the default encryption type for the realm. This is also a part of supported enctypes list.
-.TP
-\fB\-salttypes\fP\ \fIsupported_salt_types\fP
-Specifies the salt types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
-Specifies the default salt types for the realm.
-.TP
\fB\-k\fP\ \fImkeytype\fP
Specifies the key type of the master key in the database; the default is
that given in
@@ -235,7 +223,7 @@ Re-enter KDC database master key to verify:
.RE
.TP
-\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-enctypes\fP\ \fIsupported_enc_types\fP | [\fB\-clearenctypes\fP\ \fIenc_type_list\fP] [\fB\-addenctypes\fP\ \fIenc_type_list\fP]] [\fB\-defenctype\fP\ \fIdefault_enc_type\fP] [\fB\-salttypes\fP\ \fIsupported_salt_types\fP | [\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP] [\fB\-addsalttypes\fP\ \fIsalt_type_list\fP]] [\fB\-defsalttype\fP\ \fIdefault_salt_type\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
+\fBmodify\fP [\fB\-subtree\fP\ \fIsubtree_dn\fP] [\fB\-sscope\fP\ \fIsearch_scope\fP] [\fB\-r\fP\ \fIrealm\fP] [\fB\-kdcdn\fP\ \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP\ \fIkdc_service_list\fP] [\fB\-addkdcdn\fP\ \fIkdc_service_list\fP]] [\fB\-admindn\fP\ \fIadmin_service_list\fP | [\fB\-clearadmindn\fP\ \fIadmin_service_list\fP] [\fB\-addadmindn\fP\ \fIadmin_service_list\fP]] [\fB\-pwddn\fP\ \fIpasswd_service_list\fP | [\fB\-clearpwddn\fP\ \fIpasswd_service_list\fP] [\fB\-addpwddn\fP\ \fIpasswd_service_list\fP]] [\fB\-maxtktlife\fP\ \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP\ \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP]
Modifies the attributes of a realm. Options:
.RS
@@ -248,34 +236,6 @@ Specifies the scope for searching the principals under the
.IR subtree .
The possible values are 1 or one (one level), 2 or sub (subtree).
.TP
-\fB\-enctypes\fP\ \fIsupported_enc_types\fP
-Specifies the encryption types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-clearenctypes\fP\ \fIenc_type_list\fP
-Specifies the encryption types that need to be removed from the supported encryption types
-of the realm. This is a colon-separated list.
-.TP
-\fB\-addenctypes\fP\ \fIenc_type_list\fP
-Specifies the encryption types that need to be added to the supported encryption types of the
-realm. This is a colon-separated list.
-.TP
-\fB\-defenctype\fP\ \fIdefault_enc_type\fP
-Specifies the default encryption type for the realm.
-.TP
-\fB\-salttypes\fP\ \fIsupported_salt_types\fP
-Specifies the salt types supported by the realm. This is a colon-separated list.
-.TP
-\fB\-clearsalttypes\fP\ \fIsalt_type_list\fP
-Specifies the salt types that need to be removed from the supported salt types of the realm.
-This is a colon-separated list.
-.TP
-\fB\-addsalttypes\fP\ \fIsalt_type_list\fP
-Specifies the salt types that need to be added to the supported salt types of the realm. This
-is a colon-separated list.
-.TP
-\fB\-defsalttype\fP\ \fIdefault_salt_type\fP
-Specifies the default salt type for the realm.
-.TP
\fB\-maxtktlife\fP\ \fImax_ticket_life\fP
Specifies maximum ticket life for principals in this realm.
.TP
@@ -476,14 +436,6 @@ Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
SearchScope: ONE
- Supported Enc Types: DES cbc mode with RSA-MD5
- Triple DES cbc mode with HMAC/sha1
- Default Enc Type: Triple DES cbc mode with HMAC/sha1
- Supported Salt Types: Version 5
- Version 4
- Special
- AFS version 3
- Default Salt Type: Version 5
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
index 8891515..4b07b27 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c
@@ -107,7 +107,7 @@ krb5_boolean manual_mkey = FALSE;
void usage()
{
fprintf(stderr, "Usage: "
-"kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
+"kdb5_ldap_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]\n"
"\tcmd [cmd_options]\n"
/* Create realm */
@@ -116,8 +116,6 @@ void usage()
"\t\t[-kdcdn kdc_service_list] [-admindn admin_service_list]\n"
"\t\t[-pwddn passwd_service_list]\n"
#endif
-"\t\t[-enctypes supported_enc_types] [-defenctype default_enc_type]\n"
-"\t\t[-salttypes supported_salt_types] [-defsalttype default_salt_type]\n"
"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype]\n"
"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
"\t\t[ticket_flags] [-r realm]\n"
@@ -131,10 +129,6 @@ void usage()
"\t\t[-addadmindn admin_service_list]] [-pwddn passwd_service_list |\n"
"\t\t[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]\n"
#endif
-"\t\t[-enctypes supported_enc_types | [-clearenctypes enc_type_list]\n"
-"\t\t[-addenctypes enc_type_list]] [-defenctype default_enc_type]\n"
-"\t\t[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]\n"
-"\t\t[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]\n"
"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
"\t\t[ticket_flags] [-r realm]\n"
/* View realm */
@@ -508,6 +502,8 @@ int main(argc, argv)
goto cleanup;
}
+ ldap_context->kcontext = util_context;
+
/* If LDAP parameters are specified, replace them with the values from config */
if (ldapmask & CMD_LDAP_D) {
/* If password is not specified, prompt for it */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
index 1b650c5..c6cec57 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
+++ b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
@@ -31,7 +31,7 @@ SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(SUPPORT_DEPLIB) \
$(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(SUPPORT_LIB) -lldap -llber $(LIBS)
+SHLIB_EXPLIBS= $(GSSRPC_LIBS) -lkrb5 -lk5crypto $(COM_ERR_LIB) $(SUPPORT_LIB) -lldap -llber $(LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index 358bf15..7c36224 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -236,6 +236,7 @@ krb5_error_code krb5_ldap_open( krb5_context context,
goto clean_n_exit;
}
+ ldap_context->kcontext = context;
while ( t_ptr && *t_ptr )
{
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 888fed0..2bb3b85 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -201,6 +201,7 @@ typedef struct _krb5_ldap_context {
k5_mutex_t hndl_lock;
krb5_ldap_krbcontainer_params *krbcontainer;
krb5_ldap_realm_params *lrparams;
+ krb5_context kcontext; /* to set the error code and message */
} krb5_ldap_context;
@@ -259,4 +260,24 @@ krb5_ldap_read_startup_information(krb5_context );
int
has_sasl_external_mech(krb5_context, char *);
+/* DAL functions */
+
+krb5_error_code
+krb5_ldap_set_option( krb5_context, int, void * );
+
+krb5_error_code
+krb5_ldap_lock( krb5_context, int );
+
+krb5_error_code
+krb5_ldap_unlock( krb5_context );
+
+krb5_error_code
+krb5_ldap_supported_realms( krb5_context, char ** );
+
+krb5_error_code
+krb5_ldap_free_supported_realms( krb5_context, char ** );
+
+krb5_error_code
+krb5_ldap_errcode_2_string( krb5_context, long );
+
#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index b0902d2..5832554 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -161,7 +161,8 @@ krb5_ldap_initialize(ldap_context, server_info)
if((ldap_server_handle->ldap_handle=ldap_init(server_info->server_name,
port)) == NULL) {
st = KRB5_KDB_ACCESS_ERROR;
- krb5_set_error_message (0, st, "%s", strerror(errno));
+ if (ldap_context->kcontext)
+ krb5_set_error_message (ldap_context->kcontext, st, "%s", strerror(errno));
goto err_out;
}
@@ -170,7 +171,8 @@ krb5_ldap_initialize(ldap_context, server_info)
server_info->server_status = ON;
krb5_update_ldap_handle(ldap_server_handle, server_info);
} else {
- krb5_set_error_message (0, KRB5_KDB_ACCESS_ERROR, "%s",
+ if (ldap_context->kcontext)
+ krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s",
ldap_err2string(st));
st = KRB5_KDB_ACCESS_ERROR;
server_info->server_status = OFF;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 153a3c6..af06164 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1469,3 +1469,52 @@ krb5_add_int_mem_ldap_mod(mods, attribute, op, value)
return ENOMEM;
return 0;
}
+
+krb5_error_code
+krb5_ldap_set_option( krb5_context kcontext, int option, void *value )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_lock( krb5_context kcontext, int mode )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_unlock( krb5_context kcontext )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_supported_realms( krb5_context kcontext, char **realms )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_free_supported_realms( krb5_context kcontext, char **realms )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_errcode_2_string( krb5_context kcontext, long err_code )
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
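Review bot: The six DAL stubs in this hunk repeat the same three-line body (set status to KRB5_KDB_PLUGIN_OP_NOTSUPP, format "LDAP %s" with error_message(), return), which becomes a maintenance hazard the moment one of them grows a real implementation or a different message. Factoring the body into a `static` helper keeps each entry point to one line and puts the "not supported" contract in a single place; the unread parameters (option, value, mode, realms, err_code) are then obviously intentional. A one-line comment on the helper also documents why these exist at all, which the hunk currently does not.

```c
/* Common body for DAL entry points the LDAP back end does not implement. */
static krb5_error_code
ldap_op_not_supported(krb5_context kcontext)
{
    krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
    krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
    return status;
}

krb5_error_code
krb5_ldap_set_option(krb5_context kcontext, int option, void *value)
{
    return ldap_op_not_supported(kcontext);
}
/* … krb5_ldap_lock, krb5_ldap_unlock, krb5_ldap_supported_realms,
   krb5_ldap_free_supported_realms and krb5_ldap_errcode_2_string
   are reduced to the same one-line body … */
```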
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 6509ff9..52c113c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -205,10 +205,7 @@ krb5_ldap_get_principal(context, searchfor, entries, nentries, more)
if(attr_present == TRUE){
if ((st=store_tl_data(&userinfo_tl_data, KDB_TL_TKTPOLICYDN, policydn)) != 0)
goto cleanup;
- }
- if(!(mask & KDB_MAX_LIFE_ATTR) && !(mask & KDB_MAX_RLIFE_ATTR) && !(mask & KDB_TKT_FLAGS_ATTR)){
- if (attr_present == TRUE)
- mask |= KDB_POL_REF_ATTR;
+ mask |= KDB_POL_REF_ATTR;
}
/* KRBPWDPOLICYREFERENCE */
@@ -1068,7 +1065,7 @@ krb5_read_tkt_policyreference(context, ldap_context, entries, policydn)
if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)
goto cleanup;
- if ((mask & tkt_mask) != tkt_mask) {
+ if ((mask & tkt_mask) == 0) {
if (policydn != NULL) {
st = krb5_ldap_read_policy(context, policydn, &tktpoldnparam, &omask);
if (st && st != KRB5_KDB_NOENTRY) {
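Review bot: The new test `(mask & tkt_mask) == 0` reads the ticket policy only when none of the max-life, max-renewable-life and ticket-flags attributes is present on the principal entry, whereas the old `!= tkt_mask` test consulted it whenever at least one of them was missing. A principal that sets, say, only a maximum ticket life would previously still inherit the other two values from its policy DN and, as far as this hunk shows, will now get neither from the policy. If that is the intended precedence rule, it deserves a comment such as `/* Any explicit ticket attribute on the entry overrides the whole ticket policy, not just that attribute. */`; otherwise the per-attribute fill-in should be restored, and the commit message does not say which is meant. krb5_read_tkt_policyreference continues outside the hunk, so the fallback values used when the policy is skipped are not visible here.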
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
index 2ac8219..87f619c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
@@ -1648,3 +1648,21 @@ krb5_ldap_free_realm_params(rparams)
}
return;
}
+
+/* DAL functions */
+
+krb5_error_code
+krb5_ldap_create_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
+
+krb5_error_code
+krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section, char **db_args)
+{
+ krb5_error_code status = KRB5_KDB_PLUGIN_OP_NOTSUPP;
+ krb5_set_error_message( kcontext, status, "LDAP %s", error_message( status ) );
+ return status;
+}
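Review bot: Nothing in this hunk says why realm creation and deletion are unsupported through the DAL for the LDAP back end, and the `_1` suffix on the two names is not explained either, so a reader has to guess whether these are placeholders or a deliberate policy. Presumably realm management is done by kdb5_ldap_util rather than the DAL (the kdb5_ldap_realm.c changes in this same commit point that way), in which case a one-line comment above each stub would settle it: `/* Realm creation/deletion is done by kdb5_ldap_util, not through the DAL; report NOTSUPP. */`. Confirm the reason before adding it.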
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
index fabc316..21d7d87 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
@@ -68,7 +68,6 @@ typedef struct _krb5_ldap_realm_params {
krb5_int32 defsalttype;
krb5_enctype *suppenctypes;
krb5_int32 *suppsalttypes;
- char **ldapservers;
char **kdcservers;
char **adminservers;
char **passwdservers;
@@ -96,4 +95,10 @@ krb5_ldap_read_realm_params(krb5_context , char *, krb5_ldap_realm_params **, in
void
krb5_ldap_free_realm_params(krb5_ldap_realm_params *);
+krb5_error_code
+krb5_ldap_create_realm_1(krb5_context, char *, char **);
+
+krb5_error_code
+krb5_ldap_delete_realm_1(krb5_context, char *, char **);
+
#endif
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
index 865fe21..702f548 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
@@ -136,6 +136,26 @@ krb5_ldap_readpassword(context, ldap_context, password)
CT.len = strlen((char *)CT.value);
st = dec_password(CT, &PT);
if(st != 0){
+ switch (st) {
+ case ERR_NO_MEM:
+ st = ENOMEM;
+ break;
+ case ERR_PWD_ZERO:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password has zero length");
+ break;
+ case ERR_PWD_BAD:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password corrupted");
+ break;
+ case ERR_PWD_NOT_HEX:
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Not a hexadecimal password");
+ break;
+ default:
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ break;
+ }
goto rp_exit;
}
*password = PT.value;
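Review bot: The `default:` branch of the new switch overwrites `st` with KRB5_KDB_SERVER_INTERNAL_ERR without recording the dec_password() code it replaces, so a code added to ldap_service_stash.h later but not to this switch surfaces as a bare internal error with no message. Setting the message before the overwrite keeps the diagnostic: `default: krb5_set_error_message(context, KRB5_KDB_SERVER_INTERNAL_ERR, "Unexpected service-password decode status %d", st); st = KRB5_KDB_SERVER_INTERNAL_ERR; break;`. The ERR_NO_MEM case deliberately sets no message, which matches how ENOMEM is reported elsewhere. krb5_ldap_readpassword begins above this hunk.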
@@ -192,6 +212,11 @@ tohex(in, ret)
* <secret> := {HEX}<password in hexadecimal>
*
* <password> is the actual eDirectory password of the service
+ * Return values:
+ * ERR_NO_MEM - No Memory
+ * ERR_PWD_ZERO - Password has zero length
+ * ERR_PWD_BAD - Passowrd corrupted
+ * ERR_PWD_NOT_HEX - Not a hexadecimal password
*/
int dec_password(struct data pwd, struct data *ret){
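Review bot: The new return-value list has a typo, `ERR_PWD_BAD - Passowrd corrupted`, and it omits the success value, which a caller writing a switch like the one in krb5_ldap_readpassword needs. I would start the list with `0 - success; ret->value holds the decoded password` and spell "Password" correctly in the four error entries. That the caller owns and frees ret->value is only inferred from the malloc further down in this function, so confirm it before documenting ownership.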
@@ -202,8 +227,7 @@ int dec_password(struct data pwd, struct data *ret){
ret->value = NULL;
if (pwd.len == 0) {
- err = EINVAL;
- krb5_set_error_message (0, err, "Password has zero length");
+ err = ERR_PWD_ZERO;
ret->len = 0;
goto cleanup;
}
@@ -214,14 +238,13 @@ int dec_password(struct data pwd, struct data *ret){
if((pwd.len - strlen("{HEX}")) % 2 != 0){
/* A hexadecimal encoded password should have even length */
- err = EINVAL;
- krb5_set_error_message (0, err, "Password corrupted");
+ err = ERR_PWD_BAD;
ret->len = 0;
goto cleanup;
}
ret->value = (unsigned char *)malloc((pwd.len - strlen("{HEX}")) / 2 + 1);
if(ret->value == NULL){
- err = ENOMEM;
+ err = ERR_NO_MEM;
ret->len = 0;
goto cleanup;
}
@@ -231,8 +254,7 @@ int dec_password(struct data pwd, struct data *ret){
int k;
/* Check if it is a hexadecimal number */
if (isxdigit(pwd.value[i]) == 0 || isxdigit(pwd.value[i + 1]) == 0) {
- err = EINVAL;
- krb5_set_error_message (0, err, "Not a hexadecimal password");
+ err = ERR_PWD_NOT_HEX;
ret->len = 0;
goto cleanup;
}
@@ -241,8 +263,7 @@ int dec_password(struct data pwd, struct data *ret){
}
goto cleanup;
} else {
- err = EINVAL;
- krb5_set_error_message (0, err, "Not a hexadecimal password");
+ err = ERR_PWD_NOT_HEX;
ret->len = 0;
goto cleanup;
}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h
index c51d1a1..bd7e3dc 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h
@@ -37,6 +37,11 @@ struct data{
unsigned char *value;
};
+#define ERR_NO_MEM 1
+#define ERR_PWD_ZERO 2
+#define ERR_PWD_BAD 3
+#define ERR_PWD_NOT_HEX 4
+
int
dec_password(struct data, struct data *);
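Review bot: ERR_NO_MEM through ERR_PWD_NOT_HEX are small integers (1–4) that collide with errno values (1 is EPERM on POSIX) and are not krb5_error_code values, so any caller that passes dec_password()'s result straight up as an error code now gets a misleading message; the only caller visible in this diff, krb5_ldap_readpassword, translates them, but the header does not say the translation is mandatory. A comment on the defines makes the contract explicit: `/* Private dec_password() status codes (0 = success). Callers must map them to errno/krb5 codes before returning them; see krb5_ldap_readpassword(). */`. An enum would also keep them debugger-visible, though the file's existing style is #define.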
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
index 2e75b7e..8178271 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
+++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
@@ -39,3 +39,11 @@ krb5_ldap_free
krb5_ldap_set_mkey
krb5_ldap_get_mkey
disjoint_members
+krb5_ldap_create_realm_1
+krb5_ldap_delete_realm_1
+krb5_ldap_set_option
+krb5_ldap_lock
+krb5_ldap_unlock
+krb5_ldap_supported_realms
+krb5_ldap_free_supported_realms
+krb5_ldap_errcode_2_string