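/*
 * Look up the account-lockout parameters that apply to a DB entry.
 *
 * The entry's KRB5_TL_KADM_DATA tl-data is XDR-decoded into an
 * osa_princ_ent_rec; if that record names a policy, the policy's
 * pw_max_fail, pw_failcnt_interval and pw_lockout_duration are copied to
 * the out parameters.  All three out parameters are zeroed first, so an
 * entry with no admin data or no policy reports "no lockout".
 *
 * Returns 0 on success (including the "no admin data" case), the error
 * from krb5_dbe_lookup_tl_data, or KADM5_XDR_FAILURE if the admin data
 * cannot be decoded.
 *
 * NOTE(review): a nonzero return from krb5_db2_get_policy (a deleted
 * policy, or a DB error) is deliberately not propagated and leaves the
 * lockout parameters at zero, i.e. this lookup fails open.  Callers that
 * need fail-closed behaviour must not rely on this function for it.
 */
static krb5_error_code
lookup_lockout_policy(krb5_context context,
                      krb5_db_entry *entry,
                      krb5_kvno *pw_max_fail,
                      krb5_deltat *pw_failcnt_interval,
                      krb5_deltat *pw_lockout_duration)
{
    krb5_tl_data tl_data;
    krb5_error_code code;
    osa_princ_ent_rec adb;
    XDR xdrs;

    *pw_max_fail = 0;
    *pw_failcnt_interval = 0;
    *pw_lockout_duration = 0;

    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
    code = krb5_dbe_lookup_tl_data(context, entry, &tl_data);
    if (code != 0 || tl_data.tl_data_length == 0)
        return code;    /* lookup error, or no admin data at all */

    /* Zeroing first makes an XDR_FREE pass safe even after a partial
     * decode: members that were never reached stay NULL / zero. */
    memset(&adb, 0, sizeof(adb));
    xdrmem_create(&xdrs, (char *)tl_data.tl_data_contents,
                  tl_data.tl_data_length, XDR_DECODE);
    if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) {
        xdr_destroy(&xdrs);
        /* A decode that failed part-way may already have allocated
         * string or array members of adb; release them rather than
         * leaking them on every malformed record. */
        xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
        xdr_osa_princ_ent_rec(&xdrs, &adb);
        xdr_destroy(&xdrs);
        return KADM5_XDR_FAILURE;
    }
    xdr_destroy(&xdrs);

    if (adb.policy != NULL) {
        osa_policy_ent_t policy = NULL;

        code = krb5_db2_get_policy(context, adb.policy, &policy);
        if (code == 0) {
            *pw_max_fail = policy->pw_max_fail;
            *pw_failcnt_interval = policy->pw_failcnt_interval;
            *pw_lockout_duration = policy->pw_lockout_duration;
            krb5_db2_free_policy(context, policy);
        }
        /* code != 0 is intentionally swallowed here; see NOTE above. */
    }

    /* Release the decoded admin record. */
    xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
    xdr_osa_princ_ent_rec(&xdrs, &adb);
    xdr_destroy(&xdrs);

    return 0;
}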
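/*
 * Function: kdb_get_entry
 *
 * Purpose: Gets an entry from the kerberos database and breaks
 * it out into a krb5_db_entry and an osa_princ_ent_t.
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      principal       (r) the principal to get
 *      kdb             (w) krb5_db_entry to fill in
 *      adb             (w) osa_princ_ent_rec to fill in; may be NULL
 *                          if the caller only wants kdb
 *
 * Returns 0 on success; KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE if the lookup
 * matched more than one entry, KADM5_UNK_PRINC if it matched none,
 * KADM5_XDR_FAILURE if the stored admin data does not decode, or the
 * error from the underlying DB call.  On every nonzero return the DB
 * entry has already been released, so the caller owns nothing.
 *
 * On success, kdb and adb must be released with kdb_free_entry.  adb is
 * filled in with the contents of the KRB5_TL_KADM_DATA record; if that
 * record doesn't exist, an empty but valid adb record (all zeros, with
 * admin_history_kvno set to hist_kvno) is returned.
 */
krb5_error_code kdb_get_entry(kadm5_server_handle_t handle,
                              krb5_principal principal, krb5_db_entry *kdb,
                              osa_princ_ent_rec *adb)
{
    krb5_error_code ret;
    int nprincs;
    krb5_boolean more;
    krb5_tl_data tl_data;
    XDR xdrs;

    ret = krb5_db_get_principal(handle->context, principal, kdb,
                                &nprincs, &more);
    if (ret)
        return(ret);

    if (more) {
        krb5_db_free_principal(handle->context, kdb, nprincs);
        return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
    } else if (nprincs != 1) {
        krb5_db_free_principal(handle->context, kdb, nprincs);
        return(KADM5_UNK_PRINC);
    }

    if (adb == NULL)
        return(0);

    memset(adb, 0, sizeof(*adb));

    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
    /*
     * XXX Currently, lookup_tl_data always returns zero; it sets
     * tl_data->tl_data_length to zero if the type isn't found.
     * This should be fixed...
     */
    ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data);
    if (ret) {
        /* Do not hand the entry back alongside an error code: the caller
         * is not expected to call kdb_free_entry on failure, so release
         * it here, as the XDR failure path below already does. */
        krb5_db_free_principal(handle->context, kdb, 1);
        return(ret);
    }

    if (tl_data.tl_data_length == 0) {
        /* there's no admin data.  this can happen, if the admin
           server is put into production after some principals
           are created.  In this case, return valid admin
           data (which is all zeros with the hist_kvno filled
           in), and when the entry is written, the admin
           data will get stored correctly. */
        adb->admin_history_kvno = hist_kvno;
        return(0);
    }

    /* Solaris Kerberos */
    xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
                  tl_data.tl_data_length, XDR_DECODE);
    if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
        /* NOTE(review): a decode that fails part-way may leave allocated
         * members in *adb; since callers are not expected to free adb
         * after an error, those would leak.  Releasing them needs an
         * XDR_FREE pass over *adb before returning. */
        xdr_destroy(&xdrs);
        krb5_db_free_principal(handle->context, kdb, 1);
        return(KADM5_XDR_FAILURE);
    }
    xdr_destroy(&xdrs);

    return(0);
}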
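/*
 * Release a heap-allocated osa_princ_ent_t: XDR-free its members, then
 * free the record itself.
 *
 * A NULL val is a no-op, so callers may pass a pointer that was never
 * successfully filled in without the XDR free pass dereferencing NULL.
 */
void
osa_free_princ_ent(osa_princ_ent_t val)
{
    XDR xdrs;

    if (val == NULL)
        return;

    xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
    xdr_osa_princ_ent_rec(&xdrs, val);
    xdr_destroy(&xdrs);     /* consistent with the other XDR_FREE users */
    free(val);
}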
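/*
 * Function: kdb_get_entry
 *
 * Purpose: Gets an entry from the kerberos database and breaks
 * it out into a krb5_db_entry and an osa_princ_ent_t.
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      principal       (r) the principal to get
 *      kdb_ptr         (w) receives the newly created krb5_db_entry
 *      adb             (w) osa_princ_ent_rec to fill in; may be NULL
 *                          if the caller only wants the entry
 *
 * Returns 0 on success; KADM5_UNK_PRINC if the principal does not exist
 * (KRB5_KDB_NOENTRY from the DB layer), KADM5_XDR_FAILURE if the stored
 * admin data does not decode, or the error from the underlying DB call.
 * On every nonzero return *kdb_ptr is NULL and any entry that was
 * created has been released, so the caller owns nothing.
 *
 * On success, the entry and adb must be released with kdb_free_entry.
 * The lookup passes KRB5_KDB_FLAG_ALIAS_OK (presumably permitting alias
 * names; confirm against the DB layer).  adb is filled in with the
 * contents of the KRB5_TL_KADM_DATA record; if that record doesn't
 * exist, an empty but valid adb record (all zeros, with
 * admin_history_kvno set to INITIAL_HIST_KVNO) is returned.
 */
krb5_error_code
kdb_get_entry(kadm5_server_handle_t handle, krb5_principal principal,
              krb5_db_entry **kdb_ptr, osa_princ_ent_rec *adb)
{
    krb5_error_code ret;
    krb5_tl_data tl_data;
    XDR xdrs;
    krb5_db_entry *kdb;

    *kdb_ptr = NULL;

    ret = krb5_db_get_principal(handle->context, principal,
                                KRB5_KDB_FLAG_ALIAS_OK, &kdb);
    if (ret == KRB5_KDB_NOENTRY)
        return(KADM5_UNK_PRINC);
    if (ret)
        return(ret);

    if (adb == NULL) {
        *kdb_ptr = kdb;
        return(0);
    }

    memset(adb, 0, sizeof(*adb));

    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
    /*
     * XXX Currently, lookup_tl_data always returns zero; it sets
     * tl_data->tl_data_length to zero if the type isn't found.
     * This should be fixed...
     */
    ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data);
    if (ret) {
        /* Keep the "nothing is owned on error" contract: do not store
         * the entry in *kdb_ptr alongside an error code, where a caller
         * that treats the return as fatal would leak it.  The XDR
         * failure path below already releases the entry the same way. */
        krb5_db_free_principal(handle->context, kdb);
        return(ret);
    }

    if (tl_data.tl_data_length == 0) {
        /* there's no admin data.  this can happen, if the admin
           server is put into production after some principals
           are created.  In this case, return valid admin
           data (which is all zeros with the hist_kvno filled
           in), and when the entry is written, the admin
           data will get stored correctly. */
        adb->admin_history_kvno = INITIAL_HIST_KVNO;
        *kdb_ptr = kdb;
        return(0);
    }

    xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
                  tl_data.tl_data_length, XDR_DECODE);
    if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
        /* NOTE(review): a decode that fails part-way may leave allocated
         * members in *adb; since callers are not expected to free adb
         * after an error, those would leak.  Releasing them needs an
         * XDR_FREE pass over *adb before returning. */
        xdr_destroy(&xdrs);
        krb5_db_free_principal(handle->context, kdb);
        return(KADM5_XDR_FAILURE);
    }
    xdr_destroy(&xdrs);

    *kdb_ptr = kdb;
    return(0);
}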
/*
 * Release what kdb_get_entry handed out.
 *
 * kdb, if non-NULL, is freed through krb5_db_free_principal (with a count
 * of 1).  adb, if non-NULL, has its members released by an XDR_FREE pass;
 * the osa_princ_ent_rec itself is caller storage and is not freed.
 * Always returns 0.
 */
krb5_error_code
kdb_free_entry(kadm5_server_handle_t handle, krb5_db_entry *kdb,
               osa_princ_ent_rec *adb)
{
    if (kdb != NULL)
        krb5_db_free_principal(handle->context, kdb, 1);

    if (adb != NULL) {
        XDR free_stream;

        xdrmem_create(&free_stream, NULL, 0, XDR_FREE);
        xdr_osa_princ_ent_rec(&free_stream, adb);
        xdr_destroy(&free_stream);
    }

    return(0);
}
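/*
 * Function: kdb_put_entry
 *
 * Purpose: Stores the osa_princ_ent_t and krb5_db_entry into the
 * database.
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      kdb             (r/w) the krb5_db_entry to store
 *      adb             (r) the osa_princ_db_ent to store
 *
 * Effects:
 *
 * The last modifier field of the kdb is set to the caller at now.
 * adb is encoded with xdr_osa_princ_ent_rec and stored in kdb as
 * KRB5_TL_KADM_DATA.  kdb is then written to the database.
 *
 * Returns 0 on success, KADM5_XDR_FAILURE if adb cannot be encoded (or
 * its encoding is too large for a tl_data record), or the error from
 * the time, mod-princ, tl-data or DB-write call that failed.  On error
 * the database is not written, but kdb may already carry the updated
 * modifier data.
 */
krb5_error_code kdb_put_entry(kadm5_server_handle_t handle,
                              krb5_db_entry *kdb, osa_princ_ent_rec *adb)
{
    krb5_error_code ret;
    krb5_int32 now;
    XDR xdrs;
    krb5_tl_data tl_data;
    unsigned int encoded_len;
    int one;

    ret = krb5_timeofday(handle->context, &now);
    if (ret)
        return(ret);

    ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now,
                                         handle->current_caller);
    if (ret)
        return(ret);

    xdralloc_create(&xdrs, XDR_ENCODE);
    if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
        xdr_destroy(&xdrs);
        return(KADM5_XDR_FAILURE);
    }

    /* tl_data_length is a 16-bit field (krb5_ui_2).  Assigning a larger
     * encoding to it would silently truncate the length and store a
     * corrupt KADM_DATA record (e.g. for a principal with a very long
     * key history), so refuse rather than truncate. */
    encoded_len = xdr_getpos(&xdrs);
    if (encoded_len > 0xFFFFu) {
        xdr_destroy(&xdrs);
        return(KADM5_XDR_FAILURE);
    }

    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
    tl_data.tl_data_length = encoded_len;
    /* Solaris Kerberos */
    tl_data.tl_data_contents = (unsigned char *) xdralloc_getdata(&xdrs);

    /* The DB layer takes its own copy of the contents, so the XDR
     * stream (and its buffer) can be destroyed right afterwards. */
    ret = krb5_dbe_update_tl_data(handle->context, kdb, &tl_data);
    xdr_destroy(&xdrs);
    if (ret)
        return(ret);

    one = 1;
    ret = krb5_db_put_principal(handle->context, kdb, &one);
    if (ret)
        return(ret);

    return(0);
}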
/*
 * Decode the KADM_DATA tl-data of a DB entry into *adb.
 *
 * *adb is zeroed before anything else.  Returns nonzero when a
 * KRB5_TL_KADM_DATA record was present and decoded cleanly.  Returns 0
 * both when the entry has no such record (or the tl-data lookup fails)
 * and when the record fails to decode; in the latter case *adb may be
 * partially filled.  A 0 return therefore does not by itself tell
 * "absent" from "corrupt" apart.
 */
static int
get_adb(krb5_db_entry *dbe, osa_princ_ent_rec *adb)
{
    krb5_tl_data tl_data;
    XDR decoder;
    int decoded;

    memset(adb, 0, sizeof(*adb));

    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
    if (krb5_dbe_lookup_tl_data(util_context, dbe, &tl_data) != 0)
        return 0;
    if (tl_data.tl_data_length == 0)
        return 0;

    xdrmem_create(&decoder, (caddr_t)tl_data.tl_data_contents,
                  tl_data.tl_data_length, XDR_DECODE);
    decoded = xdr_osa_princ_ent_rec(&decoder, adb);
    xdr_destroy(&decoder);

    return decoded;
}
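/*
 * Function: kdb_put_entry
 *
 * Purpose: Stores the osa_princ_ent_t and krb5_db_entry into the
 * database.
 *
 * Arguments:
 *
 *      handle          (r) the server_handle
 *      kdb             (r/w) the krb5_db_entry to store
 *      adb             (r) the osa_princ_db_ent to store
 *
 * Effects:
 *
 * The last modifier field of the kdb is set to the caller at now.
 * adb is encoded with xdr_osa_princ_ent_rec and stored in kdb as
 * KRB5_TL_KADM_DATA, and KADM5_TL_DATA is added to kdb->mask.  kdb is
 * then written to the database.
 *
 * Returns 0 on success, KADM5_XDR_FAILURE if adb cannot be encoded (or
 * its encoding is too large for a tl_data record), or the error from
 * the time, mod-princ, tl-data or DB-write call that failed.  On error
 * the database is not written, but kdb may already carry the updated
 * modifier data.
 */
krb5_error_code
kdb_put_entry(kadm5_server_handle_t handle, krb5_db_entry *kdb,
              osa_princ_ent_rec *adb)
{
    krb5_error_code ret;
    krb5_int32 now;
    XDR xdrs;
    krb5_tl_data tl_data;
    unsigned int encoded_len;

    ret = krb5_timeofday(handle->context, &now);
    if (ret)
        return(ret);

    ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now,
                                         handle->current_caller);
    if (ret)
        return(ret);

    xdralloc_create(&xdrs, XDR_ENCODE);
    if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
        xdr_destroy(&xdrs);
        return(KADM5_XDR_FAILURE);
    }

    /* tl_data_length is a 16-bit field (krb5_ui_2).  Assigning a larger
     * encoding to it would silently truncate the length and store a
     * corrupt KADM_DATA record (e.g. for a principal with a very long
     * key history), so refuse rather than truncate. */
    encoded_len = xdr_getpos(&xdrs);
    if (encoded_len > 0xFFFFu) {
        xdr_destroy(&xdrs);
        return(KADM5_XDR_FAILURE);
    }

    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
    tl_data.tl_data_length = encoded_len;
    tl_data.tl_data_contents = (krb5_octet *)xdralloc_getdata(&xdrs);

    /* The DB layer takes its own copy of the contents, so the XDR
     * stream (and its buffer) can be destroyed right afterwards. */
    ret = krb5_dbe_update_tl_data(handle->context, kdb, &tl_data);
    xdr_destroy(&xdrs);
    if (ret)
        return(ret);

    /* we are always updating TL data */
    kdb->mask |= KADM5_TL_DATA;

    ret = krb5_db_put_principal(handle->context, kdb);
    if (ret)
        return(ret);

    return(0);
}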