Пример #1
0
/*
 * Set vmwPasswordNeverExpires (if it doesn't have a value) to TRUE
 * on the domain administrator's account.
 */
DWORD
VmDirSetAdministratorPasswordNeverExpires(
    VOID
    )
{
    DWORD               dwError = 0;
    PCSTR               pszDomainDn = NULL;
    const CHAR          szAdministrator[] = "cn=Administrator,cn=Users";
    const CHAR          szTrue[] = "TRUE";
    PSTR                pszAdministratorDn = NULL;
    VDIR_OPERATION      op = {0};
    PSTR                pszLocalErrMsg = NULL;
    VDIR_ENTRY_ARRAY    entryArray = {0};
    PVDIR_ENTRY         pEntry = NULL;
    VDIR_BERVALUE       bervBlob = VDIR_BERVALUE_INIT;

    pszDomainDn = gVmdirServerGlobals.systemDomainDN.lberbv.bv_val;
    if (pszDomainDn == NULL)
    {
        dwError = ERROR_INVALID_STATE;
        BAIL_ON_VMDIR_ERROR(dwError);
    }

    dwError = VmDirAllocateStringPrintf(&pszAdministratorDn, "%s,%s", szAdministrator, pszDomainDn);
    BAIL_ON_VMDIR_ERROR(dwError);

    dwError = VmDirSimpleEqualFilterInternalSearch(
                    pszDomainDn,
                    LDAP_SCOPE_SUBTREE,
                    ATTR_DN,
                    pszAdministratorDn,
                    &entryArray);
    BAIL_ON_VMDIR_ERROR(dwError);

    if (entryArray.iSize != 1)
    {
        dwError = VMDIR_ERROR_DATA_CONSTRAINT_VIOLATION;
        BAIL_ON_VMDIR_ERROR(dwError);
    }

    pEntry = &(entryArray.pEntry[0]);

    if (pEntry->allocType == ENTRY_STORAGE_FORMAT_PACK)
    {
        dwError = VmDirEntryUnpack( pEntry );
        BAIL_ON_VMDIR_ERROR(dwError);
    }

    dwError = VmDirInitStackOperation( &op, VDIR_OPERATION_TYPE_INTERNAL, LDAP_REQ_MODIFY, NULL);
    BAIL_ON_VMDIR_ERROR_WITH_MSG(dwError, pszLocalErrMsg, "VmDirSetAdministratorPasswordNeverExpire: VmDirInitStackOperation failed: %u", dwError);

    op.pBEIF = VmDirBackendSelect(NULL);
    assert(op.pBEIF);

    op.reqDn.lberbv.bv_val = pEntry->dn.lberbv.bv_val;
    op.reqDn.lberbv.bv_len = pEntry->dn.lberbv.bv_len;
    op.request.modifyReq.dn.lberbv = op.reqDn.lberbv;

    bervBlob.lberbv.bv_val = (PSTR) szTrue;
    bervBlob.lberbv.bv_len = strlen(szTrue);
    dwError = VmDirAppendAMod( &op,
                               MOD_OP_REPLACE,
                               ATTR_PASSWORD_NEVER_EXPIRES,
                               ATTR_PASSWORD_NEVER_EXPIRES_LEN,
                               bervBlob.lberbv_val,
                               bervBlob.lberbv_len);
    BAIL_ON_VMDIR_ERROR(dwError);

    dwError = VmDirInternalModifyEntry(&op);
    BAIL_ON_VMDIR_ERROR(dwError);

cleanup:

    VmDirFreeEntryArrayContent(&entryArray);
    VmDirFreeOperationContent(&op);
    VMDIR_SAFE_FREE_STRINGA(pszAdministratorDn);
    return dwError;

error:

    VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL,
                     "VmDirSetAdministratorPasswordNeverExpires failed, (%u)", dwError);
    goto cleanup;
}
Пример #2
0
/*
 * Tweak indices entry to append building flag to newly added values.
 * e.g. user add a new index attribute "myuid eq unique"
 * we want to save it as "myuid eq unique (buildingflag)" instead.
 */
DWORD
VdirIndexingEntryAppendFlag(
    VDIR_MODIFICATION*   pMods,
    PVDIR_ENTRY          pEntry)
{
    DWORD   dwError = 0;
    DWORD   dwCnt = 0;
    PSTR    pszNewStr = NULL;
    PVDIR_ATTRIBUTE  pAttr = NULL;

    assert(pMods && pEntry && pEntry->allocType == ENTRY_STORAGE_FORMAT_NORMAL);


    // unpack entry, so we can manipulate its contents.
    dwError = VmDirEntryUnpack(pEntry);
    BAIL_ON_VMDIR_ERROR(dwError);

    pAttr = VmDirFindAttrByName(pEntry, ATTR_INDEX_DESC);
    if (!pAttr)
    {
        dwError = ERROR_INVALID_ENTRY;
        BAIL_ON_VMDIR_ERROR(dwError);
    }

    for (dwCnt = 0; dwCnt < pAttr->numVals; dwCnt++)
    {
        DWORD iIdx = 0;
        for (iIdx = 0; iIdx < pMods->attr.numVals; iIdx++)
        {
            if (0 == VmDirStringCompareA(pAttr->vals[dwCnt].lberbv.bv_val, pMods->attr.vals[iIdx].lberbv.bv_val, FALSE))
            {
                dwError = VmDirAllocateStringAVsnprintf(
                              &pszNewStr,
                              "%s %s",
                              pAttr->vals[dwCnt].lberbv.bv_val,
                              ATTR_INDEX_BUILDING_FLAG);
                BAIL_ON_VMDIR_ERROR(dwError);

                VmDirFreeBervalArrayContent(&pAttr->vals[dwCnt], 1);

                pAttr->vals[dwCnt].lberbv.bv_val = pszNewStr;
                pszNewStr = NULL;
                pAttr->vals[dwCnt].bOwnBvVal = TRUE;
                pAttr->vals[dwCnt].lberbv.bv_len = VmDirStringLenA(pAttr->vals[dwCnt].lberbv.bv_val);

                dwError = VmDirSchemaBervalNormalize(
                              pEntry->pSchemaCtx,
                              pAttr->pATDesc,
                              &pAttr->vals[dwCnt]);
                BAIL_ON_VMDIR_ERROR(dwError);
            }
        }
    }

cleanup:

    return dwError;

error:

    VMDIR_SAFE_FREE_MEMORY(pszNewStr);

    goto cleanup;
}
Пример #3
0
/*
 * Set SRP Identifier's secret on existing entry with Password set
 */
DWORD
VmDirSRPSetIdentityData(
    PCSTR       pszUPN,
    PCSTR       pszClearTextPassword
    )
{
    DWORD               dwError = 0;
    VDIR_OPERATION      op = {0};
    PSTR                pszLocalErrMsg = NULL;
    VDIR_ENTRY_ARRAY    entryArray = {0};
    PVDIR_ENTRY         pEntry = NULL;
    PVDIR_ATTRIBUTE     pAttrSecret = NULL;
    VDIR_BERVALUE       bvUPN = VDIR_BERVALUE_INIT;
    VDIR_BERVALUE       bvClearTextPassword = VDIR_BERVALUE_INIT;
    VDIR_BERVALUE       bervSecretBlob = VDIR_BERVALUE_INIT;


    if ( IsNullOrEmptyString(pszUPN)    ||
         IsNullOrEmptyString(pszClearTextPassword)
        )
    {
        dwError = VMDIR_ERROR_INVALID_PARAMETER;
        BAIL_ON_VMDIR_ERROR(dwError);
    }

    bvUPN.lberbv_val = (PSTR)pszUPN;
    bvUPN.lberbv_len = VmDirStringLenA(pszUPN);

    bvClearTextPassword.lberbv_val = (PSTR)pszClearTextPassword;
    bvClearTextPassword.lberbv_len = VmDirStringLenA(pszClearTextPassword);

    dwError = VmDirSimpleEqualFilterInternalSearch(
                    "",
                    LDAP_SCOPE_SUBTREE,
                    ATTR_KRB_UPN,
                    pszUPN,
                    &entryArray);
    BAIL_ON_VMDIR_ERROR(dwError);

    if (entryArray.iSize == 1)
    {
        pAttrSecret = VmDirFindAttrByName(&(entryArray.pEntry[0]), ATTR_SRP_SECRET);
        if (pAttrSecret)
        {
            dwError = VMDIR_ERROR_ENTRY_ALREADY_EXIST;
            BAIL_ON_VMDIR_ERROR(dwError);
        }
    }
    else
    {
        dwError = VMDIR_ERROR_DATA_CONSTRAINT_VIOLATION;
        BAIL_ON_VMDIR_ERROR(dwError);
    }

    pEntry = &(entryArray.pEntry[0]);

    dwError = VdirPasswordCheck(&bvClearTextPassword, pEntry);
    BAIL_ON_VMDIR_ERROR(dwError);

    dwError = VmDirSRPCreateSecret(&bvUPN, &bvClearTextPassword, &bervSecretBlob);
    BAIL_ON_VMDIR_ERROR(dwError);


    if (pEntry->allocType == ENTRY_STORAGE_FORMAT_PACK)
    {
        dwError = VmDirEntryUnpack( pEntry );
        BAIL_ON_VMDIR_ERROR(dwError);
    }

    dwError = VmDirInitStackOperation( &op, VDIR_OPERATION_TYPE_INTERNAL, LDAP_REQ_MODIFY, NULL);
    BAIL_ON_VMDIR_ERROR_WITH_MSG(dwError, pszLocalErrMsg, "VmDirSRPSetIdentityData: VmDirInitStackOperation failed: %u", dwError);

    op.pBEIF = VmDirBackendSelect(NULL);
    assert(op.pBEIF);

    op.reqDn.lberbv.bv_val = pEntry->dn.lberbv.bv_val;
    op.reqDn.lberbv.bv_len = pEntry->dn.lberbv.bv_len;
    op.request.modifyReq.dn.lberbv = op.reqDn.lberbv;

    dwError = VmDirAppendAMod( &op,
                               MOD_OP_ADD,
                               ATTR_SRP_SECRET,
                               ATTR_SRP_SECRET_LEN,
                               bervSecretBlob.lberbv_val,
                               bervSecretBlob.lberbv_len);
    BAIL_ON_VMDIR_ERROR(dwError);

    dwError = VmDirInternalModifyEntry(&op);
    BAIL_ON_VMDIR_ERROR(dwError);

cleanup:

    VmDirFreeBervalContent(&bervSecretBlob);
    VmDirFreeEntryArrayContent(&entryArray);
    VmDirFreeOperationContent(&op);
    return dwError;

error:

    VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL,
                     "VmDirSRPSetIdentityData (%s) failed, (%u)", VDIR_SAFE_STRING(pszUPN), dwError);
    goto cleanup;
}
Пример #4
0
int
VmDirApplyModsToEntryStruct(
    PVDIR_SCHEMA_CTX    pSchemaCtx,
    ModifyReq *         modReq,
    PVDIR_ENTRY         pEntry,
    PBOOLEAN            pbDnModified,
    PSTR*               ppszErrorMsg
    )
{
    int                 retVal = LDAP_SUCCESS;
    VDIR_MODIFICATION * currMod = NULL;
    VDIR_MODIFICATION * prevMod = NULL;
    PSTR                pszLocalErrorMsg = NULL;

    if (pSchemaCtx == NULL || modReq == NULL || pEntry == NULL || ppszErrorMsg == NULL)
    {
        retVal = VMDIR_ERROR_INVALID_PARAMETER;
        BAIL_ON_VMDIR_ERROR(retVal);
    }

    if (pEntry->allocType == ENTRY_STORAGE_FORMAT_PACK)
    {
        retVal = VmDirEntryUnpack(pEntry);
        BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg),
                                        "EntryUnpack failed failed (%s)",
                                        VDIR_SAFE_STRING(pEntry->dn.lberbv.bv_val));
    }

    for (currMod = modReq->mods; currMod != NULL; )
    {
        switch (currMod->operation)
        {
            case MOD_OP_ADD:
            {
                PVDIR_ATTRIBUTE attr = VmDirFindAttrByName(pEntry, currMod->attr.type.lberbv.bv_val);

                if (attr == NULL) // New attribute case
                {
                    retVal = AddAttrToEntryStruct(pEntry, &(currMod->attr));
                    BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg),
                                                    "AddAttrToEntryStruct failed (%s)",
                                                    VDIR_SAFE_STRING(currMod->attr.type.lberbv.bv_val));
                }
                else // Add values to an existing attribute case.
                {
                    retVal = CheckIfAnAttrValAlreadyExists(pSchemaCtx, attr, &(currMod->attr), &pszLocalErrorMsg);
                    BAIL_ON_VMDIR_ERROR(retVal);

                    retVal = AddAttrValsToEntryStruct(pEntry, attr, &(currMod->attr), &pszLocalErrorMsg);
                    BAIL_ON_VMDIR_ERROR(retVal);
                }
                prevMod = currMod;
                currMod = currMod->next;
                break;
            }
            case MOD_OP_DELETE:
            {
                PVDIR_ATTRIBUTE attr = VmDirFindAttrByName(pEntry, currMod->attr.type.lberbv.bv_val);
                if (attr == NULL) // Attribute to be deleted does not exist in the entry
                {
                    if (currMod->attr.numVals == 0) // If whole attribute is to be deleted, ignore this mod.
                    {
                        currMod->ignore = TRUE;
                    }
                    else // If some specific attribute values are to be deleted from the attribute => error case
                    {
                        retVal = VMDIR_ERROR_NO_SUCH_ATTRIBUTE;
                        BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg),
                                                        "Attribute (%s) being deleted does not exists.",
                                                        VDIR_SAFE_STRING(currMod->attr.type.lberbv.bv_val));
                    }
                }
                else
                {
                    retVal = DelAttrValsFromEntryStruct(pSchemaCtx, pEntry, &(currMod->attr), &pszLocalErrorMsg);
                    if ((retVal == VMDIR_ERROR_NO_SUCH_ATTRIBUTE) &&
                        (VmDirStringCompareA(currMod->attr.type.lberbv.bv_val, ATTR_USER_PASSWORD, FALSE) == 0))
                    {   // for user password change, the old password supplied != existing record
                        retVal = VMDIR_ERROR_USER_INVALID_CREDENTIAL;
                    }
                    BAIL_ON_VMDIR_ERROR(retVal);
                }
                prevMod = currMod;
                currMod = currMod->next;
                break;
            }
            case MOD_OP_REPLACE:
            {
                // RFC 4511: Section 4.6:
                //  replace: replace all existing values of the modification attribute with the new values listed,
                //  creating the attribute if it did not already exist. A replace with no value will delete the entire
                // attribute if it exists, and it is ignored if the attribute does not exist.

                if (currMod->attr.numVals == 0)
                {
                    currMod->operation = MOD_OP_DELETE;
                    continue; // re-process the current altered modification
                }
                else
                {
                    VDIR_MODIFICATION * newDelMod = NULL;
                    PVDIR_ATTRIBUTE attr = VmDirFindAttrByName(pEntry, currMod->attr.type.lberbv.bv_val);

                    if (attr == NULL) // New attribute case
                    {
                        currMod->operation = MOD_OP_ADD;
                        continue; // re-process the current altered modification
                    }
                    else // Real replace attribute values case
                    {
                        // If DN is being modified, may need to re-parent
                        if (VmDirStringCompareA(attr->type.lberbv.bv_val, ATTR_DN, FALSE) == 0)
                        {
                            if (pbDnModified)
                            {
                                *pbDnModified = TRUE;
                            }

                            retVal = GenerateNewParent(pEntry, &(currMod->attr));
                            BAIL_ON_VMDIR_ERROR(retVal);
                        }

                        // Setup Delete attribute and Add attribute mods. Change currMod->operation to ADD, and
                        // insert a DELETE mod for this attribute before this mod.

                        currMod->operation = MOD_OP_ADD;

                        retVal = VmDirAllocateMemory(sizeof(VDIR_MODIFICATION), (PVOID *)&newDelMod);
                        BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg), "no memory");

                        newDelMod->operation = MOD_OP_DELETE;
                        newDelMod->attr.pATDesc = currMod->attr.pATDesc;
                        newDelMod->attr.type.lberbv.bv_val = currMod->attr.type.lberbv.bv_val;
                        newDelMod->attr.type.lberbv.bv_len = currMod->attr.type.lberbv.bv_len;
                        newDelMod->next = currMod;

                        currMod = newDelMod;

                        if (prevMod == NULL)
                        {
                            modReq->mods = currMod;
                        }
                        else
                        {
                            prevMod->next = currMod;
                        }
                        continue;
                    }
                }
                break;
            }
            default:
                assert(FALSE);
        }
    }

cleanup:

    if (ppszErrorMsg)
    {
        *ppszErrorMsg = pszLocalErrorMsg;
    }
    else
    {
        VMDIR_SAFE_FREE_MEMORY(pszLocalErrorMsg);
    }

    return retVal;

error:

    goto cleanup;
}