DWORD
VmDirTestReplaceBinaryAttributeValues(
LDAP *pLd,
PCSTR pszDN,
PCSTR pszAttribute,
BYTE *pbAttributeValue,
DWORD dwDataLength
)
{
DWORD dwError = 0;
BerValue *ppBerValues[2] = {NULL, NULL};
BerValue bvSecurityDescriptor = {0};
LDAPMod addReplace;
LDAPMod *mods[2];
/* Initialize the attribute, specifying 'modify' as the operation */
bvSecurityDescriptor.bv_val = pbAttributeValue;
bvSecurityDescriptor.bv_len = dwDataLength;
ppBerValues[0] = &bvSecurityDescriptor;
addReplace.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
addReplace.mod_type = (PSTR)pszAttribute;
addReplace.mod_bvalues = ppBerValues;
/* Fill the attributes array (remember it must be NULL-terminated) */
mods[0] = &addReplace;
mods[1] = NULL;
dwError = ldap_modify_ext_s(pLd, pszDN, mods, NULL, NULL);
return dwError;
}
DWORD
VdcLdapReplaceAttributeValues(
LDAP *pLd,
PCSTR pszDN,
PCSTR pszAttribute,
PCSTR *ppszAttributeValues
)
{
DWORD dwError = 0;
LDAPMod addReplace;
LDAPMod *mods[2];
/* Initialize the attribute, specifying 'ADD' as the operation */
addReplace.mod_op = LDAP_MOD_REPLACE;
addReplace.mod_type = (PSTR) pszAttribute;
addReplace.mod_values = (PSTR*) ppszAttributeValues;
/* Fill the attributes array (remember it must be NULL-terminated) */
mods[0] = &addReplace;
mods[1] = NULL;
/* ....initialize connection, etc. */
dwError = ldap_modify_ext_s(pLd, pszDN, mods, NULL, NULL);
return dwError;
}
static
DWORD
VMCAUpdateAttribute(
PVMCA_LDAP_CONTEXT pContext,
PCSTR pszObjectDN,
PSTR pszAttribute,
PSTR pszValue,
BOOL bAdd
)
{
DWORD dwError = 0;
LDAPMod mod_cert = {0};
LDAPMod *mods[] = { &mod_cert, NULL};
struct berval bercert = { 0 };
struct berval *bervals[] = {&bercert, NULL};
bercert.bv_len = (ULONG) strlen(pszValue);
bercert.bv_val = pszValue;
mod_cert.mod_op = (bAdd ? LDAP_MOD_ADD : LDAP_MOD_REPLACE)
| LDAP_MOD_BVALUES;
mod_cert.mod_type = pszAttribute;
mod_cert.mod_vals.modv_bvals = bervals;
dwError = ldap_modify_ext_s(
pContext->pConnection,
pszObjectDN,
mods,
NULL,
NULL);
BAIL_ON_ERROR(dwError);
error:
return dwError;
}
int LDAPModify::run()
{
LDAPMod **mods = LDAPService::BuildMods(attributes);
int i = ldap_modify_ext_s(service->GetConnection(), base.c_str(), mods, NULL, NULL);
LDAPService::FreeMods(mods);
return i;
}
krb5_error_code ipadb_simple_modify(struct ipadb_context *ipactx,
char *dn, LDAPMod **mods)
{
int ret;
ret = ldap_modify_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
/* first test if we need to retry to connect */
if (ret != 0 &&
ipadb_need_retry(ipactx, ret)) {
ret = ldap_modify_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
}
return ipadb_simple_ldap_to_kerr(ret);
}
/***********************************************************************
* ldap_modify_sW (WLDAP32.@)
*
* Change an entry in a directory tree (synchronous operation).
*
* PARAMS
* ld [I] Pointer to an LDAP context.
* dn [I] DN of the entry to change.
* attrs [I] Pointer to an array of LDAPModW structures, each
* specifying an attribute and its values to change.
*
* RETURNS
* Success: LDAP_SUCCESS
* Failure: An LDAP error code.
*/
ULONG CDECL ldap_modify_sW( WLDAP32_LDAP *ld, PWCHAR dn, LDAPModW *mods[] )
{
ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED;
#ifdef HAVE_LDAP
char *dnU = NULL;
LDAPMod **modsU = NULL;
ret = WLDAP32_LDAP_NO_MEMORY;
TRACE( "(%p, %s, %p)\n", ld, debugstr_w(dn), mods );
if (!ld) return WLDAP32_LDAP_PARAM_ERROR;
if (dn) {
dnU = strWtoU( dn );
if (!dnU) goto exit;
}
if (mods) {
modsU = modarrayWtoU( mods );
if (!modsU) goto exit;
}
ret = map_error( ldap_modify_ext_s( ld, dn ? dnU : "", mods ? modsU : nullmods, NULL, NULL ));
exit:
strfreeU( dnU );
modarrayfreeU( modsU );
#endif
return ret;
}
/* ARGSUSED */
int _ns_ldap_modify_ext_s(char *service, int flags,
char *dn, LDAPMod **mods,
LDAPControl **serverctrls, LDAPControl **clientctrls)
{
LDAP *ld = __s_api_getLDAPconn(flags);
return (ldap_modify_ext_s(ld, dn, mods, serverctrls, clientctrls));
}
/***********************************************************************
* ldap_modify_ext_sW (WLDAP32.@)
*
* Change an entry in a directory tree (synchronous operation).
*
* PARAMS
* ld [I] Pointer to an LDAP context.
* dn [I] DN of the entry to change.
* mods [I] Pointer to an array of LDAPModW structures, each
* specifying an attribute and its values to change.
* serverctrls [I] Array of LDAP server controls.
* clientctrls [I] Array of LDAP client controls.
*
* RETURNS
* Success: LDAP_SUCCESS
* Failure: An LDAP error code.
*
* NOTES
* The serverctrls and clientctrls parameters are optional and
* should be set to NULL if not used.
*/
ULONG CDECL ldap_modify_ext_sW( WLDAP32_LDAP *ld, PWCHAR dn, LDAPModW *mods[],
PLDAPControlW *serverctrls, PLDAPControlW *clientctrls )
{
ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED;
#ifdef HAVE_LDAP
char *dnU = NULL;
LDAPMod **modsU = NULL;
LDAPControl **serverctrlsU = NULL, **clientctrlsU = NULL;
ret = WLDAP32_LDAP_NO_MEMORY;
TRACE( "(%p, %s, %p, %p, %p)\n", ld, debugstr_w(dn), mods,
serverctrls, clientctrls );
if (!ld) return WLDAP32_LDAP_PARAM_ERROR;
if (dn) {
dnU = strWtoU( dn );
if (!dnU) goto exit;
}
if (mods) {
modsU = modarrayWtoU( mods );
if (!modsU) goto exit;
}
if (serverctrls) {
serverctrlsU = controlarrayWtoU( serverctrls );
if (!serverctrlsU) goto exit;
}
if (clientctrls) {
clientctrlsU = controlarrayWtoU( clientctrls );
if (!clientctrlsU) goto exit;
}
ret = map_error( ldap_modify_ext_s( ld, dn ? dnU : "", mods ? modsU : nullmods,
serverctrlsU, clientctrlsU ));
exit:
strfreeU( dnU );
modarrayfreeU( modsU );
controlarrayfreeU( serverctrlsU );
controlarrayfreeU( clientctrlsU );
#endif
return ret;
}
static int st_modify_nonidx(SearchThread *st)
{
LDAPMod *attrs[2];
LDAPMod attr_description;
int e;
int rval;
char *dn = NULL;
char *description = NULL;
char *description_values[2];
/* Decide what entry to modify, for this we need a table */
if (NULL == sdattable || sdt_getlen(sdattable) == 0) {
fprintf(stderr, "-m option requires a DN file. Use -B file.\n");
return 0;
}
/* Get the target dn */
do {
e = sdt_getrand(sdattable);
} while (e < 0);
dn = sdt_dn_get(sdattable, e);
description = PR_smprintf("%s modified at %lu", dn, time(NULL));
description_values[0] = description;
description_values[1] = NULL;
attrs[0] = &attr_description;
attrs[1] = NULL;
attr_description.mod_op = LDAP_MOD_REPLACE;
attr_description.mod_type = "description";
attr_description.mod_values = description_values;
rval = ldap_modify_ext_s(st->ld, dn, attrs, NULL, NULL);
if (rval != LDAP_SUCCESS) {
fprintf(stderr, "T%d: Failed to modify error=0x%x\n", st->id, rval);
fprintf(stderr, "dn: %s\n", dn);
}
PR_smprintf_free(description);
return rval;
}
static int st_modify_idx(SearchThread *st)
{
LDAPMod *attrs[2];
LDAPMod attr_telephonenumber;
int e;
int rval;
char *dn = NULL;
char telno[32];
char *telephonenumber_values[2];
/* Decide what entry to modify, for this we need a table */
if (NULL == sdattable || sdt_getlen(sdattable) == 0) {
fprintf(stderr, "-m option requires a DN file. Use -B file.\n");
return 0;
}
/* Get the target dn */
do {
e = sdt_getrand(sdattable);
} while (e < 0);
dn = sdt_dn_get(sdattable, e);
/* Make new mod values */
st_make_random_tel_number(telno);
telephonenumber_values[0] = telno;
telephonenumber_values[1] = NULL;
attrs[0] = &attr_telephonenumber;
attrs[1] = NULL;
attr_telephonenumber.mod_op = LDAP_MOD_REPLACE;
attr_telephonenumber.mod_type = "telephonenumber";
attr_telephonenumber.mod_values = telephonenumber_values;
rval = ldap_modify_ext_s(st->ld, dn, attrs, NULL, NULL);
if (rval != LDAP_SUCCESS) {
fprintf(stderr, "T%d: Failed to modify error=0x%x\n", st->id, rval);
fprintf(stderr, "dn: %s\n", dn);
}
return rval;
}
/* Preform a LDAP add or modify operation depend on the `mod` parameter. */
PyObject *
add_or_modify(LDAPEntry *self, int mod) {
int rc = -1;
char *dnstr = NULL;
LDAPMod **mods = NULL;
PyObject *tmp;
/* Get DN string. */
tmp = PyObject_Str(self->dn);
dnstr = PyObject2char(tmp);
Py_DECREF(tmp);
if (dnstr == NULL || strlen(dnstr) == 0) {
PyErr_SetString(PyExc_AttributeError, "Missing distinguished name.");
return NULL;
}
mods = LDAPEntry_CreateLDAPMods(self);
if (mods == NULL) {
PyErr_SetString(PyExc_MemoryError, "Create LDAPMods is failed.");
return NULL;
}
if (mod == 0) {
rc = ldap_add_ext_s(self->client->ld, dnstr, mods, NULL, NULL);
} else {
rc = ldap_modify_ext_s(self->client->ld, dnstr, mods, NULL, NULL);
}
if (rc != LDAP_SUCCESS) {
//TODO Proper errors
PyObject *ldaperror = get_error("LDAPError");
PyErr_SetString(ldaperror, ldap_err2string(rc));
Py_DECREF(ldaperror);
LDAPEntry_DismissLDAPMods(self, mods);
free(dnstr);
return NULL;
}
free(dnstr);
LDAPEntry_DismissLDAPMods(self, mods);
return Py_None;
}
/**
* Deside which other attributes needs updating
*
* \param ld LDAP resource
* \param server AddressBook resource
* \param dn dn for the entry
* \param contact GHashTable with information for the current contact
*/
void ldapsvr_handle_other_attributes(LDAP *ld, LdapServer *server, char *dn, GHashTable *contact) {
GList *node;
gboolean CHECKED_ATTRIBUTE[ATTRIBUTE_SIZE + 1];
LDAPMod *mods[ATTRIBUTE_SIZE + 1];
LDAPMod modarr[ATTRIBUTE_SIZE];
gint cnt = 0;
char *attr[ATTRIBUTE_SIZE + 1][2];
int mod_op, rc, i;
cm_return_if_fail(server != NULL || dn != NULL || contact != NULL);
for (i = 0; i <= ATTRIBUTE_SIZE; i++) {
CHECKED_ATTRIBUTE[i] = FALSE;
attr[i][0] = attr[i][1] = NULL;
}
node = g_hash_table_lookup(contact , "attribute");
while (node) {
AttrKeyValue *item = node->data;
if (item) {
int index = get_attribute_index(item->key);
if (index >= 0) {
debug_print("Found other attribute: %s = %s\n",
item->key?item->key:"null", item->value?item->value:"null");
mod_op = ldapsvr_deside_operation(ld, server, dn, item->key, item->value);
/* Only consider attributes which we no how to handle.
* Set to TRUE in CHECKED_ATTRIBUTE array to indicate no further action
*/
if (mod_op < 0) {
CHECKED_ATTRIBUTE[index] = TRUE;
node = g_list_next(node);
continue;
}
if (mod_op == LDAP_MOD_DELETE) {
/* Setting param to NULL instructs OpenLDAP to remove any
* value stored for this attribute and remove the attribute
* completely. Should multiple instances of an attribute be
* allowed in the future param is required to have the value
* store for the attribute which is going to be deleted
*/
item->value = NULL;
}
if (mod_op == LDAP_MOD_REPLACE && strcmp(item->value, "") == 0) {
/* Having an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we treate this as a request for deleting
* the attribute.
*/
mod_op = LDAP_MOD_DELETE;
item->value = NULL;
}
if (mod_op == LDAP_MOD_ADD && strcmp(item->value, "") == 0) {
/* Adding an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we silently refuse to add this entry
*/
}
else {
SETMOD(mods[cnt], modarr[cnt], mod_op, g_strdup(item->key), attr[cnt], g_strdup(item->value));
cnt++;
CHECKED_ATTRIBUTE[index] = TRUE;
}
}
}
node = g_list_next(node);
}
char **attribs = ldapctl_full_attribute_array(server->control);
for (i = 0; i < ATTRIBUTE_SIZE; i++) {
/* Attributes which holds no information are to be removed */
if (CHECKED_ATTRIBUTE[i] == FALSE) {
/* Only consider those attributes which is currently part of the search criteria.
* If attributes are not part of the search criteria they would seem to hold
* no information since their values will not be populated in the GUI
*/
if (!strcmp(ATTRIBUTE[i], "jpegPhoto")) {
debug_print("not updating jpegPhoto\n");
continue;
}
if (ldapsvr_check_search_attributes(attribs, (char *) ATTRIBUTE[i])) {
mod_op = ldapsvr_deside_operation(ld, server, dn, (char *) ATTRIBUTE[i], "");
if (mod_op == LDAP_MOD_DELETE) {
SETMOD(mods[cnt], modarr[cnt], LDAP_MOD_DELETE, g_strdup((char *) ATTRIBUTE[i]), attr[cnt], NULL);
cnt++;
}
}
}
}
ldapctl_free_attribute_array(attribs);
mods[cnt] = NULL;
if (debug_get_mode())
ldapsvr_print_ldapmod(mods);
server->retVal = LDAPRC_SUCCESS;
rc = ldap_modify_ext_s(ld, dn, mods, NULL, NULL);
if (rc) {
switch (rc) {
case LDAP_ALREADY_EXISTS:
server->retVal = LDAPRC_ALREADY_EXIST;
break;
default:
g_printerr("ldap_modify for dn=%s\" failed[0x%x]: %s\n", dn, rc, ldaputil_get_error(ld));
if (rc == 0x8)
server->retVal = LDAPRC_STRONG_AUTH;
else
server->retVal = LDAPRC_NAMING_VIOLATION;
}
}
else {
char **attribs = ldapctl_full_attribute_array(server->control);
for (i = 0; i < ATTRIBUTE_SIZE; i++) {
if (!strcmp(ATTRIBUTE[i], "jpegPhoto")) {
debug_print("not updating jpegPhoto\n");
continue;
}
if (ldapsvr_check_search_attributes(attribs, (char *) ATTRIBUTE[i])) {
if (CHECKED_ATTRIBUTE[i] == FALSE) {
AddrItemObject *aio = addrcache_get_object(server->addressCache, g_hash_table_lookup(contact , "uid"));
ItemPerson *person = (ItemPerson *) aio;
addritem_person_remove_attribute(person, (const gchar *) ATTRIBUTE[i]);
}
}
}
ldapctl_free_attribute_array(attribs);
}
}
static krb5_error_code
LDAP_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
{
LDAPMod **mods = NULL;
krb5_error_code ret;
const char *errfn;
int rc;
LDAPMessage *msg = NULL, *e = NULL;
char *dn = NULL, *name = NULL;
ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
if (ret == 0)
e = ldap_first_entry(HDB2LDAP(db), msg);
ret = krb5_unparse_name(context, entry->entry.principal, &name);
if (ret) {
free(name);
return ret;
}
ret = hdb_seal_keys(context, db, &entry->entry);
if (ret)
goto out;
/* turn new entry into LDAPMod array */
ret = LDAP_entry2mods(context, db, entry, e, &mods);
if (ret)
goto out;
if (e == NULL) {
ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
if (ret < 0) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "asprintf: out of memory");
goto out;
}
} else if (flags & HDB_F_REPLACE) {
/* Entry exists, and we're allowed to replace it. */
dn = ldap_get_dn(HDB2LDAP(db), e);
} else {
/* Entry exists, but we're not allowed to replace it. Bail. */
ret = HDB_ERR_EXISTS;
goto out;
}
/* write entry into directory */
if (e == NULL) {
/* didn't exist before */
rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
errfn = "ldap_add_ext_s";
} else {
/* already existed, send deltas only */
rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
errfn = "ldap_modify_ext_s";
}
if (check_ldap(context, db, rc)) {
char *ld_error = NULL;
ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
&ld_error);
ret = HDB_ERR_CANT_LOCK_DB;
krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",
errfn, name, dn, ldap_err2string(rc), ld_error);
} else
ret = 0;
out:
/* free stuff */
if (dn)
free(dn);
if (msg)
ldap_msgfree(msg);
if (mods)
ldap_mods_free(mods, 1);
if (name)
free(name);
return ret;
}
static void *modify_thread(char *id) {
LDAPMessage *res;
LDAPMessage *e;
int i, modentry, num_entries, msgid, parse_rc, finished;
int rc, opcount;
LDAPMod mod;
LDAPMod *mods[2];
char *vals[2];
char *dn;
ldapmsgwrapper *list, *lmwp, *lastlmwp;
struct timeval zerotime;
void *voidrc = (void *)0;
zerotime.tv_sec = zerotime.tv_usec = 0L;
printf("Starting modify_thread %s.\n", id);
opcount = 0;
tsd_setup();
rc = ldap_search_ext(ld, BASE, SCOPE, "(objectclass=*)", NULL, 0, NULL, NULL,
NULL, LDAP_NO_LIMIT, &msgid);
if (rc != LDAP_SUCCESS) {
fprintf(stderr,
"Thread %s error: Modify thread: "
"ldap_search_ext: %s\n",
id, ldap_err2string(rc));
exit(1);
}
list = lastlmwp = NULL;
finished = 0;
num_entries = 0;
while (!finished) {
rc = ldap_result(ld, msgid, LDAP_MSG_ONE, &zerotime, &res);
switch (rc) {
case -1:
rc = ldap_get_lderrno(ld, NULL, NULL);
fprintf(stderr, "ldap_result: %s\n", ldap_err2string(rc));
exit(1);
break;
case 0:
break;
/* Keep track of the number of entries found. */
case LDAP_RES_SEARCH_ENTRY:
num_entries++;
if ((lmwp = (ldapmsgwrapper *)malloc(sizeof(ldapmsgwrapper))) == NULL) {
fprintf(stderr, "Thread %s: Modify thread: Cannot malloc\n", id);
exit(1);
}
lmwp->lmw_messagep = res;
lmwp->lmw_next = NULL;
if (lastlmwp == NULL) {
list = lastlmwp = lmwp;
} else {
lastlmwp->lmw_next = lmwp;
}
lastlmwp = lmwp;
break;
case LDAP_RES_SEARCH_REFERENCE:
break;
case LDAP_RES_SEARCH_RESULT:
finished = 1;
parse_rc = ldap_parse_result(ld, res, &rc, NULL, NULL, NULL, NULL, 1);
if (parse_rc != LDAP_SUCCESS) {
fprintf(stderr, "Thread %s error: can't parse result code.\n", id);
exit(1);
} else {
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Thread %s error: ldap_search: %s\n", id,
ldap_err2string(rc));
} else {
printf("Thread %s: Got %d results.\n", id, num_entries);
}
}
break;
default:
break;
}
}
mods[0] = &mod;
mods[1] = NULL;
vals[0] = "bar";
vals[1] = NULL;
for (;;) {
modentry = random() % num_entries;
for (i = 0, lmwp = list; lmwp != NULL && i < modentry;
i++, lmwp = lmwp->lmw_next) {
/* NULL */
}
if (lmwp == NULL) {
fprintf(stderr,
"Thread %s: Modify thread could not find entry %d of %d\n", id,
modentry, num_entries);
continue;
}
e = lmwp->lmw_messagep;
printf("Thread %s: Modify thread picked entry %d of %d\n", id, i,
num_entries);
dn = ldap_get_dn(ld, e);
mod.mod_op = LDAP_MOD_REPLACE;
mod.mod_type = "description";
mod.mod_values = vals;
printf("Thread %s: Modifying (%s)\n", id, dn);
rc = ldap_modify_ext_s(ld, dn, mods, NULL, NULL);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "ldap_modify_ext_s: %s\n", ldap_err2string(rc));
if (rc == LDAP_SERVER_DOWN) {
perror("ldap_modify_ext_s");
voidrc = (void *)1;
goto modify_cleanup_and_return;
}
}
free(dn);
++opcount;
if (maxops != 0 && opcount >= maxops) {
break;
}
}
modify_cleanup_and_return:
printf("Thread %s: attempted %d modify operations\n", id, opcount);
set_ld_error(0, NULL, NULL, NULL); /* disposes of memory */
tsd_cleanup();
free(id);
return voidrc;
}
/* Replace attribute on all matched entries */
DWORD
VdcLdapReplaceAttrOnEntries(
LDAP *pLd,
PCSTR pszBase,
int ldapScope,
PCSTR pszFilter,
PCSTR pAttrName,
PCSTR pAttrVal
)
{
DWORD dwError = 0;
LDAPMessage *pResult = NULL;
PSTR pszDn = NULL;
PCSTR ppszAttrs[] = {ATTR_DN, NULL};
LDAPMod mod = {0};
LDAPMod* mods[2] = {&mod, NULL};
PSTR vals[2] = {0};
int totalCnt = 0;
int failedCnt = 0;
int alreadyUpdatedCnt = 0;
PSTR oldAttrVal = NULL;
mod.mod_op = LDAP_MOD_REPLACE;
mod.mod_type = (PSTR)pAttrName;
vals[0] = (PSTR)pAttrVal;
vals[1] = NULL;
mod.mod_vals.modv_strvals = vals;
dwError = ldap_search_ext_s(
pLd,
pszBase,
ldapScope,
pszFilter ? pszFilter : "",
(PSTR*)ppszAttrs,
0,
NULL,
NULL,
NULL,
-1,
&pResult);
BAIL_ON_VMDIR_ERROR(dwError);
if (ldap_count_entries(pLd, pResult) > 0)
{
LDAPMessage* pEntry = ldap_first_entry(pLd, pResult);
for (; pEntry != NULL; pEntry = ldap_next_entry(pLd, pEntry))
{
if (pszDn)
{
ldap_memfree(pszDn);
pszDn = NULL;
}
pszDn = ldap_get_dn(pLd, pEntry);
VMDIR_SAFE_FREE_STRINGA(oldAttrVal);
dwError = VdcLdapGetAttributeValue( pLd,
pszDn,
pAttrName,
&oldAttrVal);
if (dwError == LDAP_SUCCESS && VmDirStringCompareA(oldAttrVal, pAttrVal, FALSE)==0)
{
totalCnt++;
alreadyUpdatedCnt++;
continue;
}
dwError = ldap_modify_ext_s( pLd, pszDn, mods, NULL, NULL);
if (dwError != LDAP_SUCCESS)
{
failedCnt++;
}
totalCnt++;
}
}
cleanup:
if (pResult)
{
ldap_msgfree(pResult);
pResult = NULL;
}
if (pszDn)
{
ldap_memfree(pszDn);
pszDn = NULL;
}
VMDIR_SAFE_FREE_STRINGA(oldAttrVal);
return dwError;
error:
goto cleanup;
}
int
LDAP_CALL
ldap_modify_s( LDAP *ld, const char *dn, LDAPMod **mods )
{
return( ldap_modify_ext_s( ld, dn, mods, NULL, NULL ));
}
krb5_error_code
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
{
int l=0, kerberos_principal_object_type=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
char **values=NULL, *strval[10]= {NULL}, errbuf[1024];
struct berval **bersecretkey=NULL;
LDAPMod **mods=NULL;
krb5_boolean create_standalone_prinicipal=FALSE;
krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
char *standalone_principal_dn=NULL;
krb5_tl_data *tl_data=NULL;
krb5_key_data **keys=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
osa_princ_ent_rec princ_ent;
xargs_t xargs = {0};
char *polname = NULL;
OPERATION optype;
krb5_boolean found_entry = FALSE;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL)
return EINVAL;
/* get ldap handle */
GET_HANDLE();
if (is_principal_in_realm(ldap_context, entry->princ) != 0) {
st = EINVAL;
krb5_set_error_message(context, st, _("Principal does not belong to "
"the default realm"));
goto cleanup;
}
/* get the principal information to act on */
if (entry->princ) {
if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) ||
((st=krb5_ldap_unparse_principal_name(user)) != 0))
goto cleanup;
}
/* Identity the type of operation, it can be
* add principal or modify principal.
* hack if the entry->mask has KRB_PRINCIPAL flag set
* then it is a add operation
*/
if (entry->mask & KADM5_PRINCIPAL)
optype = ADD_PRINCIPAL;
else
optype = MODIFY_PRINCIPAL;
if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) ||
((st=krb5_get_userdn(context, entry, &principal_dn)) != 0))
goto cleanup;
if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
goto cleanup;
if (entry->mask & KADM5_LOAD) {
int tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
char **subtreelist = NULL, *filter = NULL;
/* A load operation is special, will do a mix-in (add krbprinc
* attrs to a non-krb object entry) if an object exists with a
* matching krbprincipalname attribute so try to find existing
* object and set principal_dn. This assumes that the
* krbprincipalname attribute is unique (only one object entry has
* a particular krbprincipalname attribute).
*/
if (user == NULL) {
/* must have principal name for search */
st = EINVAL;
krb5_set_error_message(context, st,
_("operation can not continue, principal "
"name not found"));
goto cleanup;
}
princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
snprintf(filter, princlen, FILTER"%s))", user);
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
found_entry = FALSE;
/* search for entry with matching krbprincipalname attribute */
for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
result = NULL;
if (principal_dn == NULL) {
LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
} else {
/* just look for entry with principal_dn */
LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
}
if (st == LDAP_SUCCESS) {
numlentries = ldap_count_entries(ld, result);
if (numlentries > 1) {
ldap_msgfree(result);
free(filter);
st = EINVAL;
krb5_set_error_message(context, st,
_("operation can not continue, "
"more than one entry with "
"principal name \"%s\" found"),
user);
goto cleanup;
} else if (numlentries == 1) {
found_entry = TRUE;
if (principal_dn == NULL) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
/* setting principal_dn will cause that entry to be modified further down */
if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
st = set_ldap_error (context, st, 0);
ldap_msgfree(result);
free(filter);
goto cleanup;
}
}
}
}
if (result)
ldap_msgfree(result);
} else if (st != LDAP_NO_SUCH_OBJECT) {
/* could not perform search, return with failure */
st = set_ldap_error (context, st, 0);
free(filter);
goto cleanup;
}
/*
* If it isn't found then assume a standalone princ entry is to
* be created.
*/
} /* end for (tree = 0; principal_dn == ... */
free(filter);
if (found_entry == FALSE && principal_dn != NULL) {
/*
* if principal_dn is null then there is code further down to
* deal with setting standalone_principal_dn. Also note that
* this will set create_standalone_prinicipal true for
* non-mix-in entries which is okay if loading from a dump.
*/
create_standalone_prinicipal = TRUE;
standalone_principal_dn = strdup(principal_dn);
CHECK_NULL(standalone_principal_dn);
}
} /* end if (entry->mask & KADM5_LOAD */
/* time to generate the DN information with the help of
* containerdn, principalcontainerreference or
* realmcontainerdn information
*/
if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
/* get the subtree information */
if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") &&
strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) {
/* if the principal is a inter-realm principal, always created in the realm container */
subtree = strdup(ldap_context->lrparams->realmdn);
} else if (xargs.containerdn) {
if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
st = EINVAL;
snprintf(errbuf, sizeof(errbuf), _("'%s' not found: "),
xargs.containerdn);
prepend_err_str(context, errbuf, st, ost);
}
goto cleanup;
}
subtree = strdup(xargs.containerdn);
} else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
/*
* Here the subtree should be changed with
* principalcontainerreference attribute value
*/
subtree = strdup(ldap_context->lrparams->containerref);
} else {
subtree = strdup(ldap_context->lrparams->realmdn);
}
CHECK_NULL(subtree);
if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
user, subtree) < 0)
standalone_principal_dn = NULL;
CHECK_NULL(standalone_principal_dn);
/*
* free subtree when you are done using the subtree
* set the boolean create_standalone_prinicipal to TRUE
*/
create_standalone_prinicipal = TRUE;
free(subtree);
subtree = NULL;
}
/*
* If the DN information is presented by the user, time to
* validate the input to ensure that the DN falls under
* any of the subtrees
*/
if (xargs.dn_from_kbd == TRUE) {
/* make sure the DN falls in the subtree */
int tre=0, dnlen=0, subtreelen=0, ntrees=0;
char **subtreelist=NULL;
char *dn=NULL;
krb5_boolean outofsubtree=TRUE;
if (xargs.dn != NULL) {
dn = xargs.dn;
} else if (xargs.linkdn != NULL) {
dn = xargs.linkdn;
} else if (standalone_principal_dn != NULL) {
/*
* Even though the standalone_principal_dn is constructed
* within this function, there is the containerdn input
* from the user that can become part of the it.
*/
dn = standalone_principal_dn;
}
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
for (tre=0; tre<ntrees; ++tre) {
if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
outofsubtree = FALSE;
break;
} else {
dnlen = strlen (dn);
subtreelen = strlen(subtreelist[tre]);
if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
outofsubtree = FALSE;
break;
}
}
}
for (tre=0; tre < ntrees; ++tre) {
free(subtreelist[tre]);
}
if (outofsubtree == TRUE) {
st = EINVAL;
krb5_set_error_message(context, st,
_("DN is out of the realm subtree"));
goto cleanup;
}
/*
* dn value will be set either by dn, linkdn or the standalone_principal_dn
* In the first 2 cases, the dn should be existing and in the last case we
* are supposed to create the ldap object. so the below should not be
* executed for the last case.
*/
if (standalone_principal_dn == NULL) {
/*
* If the ldap object is missing, this results in an error.
*/
/*
* Search for krbprincipalname attribute here.
* This is to find if a kerberos identity is already present
* on the ldap object, in which case adding a kerberos identity
* on the ldap object should result in an error.
*/
char *attributes[]= {"krbticketpolicyreference", "krbprincipalname", NULL};
LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
if (st == LDAP_SUCCESS) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
ldap_value_free(values);
}
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
krb_identity_exists = TRUE;
ldap_value_free(values);
}
}
ldap_msgfree(result);
} else {
st = set_ldap_error(context, st, OP_SEARCH);
goto cleanup;
}
}
}
/*
* If xargs.dn is set then the request is to add a
* kerberos principal on a ldap object, but if
* there is one already on the ldap object this
* should result in an error.
*/
if (xargs.dn != NULL && krb_identity_exists == TRUE) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("ldap object is already kerberized"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (xargs.linkdn != NULL) {
/*
* link information can be changed using modprinc.
* However, link information can be changed only on the
* standalone kerberos principal objects. A standalone
* kerberos principal object is of type krbprincipal
* structural objectclass.
*
* NOTE: kerberos principals on an ldap object can't be
* linked to other ldap objects.
*/
if (optype == MODIFY_PRINCIPAL &&
kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("link information can not be set/updated as the "
"kerberos principal belongs to an ldap object"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
/*
* Check the link information. If there is already a link
* existing then this operation is not allowed.
*/
{
char **linkdns=NULL;
int j=0;
if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) {
snprintf(errbuf, sizeof(errbuf),
_("Failed getting object references"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (linkdns != NULL) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("kerberos principal is already linked to a ldap "
"object"));
krb5_set_error_message(context, st, "%s", errbuf);
for (j=0; linkdns[j] != NULL; ++j)
free (linkdns[j]);
free (linkdns);
goto cleanup;
}
}
establish_links = TRUE;
}
if (entry->mask & KADM5_LAST_SUCCESS) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_success)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_LAST_FAILED) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_failed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free(strval[0]);
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT) {
krb5_kvno fail_auth_count;
fail_auth_count = entry->fail_auth_count;
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
fail_auth_count++;
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_REPLACE,
fail_auth_count);
if (st != 0)
goto cleanup;
} else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
int attr_mask = 0;
krb5_boolean has_fail_count;
/* Check if the krbLoginFailedCount attribute exists. (Through
* krb5 1.8.1, it wasn't set in new entries.) */
st = krb5_get_attributes_mask(context, entry, &attr_mask);
if (st != 0)
goto cleanup;
has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
/*
* If the client library and server supports RFC 4525,
* then use it to increment by one the value of the
* krbLoginFailedCount attribute. Otherwise, assert the
* (provided) old value by deleting it before adding.
*/
#ifdef LDAP_MOD_INCREMENT
if (ldap_server_handle->server_info->modify_increment &&
has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_INCREMENT, 1);
if (st != 0)
goto cleanup;
} else {
#endif /* LDAP_MOD_INCREMENT */
if (has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods,
"krbLoginFailedCount",
LDAP_MOD_DELETE,
entry->fail_auth_count);
if (st != 0)
goto cleanup;
}
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD,
entry->fail_auth_count + 1);
if (st != 0)
goto cleanup;
#ifdef LDAP_MOD_INCREMENT
}
#endif
} else if (optype == ADD_PRINCIPAL) {
/* Initialize krbLoginFailedCount in new entries to help avoid a
* race during the first failed login. */
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD, 0);
}
if (entry->mask & KADM5_MAX_LIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_MAX_RLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
entry->max_renewable_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_ATTRIBUTES) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
entry->attributes)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINCIPAL) {
memset(strval, 0, sizeof(strval));
strval[0] = user;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINC_EXPIRE_TIME) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_PW_EXPIRATION) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
LDAP_MOD_REPLACE,
strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_POLICY) {
memset(&princ_ent, 0, sizeof(princ_ent));
for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
/* FIX ME: I guess the princ_ent should be freed after this call */
if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
goto cleanup;
}
}
}
if (princ_ent.aux_attributes & KADM5_POLICY) {
memset(strval, 0, sizeof(strval));
if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
goto cleanup;
strval[0] = polname;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
st = EINVAL;
krb5_set_error_message(context, st, "Password policy value null");
goto cleanup;
}
} else if (entry->mask & KADM5_LOAD && found_entry == TRUE) {
/*
* a load is special in that existing entries must have attrs that
* removed.
*/
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_POLICY_CLR) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) {
krb5_kvno mkvno;
if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0)
goto cleanup;
bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
entry->n_key_data, mkvno);
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
goto cleanup;
if (!(entry->mask & KADM5_PRINCIPAL)) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods,
"krbpasswordexpiration",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
/* Update last password change whenever a new key is set */
{
krb5_timestamp last_pw_changed;
if ((st=krb5_dbe_lookup_last_pwd_change(context, entry,
&last_pw_changed)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
} /* Modify Key data ends here */
/* Set tl_data */
if (entry->tl_data != NULL) {
int count = 0;
struct berval **ber_tl_data = NULL;
krb5_tl_data *ptr;
krb5_timestamp unlock_time;
for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
count++;
}
if (count != 0) {
int j;
ber_tl_data = (struct berval **) calloc (count + 1,
sizeof (struct berval*));
if (ber_tl_data == NULL) {
st = ENOMEM;
goto cleanup;
}
for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
/* Ignore tl_data that are stored in separate directory
* attributes */
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
}
if (st == 0) {
ber_tl_data[count] = NULL;
st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
LDAP_MOD_REPLACE |
LDAP_MOD_BVALUES, ber_tl_data);
}
for (j = 0; ber_tl_data[j] != NULL; j++) {
free(ber_tl_data[j]->bv_val);
free(ber_tl_data[j]);
}
free(ber_tl_data);
if (st != 0)
goto cleanup;
}
if ((st=krb5_dbe_lookup_last_admin_unlock(context, entry,
&unlock_time)) != 0)
goto cleanup;
if (unlock_time != 0) {
/* Update last admin unlock */
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(unlock_time)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastAdminUnlock",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
}
/* Directory specific attribute */
if (xargs.tktpolicydn != NULL) {
int tmask=0;
if (strlen(xargs.tktpolicydn) != 0) {
st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
CHECK_CLASS_VALIDITY(st, tmask, _("ticket policy object value: "));
strval[0] = xargs.tktpolicydn;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
/* if xargs.tktpolicydn is a empty string, then delete
* already existing krbticketpolicyreference attr */
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
}
if (establish_links == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = xargs.linkdn;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
/*
* in case mods is NULL then return
* not sure but can happen in a modprinc
* so no need to return an error
* addprinc will at least have the principal name
* and the keys passed in
*/
if (mods == NULL)
goto cleanup;
if (create_standalone_prinicipal == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = "krbprincipal";
strval[1] = "krbprincipalaux";
strval[2] = "krbTicketPolicyAux";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) {
/* a load operation must replace an existing entry */
st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf),
_("Principal delete failed (trying to replace "
"entry): %s"), ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
} else {
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
}
}
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("Principal add failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
} else {
/*
* Here existing ldap object is modified and can be related
* to any attribute, so always ensure that the ldap
* object is extended with all the kerberos related
* objectclasses so that there are no constraint
* violations.
*/
{
char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
int p, q, r=0, amask=0;
if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
"objectclass", attrvalues, &amask)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
for (p=1, q=0; p<=2; p<<=1, ++q) {
if ((p & amask) == 0)
strval[r++] = attrvalues[q];
}
if (r != 0) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
}
}
if (xargs.dn != NULL)
st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
else
st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("User modification failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_MOD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
entry->fail_auth_count++;
}
cleanup:
if (user)
free(user);
free_xargs(xargs);
if (standalone_principal_dn)
free(standalone_principal_dn);
if (principal_dn)
free (principal_dn);
if (polname != NULL)
free(polname);
if (subtree)
free (subtree);
if (bersecretkey) {
for (l=0; bersecretkey[l]; ++l) {
if (bersecretkey[l]->bv_val)
free (bersecretkey[l]->bv_val);
free (bersecretkey[l]);
}
free (bersecretkey);
}
if (keys)
free (keys);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
}
int
ldap_modify_s( LDAP *ld, LDAP_CONST char *dn, LDAPMod **mods )
{
return ldap_modify_ext_s( ld, dn, mods, NULL, NULL );
}
DWORD
VmDirChangePassword(
PCSTR pszHostName,
PCSTR pszUserUPN,
PCSTR pszOldPassword,
PCSTR pszNewPassword)
{
DWORD dwError = 0;
LDAP* pLd = NULL;
LDAPMod mod[2] = {{0}};
LDAPMod* mods[3] = {&mod[0], &mod[1], NULL};
PSTR vals_new[2] = {(PSTR)pszNewPassword, NULL};
PSTR vals_old[2] = {(PSTR)pszOldPassword, NULL};
PSTR pszUserDN = NULL;
if (IsNullOrEmptyString(pszHostName) ||
IsNullOrEmptyString(pszUserUPN) ||
IsNullOrEmptyString(pszOldPassword) ||
IsNullOrEmptyString(pszNewPassword))
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = VmDirSafeLDAPBindExt1(
&pLd,
pszHostName,
pszUserUPN,
pszOldPassword,
MAX_LDAP_CONNECT_NETWORK_TIMEOUT);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = _VmDirFindUserDN(
pLd,
pszUserUPN,
&pszUserDN);
BAIL_ON_VMDIR_ERROR(dwError);
mod[0].mod_op = LDAP_MOD_ADD;
mod[0].mod_type = ATTR_USER_PASSWORD;
mod[0].mod_vals.modv_strvals = vals_new;
mod[1].mod_op = LDAP_MOD_DELETE;
mod[1].mod_type = ATTR_USER_PASSWORD;
mod[1].mod_vals.modv_strvals = vals_old;
dwError = ldap_modify_ext_s(
pLd,
pszUserDN,
mods,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VMDIR_SAFE_FREE_MEMORY(pszUserDN);
if (pLd)
{
ldap_unbind_ext_s(pLd, NULL, NULL);
}
return dwError;
error:
VmDirLog(LDAP_DEBUG_TRACE, "VmDirChangePassword failed with error (%u)\n", dwError);
goto cleanup;
}
/**
* Update contact to LDAP
*
* \param server AddressBook resource
* \param contact GHashTable with object to update
*/
void ldapsvr_update_contact(LdapServer *server, GHashTable *contact) {
LDAP *ld = NULL;
LDAPMod *mods[MODSIZE];
LDAPMod modarr[4];
gint cnt = 0;
gchar *param, *dn;
Rdn *NoRemove = NULL;
char *cn[] = {NULL, NULL};
char *givenName[] = {NULL, NULL};
char **mail = NULL;
char *sn[] = {NULL, NULL};
GList *mailList;
int mod_op;
cm_return_if_fail(server != NULL || contact != NULL);
ld = ldapsvr_connect(server->control);
if (ld == NULL) {
clean_up(ld, server, contact);
return;
}
dn = g_hash_table_lookup(contact, "dn");
if (dn == NULL) {
clean_up(ld, server, contact);
return;
}
NoRemove = ldapsvr_modify_dn(contact, dn);
if (NoRemove) {
/* We are trying to change RDN */
gchar *newRdn = g_strdup_printf("%s=%s", NoRemove->attribute, NoRemove->value);
#ifdef OPEN_LDAP_API_AT_LEAST_3000
int rc = ldap_rename_s(ld, dn, newRdn, NULL, 1, NULL, NULL);
#else
/* This is deprecated as of OpenLDAP-2.3.0 */
int rc = ldap_modrdn2_s(ld, dn, newRdn, 1);
#endif
if(rc != LDAP_SUCCESS) {
if (rc == LDAP_ALREADY_EXISTS) {
/* We are messing with a contact with more than one listed email
* address and the email we are changing is not the one used for dn
*/
/* It needs to be able to handle renaming errors to an already defined
* dn. For now we just refuse the update. It will be caught later on as
* a LDAPRC_NAMING_VIOLATION error.
*/
}
else {
g_printerr("Current dn: %s\n", dn);
g_printerr("new dn: %s\n", newRdn);
g_printerr("LDAP Error(ldap_modrdn2_s) failed[0x%x]: %s\n", rc, ldaputil_get_error(ld));
g_free(newRdn);
clean_up(ld, server, contact);
return;
}
}
else {
ItemPerson *person = g_hash_table_lookup(contact, "person");
g_free(newRdn);
dn = g_strdup(NoRemove->new_dn);
g_hash_table_replace(contact, "dn", dn);
if (person) {
g_free(person->externalID);
person->externalID = dn;
}
}
}
else {
server->retVal = LDAPRC_NODN;
clean_up(ld, server, contact);
return;
}
param = g_hash_table_lookup(contact , "cn");
mod_op = ldapsvr_deside_operation(ld, server, dn, "displayName", param);
if (mod_op >= 0 && (strcmp(param, NoRemove->value) != 0 && strcmp("cn", NoRemove->attribute) != 0)) {
if (mod_op == LDAP_MOD_DELETE) {
/* Setting param to NULL instructs OpenLDAP to remove any
* value stored for this attribute and remove the attribute
* completely. Should multiple instances of an attribute be
* allowed in the future param is required to have the value
* store for the attribute which is going to be deleted
*/
param = NULL;
}
if (mod_op == LDAP_MOD_REPLACE && strcmp(param, "") == 0) {
/* Having an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we treate this as a request for deleting
* the attribute.
*/
mod_op = LDAP_MOD_DELETE;
param = NULL;
}
if (mod_op == LDAP_MOD_ADD && strcmp(param, "") == 0) {
/* Adding an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we silently refuse to add this entry
*/
}
else {
SETMOD(mods[cnt], modarr[cnt], mod_op, "displayName", cn, param);
cnt++;
g_hash_table_insert(contact, "displayName", param);
}
}
param = g_hash_table_lookup(contact , "givenName");
mod_op = ldapsvr_deside_operation(ld, server, dn, "givenName", param);
if (mod_op >= 0 && (strcmp(param, NoRemove->value) != 0 && strcmp("givenName", NoRemove->attribute) != 0)) {
if (mod_op == LDAP_MOD_DELETE) {
/* Setting param to NULL instructs OpenLDAP to remove any
* value stored for this attribute and remove the attribute
* completely. Should multiple instances of an attribute be
* allowed in the future param is required to have the value
* store for the attribute which is going to be deleted
*/
param = NULL;
}
if (mod_op == LDAP_MOD_REPLACE && strcmp(param, "") == 0) {
/* Having an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we treate this as a request for deleting
* the attribute.
*/
mod_op = LDAP_MOD_DELETE;
param = NULL;
}
if (mod_op == LDAP_MOD_ADD && strcmp(param, "") == 0) {
/* Adding an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we silently refuse to add this entry
*/
}
else {
SETMOD(mods[cnt], modarr[cnt], mod_op, "givenName", givenName, param);
cnt++;
}
}
mailList = g_hash_table_lookup(contact , "mail");
if (mailList) {
debug_print("# of mail: %d\n", g_list_length(mailList));
if (!(strcmp("mail", NoRemove->attribute) == 0 && g_list_length(mailList) == 1)) {
char **tmp;
tmp = g_malloc(sizeof(*tmp) * (g_list_length(mailList)+1));
mail = tmp;
while (mailList) {
EmailKeyValue *item = mailList->data;
*tmp++ = g_strdup((gchar *) item->mail);
mailList = g_list_next(mailList);
}
*tmp = NULL;
/*
* At least one email address is required
* in which case it will always be a replace
*/
SETMODS(mods[cnt], modarr[cnt], LDAP_MOD_REPLACE, "mail", mail);
cnt++;
}
}
else {
/*
* an error condition since at least one email adress
* is required. Should never occur though.
*/
}
param = g_hash_table_lookup(contact , "sn");
mod_op = ldapsvr_deside_operation(ld, server, dn, "sn", param);
if (mod_op >= 0 && (strcmp(param, NoRemove->value) != 0 && strcmp("sn", NoRemove->attribute) != 0)) {
if (mod_op == LDAP_MOD_DELETE) {
/* Setting param to NULL instructs OpenLDAP to remove any
* value stored for this attribute and remove the attribute
* completely. Should multiple instances of an attribute be
* allowed in the future param is required to have the value
* store for the attribute which is going to be deleted
*/
param = NULL;
}
if (mod_op == LDAP_MOD_REPLACE && strcmp(param, "") == 0) {
/* Having an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we treate this as a request for deleting
* the attribute.
*/
mod_op = LDAP_MOD_DELETE;
param = NULL;
}
if (mod_op == LDAP_MOD_ADD && strcmp(param, "") == 0) {
/* Adding an empty string is considered a syntax error in
* ldap. E.g attributes with empty strings are not allowed
* in which case we silently refuse to add this entry
*/
}
else {
SETMOD(mods[cnt], modarr[cnt], mod_op, "sn", sn, param);
cnt++;
}
}
debug_print("newDN: %s\n", dn);
if (NoRemove)
rdn_free(NoRemove);
server->retVal = LDAPRC_SUCCESS;
if (cnt > 0) {
int rc;
mods[cnt] = NULL;
rc = ldap_modify_ext_s(ld, dn, mods, NULL, NULL);
if (rc) {
g_printerr("ldap_modify for dn=%s\" failed[0x%x]: %s\n",
dn, rc, ldaputil_get_error(ld));
server->retVal = LDAPRC_NAMING_VIOLATION;
}
if (mail)
g_free(mail);
}
ldapsvr_handle_other_attributes(ld, server, dn, contact);
/* If we do not make changes persistent at this point then changes
* will be lost if the user makes new search on the same server since
* changes are only present in Claws' internal cache. This issue has to
* be solved in addressbook.c since this involves access to structures
* which are only accessible in addressbook.c */
clean_up(ld, server, contact);
}
/*
* delete a principal from the directory.
*/
krb5_error_code
krb5_ldap_delete_principal(krb5_context context,
krb5_const_principal searchfor)
{
char *user=NULL, *DN=NULL, *strval[10] = {NULL};
LDAPMod **mods=NULL;
LDAP *ld=NULL;
int j=0, ptype=0, pcount=0, attrsetmask=0;
krb5_error_code st=0;
krb5_boolean singleentry=FALSE;
KEY *secretkey=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_db_entry *entry = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
/* get the principal info */
if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entry)))
goto cleanup;
if (((st=krb5_get_princ_type(context, entry, &(ptype))) != 0) ||
((st=krb5_get_attributes_mask(context, entry, &(attrsetmask))) != 0) ||
((st=krb5_get_princ_count(context, entry, &(pcount))) != 0) ||
((st=krb5_get_userdn(context, entry, &(DN))) != 0))
goto cleanup;
if (DN == NULL) {
st = EINVAL;
krb5_set_error_message(context, st, "DN information missing");
goto cleanup;
}
GET_HANDLE();
if (ptype == KDB_STANDALONE_PRINCIPAL_OBJECT) {
st = ldap_delete_ext_s(ld, DN, NULL, NULL);
if (st != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_DEL);
goto cleanup;
}
} else {
if (((st=krb5_unparse_name(context, searchfor, &user)) != 0)
|| ((st=krb5_ldap_unparse_principal_name(user)) != 0))
goto cleanup;
memset(strval, 0, sizeof(strval));
strval[0] = user;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
strval)) != 0)
goto cleanup;
singleentry = (pcount == 1) ? TRUE: FALSE;
if (singleentry == FALSE) {
if (secretkey != NULL) {
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
secretkey->keys)) != 0)
goto cleanup;
}
} else {
/*
* If the Kerberos user principal to be deleted happens to be the last one associated
* with the directory user object, then it is time to delete the other kerberos
* specific attributes like krbmaxticketlife, i.e, unkerberize the directory user.
* From the attrsetmask value, identify the attributes set on the directory user
* object and delete them.
* NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
* other principals' keys are exisiting/left-over. So delete all the values.
*/
while (attrsetmask) {
if (attrsetmask & 1) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE,
NULL)) != 0)
goto cleanup;
}
attrsetmask >>= 1;
++j;
}
/* the same should be done with the objectclass attributes */
{
char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL};
/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */
int p, q, r=0, amask=0;
if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
for (p=1, q=0; p<=4; p<<=1, ++q)
if (p & amask)
strval[r++] = attrvalues[q];
strval[r] = NULL;
if (r > 0) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE,
strval)) != 0)
goto cleanup;
}
}
}
st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
st = set_ldap_error(context, st, OP_MOD);
goto cleanup;
}
}
cleanup:
if (user)
free (user);
if (DN)
free (DN);
if (secretkey != NULL) {
int i=0;
while (i < secretkey->nkey) {
free (secretkey->keys[i]->bv_val);
free (secretkey->keys[i]);
++i;
}
free (secretkey->keys);
free (secretkey);
}
krb5_ldap_free_principal(context, entry);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
krb5_error_code
krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
int mask)
{
LDAP *ld=NULL;
krb5_error_code st=0;
char **strval=NULL, *strvalprc[5]={NULL};
LDAPMod **mods = NULL;
int objectmask=0,k=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
if (mask == 0)
return 0;
if (rparams == NULL) {
st = EINVAL;
return st;
}
SETUP_CONTEXT ();
/* Check validity of arguments */
if (ldap_context->container_dn == NULL ||
rparams->tl_data == NULL ||
rparams->tl_data->tl_data_contents == NULL ||
((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
0) {
st = EINVAL;
goto cleanup;
}
/* get ldap handle */
GET_HANDLE ();
/* SUBTREE ATTRIBUTE */
if (mask & LDAP_REALM_SUBTREE) {
if ( rparams->subtree!=NULL) {
/*replace the subtrees with the present if the subtrees are present*/
for(k=0;k<rparams->subtreecount && rparams->subtree[k]!=NULL;k++) {
if (strlen(rparams->subtree[k]) != 0) {
st = checkattributevalue(ld, rparams->subtree[k], "Objectclass", subtreeclass,
&objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, _("subtree value: "));
}
}
strval = rparams->subtree;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_REPLACE,
strval)) != 0) {
goto cleanup;
}
}
}
/* CONTAINERREF ATTRIBUTE */
if (mask & LDAP_REALM_CONTREF) {
if (strlen(rparams->containerref) != 0 ) {
st = checkattributevalue(ld, rparams->containerref, "Objectclass", subtreeclass,
&objectmask);
CHECK_CLASS_VALIDITY(st, objectmask,
_("container reference value: "));
strvalprc[0] = rparams->containerref;
strvalprc[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbPrincContainerRef", LDAP_MOD_REPLACE,
strvalprc)) != 0)
goto cleanup;
}
}
/* SEARCHSCOPE ATTRIBUTE */
if (mask & LDAP_REALM_SEARCHSCOPE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_REPLACE,
(rparams->search_scope == LDAP_SCOPE_ONELEVEL
|| rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
goto cleanup;
}
if (mask & LDAP_REALM_MAXRENEWLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_REPLACE,
rparams->max_renewable_life)) != 0)
goto cleanup;
}
/* krbMaxTicketLife ATTRIBUTE */
if (mask & LDAP_REALM_MAXTICKETLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_REPLACE,
rparams->max_life)) != 0)
goto cleanup;
}
/* krbTicketFlags ATTRIBUTE */
if (mask & LDAP_REALM_KRBTICKETFLAGS) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_REPLACE,
rparams->tktflags)) != 0)
goto cleanup;
}
/* Realm modify opearation */
if (mods != NULL) {
if ((st=ldap_modify_ext_s(ld, rparams->realmdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
cleanup:
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
static void
do_modify( char *uri, char *manager,
struct berval *passwd, char *entry, char* attr, char* value,
int maxloop, int maxretries, int delay, int friendly, int chaserefs )
{
LDAP *ld = NULL;
int i = 0, do_retry = maxretries;
int rc = LDAP_SUCCESS;
struct ldapmod mod;
struct ldapmod *mods[2];
char *values[2];
int version = LDAP_VERSION3;
values[0] = value;
values[1] = NULL;
mod.mod_op = LDAP_MOD_ADD;
mod.mod_type = attr;
mod.mod_values = values;
mods[0] = &mod;
mods[1] = NULL;
retry:
;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Modify(%d): entry=\"%s\".\n",
(long) pid, maxloop, entry );
}
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
if ( delay > 0 ) {
sleep( delay );
}
goto retry;
}
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
for ( ; i < maxloop; i++ ) {
mod.mod_op = LDAP_MOD_ADD;
rc = ldap_modify_ext_s( ld, entry, mods, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_modify_ext_s", NULL );
switch ( rc ) {
case LDAP_TYPE_OR_VALUE_EXISTS:
/* NOTE: this likely means
* the second modify failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
mod.mod_op = LDAP_MOD_DELETE;
rc = ldap_modify_ext_s( ld, entry, mods, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_modify_ext_s", NULL );
switch ( rc ) {
case LDAP_NO_SUCH_ATTRIBUTE:
/* NOTE: this likely means
* the first modify failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
}
done:
;
fprintf( stderr, " PID=%ld - Modify done (%d).\n", (long) pid, rc );
ldap_unbind_ext( ld, NULL, NULL );
}
static LibBalsaABErr
libbalsa_address_book_ldap_modify_address(LibBalsaAddressBook *ab,
LibBalsaAddress *address,
LibBalsaAddress *newval)
{
gchar *dn;
LDAPMod *mods[5];
LDAPMod modarr[4];
int rc, cnt;
char *cn[] = {NULL, NULL};
char *gn[] = {NULL, NULL};
char *org[] = {NULL, NULL};
char *sn[] = {NULL, NULL};
LibBalsaAddressBookLdap *ldap_ab = LIBBALSA_ADDRESS_BOOK_LDAP(ab);
g_return_val_if_fail(address, LBABERR_CANNOT_WRITE);
g_return_val_if_fail(address->address_list, LBABERR_CANNOT_WRITE);
g_return_val_if_fail(newval->address_list, LBABERR_CANNOT_WRITE);
if(!STREQ(address->address_list->data,newval->address_list->data)) {
/* email address has changed, we have to remove old entry and
* add a new one. */
if( (rc=libbalsa_address_book_ldap_add_address(ab, newval))
!= LBABERR_OK)
return rc;
return libbalsa_address_book_ldap_remove_address(ab, address);
}
/* the email address has not changed, continue with changing other
* attributes. */
if (ldap_ab->directory == NULL) {
if( (rc=libbalsa_address_book_ldap_open_connection(ldap_ab))
!= LDAP_SUCCESS)
return LBABERR_CANNOT_CONNECT;
}
dn = g_strdup_printf("mail=%s,%s",
(char*)address->address_list->data,
ldap_ab->priv_book_dn);
cnt = 0;
if(!STREQ(address->full_name,newval->full_name)) {
if(newval->full_name)
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_REPLACE,"cn",cn,
newval->full_name);
else
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_DELETE,"cn",cn,
address->full_name);
cnt++;
}
if(!STREQ(address->first_name,newval->first_name)) {
if(newval->first_name)
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_REPLACE,"givenName",gn,
newval->first_name);
else
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_DELETE,"givenName",gn,
address->first_name);
cnt++;
}
if(!STREQ(address->last_name,newval->last_name)) {
if(newval->last_name)
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_REPLACE,"sn",sn,
newval->last_name);
else
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_DELETE,"sn",sn,
address->last_name);
cnt++;
}
if(!STREQ(address->organization,newval->organization)) {
if(newval->organization)
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_REPLACE,"o",
org, newval->organization);
else
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_DELETE,"o",
org, address->organization);
cnt++;
}
mods[cnt] = NULL;
if(cnt == 0) {
/* nothing to modify */
g_free(dn);
return LBABERR_OK;
}
cnt = 0;
do {
rc = ldap_modify_ext_s(ldap_ab->directory, dn, mods, NULL, NULL);
switch(rc) {
case LDAP_SUCCESS: return LBABERR_OK;
case LDAP_SERVER_DOWN:
libbalsa_address_book_ldap_close_connection(ldap_ab);
if( (rc=libbalsa_address_book_ldap_open_connection(ldap_ab))
!= LDAP_SUCCESS) {
g_free(dn);
return LBABERR_CANNOT_CONNECT;
}
/* fall through */
default:
fprintf(stderr, "ldap_modify for dn=“%s” failed[0x%x]: %s\n",
dn, rc, ldap_err2string(rc));
}
} while(cnt++<1);
g_free(dn);
libbalsa_address_book_set_status(ab,
g_strdup(ldap_err2string(rc)));
return LBABERR_CANNOT_WRITE;
}