/* * Get the number of times an object has been referred to in a realm. This is * needed to find out if deleting the attribute will cause dangling links. * * An LDAP handle may be optionally specified to prevent race condition - there * are a limited number of LDAP handles. */ krb5_error_code krb5_ldap_get_reference_count(krb5_context context, char *dn, char *refattr, int *count, LDAP *ld) { int n, st, tempst, gothandle = 0; unsigned int i, ntrees = 0; char *refcntattr[2]; char *filter = NULL, *corrected = NULL, **subtree = NULL; kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context = NULL; krb5_ldap_server_handle *ldap_server_handle = NULL; LDAPMessage *result = NULL; if (dn == NULL || refattr == NULL) { st = EINVAL; goto cleanup; } SETUP_CONTEXT(); if (ld == NULL) { GET_HANDLE(); gothandle = 1; } refcntattr[0] = refattr; refcntattr[1] = NULL; corrected = ldap_filter_correct(dn); if (corrected == NULL) { st = ENOMEM; goto cleanup; } if (asprintf(&filter, "%s=%s", refattr, corrected) < 0) { filter = NULL; st = ENOMEM; goto cleanup; } st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees); if (st) goto cleanup; for (i = 0, *count = 0; i < ntrees; i++) { LDAP_SEARCH(subtree[i], LDAP_SCOPE_SUBTREE, filter, refcntattr); n = ldap_count_entries(ld, result); if (n == -1) { int ret, errcode = 0; ret = ldap_parse_result(ld, result, &errcode, NULL, NULL, NULL, NULL, 0); if (ret != LDAP_SUCCESS) errcode = ret; st = translate_ldap_error(errcode, OP_SEARCH); goto cleanup; } ldap_msgfree(result); result = NULL; *count += n; } cleanup: free(filter); ldap_msgfree(result); for (i = 0; i < ntrees; i++) free(subtree[i]); free(subtree); free(corrected); if (gothandle) krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; }
krb5_error_code krb5_ldap_iterate(krb5_context context, char *match_expr, krb5_error_code (*func)(krb5_pointer, krb5_db_entry *), krb5_pointer func_arg) { krb5_db_entry entry; krb5_principal principal; char **subtree=NULL, *princ_name=NULL, *realm=NULL, **values=NULL, *filter=NULL; unsigned int tree=0, ntree=1, i=0; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; char *default_match_expr = "*"; /* Clear the global error string */ krb5_clear_error_message(context); memset(&entry, 0, sizeof(krb5_db_entry)); SETUP_CONTEXT(); realm = ldap_context->lrparams->realm_name; if (realm == NULL) { realm = context->default_realm; if (realm == NULL) { st = EINVAL; krb5_set_error_message(context, st, "Default realm not set"); goto cleanup; } } /* * If no match_expr then iterate through all krb princs like the db2 plugin */ if (match_expr == NULL) match_expr = default_match_expr; if (asprintf(&filter, FILTER"%s))", match_expr) < 0) filter = NULL; CHECK_NULL(filter); if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntree)) != 0) goto cleanup; GET_HANDLE(); for (tree=0; tree < ntree; ++tree) { LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) { values=ldap_get_values(ld, ent, "krbcanonicalname"); if (values == NULL) values=ldap_get_values(ld, ent, "krbprincipalname"); if (values != NULL) { for (i=0; values[i] != NULL; ++i) { if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0) continue; if (krb5_parse_name(context, princ_name, &principal) != 0) continue; if (is_principal_in_realm(ldap_context, principal) == 0) { if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal, &entry)) != 0) goto cleanup; (*func)(func_arg, &entry); krb5_dbe_free_contents(context, &entry); (void) krb5_free_principal(context, principal); free(princ_name); break; } (void) krb5_free_principal(context, principal); free(princ_name); } ldap_value_free(values); } } /* end of for (ent= ... */ ldap_msgfree(result); } /* end of for (tree= ... */ cleanup: if (filter) free (filter); for (;ntree; --ntree) if (subtree[ntree-1]) free (subtree[ntree-1]); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; }
krb5_error_code krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, unsigned int flags, krb5_db_entry **entry_ptr) { char *user=NULL, *filter=NULL, *filtuser=NULL; unsigned int tree=0, ntrees=1, princlen=0; krb5_error_code tempst=0, st=0; char **values=NULL, **subtree=NULL, *cname=NULL; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; krb5_ldap_context *ldap_context=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; krb5_principal cprinc=NULL; krb5_boolean found=FALSE; krb5_db_entry *entry = NULL; *entry_ptr = NULL; /* Clear the global error string */ krb5_clear_error_message(context); if (searchfor == NULL) return EINVAL; dal_handle = context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; CHECK_LDAP_HANDLE(ldap_context); if (is_principal_in_realm(ldap_context, searchfor) != 0) { krb5_set_error_message(context, st, _("Principal does not belong to realm")); goto cleanup; } if ((st=krb5_unparse_name(context, searchfor, &user)) != 0) goto cleanup; if ((st=krb5_ldap_unparse_principal_name(user)) != 0) goto cleanup; filtuser = ldap_filter_correct(user); if (filtuser == NULL) { st = ENOMEM; goto cleanup; } princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ if ((filter = malloc(princlen)) == NULL) { st = ENOMEM; goto cleanup; } snprintf(filter, princlen, FILTER"%s))", filtuser); if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) goto cleanup; GET_HANDLE(); for (tree=0; tree < ntrees && !found; ++tree) { LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) { /* get the associated directory user information */ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { int i; /* a wild-card in a principal name can return a list of kerberos principals. * Make sure that the correct principal is returned. * NOTE: a principalname k* in ldap server will return all the principals starting with a k */ for (i=0; values[i] != NULL; ++i) { if (strcmp(values[i], user) == 0) { found = TRUE; break; } } ldap_value_free(values); if (!found) /* no matching principal found */ continue; } if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) { if (values[0] && strcmp(values[0], user) != 0) { /* We matched an alias, not the canonical name. */ if (flags & KRB5_KDB_FLAG_ALIAS_OK) { st = krb5_ldap_parse_principal_name(values[0], &cname); if (st != 0) goto cleanup; st = krb5_parse_name(context, cname, &cprinc); if (st != 0) goto cleanup; } else /* No canonicalization, so don't return aliases. */ found = FALSE; } ldap_value_free(values); if (!found) continue; } entry = k5alloc(sizeof(*entry), &st); if (entry == NULL) goto cleanup; if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, cprinc ? cprinc : searchfor, entry)) != 0) goto cleanup; } ldap_msgfree(result); result = NULL; } /* for (tree=0 ... */ if (found) { *entry_ptr = entry; entry = NULL; } else st = KRB5_KDB_NOENTRY; cleanup: ldap_msgfree(result); krb5_ldap_free_principal(context, entry); if (filter) free (filter); if (subtree) { for (; ntrees; --ntrees) if (subtree[ntrees-1]) free (subtree[ntrees-1]); free (subtree); } if (ldap_server_handle) krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); if (user) free(user); if (filtuser) free(filtuser); if (cname) free(cname); if (cprinc) krb5_free_principal(context, cprinc); return st; }
krb5_error_code krb5_ldap_read_realm_params(krb5_context context, char *lrealm, krb5_ldap_realm_params **rlparamp, int *mask) { char **values=NULL; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL,*ent=NULL; krb5_ldap_realm_params *rlparams=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; int x=0; SETUP_CONTEXT (); /* validate the input parameter */ if (lrealm == NULL || ldap_context->container_dn == NULL) { st = EINVAL; goto cleanup; } /* get ldap handle */ GET_HANDLE (); /* Initialize realm container structure */ rlparams =(krb5_ldap_realm_params *) malloc(sizeof(krb5_ldap_realm_params)); CHECK_NULL(rlparams); memset(rlparams, 0, sizeof(krb5_ldap_realm_params)); /* allocate tl_data structure to store MASK information */ rlparams->tl_data = malloc (sizeof(krb5_tl_data)); if (rlparams->tl_data == NULL) { st = ENOMEM; goto cleanup; } memset(rlparams->tl_data, 0, sizeof(krb5_tl_data)); rlparams->tl_data->tl_data_type = KDB_TL_USER_INFO; /* set the mask parameter to 0 */ *mask = 0; /* set default values */ rlparams->search_scope = LDAP_SCOPE_SUBTREE; if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, ldap_context->container_dn) < 0) { rlparams->realmdn = NULL; st = ENOMEM; goto cleanup; } /* populate the realm name in the structure */ rlparams->realm_name = strdup(lrealm); CHECK_NULL(rlparams->realm_name); LDAP_SEARCH(rlparams->realmdn, LDAP_SCOPE_BASE, "(objectclass=krbRealmContainer)", realm_attributes); if ((st = ldap_count_entries(ld, result)) <= 0) { /* This could happen when the DN used to bind and read the realm object * does not have sufficient rights to read its attributes */ st = KRB5_KDB_ACCESS_ERROR; /* return some other error ? */ goto cleanup; } ent = ldap_first_entry (ld, result); if (ent == NULL) { ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, (void *) &st); #if 0 st = translate_ldap_error(st, OP_SEARCH); #endif goto cleanup; } /* Read the attributes */ { if ((values=ldap_get_values(ld, ent, "krbSubTrees")) != NULL) { rlparams->subtreecount = ldap_count_values(values); rlparams->subtree = (char **) malloc(sizeof(char *) * (rlparams->subtreecount + 1)); if (rlparams->subtree == NULL) { st = ENOMEM; goto cleanup; } for (x=0; x<rlparams->subtreecount; x++) { rlparams->subtree[x] = strdup(values[x]); if (rlparams->subtree[x] == NULL) { st = ENOMEM; goto cleanup; } } rlparams->subtree[rlparams->subtreecount] = NULL; *mask |= LDAP_REALM_SUBTREE; ldap_value_free(values); } if((values=ldap_get_values(ld, ent, "krbPrincContainerRef")) != NULL) { rlparams->containerref = strdup(values[0]); if(rlparams->containerref == NULL) { st = ENOMEM; goto cleanup; } *mask |= LDAP_REALM_CONTREF; ldap_value_free(values); } if ((values=ldap_get_values(ld, ent, "krbSearchScope")) != NULL) { rlparams->search_scope=atoi(values[0]); /* searchscope can be ONE-LEVEL or SUBTREE, else default to SUBTREE */ if (!(rlparams->search_scope==1 || rlparams->search_scope==2)) rlparams->search_scope = LDAP_SCOPE_SUBTREE; *mask |= LDAP_REALM_SEARCHSCOPE; ldap_value_free(values); } if ((values=ldap_get_values(ld, ent, "krbMaxTicketLife")) != NULL) { rlparams->max_life = atoi(values[0]); *mask |= LDAP_REALM_MAXTICKETLIFE; ldap_value_free(values); } if ((values=ldap_get_values(ld, ent, "krbMaxRenewableAge")) != NULL) { rlparams->max_renewable_life = atoi(values[0]); *mask |= LDAP_REALM_MAXRENEWLIFE; ldap_value_free(values); } if ((values=ldap_get_values(ld, ent, "krbTicketFlags")) != NULL) { rlparams->tktflags = atoi(values[0]); *mask |= LDAP_REALM_KRBTICKETFLAGS; ldap_value_free(values); } } rlparams->mask = *mask; *rlparamp = rlparams; st = store_tl_data(rlparams->tl_data, KDB_TL_MASK, mask); cleanup: /* if there is an error, free allocated structures */ if (st != 0) { krb5_ldap_free_realm_params(rlparams); *rlparamp=NULL; } ldap_msgfree(result); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; }
krb5_error_code krb5_ldap_delete_realm (krb5_context context, char *lrealm) { LDAP *ld = NULL; krb5_error_code st = 0, tempst=0; char **values=NULL, **subtrees=NULL, **policy=NULL; LDAPMessage **result_arr=NULL, *result = NULL, *ent = NULL; krb5_principal principal; unsigned int l=0, ntree=0; int i=0, j=0, mask=0; kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context = NULL; krb5_ldap_server_handle *ldap_server_handle = NULL; krb5_ldap_realm_params *rparam=NULL; SETUP_CONTEXT (); if (lrealm == NULL) { st = EINVAL; k5_setmsg(context, st, _("Realm information not available")); goto cleanup; } if ((st=krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask)) != 0) goto cleanup; /* get ldap handle */ GET_HANDLE (); /* delete all the principals belonging to the realm in the tree */ { char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256]; krb5_ldap_context lcontext; realm = ldap_filter_correct (lrealm); assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") + strlen (realm) + 2 /* "*@" */ + 1); snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm); free (realm); /* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */ memset(&lcontext, 0, sizeof(krb5_ldap_context)); lcontext.lrparams = rparam; if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0) goto cleanup; result_arr = (LDAPMessage **) calloc((unsigned int)ntree+1, sizeof(LDAPMessage *)); if (result_arr == NULL) { st = ENOMEM; goto cleanup; } for (l=0; l < ntree; ++l) { LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr); result_arr[l] = result; } } /* NOTE: Here all the principals should be cached and the ldap handle should be freed, * as a DAL-LDAP interface is called right down here. Caching might be constrained by * availability of the memory. The caching is not done, however there would be limit * on the minimum number of handles for a server and it is 2. As the DAL-LDAP is not * thread-safe this should suffice. */ for (j=0; (result=result_arr[j]) != NULL; ++j) { for (ent = ldap_first_entry (ld, result); ent != NULL; ent = ldap_next_entry (ld, ent)) { if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) { for (i = 0; values[i] != NULL; ++i) { krb5_parse_name(context, values[i], &principal); if (principal_in_realm_2(principal, lrealm) == 0) { st=krb5_ldap_delete_principal(context, principal); if (st && st != KRB5_KDB_NOENTRY) goto cleanup; } krb5_free_principal(context, principal); } ldap_value_free(values); } } } /* Delete all password policies */ krb5_ldap_iterate_password_policy (context, "*", delete_password_policy, context); /* Delete all ticket policies */ { if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) { prepend_err_str(context, _("Error reading ticket policy: "), st, st); goto cleanup; } for (i = 0; policy [i] != NULL; i++) krb5_ldap_delete_policy(context, policy[i]); } /* Delete the realm object */ if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) { int ost = st; st = translate_ldap_error (st, OP_DEL); k5_setmsg(context, st, _("Realm Delete FAILED: %s"), ldap_err2string(ost)); } cleanup: if (subtrees) { for (l=0; l < ntree; ++l) { if (subtrees[l]) free (subtrees[l]); } free (subtrees); } if (result_arr != NULL) { for (l = 0; l < ntree; l++) ldap_msgfree(result_arr[l]); free(result_arr); } if (policy != NULL) { for (i = 0; policy[i] != NULL; i++) free (policy[i]); free (policy); } krb5_ldap_free_realm_params(rparam); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; }
krb5_error_code krb5_ldap_list_realm(krb5_context context, char ***realms) { char **values = NULL; unsigned int i = 0; int count = 0; krb5_error_code st = 0, tempst = 0; LDAP *ld = NULL; LDAPMessage *result = NULL, *ent = NULL; kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context = NULL; krb5_ldap_server_handle *ldap_server_handle = NULL; SETUP_CONTEXT (); /* get the kerberos container DN information */ if (ldap_context->container_dn == NULL) { if ((st = krb5_ldap_read_krbcontainer_dn(context, &(ldap_context->container_dn))) != 0) goto cleanup; } /* get ldap handle */ GET_HANDLE (); { char *cn[] = {"cn", NULL}; LDAP_SEARCH(ldap_context->container_dn, LDAP_SCOPE_ONELEVEL, "(objectclass=krbRealmContainer)", cn); } *realms = NULL; count = ldap_count_entries (ld, result); if (count == -1) { ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st); st = set_ldap_error (context, st, OP_SEARCH); goto cleanup; } *realms = calloc((unsigned int) count+1, sizeof (char *)); CHECK_NULL(*realms); for (ent = ldap_first_entry(ld, result), count = 0; ent != NULL; ent = ldap_next_entry(ld, ent)) { if ((values = ldap_get_values (ld, ent, "cn")) != NULL) { (*realms)[count] = strdup(values[0]); CHECK_NULL((*realms)[count]); count += 1; ldap_value_free(values); } } /* for (ent= ... */ cleanup: /* some error, free up all the memory */ if (st != 0) { if (*realms) { for (i=0; (*realms)[i] != NULL; ++i) { free ((*realms)[i]); } free (*realms); *realms = NULL; } } /* If there are no elements, still return a NULL terminated array */ ldap_msgfree(result); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; }