DWORD VmDirTestDeleteContainerByDn( LDAP *pLd, PCSTR pszContainerDn ) { DWORD dwError = 0; DWORD dwIndex = 0; PVMDIR_STRING_LIST pObjectList = NULL; dwError = VmDirTestGetObjectList(pLd, pszContainerDn, &pObjectList); BAIL_ON_VMDIR_ERROR(dwError); for (dwIndex = 0; dwIndex < pObjectList->dwCount; ++dwIndex) { dwError = ldap_delete_ext_s( pLd, pObjectList->pStringList[dwIndex], NULL, NULL); if (dwError == LDAP_NOT_ALLOWED_ON_NONLEAF) { dwError = VmDirTestDeleteContainerByDn( pLd, pObjectList->pStringList[dwIndex]); BAIL_ON_VMDIR_ERROR(dwError); } } dwError = ldap_delete_ext_s(pLd, pszContainerDn, NULL, NULL); BAIL_ON_VMDIR_ERROR(dwError); cleanup: VmDirStringListFree(pObjectList); return dwError; error: goto cleanup; }
krb5_error_code ipadb_simple_delete(struct ipadb_context *ipactx, char *dn) { int ret; ret = ldap_delete_ext_s(ipactx->lcontext, dn, NULL, NULL); /* first test if we need to retry to connect */ if (ret != 0 && ipadb_need_retry(ipactx, ret)) { ret = ldap_delete_ext_s(ipactx->lcontext, dn, NULL, NULL); } return ipadb_simple_ldap_to_kerr(ret); }
/** * Delete contact from LDAP * * \param server AddressBook resource * \param contact GHashTable with object to delete */ void ldapsvr_delete_contact(LdapServer *server, GHashTable *contact) { LDAP *ld = NULL; gchar *dn; int rc; cm_return_if_fail(server != NULL || contact != NULL); ld = ldapsvr_connect(server->control); if (ld == NULL) { clean_up(ld, server, contact); return; } dn = g_hash_table_lookup(contact, "dn"); if (dn == NULL) { clean_up(ld, server, contact); return; } server->retVal = LDAPRC_SUCCESS; rc = ldap_delete_ext_s(ld, dn, NULL, NULL); if (rc) { g_printerr("ldap_modify for dn=%s\" failed[0x%x]: %s\n", dn, rc, ldaputil_get_error(ld)); server->retVal = LDAPRC_NODN; } clean_up(ld, server, contact); }
static int st_delete(SearchThread *st) { char *dn = NULL; int rval; int e; /* Decide what entry to modify, for this we need a table */ if (NULL == sdattable || sdt_getlen(sdattable) == 0) { fprintf(stderr, "-d option requires a DN file. Use -B file.\n"); return 0; } /* Get the target dn */ do { e = sdt_getrand(sdattable); } while (e < 0); dn = sdt_dn_get(sdattable, e); rval = ldap_delete_ext_s(st->ld, dn, NULL, NULL); if (rval != LDAP_SUCCESS) { if (rval == LDAP_NO_SUCH_OBJECT) { rval = LDAP_SUCCESS; } else { fprintf(stderr, "T%d: Failed to delete error=0x%x\n", st->id, rval); fprintf(stderr, "dn: %s\n", dn); } } return rval; }
krb5_error_code krb5_ldap_delete_krbcontainer(krb5_context context, const char *dn) { LDAP *ld=NULL; krb5_error_code st=0; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; SETUP_CONTEXT (); /* get ldap handle */ GET_HANDLE (); if (dn == NULL) { st = EINVAL; k5_setmsg(context, st, _("Kerberos Container information is missing")); goto cleanup; } /* delete the kerberos container */ if ((st = ldap_delete_ext_s(ld, dn, NULL, NULL)) != LDAP_SUCCESS) { int ost = st; st = translate_ldap_error (st, OP_ADD); k5_setmsg(context, st, _("Kerberos Container delete FAILED: %s"), ldap_err2string(ost)); goto cleanup; } cleanup: krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return(st); }
/* ARGSUSED */ int _ns_ldap_delete_ext_s(char *service, int flags, char *dn, LDAPControl **serverctrls, LDAPControl **clientctrls) { LDAP *ld = __s_api_getLDAPconn(flags); return (ldap_delete_ext_s(ld, dn, serverctrls, clientctrls)); }
/* Delete an entry with the `dnstr` distinguished name on the server. */ int LDAPConnection_DelEntryStringDN(LDAPConnection *self, char *dnstr) { int rc = LDAP_SUCCESS; if (dnstr != NULL) { rc = ldap_delete_ext_s(self->ld, dnstr, NULL, NULL); if (rc != LDAP_SUCCESS) { PyObject *ldaperror = get_error_by_code(rc); PyErr_SetString(ldaperror, ldap_err2string(rc)); Py_DECREF(ldaperror); return -1; } } return 0; }
static krb5_error_code LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal) { krb5_error_code ret; LDAPMessage *msg, *e; char *dn = NULL; int rc, limit = LDAP_NO_LIMIT; ret = LDAP_principal2message(context, db, principal, &msg); if (ret) goto out; e = ldap_first_entry(HDB2LDAP(db), msg); if (e == NULL) { ret = HDB_ERR_NOENTRY; goto out; } dn = ldap_get_dn(HDB2LDAP(db), e); if (dn == NULL) { ret = HDB_ERR_NOENTRY; goto out; } rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit); if (rc != LDAP_SUCCESS) { ret = HDB_ERR_BADVERSION; krb5_set_error_message(context, ret, "ldap_set_option: %s", ldap_err2string(rc)); goto out; } rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL ); if (check_ldap(context, db, rc)) { ret = HDB_ERR_CANT_LOCK_DB; krb5_set_error_message(context, ret, "ldap_delete_ext_s: %s", ldap_err2string(rc)); } else ret = 0; out: if (dn != NULL) free(dn); if (msg != NULL) ldap_msgfree(msg); return ret; }
static LibBalsaABErr libbalsa_address_book_ldap_remove_address(LibBalsaAddressBook *ab, LibBalsaAddress *address) { LibBalsaAddressBookLdap *ldap_ab = LIBBALSA_ADDRESS_BOOK_LDAP(ab); gchar *dn; int cnt, rc; g_return_val_if_fail(address, LBABERR_CANNOT_WRITE); g_return_val_if_fail(address->address_list, LBABERR_CANNOT_WRITE); if (ldap_ab->directory == NULL) { if( (rc=libbalsa_address_book_ldap_open_connection(ldap_ab)) != LDAP_SUCCESS) return LBABERR_CANNOT_CONNECT; } dn = g_strdup_printf("mail=%s,%s", (char*)address->address_list->data, ldap_ab->priv_book_dn); cnt = 0; do { rc = ldap_delete_ext_s(ldap_ab->directory, dn, NULL, NULL); switch(rc) { case LDAP_SUCCESS: g_free(dn); return LBABERR_OK; case LDAP_SERVER_DOWN: libbalsa_address_book_ldap_close_connection(ldap_ab); if( (rc=libbalsa_address_book_ldap_open_connection(ldap_ab)) != LDAP_SUCCESS) { g_free(dn); return LBABERR_CANNOT_CONNECT; } /* fall through */ default: fprintf(stderr, "ldap_delete for dn=“%s” failed[0x%x]: %s\n", dn, rc, ldap_err2string(rc)); } } while(cnt++<1); g_free(dn); libbalsa_address_book_set_status(ab, g_strdup(ldap_err2string(rc))); return LBABERR_CANNOT_WRITE; }
/*********************************************************************** * ldap_delete_sW (WLDAP32.@) * * Delete an entry from a directory tree (synchronous operation). * * PARAMS * ld [I] Pointer to an LDAP context. * dn [I] DN of the entry to delete. * * RETURNS * Success: LDAP_SUCCESS * Failure: An LDAP error code. */ ULONG CDECL ldap_delete_sW( WLDAP32_LDAP *ld, PWCHAR dn ) { ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED; #ifdef HAVE_LDAP char *dnU = NULL; TRACE( "(%p, %s)\n", ld, debugstr_w(dn) ); if (!ld) return WLDAP32_LDAP_PARAM_ERROR; if (dn) { dnU = strWtoU( dn ); if (!dnU) return WLDAP32_LDAP_NO_MEMORY; } ret = map_error( ldap_delete_ext_s( ld, dn ? dnU : "", NULL, NULL )); strfreeU( dnU ); #endif return ret; }
DWORD VmDirTestDeleteObjectByDNPrefix( PVMDIR_TEST_STATE pState, PCSTR pszDNPrefix ) { DWORD dwError = 0; PSTR pszDN = NULL; dwError = VmDirAllocateStringPrintf( &pszDN, "%s,%s", pszDNPrefix, pState->pszBaseDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = ldap_delete_ext_s(pState->pLd, pszDN, NULL, NULL); BAIL_ON_VMDIR_ERROR(dwError); cleanup: VMDIR_SAFE_FREE_STRINGA(pszDN); return dwError; error: goto cleanup; }
/*********************************************************************** * ldap_delete_ext_sW (WLDAP32.@) * * Delete an entry from a directory tree (synchronous operation). * * PARAMS * ld [I] Pointer to an LDAP context. * dn [I] DN of the entry to delete. * serverctrls [I] Array of LDAP server controls. * clientctrls [I] Array of LDAP client controls. * * RETURNS * Success: LDAP_SUCCESS * Failure: An LDAP error code. * * NOTES * The serverctrls and clientctrls parameters are optional and * should be set to NULL if not used. */ ULONG CDECL ldap_delete_ext_sW( WLDAP32_LDAP *ld, PWCHAR dn, PLDAPControlW *serverctrls, PLDAPControlW *clientctrls ) { ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED; #ifdef HAVE_LDAP char *dnU = NULL; LDAPControl **serverctrlsU = NULL, **clientctrlsU = NULL; TRACE( "(%p, %s, %p, %p)\n", ld, debugstr_w(dn), serverctrls, clientctrls ); if (!ld) return WLDAP32_LDAP_PARAM_ERROR; if (dn) { dnU = strWtoU( dn ); if (!dnU) goto exit; } if (serverctrls) { serverctrlsU = controlarrayWtoU( serverctrls ); if (!serverctrlsU) goto exit; } if (clientctrls) { clientctrlsU = controlarrayWtoU( clientctrls ); if (!clientctrlsU) goto exit; } ret = map_error( ldap_delete_ext_s( ld, dn ? dnU : "", serverctrlsU, clientctrlsU )); exit: strfreeU( dnU ); controlarrayfreeU( serverctrlsU ); controlarrayfreeU( clientctrlsU ); #endif return ret; }
/* * Delete all the children of an entry recursively until leaf nodes are reached. */ static int deletechildren( LDAP *ld, const char *base, int subentries ) { LDAPMessage *res, *e; int entries; int rc = LDAP_SUCCESS, srch_rc; static char *attrs[] = { LDAP_NO_ATTRS, NULL }; LDAPControl c, *ctrls[2], **ctrlsp = NULL; BerElement *ber = NULL; if ( verbose ) printf ( _("deleting children of: %s\n"), base ); if ( subentries ) { /* * Do a one level search at base for subentry children. */ if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) { return EXIT_FAILURE; } rc = ber_printf( ber, "b", 1 ); if ( rc == -1 ) { ber_free( ber, 1 ); fprintf( stderr, _("Subentries control encoding error!\n")); return EXIT_FAILURE; } if ( ber_flatten2( ber, &c.ldctl_value, 0 ) == -1 ) { return EXIT_FAILURE; } c.ldctl_oid = LDAP_CONTROL_SUBENTRIES; c.ldctl_iscritical = 1; ctrls[0] = &c; ctrls[1] = NULL; ctrlsp = ctrls; } /* * Do a one level search at base for children. For each, delete its children. */ more:; srch_rc = ldap_search_ext_s( ld, base, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1, ctrlsp, NULL, NULL, sizelimit, &res ); switch ( srch_rc ) { case LDAP_SUCCESS: case LDAP_SIZELIMIT_EXCEEDED: break; default: tool_perror( "ldap_search", srch_rc, NULL, NULL, NULL, NULL ); return( srch_rc ); } entries = ldap_count_entries( ld, res ); if ( entries > 0 ) { int i; for (e = ldap_first_entry( ld, res ), i = 0; e != NULL; e = ldap_next_entry( ld, e ), i++ ) { char *dn = ldap_get_dn( ld, e ); if( dn == NULL ) { ldap_get_option( ld, LDAP_OPT_RESULT_CODE, &rc ); tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL ); ber_memfree( dn ); return rc; } rc = deletechildren( ld, dn, 0 ); if ( rc != LDAP_SUCCESS ) { tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL ); ber_memfree( dn ); return rc; } if ( verbose ) { printf( _("\tremoving %s\n"), dn ); } rc = ldap_delete_ext_s( ld, dn, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL ); ber_memfree( dn ); return rc; } if ( verbose ) { printf( _("\t%s removed\n"), dn ); } ber_memfree( dn ); } } ldap_msgfree( res ); if ( srch_rc == LDAP_SIZELIMIT_EXCEEDED ) { goto more; } return rc; }
/* * delete a principal from the directory. */ krb5_error_code krb5_ldap_delete_principal(krb5_context context, krb5_const_principal searchfor) { char *user=NULL, *DN=NULL, *strval[10] = {NULL}; LDAPMod **mods=NULL; LDAP *ld=NULL; int j=0, ptype=0, pcount=0, attrsetmask=0; krb5_error_code st=0; krb5_boolean singleentry=FALSE; KEY *secretkey=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; krb5_db_entry *entry = NULL; /* Clear the global error string */ krb5_clear_error_message(context); SETUP_CONTEXT(); /* get the principal info */ if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entry))) goto cleanup; if (((st=krb5_get_princ_type(context, entry, &(ptype))) != 0) || ((st=krb5_get_attributes_mask(context, entry, &(attrsetmask))) != 0) || ((st=krb5_get_princ_count(context, entry, &(pcount))) != 0) || ((st=krb5_get_userdn(context, entry, &(DN))) != 0)) goto cleanup; if (DN == NULL) { st = EINVAL; krb5_set_error_message(context, st, "DN information missing"); goto cleanup; } GET_HANDLE(); if (ptype == KDB_STANDALONE_PRINCIPAL_OBJECT) { st = ldap_delete_ext_s(ld, DN, NULL, NULL); if (st != LDAP_SUCCESS) { st = set_ldap_error (context, st, OP_DEL); goto cleanup; } } else { if (((st=krb5_unparse_name(context, searchfor, &user)) != 0) || ((st=krb5_ldap_unparse_principal_name(user)) != 0)) goto cleanup; memset(strval, 0, sizeof(strval)); strval[0] = user; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE, strval)) != 0) goto cleanup; singleentry = (pcount == 1) ? TRUE: FALSE; if (singleentry == FALSE) { if (secretkey != NULL) { if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES, secretkey->keys)) != 0) goto cleanup; } } else { /* * If the Kerberos user principal to be deleted happens to be the last one associated * with the directory user object, then it is time to delete the other kerberos * specific attributes like krbmaxticketlife, i.e, unkerberize the directory user. * From the attrsetmask value, identify the attributes set on the directory user * object and delete them. * NOTE: krbsecretkey attribute has per principal entries. There can be chances that the * other principals' keys are exisiting/left-over. So delete all the values. */ while (attrsetmask) { if (attrsetmask & 1) { if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } attrsetmask >>= 1; ++j; } /* the same should be done with the objectclass attributes */ { char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL}; /* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */ int p, q, r=0, amask=0; if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0) goto cleanup; memset(strval, 0, sizeof(strval)); for (p=1, q=0; p<=4; p<<=1, ++q) if (p & amask) strval[r++] = attrvalues[q]; strval[r] = NULL; if (r > 0) { if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE, strval)) != 0) goto cleanup; } } } st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL); if (st != LDAP_SUCCESS) { st = set_ldap_error(context, st, OP_MOD); goto cleanup; } } cleanup: if (user) free (user); if (DN) free (DN); if (secretkey != NULL) { int i=0; while (i < secretkey->nkey) { free (secretkey->keys[i]->bv_val); free (secretkey->keys[i]); ++i; } free (secretkey->keys); free (secretkey); } krb5_ldap_free_principal(context, entry); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; }
static void *delete_thread(char *id) { LDAPMessage *res; char dn[BUFSIZ], name[40]; int num_entries, msgid, rc, parse_rc, finished, opcount; struct timeval zerotime; void *voidrc = (void *)0; zerotime.tv_sec = zerotime.tv_usec = 0L; printf("Starting delete_thread %s.\n", id); opcount = 0; tsd_setup(); rc = ldap_search_ext(ld, BASE, SCOPE, "(objectclass=*)", NULL, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &msgid); if (rc != LDAP_SUCCESS) { fprintf(stderr, "Thread %s error: Delete thread: " "ldap_search_ext: %s\n", id, ldap_err2string(rc)); exit(1); } finished = 0; num_entries = 0; while (!finished) { rc = ldap_result(ld, msgid, LDAP_MSG_ONE, &zerotime, &res); switch (rc) { case -1: rc = ldap_get_lderrno(ld, NULL, NULL); fprintf(stderr, "ldap_result: %s\n", ldap_err2string(rc)); exit(1); break; case 0: break; /* Keep track of the number of entries found. */ case LDAP_RES_SEARCH_ENTRY: num_entries++; break; case LDAP_RES_SEARCH_REFERENCE: break; case LDAP_RES_SEARCH_RESULT: finished = 1; parse_rc = ldap_parse_result(ld, res, &rc, NULL, NULL, NULL, NULL, 1); if (parse_rc != LDAP_SUCCESS) { fprintf(stderr, "Thread %s error: can't parse result code.\n", id); exit(1); } else { if (rc != LDAP_SUCCESS) { fprintf(stderr, "Thread %s error: ldap_search: %s\n", id, ldap_err2string(rc)); } else { printf("Thread %s: Got %d results.\n", id, num_entries); } } break; default: break; } } for (;;) { sprintf(name, "%d", get_random_id()); sprintf(dn, "cn=%s, " BASE, name); printf("Thread %s: Deleting entry (%s)\n", id, dn); if ((rc = ldap_delete_ext_s(ld, dn, NULL, NULL)) != LDAP_SUCCESS) { ldap_perror(ld, "ldap_delete_ext_s"); if (rc == LDAP_SERVER_DOWN) { perror("ldap_delete_ext_s"); voidrc = (void *)1; goto delete_cleanup_and_return; } } ++opcount; if (maxops != 0 && opcount >= maxops) { break; } } delete_cleanup_and_return: printf("Thread %s: attempted %d delete operations\n", id, opcount); set_ld_error(0, NULL, NULL, NULL); /* disposes of memory */ tsd_cleanup(); free(id); return voidrc; }
int ldap_delete_s( LDAP *ld, LDAP_CONST char *dn ) { return ldap_delete_ext_s( ld, dn, NULL, NULL ); }
static void do_addel( char *uri, char *manager, struct berval *passwd, char *entry, LDAPMod **attrs, int maxloop, int maxretries, int delay, int friendly, int chaserefs ) { LDAP *ld = NULL; int i = 0, do_retry = maxretries; int rc = LDAP_SUCCESS; int version = LDAP_VERSION3; retry:; ldap_initialize( &ld, uri ); if ( ld == NULL ) { tester_perror( "ldap_initialize", NULL ); exit( EXIT_FAILURE ); } (void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); (void) ldap_set_option( ld, LDAP_OPT_REFERRALS, chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF ); if ( do_retry == maxretries ) { fprintf( stderr, "PID=%ld - Add/Delete(%d): entry=\"%s\".\n", (long) pid, maxloop, entry ); } rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tester_ldap_error( ld, "ldap_sasl_bind_s", NULL ); switch ( rc ) { case LDAP_BUSY: case LDAP_UNAVAILABLE: if ( do_retry > 0 ) { do_retry--; if ( delay != 0 ) { sleep( delay ); } goto retry; } /* fallthru */ default: break; } exit( EXIT_FAILURE ); } for ( ; i < maxloop; i++ ) { /* add the entry */ rc = ldap_add_ext_s( ld, entry, attrs, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tester_ldap_error( ld, "ldap_add_ext_s", NULL ); switch ( rc ) { case LDAP_ALREADY_EXISTS: /* NOTE: this likely means * the delete failed * during the previous round... */ if ( !friendly ) { goto done; } break; case LDAP_BUSY: case LDAP_UNAVAILABLE: if ( do_retry > 0 ) { do_retry--; goto retry; } /* fall thru */ default: goto done; } } #if 0 /* wait a second for the add to really complete */ /* This masks some race conditions though. */ sleep( 1 ); #endif /* now delete the entry again */ rc = ldap_delete_ext_s( ld, entry, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tester_ldap_error( ld, "ldap_delete_ext_s", NULL ); switch ( rc ) { case LDAP_NO_SUCH_OBJECT: /* NOTE: this likely means * the add failed * during the previous round... */ if ( !friendly ) { goto done; } break; case LDAP_BUSY: case LDAP_UNAVAILABLE: if ( do_retry > 0 ) { do_retry--; goto retry; } /* fall thru */ default: goto done; } } } done:; fprintf( stderr, " PID=%ld - Add/Delete done (%d).\n", (long) pid, rc ); ldap_unbind_ext( ld, NULL, NULL ); }
krb5_error_code krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, char **db_args) { int l=0, kerberos_principal_object_type=0; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; char *user=NULL, *subtree=NULL, *principal_dn=NULL; char **values=NULL, *strval[10]= {NULL}, errbuf[1024]; struct berval **bersecretkey=NULL; LDAPMod **mods=NULL; krb5_boolean create_standalone_prinicipal=FALSE; krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; char *standalone_principal_dn=NULL; krb5_tl_data *tl_data=NULL; krb5_key_data **keys=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; osa_princ_ent_rec princ_ent; xargs_t xargs = {0}; char *polname = NULL; OPERATION optype; krb5_boolean found_entry = FALSE; /* Clear the global error string */ krb5_clear_error_message(context); SETUP_CONTEXT(); if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL) return EINVAL; /* get ldap handle */ GET_HANDLE(); if (is_principal_in_realm(ldap_context, entry->princ) != 0) { st = EINVAL; krb5_set_error_message(context, st, _("Principal does not belong to " "the default realm")); goto cleanup; } /* get the principal information to act on */ if (entry->princ) { if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) || ((st=krb5_ldap_unparse_principal_name(user)) != 0)) goto cleanup; } /* Identity the type of operation, it can be * add principal or modify principal. * hack if the entry->mask has KRB_PRINCIPAL flag set * then it is a add operation */ if (entry->mask & KADM5_PRINCIPAL) optype = ADD_PRINCIPAL; else optype = MODIFY_PRINCIPAL; if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) || ((st=krb5_get_userdn(context, entry, &principal_dn)) != 0)) goto cleanup; if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) goto cleanup; if (entry->mask & KADM5_LOAD) { int tree = 0, ntrees = 0, princlen = 0, numlentries = 0; char **subtreelist = NULL, *filter = NULL; /* A load operation is special, will do a mix-in (add krbprinc * attrs to a non-krb object entry) if an object exists with a * matching krbprincipalname attribute so try to find existing * object and set principal_dn. This assumes that the * krbprincipalname attribute is unique (only one object entry has * a particular krbprincipalname attribute). */ if (user == NULL) { /* must have principal name for search */ st = EINVAL; krb5_set_error_message(context, st, _("operation can not continue, principal " "name not found")); goto cleanup; } princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ if ((filter = malloc(princlen)) == NULL) { st = ENOMEM; goto cleanup; } snprintf(filter, princlen, FILTER"%s))", user); /* get the current subtree list */ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) goto cleanup; found_entry = FALSE; /* search for entry with matching krbprincipalname attribute */ for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { result = NULL; if (principal_dn == NULL) { LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); } else { /* just look for entry with principal_dn */ LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); } if (st == LDAP_SUCCESS) { numlentries = ldap_count_entries(ld, result); if (numlentries > 1) { ldap_msgfree(result); free(filter); st = EINVAL; krb5_set_error_message(context, st, _("operation can not continue, " "more than one entry with " "principal name \"%s\" found"), user); goto cleanup; } else if (numlentries == 1) { found_entry = TRUE; if (principal_dn == NULL) { ent = ldap_first_entry(ld, result); if (ent != NULL) { /* setting principal_dn will cause that entry to be modified further down */ if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); st = set_ldap_error (context, st, 0); ldap_msgfree(result); free(filter); goto cleanup; } } } } if (result) ldap_msgfree(result); } else if (st != LDAP_NO_SUCH_OBJECT) { /* could not perform search, return with failure */ st = set_ldap_error (context, st, 0); free(filter); goto cleanup; } /* * If it isn't found then assume a standalone princ entry is to * be created. */ } /* end for (tree = 0; principal_dn == ... */ free(filter); if (found_entry == FALSE && principal_dn != NULL) { /* * if principal_dn is null then there is code further down to * deal with setting standalone_principal_dn. Also note that * this will set create_standalone_prinicipal true for * non-mix-in entries which is okay if loading from a dump. */ create_standalone_prinicipal = TRUE; standalone_principal_dn = strdup(principal_dn); CHECK_NULL(standalone_principal_dn); } } /* end if (entry->mask & KADM5_LOAD */ /* time to generate the DN information with the help of * containerdn, principalcontainerreference or * realmcontainerdn information */ if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ /* get the subtree information */ if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") && strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) { /* if the principal is a inter-realm principal, always created in the realm container */ subtree = strdup(ldap_context->lrparams->realmdn); } else if (xargs.containerdn) { if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { int ost = st; st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("'%s' not found: "), xargs.containerdn); prepend_err_str(context, errbuf, st, ost); } goto cleanup; } subtree = strdup(xargs.containerdn); } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { /* * Here the subtree should be changed with * principalcontainerreference attribute value */ subtree = strdup(ldap_context->lrparams->containerref); } else { subtree = strdup(ldap_context->lrparams->realmdn); } CHECK_NULL(subtree); if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", user, subtree) < 0) standalone_principal_dn = NULL; CHECK_NULL(standalone_principal_dn); /* * free subtree when you are done using the subtree * set the boolean create_standalone_prinicipal to TRUE */ create_standalone_prinicipal = TRUE; free(subtree); subtree = NULL; } /* * If the DN information is presented by the user, time to * validate the input to ensure that the DN falls under * any of the subtrees */ if (xargs.dn_from_kbd == TRUE) { /* make sure the DN falls in the subtree */ int tre=0, dnlen=0, subtreelen=0, ntrees=0; char **subtreelist=NULL; char *dn=NULL; krb5_boolean outofsubtree=TRUE; if (xargs.dn != NULL) { dn = xargs.dn; } else if (xargs.linkdn != NULL) { dn = xargs.linkdn; } else if (standalone_principal_dn != NULL) { /* * Even though the standalone_principal_dn is constructed * within this function, there is the containerdn input * from the user that can become part of the it. */ dn = standalone_principal_dn; } /* get the current subtree list */ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) goto cleanup; for (tre=0; tre<ntrees; ++tre) { if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) { outofsubtree = FALSE; break; } else { dnlen = strlen (dn); subtreelen = strlen(subtreelist[tre]); if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { outofsubtree = FALSE; break; } } } for (tre=0; tre < ntrees; ++tre) { free(subtreelist[tre]); } if (outofsubtree == TRUE) { st = EINVAL; krb5_set_error_message(context, st, _("DN is out of the realm subtree")); goto cleanup; } /* * dn value will be set either by dn, linkdn or the standalone_principal_dn * In the first 2 cases, the dn should be existing and in the last case we * are supposed to create the ldap object. so the below should not be * executed for the last case. */ if (standalone_principal_dn == NULL) { /* * If the ldap object is missing, this results in an error. */ /* * Search for krbprincipalname attribute here. * This is to find if a kerberos identity is already present * on the ldap object, in which case adding a kerberos identity * on the ldap object should result in an error. */ char *attributes[]= {"krbticketpolicyreference", "krbprincipalname", NULL}; LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); if (st == LDAP_SUCCESS) { ent = ldap_first_entry(ld, result); if (ent != NULL) { if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { ldap_value_free(values); } if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { krb_identity_exists = TRUE; ldap_value_free(values); } } ldap_msgfree(result); } else { st = set_ldap_error(context, st, OP_SEARCH); goto cleanup; } } } /* * If xargs.dn is set then the request is to add a * kerberos principal on a ldap object, but if * there is one already on the ldap object this * should result in an error. */ if (xargs.dn != NULL && krb_identity_exists == TRUE) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("ldap object is already kerberized")); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (xargs.linkdn != NULL) { /* * link information can be changed using modprinc. * However, link information can be changed only on the * standalone kerberos principal objects. A standalone * kerberos principal object is of type krbprincipal * structural objectclass. * * NOTE: kerberos principals on an ldap object can't be * linked to other ldap objects. */ if (optype == MODIFY_PRINCIPAL && kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("link information can not be set/updated as the " "kerberos principal belongs to an ldap object")); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } /* * Check the link information. If there is already a link * existing then this operation is not allowed. */ { char **linkdns=NULL; int j=0; if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) { snprintf(errbuf, sizeof(errbuf), _("Failed getting object references")); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (linkdns != NULL) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("kerberos principal is already linked to a ldap " "object")); krb5_set_error_message(context, st, "%s", errbuf); for (j=0; linkdns[j] != NULL; ++j) free (linkdns[j]); free (linkdns); goto cleanup; } } establish_links = TRUE; } if (entry->mask & KADM5_LAST_SUCCESS) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->last_success)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } if (entry->mask & KADM5_LAST_FAILED) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->last_failed)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free(strval[0]); } if (entry->mask & KADM5_FAIL_AUTH_COUNT) { krb5_kvno fail_auth_count; fail_auth_count = entry->fail_auth_count; if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) fail_auth_count++; st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_REPLACE, fail_auth_count); if (st != 0) goto cleanup; } else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { int attr_mask = 0; krb5_boolean has_fail_count; /* Check if the krbLoginFailedCount attribute exists. (Through * krb5 1.8.1, it wasn't set in new entries.) */ st = krb5_get_attributes_mask(context, entry, &attr_mask); if (st != 0) goto cleanup; has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0); /* * If the client library and server supports RFC 4525, * then use it to increment by one the value of the * krbLoginFailedCount attribute. Otherwise, assert the * (provided) old value by deleting it before adding. */ #ifdef LDAP_MOD_INCREMENT if (ldap_server_handle->server_info->modify_increment && has_fail_count) { st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_INCREMENT, 1); if (st != 0) goto cleanup; } else { #endif /* LDAP_MOD_INCREMENT */ if (has_fail_count) { st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_DELETE, entry->fail_auth_count); if (st != 0) goto cleanup; } st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_ADD, entry->fail_auth_count + 1); if (st != 0) goto cleanup; #ifdef LDAP_MOD_INCREMENT } #endif } else if (optype == ADD_PRINCIPAL) { /* Initialize krbLoginFailedCount in new entries to help avoid a * race during the first failed login. */ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_ADD, 0); } if (entry->mask & KADM5_MAX_LIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0) goto cleanup; } if (entry->mask & KADM5_MAX_RLIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, entry->max_renewable_life)) != 0) goto cleanup; } if (entry->mask & KADM5_ATTRIBUTES) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, entry->attributes)) != 0) goto cleanup; } if (entry->mask & KADM5_PRINCIPAL) { memset(strval, 0, sizeof(strval)); strval[0] = user; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } if (entry->mask & KADM5_PRINC_EXPIRE_TIME) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->expiration)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } if (entry->mask & KADM5_PW_EXPIRATION) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } if (entry->mask & KADM5_POLICY) { memset(&princ_ent, 0, sizeof(princ_ent)); for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) { if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { /* FIX ME: I guess the princ_ent should be freed after this call */ if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { goto cleanup; } } } if (princ_ent.aux_attributes & KADM5_POLICY) { memset(strval, 0, sizeof(strval)); if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) goto cleanup; strval[0] = polname; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } else { st = EINVAL; krb5_set_error_message(context, st, "Password policy value null"); goto cleanup; } } else if (entry->mask & KADM5_LOAD && found_entry == TRUE) { /* * a load is special in that existing entries must have attrs that * removed. */ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) goto cleanup; } if (entry->mask & KADM5_POLICY_CLR) { if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) { krb5_kvno mkvno; if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0) goto cleanup; bersecretkey = krb5_encode_krbsecretkey (entry->key_data, entry->n_key_data, mkvno); if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) goto cleanup; if (!(entry->mask & KADM5_PRINCIPAL)) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } /* Update last password change whenever a new key is set */ { krb5_timestamp last_pw_changed; if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) goto cleanup; memset(strval, 0, sizeof(strval)); if ((strval[0] = getstringtime(last_pw_changed)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } } /* Modify Key data ends here */ /* Set tl_data */ if (entry->tl_data != NULL) { int count = 0; struct berval **ber_tl_data = NULL; krb5_tl_data *ptr; krb5_timestamp unlock_time; for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif || ptr->tl_data_type == KRB5_TL_KADM_DATA || ptr->tl_data_type == KDB_TL_USER_INFO || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL || ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK) continue; count++; } if (count != 0) { int j; ber_tl_data = (struct berval **) calloc (count + 1, sizeof (struct berval*)); if (ber_tl_data == NULL) { st = ENOMEM; goto cleanup; } for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { /* Ignore tl_data that are stored in separate directory * attributes */ if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif || ptr->tl_data_type == KRB5_TL_KADM_DATA || ptr->tl_data_type == KDB_TL_USER_INFO || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL || ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK) continue; if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) break; j++; } if (st == 0) { ber_tl_data[count] = NULL; st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, ber_tl_data); } for (j = 0; ber_tl_data[j] != NULL; j++) { free(ber_tl_data[j]->bv_val); free(ber_tl_data[j]); } free(ber_tl_data); if (st != 0) goto cleanup; } if ((st=krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time)) != 0) goto cleanup; if (unlock_time != 0) { /* Update last admin unlock */ memset(strval, 0, sizeof(strval)); if ((strval[0] = getstringtime(unlock_time)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastAdminUnlock", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } } /* Directory specific attribute */ if (xargs.tktpolicydn != NULL) { int tmask=0; if (strlen(xargs.tktpolicydn) != 0) { st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); CHECK_CLASS_VALIDITY(st, tmask, _("ticket policy object value: ")); strval[0] = xargs.tktpolicydn; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } else { /* if xargs.tktpolicydn is a empty string, then delete * already existing krbticketpolicyreference attr */ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } } if (establish_links == TRUE) { memset(strval, 0, sizeof(strval)); strval[0] = xargs.linkdn; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } /* * in case mods is NULL then return * not sure but can happen in a modprinc * so no need to return an error * addprinc will at least have the principal name * and the keys passed in */ if (mods == NULL) goto cleanup; if (create_standalone_prinicipal == TRUE) { memset(strval, 0, sizeof(strval)); strval[0] = "krbprincipal"; strval[1] = "krbprincipalaux"; strval[2] = "krbTicketPolicyAux"; if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) goto cleanup; st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) { /* a load operation must replace an existing entry */ st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); if (st != LDAP_SUCCESS) { snprintf(errbuf, sizeof(errbuf), _("Principal delete failed (trying to replace " "entry): %s"), ldap_err2string(st)); st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } else { st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); } } if (st != LDAP_SUCCESS) { snprintf(errbuf, sizeof(errbuf), _("Principal add failed: %s"), ldap_err2string(st)); st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } } else { /* * Here existing ldap object is modified and can be related * to any attribute, so always ensure that the ldap * object is extended with all the kerberos related * objectclasses so that there are no constraint * violations. */ { char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; int p, q, r=0, amask=0; if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, "objectclass", attrvalues, &amask)) != 0) goto cleanup; memset(strval, 0, sizeof(strval)); for (p=1, q=0; p<=2; p<<=1, ++q) { if ((p & amask) == 0) strval[r++] = attrvalues[q]; } if (r != 0) { if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) goto cleanup; } } if (xargs.dn != NULL) st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); else st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL); if (st != LDAP_SUCCESS) { snprintf(errbuf, sizeof(errbuf), _("User modification failed: %s"), ldap_err2string(st)); st = translate_ldap_error (st, OP_MOD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) entry->fail_auth_count++; } cleanup: if (user) free(user); free_xargs(xargs); if (standalone_principal_dn) free(standalone_principal_dn); if (principal_dn) free (principal_dn); if (polname != NULL) free(polname); if (subtree) free (subtree); if (bersecretkey) { for (l=0; bersecretkey[l]; ++l) { if (bersecretkey[l]->bv_val) free (bersecretkey[l]->bv_val); free (bersecretkey[l]); } free (bersecretkey); } if (keys) free (keys); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return(st); }
static void * do_onerwthread( void *arg ) { int i, j, thisconn; LDAP **mlds, *ld; char thrstr[BUFSIZ]; char dn[256], uids[32], cns[32], *base; LDAPMod *attrp[5], attrs[4]; char *oc_vals[] = { "top", "OpenLDAPperson", NULL }; char *cn_vals[] = { NULL, NULL }; char *sn_vals[] = { NULL, NULL }; char *uid_vals[] = { NULL, NULL }; int ret; int adds = 0; int dels = 0; int rc, refcnt = 0; int idx = (ldap_pvt_thread_t *)arg - rtid; mlds = (LDAP **) calloc( sizeof(LDAP *), noconns); if (mlds == NULL) { thread_error( idx, "Memory error: thread calloc for noconns" ); exit( EXIT_FAILURE ); } snprintf(uids, sizeof(uids), "rwtest%04d", idx); snprintf(cns, sizeof(cns), "rwtest%04d", idx); /* add setup */ for (i = 0; i < 4; i++) { attrp[i] = &attrs[i]; attrs[i].mod_op = 0; } attrp[4] = NULL; attrs[0].mod_type = "objectClass"; attrs[0].mod_values = oc_vals; attrs[1].mod_type = "cn"; attrs[1].mod_values = cn_vals; cn_vals[0] = &cns[0]; attrs[2].mod_type = "sn"; attrs[2].mod_values = sn_vals; sn_vals[0] = &cns[0]; attrs[3].mod_type = "uid"; attrs[3].mod_values = uid_vals; uid_vals[0] = &uids[0]; for ( j = 0; j < outerloops; j++ ) { for(i = 0; i < noconns; i++) { mlds[i] = ldap_dup(lds[i]); if (mlds[i] == NULL) { thread_error( idx, "ldap_dup error" ); } } rc = ldap_get_option(mlds[0], LDAP_OPT_SESSION_REFCNT, &refcnt); snprintf(thrstr, BUFSIZ, "RW Thread conns: %d refcnt: %d (rc = %d)", noconns, refcnt, rc); thread_verbose(idx, thrstr); thisconn = (idx + j) % noconns; if (thisconn < 0 || thisconn >= noconns) thisconn = 0; if (mlds[thisconn] == NULL) { thread_error( idx, "(failed to dup)"); tester_perror( "ldap_dup", "(failed to dup)" ); exit( EXIT_FAILURE ); } snprintf(thrstr, BUFSIZ, "START RW Thread using conn %d", thisconn); thread_verbose(idx, thrstr); ld = mlds[thisconn]; if (entry != NULL) base = entry; else base = DEFAULT_BASE; snprintf(dn, 256, "cn=%s,%s", cns, base); adds = 0; dels = 0; for (i = 0; i < loops; i++) { ret = ldap_add_ext_s(ld, dn, &attrp[0], NULL, NULL); if (ret == LDAP_SUCCESS) { adds++; ret = ldap_delete_ext_s(ld, dn, NULL, NULL); if (ret == LDAP_SUCCESS) { dels++; rt_pass[idx]++; } else { thread_output(idx, ldap_err2string(ret)); rt_fail[idx]++; } } else { thread_output(idx, ldap_err2string(ret)); rt_fail[idx]++; } } snprintf(thrstr, BUFSIZ, "INNER STOP RW Thread using conn %d (%d/%d)", thisconn, adds, dels); thread_verbose(idx, thrstr); for(i = 0; i < noconns; i++) { (void) ldap_destroy(mlds[i]); mlds[i] = NULL; } } free( mlds ); return( NULL ); }
krb5_error_code krb5_ldap_delete_realm (krb5_context context, char *lrealm) { LDAP *ld = NULL; krb5_error_code st = 0, tempst=0; char **values=NULL, **subtrees=NULL, **policy=NULL; LDAPMessage **result_arr=NULL, *result = NULL, *ent = NULL; krb5_principal principal; unsigned int l=0, ntree=0; int i=0, j=0, mask=0; kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context = NULL; krb5_ldap_server_handle *ldap_server_handle = NULL; krb5_ldap_realm_params *rparam=NULL; SETUP_CONTEXT (); if (lrealm == NULL) { st = EINVAL; k5_setmsg(context, st, _("Realm information not available")); goto cleanup; } if ((st=krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask)) != 0) goto cleanup; /* get ldap handle */ GET_HANDLE (); /* delete all the principals belonging to the realm in the tree */ { char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256]; krb5_ldap_context lcontext; realm = ldap_filter_correct (lrealm); assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") + strlen (realm) + 2 /* "*@" */ + 1); snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm); free (realm); /* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */ memset(&lcontext, 0, sizeof(krb5_ldap_context)); lcontext.lrparams = rparam; if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0) goto cleanup; result_arr = (LDAPMessage **) calloc((unsigned int)ntree+1, sizeof(LDAPMessage *)); if (result_arr == NULL) { st = ENOMEM; goto cleanup; } for (l=0; l < ntree; ++l) { LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr); result_arr[l] = result; } } /* NOTE: Here all the principals should be cached and the ldap handle should be freed, * as a DAL-LDAP interface is called right down here. Caching might be constrained by * availability of the memory. The caching is not done, however there would be limit * on the minimum number of handles for a server and it is 2. As the DAL-LDAP is not * thread-safe this should suffice. */ for (j=0; (result=result_arr[j]) != NULL; ++j) { for (ent = ldap_first_entry (ld, result); ent != NULL; ent = ldap_next_entry (ld, ent)) { if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) { for (i = 0; values[i] != NULL; ++i) { krb5_parse_name(context, values[i], &principal); if (principal_in_realm_2(principal, lrealm) == 0) { st=krb5_ldap_delete_principal(context, principal); if (st && st != KRB5_KDB_NOENTRY) goto cleanup; } krb5_free_principal(context, principal); } ldap_value_free(values); } } } /* Delete all password policies */ krb5_ldap_iterate_password_policy (context, "*", delete_password_policy, context); /* Delete all ticket policies */ { if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) { prepend_err_str(context, _("Error reading ticket policy: "), st, st); goto cleanup; } for (i = 0; policy [i] != NULL; i++) krb5_ldap_delete_policy(context, policy[i]); } /* Delete the realm object */ if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) { int ost = st; st = translate_ldap_error (st, OP_DEL); k5_setmsg(context, st, _("Realm Delete FAILED: %s"), ldap_err2string(ost)); } cleanup: if (subtrees) { for (l=0; l < ntree; ++l) { if (subtrees[l]) free (subtrees[l]); } free (subtrees); } if (result_arr != NULL) { for (l = 0; l < ntree; l++) ldap_msgfree(result_arr[l]); free(result_arr); } if (policy != NULL) { for (i = 0; policy[i] != NULL; i++) free (policy[i]); free (policy); } krb5_ldap_free_realm_params(rparam); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return st; }
int LDAPDel::run() { return ldap_delete_ext_s(service->GetConnection(), dn.c_str(), NULL, NULL); }