static krb5_error_code v5_convert(krb5_context context, krb5_ccache id, krb5_creds *cred, uid_t uid, const char *cell, struct kafs_token *kt) { krb5_error_code ret; char *c, *val; c = strdup(cell); if (c == NULL) return ENOMEM; _kafs_foldup(c, c); krb5_appdefault_string (context, "libkafs", c, "afs-use-524", "2b", &val); free(c); if (strcasecmp(val, "local") == 0 || strcasecmp(val, "2b") == 0) ret = v5_to_kt(cred, uid, kt, 1); else ret = v5_to_kt(cred, uid, kt, 0); free(val); return ret; }
KRB5_LIB_FUNCTION void KRB5_LIB_CALL krb5_appdefault_time(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, time_t def_val, time_t *ret_val) { krb5_deltat t; char *val; krb5_appdefault_string(context, appname, realm, option, NULL, &val); if (val == NULL) { *ret_val = def_val; return; } if (krb5_string_to_deltat(val, &t)) *ret_val = def_val; else *ret_val = t; free(val); }
/* * Load a string option from Kerberos appdefaults. Takes the Kerberos * context, the option, and the result location. * * This requires an annoying workaround because one cannot specify a default * value of NULL with MIT Kerberos, since MIT Kerberos unconditionally calls * strdup on the default value. There's also no way to determine if memory * allocation failed while parsing or while setting the default value, so we * don't return an error code. */ void sync_config_string(krb5_context ctx, const char *opt, char **result) { realm_type realm; char *value = NULL; /* Obtain the string from [appdefaults]. */ realm = default_realm(ctx); krb5_appdefault_string(ctx, "krb5-sync", realm, opt, "", &value); free_default_realm(ctx, realm); /* If we got something back, store it in result. */ if (value != NULL) { if (value[0] != '\0') { free(*result); *result = strdup(value); } krb5_free_string(ctx, value); } }
static krb5_error_code v5_convert(krb5_context context, krb5_ccache id, krb5_creds *cred, uid_t uid, const char *cell, struct kafs_token *kt) { krb5_error_code ret; char *c, *val; c = strdup(cell); if (c == NULL) return ENOMEM; _kafs_foldup(c, c); krb5_appdefault_string (context, "libkafs", c, "afs-use-524", "2b", &val); free(c); if (strcasecmp(val, "local") == 0 || strcasecmp(val, "2b") == 0) ret = v5_to_kt(cred, uid, kt, 1); else if(strcasecmp(val, "yes") == 0 || strcasecmp(val, "true") == 0 || atoi(val)) { struct credentials cred4; if (id == NULL) ret = krb524_convert_creds_kdc(context, cred, &cred4); else ret = krb524_convert_creds_kdc_ccache(context, id, cred, &cred4); if (ret) goto out; ret = _kafs_v4_to_kt(&cred4, uid, kt); } else ret = v5_to_kt(cred, uid, kt, 0); out: free(val); return ret; }
/* * Load a list option from Kerberos appdefaults. Takes the Kerberos context, * the option, and the result location. The option is read as a string and * the split on spaces and tabs into a list. * * This requires an annoying workaround because one cannot specify a default * value of NULL with MIT Kerberos, since MIT Kerberos unconditionally calls * strdup on the default value. There's also no way to determine if memory * allocation failed while parsing or while setting the default value. */ krb5_error_code sync_config_list(krb5_context ctx, const char *opt, struct vector **result) { realm_type realm; char *value = NULL; /* Obtain the string from [appdefaults]. */ realm = default_realm(ctx); krb5_appdefault_string(ctx, "krb5-sync", realm, opt, "", &value); free_default_realm(ctx, realm); /* If we got something back, store it in result. */ if (value != NULL) { if (value[0] != '\0') { *result = sync_vector_split_multi(value, " \t", *result); if (*result == NULL) return sync_error_system(ctx, "cannot allocate memory"); } krb5_free_string(ctx, value); } return 0; }
static char * get_user_realm(krb5_context context) { krb5_error_code ret; char *user_realm = NULL; /* * If memory allocation fails, we don't try to use the wrong realm, * that will trigger misleading error messages complicate support. */ krb5_appdefault_string(context, "kinit", NULL, "user_realm", "", &user_realm); if (user_realm == NULL) { ret = krb5_enomem(context); krb5_err(context, 1, ret, "krb5_appdefault_string"); } if (*user_realm == 0) { free(user_realm); user_realm = NULL; } return user_realm; }
int is_admin(struct rekey_session *sess) { static int ldap_initialized=0; char *username=NULL; LDAP *l=NULL; int v, ssl_hard=LDAP_OPT_X_TLS_HARD, rc, ret=0; struct timeval tv; LDAPMessage *response=NULL; char *reason, *filter; char *ldap_url, *ldap_base, *ldap_filter, *ldap_binddn; char *ldap_pwfile, *ldap_cacertdir; char ldap_pwbuf[257]; #ifdef HAVE_KRB5_REALM krb5_realm *realm; #else krb5_data rdata; krb5_data *realm = &rdata; #endif #if !defined(LDAP_OPT_X_TLS_PROTOCOL_MIN) SSL_CTX *sslctx; #endif if (!princ_ncomp_eq(sess->kctx, sess->princ, 2) || !compare_princ_comp(sess->kctx, sess->princ, 1, "admin")) { goto freeall; } if (!(username=dup_comp_string(sess->kctx, sess->princ, 0))) { prtmsg("Failed to extract username for admin check"); goto freeall; } #ifdef HAVE_KRB5_REALM realm=sess->realm; #else rdata.data=sess->realm; rdata.length=strlen(sess->realm); #endif krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_uri", LDAP_URI, &ldap_url); krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_base", LDAP_BASEDN, &ldap_base); krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_filter", USER_INGROUP_FILTER, &ldap_filter); krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_binddn", LDAP_BINDDN, &ldap_binddn); krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_pwfile", LDAP_PWFILE, &ldap_pwfile); krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_cacertdir", "/etc/andy/ldapcerts", &ldap_cacertdir); if (strlen(ldap_pwfile) > 0) { int fd=open(ldap_pwfile, O_RDONLY); ssize_t rsize; if (fd < 0) { prtmsg("Failed to open LDAP password file %s: %s", ldap_pwfile, strerror(errno)); goto freeall; } rsize=read(fd, ldap_pwbuf, 256); if (rsize < 0) { prtmsg("Failed to read from LDAP password file %s: %s", ldap_pwfile, strerror(errno)); goto freeall; } if (rsize > 255) { prtmsg("LDAP password file %s is too large. limit to 255 characters", ldap_pwfile); goto freeall; } while(rsize > 0 && isspace(ldap_pwbuf[rsize-1])) rsize--; ldap_pwbuf[rsize]=0; } if (!ldap_initialized) { LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_hard); LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CACERTDIR, ldap_cacertdir); LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, "HIGH:!ADH:!eNULL:-SSLv2"); #if defined(LDAP_OPT_X_TLS_PROTOCOL_MIN) v=LDAP_OPT_X_TLS_PROTOCOL_TLS1_0; LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN, &v); #else extern int ldap_pvt_tls_init(); extern int ldap_pvt_tls_init_def_ctx( int is_server ); ldap_pvt_tls_init(); ldap_pvt_tls_init_def_ctx(0); LDAP_GET_OPTION(NULL, LDAP_OPT_X_TLS_CTX, &sslctx); if (sslctx) { SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3); } #endif ldap_initialized=1; } errno=0; rc = ldap_initialize(&l, ldap_url); if (rc!=LDAP_SUCCESS) { prtmsg("Failed to initialize ldap for %s: %s%s%s", ldap_url, ldap_err2string(rc),(errno==0)?"":": ", (errno==0)?"":strerror(errno)); goto freeall; } v=LDAP_VERSION3; LDAP_SET_OPTION(l, LDAP_OPT_PROTOCOL_VERSION, &v); LDAP_SET_OPTION(l, LDAP_OPT_X_TLS, &ssl_hard); errno=0; #if 0 rc = ldap_sasl_interactive_bind_s(l, NULL, "GSSAPI", NULL, NULL, LDAP_SASL_QUIET, do_sasl_interact, NULL); #else rc = ldap_bind_s(l, ldap_binddn, ldap_pwbuf, LDAP_AUTH_SIMPLE); #endif if (rc!=LDAP_SUCCESS) { prtmsg("Failed to connect or authenticate to ldap for %s: %s%s%s", LDAP_URI, ldap_err2string(rc),(errno==0)?"":": ", (errno==0)?"":strerror(errno)); goto freeall; } tv.tv_sec=30; tv.tv_usec=0; rc = ldap_search_ext_s(l, rekey_admin_group, LDAP_SCOPE_BASE, NO_FILTER, no_attrs, 0, NULL, NULL, &tv, LDAP_NO_LIMIT, &response); if (rc != LDAP_SUCCESS) { prtmsg("Failed to verify group %s existence (searching): %s%s%s", rekey_admin_group, ldap_err2string(rc),(errno==0)?"":": ", (errno==0)?"":strerror(errno)); goto freeall; } reason=aasprintf("verify group %s existence", rekey_admin_group); if (!verify_op_success(l, reason, response)) goto freeall; ldap_msgfree(response); response=NULL; filter=aasprintf(ldap_filter, username, rekey_admin_group); rc = ldap_search_ext_s(l, ldap_base, LDAP_SCOPE_SUB, filter, no_attrs, 0, NULL, NULL, &tv, LDAP_NO_LIMIT, &response); if (rc != LDAP_SUCCESS) { prtmsg("Failed to check user %s admin permission (searching): %s%s%s", username, ldap_err2string(rc),(errno==0)?"":": ", (errno==0)?"":strerror(errno)); goto freeall; } reason=aasprintf("check user %s admin permission", username); if (!verify_single_result(l, 0, reason, response)) goto freeall; ret=1; freeall: ldap_msgfree(response); if (l) ldap_unbind_ext_s(l, NULL, NULL); free(username); return ret; }