/*
* This function will list the DNs of policy objects under a specific
* sub-tree (entire tree by default)
*/
void
kdb5_ldap_list_policies(int argc, char *argv[])
{
char *me = progname;
krb5_error_code retval = 0;
krb5_boolean print_usage = FALSE;
char *basedn = NULL;
char **list = NULL;
char **plist = NULL;
/* Check for number of arguments */
if ((argc != 1) && (argc != 3)) {
goto err_usage;
}
if ((retval = init_ldap_realm (argc, argv)))
goto cleanup;
retval = krb5_ldap_list_policy(util_context, basedn, &list);
if ((retval != 0) || (list == NULL))
goto cleanup;
for (plist = list; *plist != NULL; plist++) {
printf("%s\n", *plist);
}
goto cleanup;
err_usage:
print_usage = TRUE;
cleanup:
if (list != NULL) {
krb5_free_list_entries (list);
free (list);
}
if (basedn)
free (basedn);
if (print_usage) {
db_usage(LIST_POLICY);
}
if (retval) {
com_err(me, retval, "while listing policy objects");
exit_status++;
}
return;
}
krb5_error_code
krb5_ldap_delete_realm (krb5_context context, char *lrealm)
{
LDAP *ld = NULL;
krb5_error_code st = 0, tempst=0;
char **values=NULL, **subtrees=NULL, **policy=NULL;
LDAPMessage **result_arr=NULL, *result = NULL, *ent = NULL;
krb5_principal principal;
unsigned int l=0, ntree=0;
int i=0, j=0, mask=0;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context = NULL;
krb5_ldap_server_handle *ldap_server_handle = NULL;
krb5_ldap_realm_params *rparam=NULL;
SETUP_CONTEXT ();
if (lrealm == NULL) {
st = EINVAL;
k5_setmsg(context, st, _("Realm information not available"));
goto cleanup;
}
if ((st=krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask)) != 0)
goto cleanup;
/* get ldap handle */
GET_HANDLE ();
/* delete all the principals belonging to the realm in the tree */
{
char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256];
krb5_ldap_context lcontext;
realm = ldap_filter_correct (lrealm);
assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") +
strlen (realm) + 2 /* "*@" */ + 1);
snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm);
free (realm);
/* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */
memset(&lcontext, 0, sizeof(krb5_ldap_context));
lcontext.lrparams = rparam;
if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0)
goto cleanup;
result_arr = (LDAPMessage **) calloc((unsigned int)ntree+1,
sizeof(LDAPMessage *));
if (result_arr == NULL) {
st = ENOMEM;
goto cleanup;
}
for (l=0; l < ntree; ++l) {
LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr);
result_arr[l] = result;
}
}
/* NOTE: Here all the principals should be cached and the ldap handle should be freed,
* as a DAL-LDAP interface is called right down here. Caching might be constrained by
* availability of the memory. The caching is not done, however there would be limit
* on the minimum number of handles for a server and it is 2. As the DAL-LDAP is not
* thread-safe this should suffice.
*/
for (j=0; (result=result_arr[j]) != NULL; ++j) {
for (ent = ldap_first_entry (ld, result); ent != NULL;
ent = ldap_next_entry (ld, ent)) {
if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) {
for (i = 0; values[i] != NULL; ++i) {
krb5_parse_name(context, values[i], &principal);
if (principal_in_realm_2(principal, lrealm) == 0) {
st=krb5_ldap_delete_principal(context, principal);
if (st && st != KRB5_KDB_NOENTRY)
goto cleanup;
}
krb5_free_principal(context, principal);
}
ldap_value_free(values);
}
}
}
/* Delete all password policies */
krb5_ldap_iterate_password_policy (context, "*", delete_password_policy, context);
/* Delete all ticket policies */
{
if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) {
prepend_err_str(context, _("Error reading ticket policy: "), st,
st);
goto cleanup;
}
for (i = 0; policy [i] != NULL; i++)
krb5_ldap_delete_policy(context, policy[i]);
}
/* Delete the realm object */
if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_DEL);
k5_setmsg(context, st, _("Realm Delete FAILED: %s"),
ldap_err2string(ost));
}
cleanup:
if (subtrees) {
for (l=0; l < ntree; ++l) {
if (subtrees[l])
free (subtrees[l]);
}
free (subtrees);
}
if (result_arr != NULL) {
for (l = 0; l < ntree; l++)
ldap_msgfree(result_arr[l]);
free(result_arr);
}
if (policy != NULL) {
for (i = 0; policy[i] != NULL; i++)
free (policy[i]);
free (policy);
}
krb5_ldap_free_realm_params(rparam);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
