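/*
 * Destroy the ticket policy object named on the command line.
 *
 * Usage: destroy_policy [-force] <policy-DN>
 *
 * Without -force the user is asked to confirm interactively; the reply
 * must compare equal to the global `yes` string.  On any failure the
 * global exit_status is incremented; a usage error prints the
 * DESTROY_POLICY help text instead of an error message.  argc/argv are
 * also handed to init_ldap_realm() for realm/connection setup.
 */
void
kdb5_ldap_destroy_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    char *policy = NULL;      /* heap copy of the DN; freed in cleanup */
    int mask = 0;
    int force = 0;
    int i;
    /* Holds "yes\n" plus the terminator, which is all the confirmation
     * compare below can accept; anything longer is left in stdin. */
    char buf[5] = {0};

    if (argc < 2 || argc > 3)
        goto err_usage;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-force") == 0) {
            force = 1;
            continue;
        }
        /* Any other argument is the policy DN; a second one is a usage
         * error. */
        if (policy != NULL)
            goto err_usage;
        policy = strdup(argv[i]);
        if (policy == NULL) {
            retval = ENOMEM;
            com_err(me, retval, "while destroying policy object");
            goto err_nomsg;
        }
    }
    if (policy == NULL)
        goto err_usage;

    if (!force) {
        printf("This will delete the policy object '%s', are you sure?\n",
               policy);
        printf("(type 'yes' to confirm)? ");
        if (fgets(buf, sizeof(buf), stdin) == NULL) {
            retval = EINVAL;
            goto cleanup;
        }
        if (strcmp(buf, yes) != 0) {
            /* Declined: report via exit_status only, print nothing. */
            exit_status++;
            goto cleanup;
        }
    }

    if ((retval = init_ldap_realm(argc, argv)))
        goto err_nomsg;

    /* The read result is not used beyond its error status; it surfaces
     * a missing or unreadable object before the delete is attempted. */
    if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams,
                                        &mask)))
        goto cleanup;

    if ((retval = krb5_ldap_delete_policy(util_context, policy)))
        goto cleanup;

    printf("** policy object '%s' deleted.\n", policy);
    goto cleanup;

err_usage:
    print_usage = TRUE;
    /* falls through to err_nomsg: usage errors print no com_err line */
err_nomsg:
    no_msg = TRUE;
    /* falls through to cleanup */
cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy);
    if (print_usage)
        db_usage(DESTROY_POLICY);
    if (retval) {
        if (!no_msg)
            com_err(me, retval, "while destroying policy object");
        exit_status++;
    }
}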
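/*
 * Delete the realm lrealm from the directory: every principal whose name
 * ends in "@lrealm" found under the realm's subtrees, all password
 * policies, the ticket policies under the realm DN, and finally the realm
 * object itself.  Deletion is not transactional: a failure part way
 * through leaves whatever was already removed.
 *
 * Returns 0 on success or a krb5 error code; on most failures an extended
 * message is set on context.  An LDAP handle is taken from, and returned
 * to, the pool reached through the context's DAL handle (SETUP_CONTEXT /
 * GET_HANDLE / krb5_ldap_put_handle_to_pool).
 */
krb5_error_code
krb5_ldap_delete_realm(krb5_context context, char *lrealm)
{
    LDAP *ld = NULL;
    krb5_error_code st = 0, tempst = 0;
    char **values = NULL, **subtrees = NULL, **policy = NULL;
    LDAPMessage **result_arr = NULL, *result = NULL, *ent = NULL;
    krb5_principal principal = NULL;
    unsigned int l = 0, ntree = 0;
    int i = 0, j = 0, mask = 0;
    kdb5_dal_handle *dal_handle = NULL;
    krb5_ldap_context *ldap_context = NULL;
    krb5_ldap_server_handle *ldap_server_handle = NULL;
    krb5_ldap_realm_params *rparam = NULL;

    SETUP_CONTEXT();
    if (lrealm == NULL) {
        st = EINVAL;
        k5_setmsg(context, st, _("Realm information not available"));
        goto cleanup;
    }

    st = krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask);
    if (st != 0)
        goto cleanup;

    /* get ldap handle */
    GET_HANDLE();

    /* Search each configured subtree for principals of the realm.  One
     * search result per subtree is kept in result_arr, which has ntree+1
     * zeroed slots so the walk below stops at the first NULL. */
    {
        char *attr[] = { "krbprincipalname", NULL };
        char *realm = NULL, filter[256];
        int len;
        krb5_ldap_context lcontext;

        /* The realm name is external input: escape it for use inside an
         * LDAP filter, and reject it rather than truncate it (or abort)
         * when the filter does not fit. */
        realm = ldap_filter_correct(lrealm);
        if (realm == NULL) {
            st = ENOMEM;
            goto cleanup;
        }
        len = snprintf(filter, sizeof(filter), "(krbprincipalname=*@%s)",
                       realm);
        free(realm);
        if (len < 0 || (size_t)len >= sizeof(filter)) {
            st = EINVAL;
            k5_setmsg(context, st, _("Realm name too long"));
            goto cleanup;
        }

        /* krb5_get_subtree_info() only needs the realm params. */
        memset(&lcontext, 0, sizeof(lcontext));
        lcontext.lrparams = rparam;
        st = krb5_get_subtree_info(&lcontext, &subtrees, &ntree);
        if (st != 0)
            goto cleanup;

        result_arr = calloc(ntree + 1, sizeof(*result_arr));
        if (result_arr == NULL) {
            st = ENOMEM;
            goto cleanup;
        }
        for (l = 0; l < ntree; ++l) {
            LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr);
            result_arr[l] = result;
        }
    }

    /* NOTE: Here all the principals should be cached and the ldap handle
     * freed, as a DAL-LDAP interface is called right below.  Caching might
     * be constrained by availability of memory.  The caching is not done;
     * however there is a lower limit of 2 on the number of handles for a
     * server, and as the DAL-LDAP is not thread-safe this should suffice. */
    for (j = 0; (result = result_arr[j]) != NULL; ++j) {
        for (ent = ldap_first_entry(ld, result); ent != NULL;
             ent = ldap_next_entry(ld, ent)) {
            values = ldap_get_values(ld, ent, "krbPrincipalName");
            if (values == NULL)
                continue;
            for (i = 0; values[i] != NULL; ++i) {
                /* Check the parse: an entry whose name does not parse
                 * must not reach principal_in_realm_2() with an unset
                 * principal. */
                st = krb5_parse_name(context, values[i], &principal);
                if (st != 0)
                    break;
                if (principal_in_realm_2(principal, lrealm) == 0) {
                    st = krb5_ldap_delete_principal(context, principal);
                    /* An entry that is already gone is not an error. */
                    if (st == KRB5_KDB_NOENTRY)
                        st = 0;
                }
                krb5_free_principal(context, principal);
                principal = NULL;
                if (st != 0)
                    break;
            }
            /* Release the attribute values before leaving on error so
             * the cleanup path does not have to know about them. */
            ldap_value_free(values);
            values = NULL;
            if (st != 0)
                goto cleanup;
        }
    }

    /* Delete all password policies.  The iterator's status is not
     * checked, so a failure here does not stop the realm deletion. */
    krb5_ldap_iterate_password_policy(context, "*", delete_password_policy,
                                      context);

    /* Delete all ticket policies under the realm DN.  Individual delete
     * failures are not propagated, as before. */
    st = krb5_ldap_list_policy(context, ldap_context->lrparams->realmdn,
                               &policy);
    if (st != 0) {
        prepend_err_str(context, _("Error reading ticket policy: "), st, st);
        goto cleanup;
    }
    for (i = 0; policy[i] != NULL; i++)
        krb5_ldap_delete_policy(context, policy[i]);

    /* Delete the realm object.  NOTE(review): the DN is taken from
     * ldap_context->lrparams rather than from rparam, which was read for
     * lrealm; this presumes the context is already set up for lrealm —
     * confirm at the callers. */
    st = ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL);
    if (st != LDAP_SUCCESS) {
        int ost = st;
        st = translate_ldap_error(st, OP_DEL);
        k5_setmsg(context, st, _("Realm Delete FAILED: %s"),
                  ldap_err2string(ost));
    }

cleanup:
    if (subtrees != NULL) {
        for (l = 0; l < ntree; ++l)
            free(subtrees[l]);
        free(subtrees);
    }
    if (result_arr != NULL) {
        /* Slots past a search that failed are still NULL from calloc. */
        for (l = 0; l < ntree; l++) {
            if (result_arr[l] != NULL)
                ldap_msgfree(result_arr[l]);
        }
        free(result_arr);
    }
    if (policy != NULL) {
        for (i = 0; policy[i] != NULL; i++)
            free(policy[i]);
        free(policy);
    }
    krb5_ldap_free_realm_params(rparam);
    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
    return st;
}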