/*
* Set vmwPasswordNeverExpires (if it doesn't have a value) to TRUE
* on the domain administrator's account.
*/
DWORD
VmDirSetAdministratorPasswordNeverExpires(
VOID
)
{
DWORD dwError = 0;
PCSTR pszDomainDn = NULL;
const CHAR szAdministrator[] = "cn=Administrator,cn=Users";
const CHAR szTrue[] = "TRUE";
PSTR pszAdministratorDn = NULL;
VDIR_OPERATION op = {0};
PSTR pszLocalErrMsg = NULL;
VDIR_ENTRY_ARRAY entryArray = {0};
PVDIR_ENTRY pEntry = NULL;
VDIR_BERVALUE bervBlob = VDIR_BERVALUE_INIT;
pszDomainDn = gVmdirServerGlobals.systemDomainDN.lberbv.bv_val;
if (pszDomainDn == NULL)
{
dwError = ERROR_INVALID_STATE;
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = VmDirAllocateStringPrintf(&pszAdministratorDn, "%s,%s", szAdministrator, pszDomainDn);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSimpleEqualFilterInternalSearch(
pszDomainDn,
LDAP_SCOPE_SUBTREE,
ATTR_DN,
pszAdministratorDn,
&entryArray);
BAIL_ON_VMDIR_ERROR(dwError);
if (entryArray.iSize != 1)
{
dwError = VMDIR_ERROR_DATA_CONSTRAINT_VIOLATION;
BAIL_ON_VMDIR_ERROR(dwError);
}
pEntry = &(entryArray.pEntry[0]);
if (pEntry->allocType == ENTRY_STORAGE_FORMAT_PACK)
{
dwError = VmDirEntryUnpack( pEntry );
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = VmDirInitStackOperation( &op, VDIR_OPERATION_TYPE_INTERNAL, LDAP_REQ_MODIFY, NULL);
BAIL_ON_VMDIR_ERROR_WITH_MSG(dwError, pszLocalErrMsg, "VmDirSetAdministratorPasswordNeverExpire: VmDirInitStackOperation failed: %u", dwError);
op.pBEIF = VmDirBackendSelect(NULL);
assert(op.pBEIF);
op.reqDn.lberbv.bv_val = pEntry->dn.lberbv.bv_val;
op.reqDn.lberbv.bv_len = pEntry->dn.lberbv.bv_len;
op.request.modifyReq.dn.lberbv = op.reqDn.lberbv;
bervBlob.lberbv.bv_val = (PSTR) szTrue;
bervBlob.lberbv.bv_len = strlen(szTrue);
dwError = VmDirAppendAMod( &op,
MOD_OP_REPLACE,
ATTR_PASSWORD_NEVER_EXPIRES,
ATTR_PASSWORD_NEVER_EXPIRES_LEN,
bervBlob.lberbv_val,
bervBlob.lberbv_len);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirInternalModifyEntry(&op);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VmDirFreeEntryArrayContent(&entryArray);
VmDirFreeOperationContent(&op);
VMDIR_SAFE_FREE_STRINGA(pszAdministratorDn);
return dwError;
error:
VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL,
"VmDirSetAdministratorPasswordNeverExpires failed, (%u)", dwError);
goto cleanup;
}
/*
* Tweak indices entry to append building flag to newly added values.
* e.g. user add a new index attribute "myuid eq unique"
* we want to save it as "myuid eq unique (buildingflag)" instead.
*/
DWORD
VdirIndexingEntryAppendFlag(
VDIR_MODIFICATION* pMods,
PVDIR_ENTRY pEntry)
{
DWORD dwError = 0;
DWORD dwCnt = 0;
PSTR pszNewStr = NULL;
PVDIR_ATTRIBUTE pAttr = NULL;
assert(pMods && pEntry && pEntry->allocType == ENTRY_STORAGE_FORMAT_NORMAL);
// unpack entry, so we can manipulate its contents.
dwError = VmDirEntryUnpack(pEntry);
BAIL_ON_VMDIR_ERROR(dwError);
pAttr = VmDirFindAttrByName(pEntry, ATTR_INDEX_DESC);
if (!pAttr)
{
dwError = ERROR_INVALID_ENTRY;
BAIL_ON_VMDIR_ERROR(dwError);
}
for (dwCnt = 0; dwCnt < pAttr->numVals; dwCnt++)
{
DWORD iIdx = 0;
for (iIdx = 0; iIdx < pMods->attr.numVals; iIdx++)
{
if (0 == VmDirStringCompareA(pAttr->vals[dwCnt].lberbv.bv_val, pMods->attr.vals[iIdx].lberbv.bv_val, FALSE))
{
dwError = VmDirAllocateStringAVsnprintf(
&pszNewStr,
"%s %s",
pAttr->vals[dwCnt].lberbv.bv_val,
ATTR_INDEX_BUILDING_FLAG);
BAIL_ON_VMDIR_ERROR(dwError);
VmDirFreeBervalArrayContent(&pAttr->vals[dwCnt], 1);
pAttr->vals[dwCnt].lberbv.bv_val = pszNewStr;
pszNewStr = NULL;
pAttr->vals[dwCnt].bOwnBvVal = TRUE;
pAttr->vals[dwCnt].lberbv.bv_len = VmDirStringLenA(pAttr->vals[dwCnt].lberbv.bv_val);
dwError = VmDirSchemaBervalNormalize(
pEntry->pSchemaCtx,
pAttr->pATDesc,
&pAttr->vals[dwCnt]);
BAIL_ON_VMDIR_ERROR(dwError);
}
}
}
cleanup:
return dwError;
error:
VMDIR_SAFE_FREE_MEMORY(pszNewStr);
goto cleanup;
}
/*
* Set SRP Identifier's secret on existing entry with Password set
*/
DWORD
VmDirSRPSetIdentityData(
PCSTR pszUPN,
PCSTR pszClearTextPassword
)
{
DWORD dwError = 0;
VDIR_OPERATION op = {0};
PSTR pszLocalErrMsg = NULL;
VDIR_ENTRY_ARRAY entryArray = {0};
PVDIR_ENTRY pEntry = NULL;
PVDIR_ATTRIBUTE pAttrSecret = NULL;
VDIR_BERVALUE bvUPN = VDIR_BERVALUE_INIT;
VDIR_BERVALUE bvClearTextPassword = VDIR_BERVALUE_INIT;
VDIR_BERVALUE bervSecretBlob = VDIR_BERVALUE_INIT;
if ( IsNullOrEmptyString(pszUPN) ||
IsNullOrEmptyString(pszClearTextPassword)
)
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
bvUPN.lberbv_val = (PSTR)pszUPN;
bvUPN.lberbv_len = VmDirStringLenA(pszUPN);
bvClearTextPassword.lberbv_val = (PSTR)pszClearTextPassword;
bvClearTextPassword.lberbv_len = VmDirStringLenA(pszClearTextPassword);
dwError = VmDirSimpleEqualFilterInternalSearch(
"",
LDAP_SCOPE_SUBTREE,
ATTR_KRB_UPN,
pszUPN,
&entryArray);
BAIL_ON_VMDIR_ERROR(dwError);
if (entryArray.iSize == 1)
{
pAttrSecret = VmDirFindAttrByName(&(entryArray.pEntry[0]), ATTR_SRP_SECRET);
if (pAttrSecret)
{
dwError = VMDIR_ERROR_ENTRY_ALREADY_EXIST;
BAIL_ON_VMDIR_ERROR(dwError);
}
}
else
{
dwError = VMDIR_ERROR_DATA_CONSTRAINT_VIOLATION;
BAIL_ON_VMDIR_ERROR(dwError);
}
pEntry = &(entryArray.pEntry[0]);
dwError = VdirPasswordCheck(&bvClearTextPassword, pEntry);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSRPCreateSecret(&bvUPN, &bvClearTextPassword, &bervSecretBlob);
BAIL_ON_VMDIR_ERROR(dwError);
if (pEntry->allocType == ENTRY_STORAGE_FORMAT_PACK)
{
dwError = VmDirEntryUnpack( pEntry );
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = VmDirInitStackOperation( &op, VDIR_OPERATION_TYPE_INTERNAL, LDAP_REQ_MODIFY, NULL);
BAIL_ON_VMDIR_ERROR_WITH_MSG(dwError, pszLocalErrMsg, "VmDirSRPSetIdentityData: VmDirInitStackOperation failed: %u", dwError);
op.pBEIF = VmDirBackendSelect(NULL);
assert(op.pBEIF);
op.reqDn.lberbv.bv_val = pEntry->dn.lberbv.bv_val;
op.reqDn.lberbv.bv_len = pEntry->dn.lberbv.bv_len;
op.request.modifyReq.dn.lberbv = op.reqDn.lberbv;
dwError = VmDirAppendAMod( &op,
MOD_OP_ADD,
ATTR_SRP_SECRET,
ATTR_SRP_SECRET_LEN,
bervSecretBlob.lberbv_val,
bervSecretBlob.lberbv_len);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirInternalModifyEntry(&op);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VmDirFreeBervalContent(&bervSecretBlob);
VmDirFreeEntryArrayContent(&entryArray);
VmDirFreeOperationContent(&op);
return dwError;
error:
VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL,
"VmDirSRPSetIdentityData (%s) failed, (%u)", VDIR_SAFE_STRING(pszUPN), dwError);
goto cleanup;
}
int
VmDirApplyModsToEntryStruct(
PVDIR_SCHEMA_CTX pSchemaCtx,
ModifyReq * modReq,
PVDIR_ENTRY pEntry,
PBOOLEAN pbDnModified,
PSTR* ppszErrorMsg
)
{
int retVal = LDAP_SUCCESS;
VDIR_MODIFICATION * currMod = NULL;
VDIR_MODIFICATION * prevMod = NULL;
PSTR pszLocalErrorMsg = NULL;
if (pSchemaCtx == NULL || modReq == NULL || pEntry == NULL || ppszErrorMsg == NULL)
{
retVal = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(retVal);
}
if (pEntry->allocType == ENTRY_STORAGE_FORMAT_PACK)
{
retVal = VmDirEntryUnpack(pEntry);
BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg),
"EntryUnpack failed failed (%s)",
VDIR_SAFE_STRING(pEntry->dn.lberbv.bv_val));
}
for (currMod = modReq->mods; currMod != NULL; )
{
switch (currMod->operation)
{
case MOD_OP_ADD:
{
PVDIR_ATTRIBUTE attr = VmDirFindAttrByName(pEntry, currMod->attr.type.lberbv.bv_val);
if (attr == NULL) // New attribute case
{
retVal = AddAttrToEntryStruct(pEntry, &(currMod->attr));
BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg),
"AddAttrToEntryStruct failed (%s)",
VDIR_SAFE_STRING(currMod->attr.type.lberbv.bv_val));
}
else // Add values to an existing attribute case.
{
retVal = CheckIfAnAttrValAlreadyExists(pSchemaCtx, attr, &(currMod->attr), &pszLocalErrorMsg);
BAIL_ON_VMDIR_ERROR(retVal);
retVal = AddAttrValsToEntryStruct(pEntry, attr, &(currMod->attr), &pszLocalErrorMsg);
BAIL_ON_VMDIR_ERROR(retVal);
}
prevMod = currMod;
currMod = currMod->next;
break;
}
case MOD_OP_DELETE:
{
PVDIR_ATTRIBUTE attr = VmDirFindAttrByName(pEntry, currMod->attr.type.lberbv.bv_val);
if (attr == NULL) // Attribute to be deleted does not exist in the entry
{
if (currMod->attr.numVals == 0) // If whole attribute is to be deleted, ignore this mod.
{
currMod->ignore = TRUE;
}
else // If some specific attribute values are to be deleted from the attribute => error case
{
retVal = VMDIR_ERROR_NO_SUCH_ATTRIBUTE;
BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg),
"Attribute (%s) being deleted does not exists.",
VDIR_SAFE_STRING(currMod->attr.type.lberbv.bv_val));
}
}
else
{
retVal = DelAttrValsFromEntryStruct(pSchemaCtx, pEntry, &(currMod->attr), &pszLocalErrorMsg);
if ((retVal == VMDIR_ERROR_NO_SUCH_ATTRIBUTE) &&
(VmDirStringCompareA(currMod->attr.type.lberbv.bv_val, ATTR_USER_PASSWORD, FALSE) == 0))
{ // for user password change, the old password supplied != existing record
retVal = VMDIR_ERROR_USER_INVALID_CREDENTIAL;
}
BAIL_ON_VMDIR_ERROR(retVal);
}
prevMod = currMod;
currMod = currMod->next;
break;
}
case MOD_OP_REPLACE:
{
// RFC 4511: Section 4.6:
// replace: replace all existing values of the modification attribute with the new values listed,
// creating the attribute if it did not already exist. A replace with no value will delete the entire
// attribute if it exists, and it is ignored if the attribute does not exist.
if (currMod->attr.numVals == 0)
{
currMod->operation = MOD_OP_DELETE;
continue; // re-process the current altered modification
}
else
{
VDIR_MODIFICATION * newDelMod = NULL;
PVDIR_ATTRIBUTE attr = VmDirFindAttrByName(pEntry, currMod->attr.type.lberbv.bv_val);
if (attr == NULL) // New attribute case
{
currMod->operation = MOD_OP_ADD;
continue; // re-process the current altered modification
}
else // Real replace attribute values case
{
// If DN is being modified, may need to re-parent
if (VmDirStringCompareA(attr->type.lberbv.bv_val, ATTR_DN, FALSE) == 0)
{
if (pbDnModified)
{
*pbDnModified = TRUE;
}
retVal = GenerateNewParent(pEntry, &(currMod->attr));
BAIL_ON_VMDIR_ERROR(retVal);
}
// Setup Delete attribute and Add attribute mods. Change currMod->operation to ADD, and
// insert a DELETE mod for this attribute before this mod.
currMod->operation = MOD_OP_ADD;
retVal = VmDirAllocateMemory(sizeof(VDIR_MODIFICATION), (PVOID *)&newDelMod);
BAIL_ON_VMDIR_ERROR_WITH_MSG(retVal, (pszLocalErrorMsg), "no memory");
newDelMod->operation = MOD_OP_DELETE;
newDelMod->attr.pATDesc = currMod->attr.pATDesc;
newDelMod->attr.type.lberbv.bv_val = currMod->attr.type.lberbv.bv_val;
newDelMod->attr.type.lberbv.bv_len = currMod->attr.type.lberbv.bv_len;
newDelMod->next = currMod;
currMod = newDelMod;
if (prevMod == NULL)
{
modReq->mods = currMod;
}
else
{
prevMod->next = currMod;
}
continue;
}
}
break;
}
default:
assert(FALSE);
}
}
cleanup:
if (ppszErrorMsg)
{
*ppszErrorMsg = pszLocalErrorMsg;
}
else
{
VMDIR_SAFE_FREE_MEMORY(pszLocalErrorMsg);
}
return retVal;
error:
goto cleanup;
}