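/*
 * Fill in the ticket-policy attributes of ENTRIES that the principal entry
 * itself does not carry.  For each of max_life, max_renewable_life and the
 * ticket flags the value is taken, in order of preference, from the entry's
 * own attributes (as reported by krb5_get_attributes_mask), from the ticket
 * policy object named by POLICY (if any), and finally from the realm-wide
 * defaults in ldap_context->lrparams.
 *
 * POLICY may be NULL.  A policy object that does not exist
 * (KRB5_KDB_NOENTRY) is not treated as an error; the realm defaults apply.
 *
 * Returns 0 on success or a krb5 error code.  Any error from
 * krb5_ldap_read_policy is reported with the context error message prefixed.
 */
krb5_error_code
krb5_read_tkt_policy(krb5_context context, krb5_ldap_context *ldap_context,
                     krb5_db_entry *entries, char *policy)
{
    krb5_error_code st = 0;
    unsigned int mask = 0, omask = 0;
    const unsigned int tkt_mask = (KDB_MAX_LIFE_ATTR | KDB_MAX_RLIFE_ATTR |
                                   KDB_TKT_FLAGS_ATTR);
    krb5_ldap_policy_params *tktpoldnparam = NULL;

    st = krb5_get_attributes_mask(context, entries, &mask);
    if (st != 0)
        goto cleanup;

    /* Nothing to fill in if the entry already carries all three attributes. */
    if ((mask & tkt_mask) == tkt_mask)
        goto cleanup;

    if (policy != NULL) {
        st = krb5_ldap_read_policy(context, policy, &tktpoldnparam, &omask);
        if (st && st != KRB5_KDB_NOENTRY) {
            prepend_err_str(context, _("Error reading ticket policy. "), st, st);
            goto cleanup;
        }
        st = 0; /* A missing policy object is not an error. */
    }

    if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
        if ((omask & KDB_MAX_LIFE_ATTR) == KDB_MAX_LIFE_ATTR)
            entries->max_life = tktpoldnparam->maxtktlife;
        else if (ldap_context->lrparams->max_life)
            entries->max_life = ldap_context->lrparams->max_life;
    }

    if ((mask & KDB_MAX_RLIFE_ATTR) == 0) {
        if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR)
            entries->max_renewable_life = tktpoldnparam->maxrenewlife;
        else if (ldap_context->lrparams->max_renewable_life)
            entries->max_renewable_life =
                ldap_context->lrparams->max_renewable_life;
    }

    if ((mask & KDB_TKT_FLAGS_ATTR) == 0) {
        if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR) {
            entries->attributes = tktpoldnparam->tktflags;
        } else if (ldap_context->lrparams->tktflags) {
            /* Asymmetric with the policy-object case above: the realm
             * default flags are OR-ed into whatever the entry already has,
             * whereas a policy object's flags replace them.  Preserved as
             * found. */
            entries->attributes |= ldap_context->lrparams->tktflags;
        }
    }

cleanup:
    /* Runs on every exit path, including a failed krb5_ldap_read_policy, so
     * a policy object allocated before the failure is not leaked.  The free
     * routine tolerates a NULL pointer. */
    krb5_ldap_free_policy(context, tktpoldnparam);
    return st;
}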
/*
 * view_policy <policy DN>
 *
 * Print the attributes of the named ticket policy object as stored on the
 * LDAP server.  Errors are reported via com_err and counted in exit_status;
 * a wrong argument count prints the usage text instead.
 */
void
kdb5_ldap_view_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_ldap_policy_params *params = NULL;
    krb5_error_code retval = 0;
    char *policy_dn = NULL;
    int mask = 0;
    krb5_boolean show_usage = FALSE;

    if (argc != 2) {
        show_usage = TRUE;
        goto cleanup;
    }

    policy_dn = strdup(argv[1]);
    if (policy_dn == NULL) {
        com_err(me, ENOMEM, "while viewing policy");
        exit_status++;
        goto cleanup;
    }

    retval = init_ldap_realm(argc, argv);
    if (retval != 0)
        goto cleanup;

    retval = krb5_ldap_read_policy(util_context, policy_dn, &params, &mask);
    if (retval != 0) {
        com_err(me, retval, "while viewing policy '%s'", policy_dn);
        exit_status++;
        goto cleanup;
    }

    print_policy_params(params, mask);

cleanup:
    krb5_ldap_free_policy(util_context, params);
    free(policy_dn); /* free(NULL) is a no-op */
    if (show_usage)
        db_usage(VIEW_POLICY);
}
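/*
 * One "+name" / "-name" ticket-flag option accepted by create_policy.
 * For the allow_* options '+' clears a KRB5_KDB_DISALLOW_* bit and '-' sets
 * it; for the requires_* / needchange / password_changing_service options
 * '+' sets the bit and '-' clears it.
 */
struct create_policy_flag {
    const char *name;
    int bit;
    krb5_boolean plus_sets_bit; /* TRUE: '+' sets BIT; FALSE: '+' clears it */
};

static const struct create_policy_flag create_policy_flags[] = {
    { "allow_postdated", KRB5_KDB_DISALLOW_POSTDATED, FALSE },
    { "allow_forwardable", KRB5_KDB_DISALLOW_FORWARDABLE, FALSE },
    { "allow_renewable", KRB5_KDB_DISALLOW_RENEWABLE, FALSE },
    { "allow_proxiable", KRB5_KDB_DISALLOW_PROXIABLE, FALSE },
    { "allow_dup_skey", KRB5_KDB_DISALLOW_DUP_SKEY, FALSE },
    { "requires_preauth", KRB5_KDB_REQUIRES_PRE_AUTH, TRUE },
    { "requires_hwauth", KRB5_KDB_REQUIRES_HW_AUTH, TRUE },
    { "allow_svr", KRB5_KDB_DISALLOW_SVR, FALSE },
    { "allow_tgs_req", KRB5_KDB_DISALLOW_TGT_BASED, FALSE },
    { "allow_tix", KRB5_KDB_DISALLOW_ALL_TIX, FALSE },
    { "needchange", KRB5_KDB_REQUIRES_PWCHANGE, TRUE },
    { "password_changing_service", KRB5_KDB_PWCHANGE_SERVICE, TRUE },
};

/*
 * Apply ARG to *TKTFLAGS if it is one of the ticket-flag options above.
 *
 * Returns 1 when ARG named a known flag and was applied, 0 when ARG is not a
 * flag option at all (the caller treats it as the policy DN), and -1 when
 * ARG names a known flag but starts with neither '+' nor '-' (usage error).
 *
 * An empty ARG is reported as "not a flag option" without looking at
 * ARG + 1; comparing from one past the terminator of an empty argument
 * would read outside the string.
 */
static int
create_policy_apply_flag(const char *arg, int *tktflags)
{
    size_t n;

    if (arg[0] == '\0')
        return 0;

    for (n = 0; n < sizeof(create_policy_flags) / sizeof(create_policy_flags[0]);
         n++) {
        const struct create_policy_flag *f = &create_policy_flags[n];
        krb5_boolean set;

        if (strcmp(arg + 1, f->name) != 0)
            continue;
        if (arg[0] == '+')
            set = f->plus_sets_bit;
        else if (arg[0] == '-')
            set = !f->plus_sets_bit;
        else
            return -1;
        if (set)
            *tktflags |= f->bit;
        else
            *tktflags &= (int)(~f->bit);
        return 1;
    }
    return 0;
}

/*
 * create_policy [-maxtktlife time] [-maxrenewlife time]
 *               [{+|-}flag ...] <policy DN>
 *
 * Create a ticket policy object with the given attributes.  Lifetimes are
 * given as absolute dates (parsed by get_date) and stored as the difference
 * from the current time.  Exactly one non-option argument, the policy DN,
 * is required.  Errors are reported via com_err and counted in exit_status;
 * usage errors print the usage text instead.
 */
void
kdb5_ldap_create_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    int mask = 0;
    time_t date = 0;
    time_t now = 0;
    int i = 0;

    /* NOTE(review): 16 is the historical upper bound.  A command line that
     * gives the DN, both lifetimes with their values and all twelve flags has
     * argc == 18 and is therefore rejected as a usage error.  Preserved as
     * found; confirm before raising it. */
    if ((argc < 2) || (argc > 16))
        goto err_usage;

    policyparams = calloc(1, sizeof(*policyparams));
    if (policyparams == NULL) {
        retval = ENOMEM;
        goto cleanup;
    }

    /* Lifetimes are entered as absolute dates and stored relative to now. */
    time(&now);

    for (i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "-maxtktlife") ||
            !strcmp(argv[i], "-maxrenewlife")) {
            const char *opt = argv[i];

            /* The option's value is the next argument. */
            if (++i > argc - 1)
                goto err_usage;
            date = get_date(argv[i]);
            if (date == (time_t)(-1)) {
                retval = EINVAL;
                com_err(me, retval, "while providing time specification");
                goto err_nomsg;
            }
            if (!strcmp(opt, "-maxtktlife")) {
                policyparams->maxtktlife = date - now;
                mask |= LDAP_POLICY_MAXTKTLIFE;
            } else {
                policyparams->maxrenewlife = date - now;
                mask |= LDAP_POLICY_MAXRENEWLIFE;
            }
            continue;
        }

        switch (create_policy_apply_flag(argv[i], &policyparams->tktflags)) {
        case 1:
            mask |= LDAP_POLICY_TKTFLAGS;
            break;
        case -1:
            /* Known flag name without a '+' or '-' prefix. */
            goto err_usage;
        default:
            /* Any other argument is the policy DN; only one may be given. */
            if (policyparams->policy != NULL)
                goto err_usage;
            policyparams->policy = strdup(argv[i]);
            if (policyparams->policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, "while creating policy object");
                goto err_nomsg;
            }
            break;
        }
    }

    /* The policy DN is mandatory. */
    if (policyparams->policy == NULL)
        goto err_usage;

    retval = init_ldap_realm(argc, argv);
    if (retval) {
        com_err(me, retval, "while reading realm information");
        goto err_nomsg;
    }

    /* Create the object with all attributes provided. */
    retval = krb5_ldap_create_policy(util_context, policyparams, mask);
    goto cleanup;

err_usage:
    print_usage = TRUE;
err_nomsg:
    no_msg = TRUE;
cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    if (print_usage)
        db_usage(CREATE_POLICY);
    if (retval) {
        if (!no_msg)
            com_err(me, retval, "while creating policy object");
        exit_status++;
    }
}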
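/*
 * One "+name" / "-name" ticket-flag option accepted by modify_policy.
 * For the allow_* options '+' clears a KRB5_KDB_DISALLOW_* bit and '-' sets
 * it; for the requires_* / needchange / password_changing_service options
 * '+' sets the bit and '-' clears it.
 */
struct modify_policy_flag {
    const char *name;
    int bit;
    krb5_boolean plus_sets_bit; /* TRUE: '+' sets BIT; FALSE: '+' clears it */
};

static const struct modify_policy_flag modify_policy_flags[] = {
    { "allow_postdated", KRB5_KDB_DISALLOW_POSTDATED, FALSE },
    { "allow_forwardable", KRB5_KDB_DISALLOW_FORWARDABLE, FALSE },
    { "allow_renewable", KRB5_KDB_DISALLOW_RENEWABLE, FALSE },
    { "allow_proxiable", KRB5_KDB_DISALLOW_PROXIABLE, FALSE },
    { "allow_dup_skey", KRB5_KDB_DISALLOW_DUP_SKEY, FALSE },
    { "requires_preauth", KRB5_KDB_REQUIRES_PRE_AUTH, TRUE },
    { "requires_hwauth", KRB5_KDB_REQUIRES_HW_AUTH, TRUE },
    { "allow_svr", KRB5_KDB_DISALLOW_SVR, FALSE },
    { "allow_tgs_req", KRB5_KDB_DISALLOW_TGT_BASED, FALSE },
    { "allow_tix", KRB5_KDB_DISALLOW_ALL_TIX, FALSE },
    { "needchange", KRB5_KDB_REQUIRES_PWCHANGE, TRUE },
    { "password_changing_service", KRB5_KDB_PWCHANGE_SERVICE, TRUE },
};

/*
 * Look up ARG (minus its first character, whatever it is) in the flag table.
 * Returns the matching entry, or NULL if ARG is not a ticket-flag option.
 *
 * An empty ARG is reported as "not a flag option" without looking at
 * ARG + 1; comparing from one past the terminator of an empty argument
 * would read outside the string.
 */
static const struct modify_policy_flag *
modify_policy_find_flag(const char *arg)
{
    size_t n;

    if (arg[0] == '\0')
        return NULL;
    for (n = 0; n < sizeof(modify_policy_flags) / sizeof(modify_policy_flags[0]);
         n++) {
        if (strcmp(arg + 1, modify_policy_flags[n].name) == 0)
            return &modify_policy_flags[n];
    }
    return NULL;
}

/*
 * Apply flag F to *TKTFLAGS according to PREFIX ('+' or '-').
 * Returns 0 on success, -1 if PREFIX is neither '+' nor '-' (usage error).
 */
static int
modify_policy_apply_flag(const struct modify_policy_flag *f, char prefix,
                         int *tktflags)
{
    krb5_boolean set;

    if (prefix == '+')
        set = f->plus_sets_bit;
    else if (prefix == '-')
        set = !f->plus_sets_bit;
    else
        return -1;
    if (set)
        *tktflags |= f->bit;
    else
        *tktflags &= (int)(~f->bit);
    return 0;
}

/*
 * modify_policy [-maxtktlife time] [-maxrenewlife time]
 *               [{+|-}flag ...] <policy DN>
 *
 * Change attributes of an existing ticket policy object.  The argument list
 * is walked twice: pass 1 only locates the policy DN (the single argument
 * that is neither an option nor an option value) so the current object can
 * be read from the server; pass 2 then applies the requested changes on top
 * of the values read.  Lifetimes are given as absolute dates and stored as
 * the difference from the current time.  At least one attribute argument is
 * required.  Errors are reported via com_err and counted in exit_status;
 * usage errors print the usage text instead.
 */
void
kdb5_ldap_modify_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    char *policy = NULL;
    int in_mask = 0, out_mask = 0;
    time_t date = 0;
    time_t now = 0;
    int i = 0;
    const struct modify_policy_flag *flag;

    /* Minimum is 3: the command, the policy DN and at least one attribute.
     * NOTE(review): 16 is the historical upper bound.  A command line that
     * gives the DN, both lifetimes with their values and all twelve flags has
     * argc == 18 and is therefore rejected as a usage error.  Preserved as
     * found; confirm before raising it. */
    if ((argc < 3) || (argc > 16))
        goto err_usage;

    /* Pass 1: find the policy DN; everything else is handled in pass 2. */
    for (i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "-maxtktlife") ||
            !strcmp(argv[i], "-maxrenewlife")) {
            /* Skip the option's value; its presence is checked in pass 2. */
            ++i;
        } else if (modify_policy_find_flag(argv[i]) != NULL) {
            /* Ticket-flag option: applied in pass 2. */
        } else {
            /* Any other argument is the policy DN; only one may be given. */
            if (policy != NULL)
                goto err_usage;
            policy = strdup(argv[i]);
            if (policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, "while modifying policy object");
                goto err_nomsg;
            }
        }
    }

    if (policy == NULL)
        goto err_usage;

    retval = init_ldap_realm(argc, argv);
    if (retval)
        goto cleanup;

    /* Start from the object's current attributes. */
    retval = krb5_ldap_read_policy(util_context, policy, &policyparams,
                                   &in_mask);
    if (retval) {
        com_err(me, retval, "while reading information of policy '%s'",
                policy);
        goto err_nomsg;
    }

    /* Lifetimes are entered as absolute dates and stored relative to now. */
    time(&now);

    /* Pass 2: apply the requested changes; the policy DN is skipped. */
    for (i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "-maxtktlife") ||
            !strcmp(argv[i], "-maxrenewlife")) {
            const char *opt = argv[i];

            /* The option's value is the next argument. */
            if (++i > argc - 1)
                goto err_usage;
            date = get_date(argv[i]);
            if (date == (time_t)(-1)) {
                retval = EINVAL;
                com_err(me, retval, "while providing time specification");
                goto err_nomsg;
            }
            if (!strcmp(opt, "-maxtktlife")) {
                policyparams->maxtktlife = date - now;
                out_mask |= LDAP_POLICY_MAXTKTLIFE;
            } else {
                policyparams->maxrenewlife = date - now;
                out_mask |= LDAP_POLICY_MAXRENEWLIFE;
            }
            continue;
        }

        flag = modify_policy_find_flag(argv[i]);
        if (flag == NULL)
            continue; /* the policy DN, already consumed in pass 1 */
        if (modify_policy_apply_flag(flag, argv[i][0],
                                     &policyparams->tktflags) != 0)
            goto err_usage; /* known flag without a '+' or '-' prefix */
        out_mask |= LDAP_POLICY_TKTFLAGS;
    }

    /* Write back only the attributes that were changed. */
    retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask);
    goto cleanup;

err_usage:
    print_usage = TRUE;
err_nomsg:
    no_msg = TRUE;
cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy); /* free(NULL) is a no-op */
    if (print_usage)
        db_usage(MODIFY_POLICY);
    if (retval) {
        if (!no_msg)
            com_err(me, retval, "while modifying policy object");
        exit_status++;
    }
}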
/*
 * destroy_policy [-force] <policy DN>
 *
 * Delete the named ticket policy object.  Unless -force is given the user
 * is asked on stdin to confirm by typing "yes"; any other reply, or EOF,
 * aborts.  The object is read once before deletion so a missing object is
 * reported as an error.  Errors are reported via com_err and counted in
 * exit_status; usage errors print the usage text instead.
 */
void
kdb5_ldap_destroy_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *params = NULL;
    krb5_boolean show_usage = FALSE;
    krb5_boolean quiet_error = FALSE;
    char *policy_dn = NULL;
    int mask = 0;
    int forced = 0;
    /* Room for "yes\n" plus the terminator; a longer reply is read only up
     * to its first four characters and the remainder stays unread on stdin. */
    char answer[5] = {0};
    int idx = 0;

    if (argc < 2 || argc > 3)
        goto err_usage;

    for (idx = 1; idx < argc; idx++) {
        if (strcmp(argv[idx], "-force") == 0) {
            forced++;
            continue;
        }
        /* Any other argument is the policy DN; only one may be given. */
        if (policy_dn != NULL)
            goto err_usage;
        policy_dn = strdup(argv[idx]);
        if (policy_dn == NULL) {
            retval = ENOMEM;
            com_err(me, retval, "while destroying policy object");
            goto err_nomsg;
        }
    }

    if (policy_dn == NULL)
        goto err_usage;

    if (!forced) {
        printf("This will delete the policy object '%s', are you sure?\n",
               policy_dn);
        printf("(type 'yes' to confirm)? ");
        if (fgets(answer, sizeof(answer), stdin) == NULL) {
            retval = EINVAL;
            goto cleanup;
        }
        /* `yes` is the file-level confirmation string (presumably "yes\n" —
         * verify against its definition). */
        if (strcmp(answer, yes) != 0) {
            exit_status++;
            goto cleanup;
        }
    }

    retval = init_ldap_realm(argc, argv);
    if (retval)
        goto err_nomsg;

    retval = krb5_ldap_read_policy(util_context, policy_dn, &params, &mask);
    if (retval)
        goto cleanup;

    retval = krb5_ldap_delete_policy(util_context, policy_dn);
    if (retval)
        goto cleanup;

    printf("** policy object '%s' deleted.\n", policy_dn);
    goto cleanup;

err_usage:
    show_usage = TRUE;
err_nomsg:
    quiet_error = TRUE;
cleanup:
    krb5_ldap_free_policy(util_context, params);
    free(policy_dn); /* free(NULL) is a no-op */
    if (show_usage)
        db_usage(DESTROY_POLICY);
    if (retval) {
        if (!quiet_error)
            com_err(me, retval, "while destroying policy object");
        exit_status++;
    }
}