author | Greg Hudson <ghudson@mit.edu> | 2010-07-15 04:18:00 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-07-15 04:18:00 +0000 |
commit | 0bc31d0cba884ff4103f254dd9daf678e2a9a6c5 (patch) | |
tree | 01b0818ea7e1f1ef6283f8275f7b1b402e85484d /src/plugins/kdb/ldap/libkdb_ldap | |
parent | 002d9a7e7cb50e71c9ffdf3b2cf60bac3b374235 (diff) | |
download | krb5-0bc31d0cba884ff4103f254dd9daf678e2a9a6c5.zip krb5-0bc31d0cba884ff4103f254dd9daf678e2a9a6c5.tar.gz krb5-0bc31d0cba884ff4103f254dd9daf678e2a9a6c5.tar.bz2 |
Add check_allowed_to_delegate to the DAL with a corresponding libkdb5
API, replacing the last method (CHECK_ALLOWED_TO_DELEGATE) of
db_invoke. Remove db_invoke since it no longer has any methods.
ticket: 6749
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24189 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb/ldap/libkdb_ldap')
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/Makefile.in | 2 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c | 88 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 31 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 13 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports | 2 |
5 files changed, 38 insertions, 98 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
index bc6c27a..8331650 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
+++ b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
@@ -52,7 +52,6 @@ SRCS= $(srcdir)/kdb_ldap.c \
 $(srcdir)/princ_xdr.c \
 $(srcdir)/ldap_fetch_mkey.c \
 $(srcdir)/ldap_service_stash.c \
- $(srcdir)/kdb_ext.c \
 $(srcdir)/kdb_xdr.c \
 $(srcdir)/ldap_err.c \
 $(srcdir)/lockout.c \
@@ -74,7 +73,6 @@ STLIBOBJS= kdb_ldap.o \
 princ_xdr.o \
 ldap_fetch_mkey.o \
 ldap_service_stash.o \
- kdb_ext.o \
 kdb_xdr.o \
 ldap_err.o \
 lockout.o
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
deleted file mode 100644
index 75b4543..0000000
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * plugins/kdb/ldap/kdb_ext.c
- *
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- *
- */
-
-#include "k5-int.h"
-#include "kdb.h"
-#include <stdio.h>
-#include <errno.h>
-#include "kdb_ldap.h"
-
-static krb5_error_code
-krb5_ldap_check_allowed_to_delegate(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_check_allowed_to_delegate_req *req;
- krb5_error_code code;
- krb5_tl_data *tlp;
-
- req = (const kdb_check_allowed_to_delegate_req *)request->data;
-
- code = KRB5KDC_ERR_POLICY;
-
- for (tlp = req->server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
- krb5_principal acl;
-
- if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
- continue;
-
- if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
- continue;
-
- if (krb5_principal_compare(context, req->proxy, acl)) {
- code = 0;
- krb5_free_principal(context, acl);
- break;
- }
- krb5_free_principal(context, acl);
- }
-
- return code;
-}
-
-krb5_error_code
-krb5_ldap_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep)
-{
- krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
-
- switch (method) {
- case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
- code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
- break;
- default:
- break;
- }
-
- return code;
-}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index eaf10cf..5e05511 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -549,3 +549,34 @@ krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, { (void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code); } + +krb5_error_code +krb5_ldap_check_allowed_to_delegate(krb5_context context, + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy) +{ + krb5_error_code code; + krb5_tl_data *tlp; + + code = KRB5KDC_ERR_POLICY; + + for (tlp = server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) { + krb5_principal acl; + + if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL) + continue; + + if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0) + continue; + + if (krb5_principal_compare(context, proxy, acl)) { + code = 0; + krb5_free_principal(context, acl); + break; + } + krb5_free_principal(context, acl); + } + + return code; +} diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 939defb..8531b8c 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -307,6 +307,12 @@ krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); +krb5_error_code +krb5_ldap_check_allowed_to_delegate(krb5_context context, + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy); + /* DAL functions */ @@ -337,11 +343,4 @@ krb5_ldap_lockout_audit(krb5_context context, krb5_timestamp stamp, krb5_error_code status); -/* kdb_ext.c */ -krb5_error_code -krb5_ldap_invoke(krb5_context context, - unsigned int method, - const krb5_data *req, - krb5_data *rep); - #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports index 6692c71..c10700f 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports +++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports 
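Review bot: `krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl)` in the kdb_ldap.c hunk reads the ACL entry as a C string and never consults `tlp->tl_data_length`, so this authorization check depends on every KRB5_TL_CONSTRAINED_DELEGATION_ACL entry having been stored NUL-terminated. Nothing visible in the hunk guarantees that, and an unterminated entry would be read past its end. Parsing a bounded, explicitly terminated copy removes the dependency whichever way the producer sets the length, as sketched below. The KRB5KDC_ERR_POLICY default with `continue` on a parse failure does fail closed, which is right for a delegation check, but a malformed entry is skipped without trace and a short comment should say so. The body is carried over from the removed kdb_ext.c, so this is inherited behaviour rather than something the move introduced.

```c
    for (tlp = server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
        krb5_principal acl;
        krb5_error_code ret;
        char *name;

        /* ... unchanged: skip entries that are not KRB5_TL_CONSTRAINED_DELEGATION_ACL ... */

        /* Malformed or empty ACL entries never grant delegation. */
        if (tlp->tl_data_contents == NULL || tlp->tl_data_length == 0)
            continue;

        /* Parse a bounded, explicitly terminated copy of the entry. */
        name = malloc((size_t)tlp->tl_data_length + 1);
        if (name == NULL) {
            code = ENOMEM;
            break;
        }
        memcpy(name, tlp->tl_data_contents, tlp->tl_data_length);
        name[tlp->tl_data_length] = '\0';
        ret = krb5_parse_name(context, name, &acl);
        free(name);
        if (ret != 0)
            continue;

        /* ... unchanged: compare proxy with acl, free acl, break on match ... */
```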
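Review bot: The new prototype for `krb5_ldap_check_allowed_to_delegate` in kdb_ldap.h carries no contract comment, and `client` is accepted but never consulted by the implementation this commit adds in kdb_ldap.c, so a caller could assume the decision depends on the client principal. A comment above the declaration would make the contract explicit, for example `/* Return 0 if proxy matches a constrained-delegation ACL entry on server, else KRB5KDC_ERR_POLICY; client is currently not consulted. */`.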
@@ -46,4 +46,4 @@ krb5_ldap_set_mkey_list
 krb5_ldap_get_mkey_list
 krb5_ldap_check_policy_as
 krb5_ldap_audit_as_req
-krb5_ldap_invoke
+krb5_ldap_check_allowed_to_delegate |