Exemple #1
0
krb5_error_code
krb5_read_tkt_policy(krb5_context context, krb5_ldap_context *ldap_context,
                     krb5_db_entry *entries, char *policy)
{
    krb5_error_code             st=0;
    unsigned int                mask=0, omask=0;
    int                         tkt_mask=(KDB_MAX_LIFE_ATTR | KDB_MAX_RLIFE_ATTR | KDB_TKT_FLAGS_ATTR);
    krb5_ldap_policy_params     *tktpoldnparam=NULL;

    if ((st=krb5_get_attributes_mask(context, entries, &mask)) != 0)
        goto cleanup;

    if ((mask & tkt_mask) == tkt_mask)
        goto cleanup;

    if (policy != NULL) {
        st = krb5_ldap_read_policy(context, policy, &tktpoldnparam, &omask);
        if (st && st != KRB5_KDB_NOENTRY) {
            prepend_err_str(context, _("Error reading ticket policy. "), st,
                            st);
            goto cleanup;
        }

        st = 0; /* reset the return status */
    }

    if ((mask & KDB_MAX_LIFE_ATTR) == 0) {
        if ((omask & KDB_MAX_LIFE_ATTR) ==  KDB_MAX_LIFE_ATTR)
            entries->max_life = tktpoldnparam->maxtktlife;
        else if (ldap_context->lrparams->max_life)
            entries->max_life = ldap_context->lrparams->max_life;
    }

    if ((mask & KDB_MAX_RLIFE_ATTR) == 0) {
        if ((omask & KDB_MAX_RLIFE_ATTR) == KDB_MAX_RLIFE_ATTR)
            entries->max_renewable_life = tktpoldnparam->maxrenewlife;
        else if (ldap_context->lrparams->max_renewable_life)
            entries->max_renewable_life = ldap_context->lrparams->max_renewable_life;
    }

    if ((mask & KDB_TKT_FLAGS_ATTR) == 0) {
        if ((omask & KDB_TKT_FLAGS_ATTR) == KDB_TKT_FLAGS_ATTR)
            entries->attributes = tktpoldnparam->tktflags;
        else if (ldap_context->lrparams->tktflags)
            entries->attributes |= ldap_context->lrparams->tktflags;
    }
    krb5_ldap_free_policy(context, tktpoldnparam);

cleanup:
    return st;
}
/*
 * This function will display information about the given policy object,
 * fetching the information from the LDAP Server.
 */
void
kdb5_ldap_view_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_error_code retval = 0;
    krb5_boolean print_usage = FALSE;
    char *policy = NULL;
    int mask = 0;

    if (argc != 2) {
        goto err_usage;
    }

    policy = strdup(argv[1]);
    if (policy == NULL) {
        com_err(me, ENOMEM, "while viewing policy");
        exit_status++;
        goto cleanup;
    }

    if ((retval = init_ldap_realm (argc, argv)))
        goto cleanup;

    if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) {
        com_err(me, retval, "while viewing policy '%s'", policy);
        exit_status++;
        goto cleanup;
    }

    print_policy_params (policyparams, mask);

    goto cleanup;

err_usage:
    print_usage = TRUE;

cleanup:
    krb5_ldap_free_policy (util_context, policyparams);

    if (policy)
        free (policy);

    if (print_usage) {
        db_usage(VIEW_POLICY);
    }

    return;
}
/*
 * This function will create a ticket policy object with the
 * specified attributes.
 */
void
kdb5_ldap_create_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    int mask = 0;
    time_t date = 0;
    time_t now = 0;
    int i = 0;

    /* Check for number of arguments */
    if ((argc < 2) || (argc > 16)) {
        goto err_usage;
    }

    /* Allocate memory for policy parameters structure */
    policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params));
    if (policyparams == NULL) {
        retval = ENOMEM;
        goto cleanup;
    }

    /* Get current time */
    time (&now);

    /* Parse all arguments */
    for (i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "-maxtktlife")) {
            if (++i > argc - 1)
                goto err_usage;

            date = get_date(argv[i]);
            if (date == (time_t)(-1)) {
                retval = EINVAL;
                com_err (me, retval, "while providing time specification");
                goto err_nomsg;
            }

            policyparams->maxtktlife = date - now;

            mask |= LDAP_POLICY_MAXTKTLIFE;
        } else if (!strcmp(argv[i], "-maxrenewlife")) {
            if (++i > argc - 1)
                goto err_usage;

            date = get_date(argv[i]);
            if (date == (time_t)(-1)) {
                retval = EINVAL;
                com_err (me, retval, "while providing time specification");
                goto err_nomsg;
            }

            policyparams->maxrenewlife = date - now;

            mask |= LDAP_POLICY_MAXRENEWLIFE;
        } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_svr")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_tix")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "needchange")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
            else
                goto err_usage;

            mask |= LDAP_POLICY_TKTFLAGS;
        } else { /* Any other argument must be policy DN */
            /* First check if policy DN is already provided --
               if so, there's a usage error */
            if (policyparams->policy != NULL)
                goto err_usage;

            /* If not present already, fill up policy DN */
            policyparams->policy = strdup(argv[i]);
            if (policyparams->policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, "while creating policy object");
                goto err_nomsg;
            }
        }
    }

    /* policy DN is a mandatory argument. If not provided, print usage */
    if (policyparams->policy == NULL)
        goto err_usage;

    if ((retval = init_ldap_realm (argc, argv))) {
        com_err(me, retval, "while reading realm information");
        goto err_nomsg;
    }

    /* Create object with all attributes provided */
    if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0)
        goto cleanup;

    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    /* Clean-up structure */
    krb5_ldap_free_policy (util_context, policyparams);

    if (print_usage)
        db_usage(CREATE_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, "while creating policy object");

        exit_status++;
    }

    return;
}
/*
 * This function will modify the attributes of a given ticket
 * policy object.
 */
void
kdb5_ldap_modify_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    char *policy = NULL;
    int in_mask = 0, out_mask = 0;
    time_t date = 0;
    time_t now = 0;
    int i = 0;

    /* Check for number of arguments -- minimum is 3
       since atleast one parameter should be given in
       addition to 'modify_policy' and policy DN */
    if ((argc < 3) || (argc > 16)) {
        goto err_usage;
    }

    /* Parse all arguments, only to pick up policy DN (Pass 1) */
    for (i = 1; i < argc; i++) {
        /* Skip arguments next to 'maxtktlife'
           and 'maxrenewlife' arguments */
        if (!strcmp(argv[i], "-maxtktlife")) {
            ++i;
        } else if (!strcmp(argv[i], "-maxrenewlife")) {
            ++i;
        }
        /* Do nothing for ticket flag arguments */
        else if (!strcmp((argv[i] + 1), "allow_postdated") ||
                 !strcmp((argv[i] + 1), "allow_forwardable") ||
                 !strcmp((argv[i] + 1), "allow_renewable") ||
                 !strcmp((argv[i] + 1), "allow_proxiable") ||
                 !strcmp((argv[i] + 1), "allow_dup_skey") ||
                 !strcmp((argv[i] + 1), "requires_preauth") ||
                 !strcmp((argv[i] + 1), "requires_hwauth") ||
                 !strcmp((argv[i] + 1), "allow_svr") ||
                 !strcmp((argv[i] + 1), "allow_tgs_req") ||
                 !strcmp((argv[i] + 1), "allow_tix") ||
                 !strcmp((argv[i] + 1), "needchange") ||
                 !strcmp((argv[i] + 1), "password_changing_service")) {
        } else { /* Any other argument must be policy DN */
            /* First check if policy DN is already provided --
               if so, there's a usage error */
            if (policy != NULL)
                goto err_usage;

            /* If not present already, fill up policy DN */
            policy = strdup(argv[i]);
            if (policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, "while modifying policy object");
                goto err_nomsg;
            }
        }
    }

    if (policy == NULL)
        goto err_usage;

    if ((retval = init_ldap_realm (argc, argv)))
        goto cleanup;

    retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask);
    if (retval) {
        com_err(me, retval, "while reading information of policy '%s'", policy);
        goto err_nomsg;
    }

    /* Get current time */
    time (&now);

    /* Parse all arguments, but skip policy DN (Pass 2) */
    for (i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "-maxtktlife")) {
            if (++i > argc - 1)
                goto err_usage;

            date = get_date(argv[i]);
            if (date == (time_t)(-1)) {
                retval = EINVAL;
                com_err (me, retval, "while providing time specification");
                goto err_nomsg;
            }

            policyparams->maxtktlife = date - now;

            out_mask |= LDAP_POLICY_MAXTKTLIFE;
        } else if (!strcmp(argv[i], "-maxrenewlife")) {
            if (++i > argc - 1)
                goto err_usage;

            date = get_date(argv[i]);
            if (date == (time_t)(-1)) {
                retval = EINVAL;
                com_err (me, retval, "while providing time specification");
                goto err_nomsg;
            }

            policyparams->maxrenewlife = date - now;

            out_mask |= LDAP_POLICY_MAXRENEWLIFE;
        } else if (!strcmp((argv[i] + 1), "allow_postdated")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_renewable")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "requires_preauth")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_svr")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "allow_tix")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
            else if (*(argv[i]) == '-')
                policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "needchange")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else if (!strcmp((argv[i] + 1), "password_changing_service")) {
            if (*(argv[i]) == '+')
                policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
            else if (*(argv[i]) == '-')
                policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
            else
                goto err_usage;

            out_mask |= LDAP_POLICY_TKTFLAGS;
        } else {
            /* Any other argument must be policy DN
               -- skip it */
        }
    }

    /* Modify attributes of object */
    if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask)))
        goto cleanup;

    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    /* Clean-up structure */
    krb5_ldap_free_policy (util_context, policyparams);

    if (policy)
        free (policy);

    if (print_usage)
        db_usage(MODIFY_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, "while modifying policy object");

        exit_status++;
    }

    return;
}
/*
 * This function will destroy the specified ticket policy
 * object interactively, unless forced through an option.
 */
void
kdb5_ldap_destroy_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    char *policy = NULL;
    int mask = 0;
    int force = 0;
    char buf[5] = {0};
    int i = 0;

    if ((argc < 2) || (argc > 3)) {
        goto err_usage;
    }

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-force") == 0) {
            force++;
        } else { /* Any other argument must be policy DN */
            /* First check if policy DN is already provided --
               if so, there's a usage error */
            if (policy != NULL)
                goto err_usage;

            /* If not present already, fill up policy DN */
            policy = strdup(argv[i]);
            if (policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, "while destroying policy object");
                goto err_nomsg;
            }
        }
    }

    if (policy == NULL)
        goto err_usage;

    if (!force) {
        printf("This will delete the policy object '%s', are you sure?\n", policy);
        printf("(type 'yes' to confirm)? ");

        if (fgets(buf, sizeof(buf), stdin) == NULL) {
            retval = EINVAL;
            goto cleanup;
        }

        if (strcmp(buf, yes)) {
            exit_status++;
            goto cleanup;
        }
    }

    if ((retval = init_ldap_realm (argc, argv)))
        goto err_nomsg;

    if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask)))
        goto cleanup;


    if ((retval = krb5_ldap_delete_policy(util_context, policy)))
        goto cleanup;

    printf("** policy object '%s' deleted.\n", policy);
    goto cleanup;


err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    /* Clean-up structure */
    krb5_ldap_free_policy (util_context, policyparams);

    if (policy) {
        free (policy);
    }

    if (print_usage) {
        db_usage(DESTROY_POLICY);
    }

    if (retval) {
        if (!no_msg)
            com_err(me, retval, "while destroying policy object");

        exit_status++;
    }

    return;
}