예제 #1
/*
 * Destroy the ticket policy object whose DN is given on the command line.
 *
 * Accepted arguments (argv[1..argc-1]): exactly one policy DN, optionally
 * accompanied by "-force".  Without "-force" the operator must confirm the
 * deletion on stdin; anything other than the expected answer aborts without
 * touching the directory.
 *
 * Nothing is returned; failures are reported through com_err()/db_usage()
 * and by incrementing the global exit_status.
 */
void
kdb5_ldap_destroy_policy(int argc, char *argv[])
{
    char *me = progname;
    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean show_usage = FALSE;
    krb5_boolean quiet = FALSE;
    char *policy_dn = NULL;
    int mask = 0;
    int forced = 0;
    /* Room for a three-letter answer, its newline and the terminator. */
    char answer[5] = {0};
    int idx;

    if (argc < 2 || argc > 3)
        goto err_usage;

    for (idx = 1; idx < argc; idx++) {
        if (strcmp(argv[idx], "-force") == 0) {
            forced++;
            continue;
        }

        /* Every non-option argument is the policy DN; a second one is a
         * usage error. */
        if (policy_dn != NULL)
            goto err_usage;

        policy_dn = strdup(argv[idx]);
        if (policy_dn == NULL) {
            retval = ENOMEM;
            com_err(me, retval, "while destroying policy object");
            goto err_nomsg;
        }
    }

    if (policy_dn == NULL)
        goto err_usage;

    if (!forced) {
        printf("This will delete the policy object '%s', are you sure?\n", policy_dn);
        printf("(type 'yes' to confirm)? ");

        if (fgets(answer, sizeof(answer), stdin) == NULL) {
            retval = EINVAL;
            goto cleanup;
        }

        /*
         * `yes` is defined elsewhere in the file -- presumably "yes\n";
         * confirm.  The comparison is exact, so a longer or different
         * answer falls through to the abort path and nothing is deleted.
         */
        if (strcmp(answer, yes) != 0) {
            exit_status++;
            goto cleanup;
        }
    }

    retval = init_ldap_realm(argc, argv);
    if (retval)
        goto err_nomsg;

    /* The policy is read before it is deleted; a failed read ends the
     * operation with an error instead of attempting the delete. */
    retval = krb5_ldap_read_policy(util_context, policy_dn, &policyparams, &mask);
    if (retval)
        goto cleanup;

    retval = krb5_ldap_delete_policy(util_context, policy_dn);
    if (retval)
        goto cleanup;

    printf("** policy object '%s' deleted.\n", policy_dn);
    goto cleanup;

    /* The labels below fall through on purpose: a usage error also
     * suppresses the generic error message. */
err_usage:
    show_usage = TRUE;

err_nomsg:
    quiet = TRUE;

cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy_dn);

    if (show_usage)
        db_usage(DESTROY_POLICY);

    if (retval) {
        if (!quiet)
            com_err(me, retval, "while destroying policy object");

        exit_status++;
    }
}
예제 #2
파일: ldap_realm.c 프로젝트: b055man/krb5
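/*
 * Delete the realm lrealm from the LDAP directory.
 *
 * In order: every principal found under the realm's subtrees whose name
 * belongs to lrealm, all password policies, all ticket policies of the
 * realm, and finally the realm object itself.
 *
 * context - library context; SETUP_CONTEXT() (defined elsewhere) derives
 *           dal_handle/ldap_context from it.
 * lrealm  - realm name; EINVAL is returned when it is NULL.
 *
 * Returns 0 on success or a krb5/LDAP-translated error code.  Deletion is
 * not atomic: an error part-way through leaves the realm partially removed.
 */
krb5_error_code
krb5_ldap_delete_realm (krb5_context context, char *lrealm)
{
    LDAP                        *ld = NULL;
    krb5_error_code             st = 0, tempst=0;
    char                        **values=NULL, **subtrees=NULL, **policy=NULL;
    LDAPMessage                 **result_arr=NULL, *result = NULL, *ent = NULL;
    krb5_principal              principal = NULL;
    unsigned int                l=0, ntree=0;
    int                         i=0, j=0, mask=0, flen=0;
    kdb5_dal_handle             *dal_handle = NULL;
    krb5_ldap_context           *ldap_context = NULL;
    krb5_ldap_server_handle     *ldap_server_handle = NULL;
    krb5_ldap_realm_params      *rparam=NULL;

    SETUP_CONTEXT ();

    if (lrealm == NULL) {
        st = EINVAL;
        k5_setmsg(context, st, _("Realm information not available"));
        goto cleanup;
    }

    if ((st=krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask)) != 0)
        goto cleanup;

    /* get ldap handle */
    GET_HANDLE ();

    /* delete all the principals belonging to the realm in the tree */
    {
        char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256];
        krb5_ldap_context lcontext;

        /* The realm name is escaped before it is placed in the search
         * filter.  NOTE(review): a NULL result is treated as an allocation
         * failure -- confirm against ldap_filter_correct(). */
        realm = ldap_filter_correct (lrealm);
        if (realm == NULL) {
            st = ENOMEM;
            goto cleanup;
        }

        /*
         * Reject an over-long realm at run time instead of relying on
         * assert(): with NDEBUG the assertion vanishes and a truncated
         * filter would be sent to the server; without NDEBUG the tool
         * aborts on an input it can simply refuse.
         */
        flen = snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm);
        free (realm);
        if (flen < 0 || (size_t) flen >= sizeof(filter)) {
            st = EINVAL;
            k5_setmsg(context, st, _("Realm name too long for search filter"));
            goto cleanup;
        }

        /* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */
        memset(&lcontext, 0, sizeof(krb5_ldap_context));
        lcontext.lrparams = rparam;
        if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0)
            goto cleanup;

        /* One extra zeroed slot terminates the array for the loop below. */
        result_arr = (LDAPMessage **)  calloc((unsigned int)ntree+1,
                                              sizeof(LDAPMessage *));
        if (result_arr == NULL) {
            st = ENOMEM;
            goto cleanup;
        }

        for (l=0; l < ntree; ++l) {
            /* LDAP_SEARCH is a macro defined elsewhere; it leaves its
             * answer in `result` (presumably jumping to cleanup on
             * failure -- confirm). */
            LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr);
            result_arr[l] = result;
        }
    }

    /* NOTE: Here all the principals should be cached and the ldap handle should be freed,
     * as a DAL-LDAP interface is called right down here. Caching might be constrained by
     * availability of the memory. The caching is not done, however there would be limit
     * on the minimum number of handles for a server and it is 2. As the DAL-LDAP is not
     * thread-safe this should suffice.
     */
    for (j=0; (result=result_arr[j]) != NULL; ++j) {
        for (ent = ldap_first_entry (ld, result); ent != NULL;
             ent = ldap_next_entry (ld, ent)) {
            if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) {
                for (i = 0; values[i] != NULL; ++i) {
                    /*
                     * The name comes from the directory, so it may not
                     * parse.  Stop on failure: continuing would hand an
                     * unset principal to the realm check and to
                     * krb5_free_principal().
                     */
                    principal = NULL;
                    st = krb5_parse_name(context, values[i], &principal);
                    if (st != 0) {
                        ldap_value_free(values);
                        goto cleanup;
                    }
                    if (principal_in_realm_2(principal, lrealm) == 0) {
                        st=krb5_ldap_delete_principal(context, principal);
                        if (st && st != KRB5_KDB_NOENTRY) {
                            /* Release what this iteration owns before
                             * leaving; cleanup does not know about it. */
                            krb5_free_principal(context, principal);
                            ldap_value_free(values);
                            goto cleanup;
                        }
                    }
                    krb5_free_principal(context, principal);
                }
                ldap_value_free(values);
            }
        }
    }

    /* Delete all password policies (best effort: the result is ignored) */
    krb5_ldap_iterate_password_policy (context, "*", delete_password_policy, context);

    /* Delete all ticket policies */
    {
        if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) {
            prepend_err_str(context, _("Error reading ticket policy: "), st,
                            st);
            goto cleanup;
        }

        /* Best effort as well: individual delete failures are ignored. */
        for (i = 0; policy [i] != NULL; i++)
            krb5_ldap_delete_policy(context, policy[i]);
    }

    /* Delete the realm object */
    if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) {
        /* Keep the raw LDAP code for the message; return the translated one. */
        int ost = st;
        st = translate_ldap_error (st, OP_DEL);
        k5_setmsg(context, st, _("Realm Delete FAILED: %s"),
                  ldap_err2string(ost));
    }

cleanup:
    if (subtrees) {
        for (l=0; l < ntree; ++l) {
            if (subtrees[l])
                free (subtrees[l]);
        }
        free (subtrees);
    }

    if (result_arr != NULL) {
        for (l = 0; l < ntree; l++)
            ldap_msgfree(result_arr[l]);
        free(result_arr);
    }

    if (policy != NULL) {
        for (i = 0; policy[i] != NULL; i++)
            free (policy[i]);
        free (policy);
    }

    krb5_ldap_free_realm_params(rparam);
    krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
    return st;
}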