/***********************************************************************
* ldap_add_sW (WLDAP32.@)
*
* Add an entry to a directory tree (synchronous operation).
*
* PARAMS
* ld [I] Pointer to an LDAP context.
* dn [I] DN of the entry to add.
* attrs [I] Pointer to an array of LDAPModW structures, each
* specifying an attribute and its values to add.
*
* RETURNS
* Success: LDAP_SUCCESS
* Failure: An LDAP error code.
*/
ULONG CDECL ldap_add_sW( WLDAP32_LDAP *ld, PWCHAR dn, LDAPModW *attrs[] )
{
ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED;
#ifdef HAVE_LDAP
char *dnU = NULL;
LDAPMod **attrsU = NULL;
ret = WLDAP32_LDAP_NO_MEMORY;
TRACE( "(%p, %s, %p)\n", ld, debugstr_w(dn), attrs );
if (!ld) return WLDAP32_LDAP_PARAM_ERROR;
if (dn) {
dnU = strWtoU( dn );
if (!dnU) goto exit;
}
if (attrs) {
attrsU = modarrayWtoU( attrs );
if (!attrsU) goto exit;
}
ret = map_error( ldap_add_ext_s( ld, dn ? dnU : "", attrs ? attrsU : nullattrs, NULL, NULL ));
exit:
strfreeU( dnU );
modarrayfreeU( attrsU );
#endif
return ret;
}
DWORD
VdcLdapAddGroup(
LDAP* pLd,
PCSTR pszDN,
PCSTR pszCN
)
{
DWORD dwError = 0;
PCSTR valsCn[] = {pszCN, NULL};
PCSTR valssAMActName[] = {pszCN, NULL};
PCSTR valsClass[] = {OC_TOP, OC_GROUP, NULL};
LDAPMod mod[3]={
{LDAP_MOD_ADD, ATTR_CN, {(PSTR*)valsCn}},
{LDAP_MOD_ADD, ATTR_SAM_ACCOUNT_NAME, {(PSTR*)valssAMActName}},
{LDAP_MOD_ADD, ATTR_OBJECT_CLASS, {(PSTR*)valsClass}}
};
LDAPMod* attrs[] = {&mod[0], &mod[1], &mod[2], NULL};
dwError = ldap_add_ext_s(
pLd,
pszDN,
attrs,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
return dwError;
error:
goto cleanup;
}
krb5_error_code
krb5_ldap_create_krbcontainer(krb5_context context, const char *dn)
{
LDAP *ld=NULL;
char *strval[2]={NULL}, **rdns=NULL;
LDAPMod **mods = NULL;
krb5_error_code st=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
SETUP_CONTEXT ();
/* get ldap handle */
GET_HANDLE ();
if (dn == NULL) {
st = EINVAL;
k5_setmsg(context, st, _("Kerberos Container information is missing"));
goto cleanup;
}
strval[0] = "krbContainer";
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
rdns = ldap_explode_dn(dn, 1);
if (rdns == NULL) {
st = EINVAL;
k5_setmsg(context, st, _("Invalid Kerberos container DN"));
goto cleanup;
}
strval[0] = rdns[0];
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
/* create the kerberos container */
st = ldap_add_ext_s(ld, dn, mods, NULL, NULL);
if (st == LDAP_ALREADY_EXISTS)
st = LDAP_SUCCESS;
if (st != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_ADD);
k5_setmsg(context, st, _("Kerberos Container create FAILED: %s"),
ldap_err2string(ost));
goto cleanup;
}
cleanup:
if (rdns)
ldap_value_free (rdns);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
}
int LDAPAdd::run()
{
LDAPMod **mods = LDAPService::BuildMods(attributes);
int i = ldap_add_ext_s(service->GetConnection(), dn.c_str(), mods, NULL, NULL);
LDAPService::FreeMods(mods);
return i;
}
krb5_error_code ipadb_simple_add(struct ipadb_context *ipactx,
char *dn, LDAPMod **mods)
{
int ret;
ret = ldap_add_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
/* first test if we need to retry to connect */
if (ret != 0 &&
ipadb_need_retry(ipactx, ret)) {
ret = ldap_add_ext_s(ipactx->lcontext, dn, mods, NULL, NULL);
}
return ipadb_simple_ldap_to_kerr(ret);
}
DWORD
VdcLdapAddContainer(
LDAP* pLd,
PCSTR pszDN,
PCSTR pszCN
)
{
DWORD dwError = 0;
PCSTR valsCn[] = {pszCN, NULL};
PCSTR valsClass[] = {OC_TOP, OC_CONTAINER, NULL};
LDAPMod mod[2]={
{LDAP_MOD_ADD, ATTR_CN, {(PSTR*)valsCn}},
{LDAP_MOD_ADD, ATTR_OBJECT_CLASS, {(PSTR*)valsClass}}
};
LDAPMod* attrs[] = {&mod[0], &mod[1], NULL};
dwError = ldap_add_ext_s(
pLd,
pszDN,
attrs,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
return dwError;
error:
goto cleanup;
}
/* ARGSUSED */
int _ns_ldap_add_ext_s(char *service, int flags,
char *dn, LDAPMod **attrs,
LDAPControl ** serverctrls, LDAPControl **clientctrls)
{
LDAP *ld = __s_api_getLDAPconn(flags);
return (ldap_add_ext_s(ld, dn, attrs, serverctrls, clientctrls));
}
DWORD
VmDirTestCreateContainer(
PVMDIR_TEST_STATE pState,
PCSTR pszContainer,
PCSTR pszAcl /* OPTIONAL */
)
{
DWORD dwError = 0;
PCSTR valsCn[] = {pszContainer, NULL};
PCSTR valsClass[] = {"top", "container", NULL};
PCSTR valsAcl[] = {pszAcl, NULL};
PSTR pszDN = NULL;
LDAPMod mod[]={
{LDAP_MOD_ADD, ATTR_CN, {(PSTR*)valsCn}},
{LDAP_MOD_ADD, ATTR_OBJECT_CLASS, {(PSTR*)valsClass}},
{LDAP_MOD_ADD, ATTR_ACL_STRING, {(PSTR*)valsAcl}},
};
LDAPMod *attrs[] = {&mod[0], &mod[1], &mod[2], NULL};
if (IsNullOrEmptyString(pszContainer))
{
valsCn[0] = VmDirTestGetTestContainerCn(pState);
dwError = VmDirAllocateStringPrintf(
&pszDN,
"cn=%s,%s",
VmDirTestGetTestContainerCn(pState),
pState->pszBaseDN);
BAIL_ON_VMDIR_ERROR(dwError);
}
else
{
dwError = VmDirAllocateStringPrintf(
&pszDN,
"cn=%s,cn=%s,%s",
pszContainer,
VmDirTestGetTestContainerCn(pState),
pState->pszBaseDN);
BAIL_ON_VMDIR_ERROR(dwError);
}
if (IsNullOrEmptyString(pszAcl))
{
attrs[2] = NULL;
}
dwError = ldap_add_ext_s(
pState->pLd, pszDN, attrs, NULL, NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VMDIR_SAFE_FREE_STRINGA(pszDN);
return dwError;
error:
goto cleanup;
}
static
DWORD
VMCACreateCAObject(
PVMCA_LDAP_CONTEXT pContext,
PCSTR pszCACN,
PCSTR pszCADN
)
{
DWORD dwError = 0;
PSTR ppszObjectClassValues[] =
{
"vmwCertificationAuthority",
"pkiCA",
"top",
NULL
};
char* modv_cn[] = { (PSTR)pszCACN, NULL };
LDAPMod mod_object = {0};
LDAPMod mod_cn = {0};
LDAPMod *mods[] = { &mod_object, &mod_cn, NULL };
mod_cn.mod_op = LDAP_MOD_ADD;
mod_cn.mod_type = ATTR_CN;
mod_cn.mod_values = modv_cn;
mod_object.mod_op = LDAP_MOD_ADD;
mod_object.mod_type = ATTR_OBJECTCLASS;
mod_object.mod_values = ppszObjectClassValues;
dwError = ldap_add_ext_s(
pContext->pConnection,
(PSTR)pszCADN,
mods,
NULL,
NULL
);
BAIL_ON_ERROR(dwError);
cleanup:
return dwError;
error :
goto cleanup;
}
/***********************************************************************
* ldap_add_ext_sW (WLDAP32.@)
*
* Add an entry to a directory tree (synchronous operation).
*
* PARAMS
* ld [I] Pointer to an LDAP context.
* dn [I] DN of the entry to add.
* attrs [I] Pointer to an array of LDAPModW structures, each
* specifying an attribute and its values to add.
* serverctrls [I] Array of LDAP server controls.
* clientctrls [I] Array of LDAP client controls.
*
* RETURNS
* Success: LDAP_SUCCESS
* Failure: An LDAP error code.
*
* NOTES
* The serverctrls and clientctrls parameters are optional and
* should be set to NULL if not used.
*/
ULONG CDECL ldap_add_ext_sW( WLDAP32_LDAP *ld, PWCHAR dn, LDAPModW *attrs[],
PLDAPControlW *serverctrls, PLDAPControlW *clientctrls )
{
ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED;
#ifdef HAVE_LDAP
char *dnU = NULL;
LDAPMod **attrsU = NULL;
LDAPControl **serverctrlsU = NULL, **clientctrlsU = NULL;
ret = WLDAP32_LDAP_NO_MEMORY;
TRACE( "(%p, %s, %p, %p, %p)\n", ld, debugstr_w(dn), attrs,
serverctrls, clientctrls );
if (!ld) return WLDAP32_LDAP_PARAM_ERROR;
if (dn) {
dnU = strWtoU( dn );
if (!dnU) goto exit;
}
if (attrs) {
attrsU = modarrayWtoU( attrs );
if (!attrsU) goto exit;
}
if (serverctrls) {
serverctrlsU = controlarrayWtoU( serverctrls );
if (!serverctrlsU) goto exit;
}
if (clientctrls) {
clientctrlsU = controlarrayWtoU( clientctrls );
if (!clientctrlsU) goto exit;
}
ret = map_error( ldap_add_ext_s( ld, dn ? dnU : "", attrs ? attrsU : nullattrs,
serverctrlsU, clientctrlsU ));
exit:
strfreeU( dnU );
modarrayfreeU( attrsU );
controlarrayfreeU( serverctrlsU );
controlarrayfreeU( clientctrlsU );
#endif
return ret;
}
DWORD
VmDirTestCreateClass(
PVMDIR_TEST_STATE pState,
PCSTR pszClassName
)
{
DWORD dwError = 0;
PCSTR valsCn[] = {pszClassName, NULL};
PCSTR valsClass[] = {"classschema", NULL};
PCSTR valsSubclass[] = {OC_TOP, NULL};
PCSTR valsGovernsId[] = {"111.111.4.001", NULL};
PCSTR valsCategory[] = {"1", NULL};
PSTR pszDN = NULL;
LDAPMod mod[]={
{LDAP_MOD_ADD, ATTR_CN, {(PSTR*)valsCn}},
{LDAP_MOD_ADD, ATTR_OBJECT_CLASS, {(PSTR*)valsClass}},
{LDAP_MOD_ADD, "governsid", {(PSTR*)valsGovernsId}},
{LDAP_MOD_ADD, "objectclasscategory", {(PSTR*)valsCategory}},
{LDAP_MOD_ADD, "subclassof", {(PSTR*)valsSubclass}},
};
LDAPMod *attrs[] = {&mod[0], &mod[1], &mod[2], &mod[3], &mod[4], NULL};
dwError = VmDirAllocateStringPrintf(
&pszDN,
"cn=%s,cn=schemacontext",
pszClassName);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = ldap_add_ext_s(
pState->pLd,
pszDN,
attrs,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VMDIR_SAFE_FREE_STRINGA(pszDN);
return dwError;
error:
goto cleanup;
}
DWORD
VmDirTestCreateObjectByDNPrefix(
PVMDIR_TEST_STATE pState,
PCSTR pszDNPrefix,
PCSTR pszClassName
)
{
DWORD dwError = 0;
PSTR pszCN = NULL;
PSTR pszDN = NULL;
PSTR valsCn[] = { NULL, NULL };
PSTR valsClass[] = { NULL, NULL };
LDAPMod mod[]=
{
{ LDAP_MOD_ADD, ATTR_CN, { valsCn } },
{ LDAP_MOD_ADD, ATTR_OBJECT_CLASS, { valsClass } },
};
LDAPMod *attrs[] = {&mod[0], &mod[1], NULL};
dwError = VmDirDnLastRDNToCn(pszDNPrefix, &pszCN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirAllocateStringPrintf(
&pszDN, "%s,%s", pszDNPrefix, pState->pszBaseDN);
BAIL_ON_VMDIR_ERROR(dwError);
valsCn[0] = pszCN;
valsClass[0] = (PSTR)pszClassName;
dwError = ldap_add_ext_s(pState->pLd, pszDN, attrs, NULL, NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VMDIR_SAFE_FREE_STRINGA(pszCN);
VMDIR_SAFE_FREE_STRINGA(pszDN);
return dwError;
error:
goto cleanup;
}
/* Preform a LDAP add or modify operation depend on the `mod` parameter. */
PyObject *
add_or_modify(LDAPEntry *self, int mod) {
int rc = -1;
char *dnstr = NULL;
LDAPMod **mods = NULL;
PyObject *tmp;
/* Get DN string. */
tmp = PyObject_Str(self->dn);
dnstr = PyObject2char(tmp);
Py_DECREF(tmp);
if (dnstr == NULL || strlen(dnstr) == 0) {
PyErr_SetString(PyExc_AttributeError, "Missing distinguished name.");
return NULL;
}
mods = LDAPEntry_CreateLDAPMods(self);
if (mods == NULL) {
PyErr_SetString(PyExc_MemoryError, "Create LDAPMods is failed.");
return NULL;
}
if (mod == 0) {
rc = ldap_add_ext_s(self->client->ld, dnstr, mods, NULL, NULL);
} else {
rc = ldap_modify_ext_s(self->client->ld, dnstr, mods, NULL, NULL);
}
if (rc != LDAP_SUCCESS) {
//TODO Proper errors
PyObject *ldaperror = get_error("LDAPError");
PyErr_SetString(ldaperror, ldap_err2string(rc));
Py_DECREF(ldaperror);
LDAPEntry_DismissLDAPMods(self, mods);
free(dnstr);
return NULL;
}
free(dnstr);
LDAPEntry_DismissLDAPMods(self, mods);
return Py_None;
}
DWORD
VmDirTestCreateObject(
PVMDIR_TEST_STATE pState,
PCSTR pszContainer,
PCSTR pszClassName,
PCSTR pszObjectName
)
{
DWORD dwError = 0;
PCSTR valsCn[] = {pszObjectName, NULL};
PCSTR valsClass[] = {"classschema", NULL};
PSTR pszDN = NULL;
LDAPMod mod[]={
{LDAP_MOD_ADD, ATTR_CN, {(PSTR*)valsCn}},
{LDAP_MOD_ADD, ATTR_OBJECT_CLASS, {(PSTR*)valsClass}},
};
LDAPMod *attrs[] = {&mod[0], &mod[1], NULL};
dwError = VmDirAllocateStringPrintf(
&pszDN,
"cn=%s,cn=%s,cn=%s,%s",
pszClassName,
pszContainer,
VmDirTestGetTestContainerCn(pState),
pState->pszBaseDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = ldap_add_ext_s(pState->pLd, pszDN, attrs, NULL, NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VMDIR_SAFE_FREE_STRINGA(pszDN);
return dwError;
error:
goto cleanup;
}
int ldap_do_add(const char *account, const char *crypted, const char *email)
{
char newdn[MAXLEN];
LDAPMod **mods;
int rc, i;
int num_mods;
char *passbuf = NULL;
if(!admin_bind && LDAP_SUCCESS != ( rc = ldap_do_admin_bind())) {
log_module(MAIN_LOG, LOG_ERROR, "failed to bind as admin");
return rc;
}
if (crypted != NULL)
passbuf = make_password(crypted);
snprintf(newdn, MAXLEN-1, nickserv_conf.ldap_dn_fmt, account);
mods = make_mods_add(account, (crypted != NULL ? passbuf : crypted), email, &num_mods);
if(!mods) {
log_module(MAIN_LOG, LOG_ERROR, "Error building mods for ldap_add");
return LDAP_OTHER;
}
rc = ldap_add_ext_s(ld, newdn, mods, NULL, NULL);
if(rc != LDAP_SUCCESS && rc!= LDAP_ALREADY_EXISTS) {
log_module(MAIN_LOG, LOG_ERROR, "Error adding ldap account: %s -- %s", account, ldap_err2string(rc));
// return rc;
}
//ldap_unbind_s(ld);
for(i = 0; i < num_mods; i++) {
free(mods[i]->mod_type);
free(mods[i]);
}
free(mods);
if (crypted != NULL)
free(passbuf);
return rc;
}
static krb5_error_code
LDAP_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
{
LDAPMod **mods = NULL;
krb5_error_code ret;
const char *errfn;
int rc;
LDAPMessage *msg = NULL, *e = NULL;
char *dn = NULL, *name = NULL;
ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
if (ret == 0)
e = ldap_first_entry(HDB2LDAP(db), msg);
ret = krb5_unparse_name(context, entry->entry.principal, &name);
if (ret) {
free(name);
return ret;
}
ret = hdb_seal_keys(context, db, &entry->entry);
if (ret)
goto out;
/* turn new entry into LDAPMod array */
ret = LDAP_entry2mods(context, db, entry, e, &mods);
if (ret)
goto out;
if (e == NULL) {
ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
if (ret < 0) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "asprintf: out of memory");
goto out;
}
} else if (flags & HDB_F_REPLACE) {
/* Entry exists, and we're allowed to replace it. */
dn = ldap_get_dn(HDB2LDAP(db), e);
} else {
/* Entry exists, but we're not allowed to replace it. Bail. */
ret = HDB_ERR_EXISTS;
goto out;
}
/* write entry into directory */
if (e == NULL) {
/* didn't exist before */
rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
errfn = "ldap_add_ext_s";
} else {
/* already existed, send deltas only */
rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
errfn = "ldap_modify_ext_s";
}
if (check_ldap(context, db, rc)) {
char *ld_error = NULL;
ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
&ld_error);
ret = HDB_ERR_CANT_LOCK_DB;
krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",
errfn, name, dn, ldap_err2string(rc), ld_error);
} else
ret = 0;
out:
/* free stuff */
if (dn)
free(dn);
if (msg)
ldap_msgfree(msg);
if (mods)
ldap_mods_free(mods, 1);
if (name)
free(name);
return ret;
}
krb5_error_code
krb5_ldap_create_krbcontainer(krb5_context context,
const
krb5_ldap_krbcontainer_params *krbcontparams)
{
LDAP *ld=NULL;
char *strval[2]={NULL}, *kerberoscontdn=NULL, **rdns=NULL;
int pmask=0;
LDAPMod **mods = NULL;
krb5_error_code st=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
SETUP_CONTEXT ();
/* get ldap handle */
GET_HANDLE ();
if (krbcontparams != NULL && krbcontparams->DN != NULL) {
kerberoscontdn = krbcontparams->DN;
} else {
st = EINVAL;
krb5_set_error_message(context, st,
_("Kerberos Container information is missing"));
goto cleanup;
}
strval[0] = "krbContainer";
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
rdns = ldap_explode_dn(kerberoscontdn, 1);
if (rdns == NULL) {
st = EINVAL;
krb5_set_error_message(context, st,
_("Invalid Kerberos container DN"));
goto cleanup;
}
strval[0] = rdns[0];
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
/* check if the policy reference value exists and is of krbticketpolicyreference object class */
if (krbcontparams && krbcontparams->policyreference) {
st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass,
&pmask);
CHECK_CLASS_VALIDITY(st, pmask, _("ticket policy object value: "));
strval[0] = krbcontparams->policyreference;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD,
strval)) != 0)
goto cleanup;
}
/* create the kerberos container */
if ((st = ldap_add_ext_s(ld, kerberoscontdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st,
_("Kerberos Container create FAILED: %s"),
ldap_err2string(ost));
goto cleanup;
}
cleanup:
if (rdns)
ldap_value_free (rdns);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
}
static void *
do_onerwthread( void *arg )
{
int i, j, thisconn;
LDAP **mlds, *ld;
char thrstr[BUFSIZ];
char dn[256], uids[32], cns[32], *base;
LDAPMod *attrp[5], attrs[4];
char *oc_vals[] = { "top", "OpenLDAPperson", NULL };
char *cn_vals[] = { NULL, NULL };
char *sn_vals[] = { NULL, NULL };
char *uid_vals[] = { NULL, NULL };
int ret;
int adds = 0;
int dels = 0;
int rc, refcnt = 0;
int idx = (ldap_pvt_thread_t *)arg - rtid;
mlds = (LDAP **) calloc( sizeof(LDAP *), noconns);
if (mlds == NULL) {
thread_error( idx, "Memory error: thread calloc for noconns" );
exit( EXIT_FAILURE );
}
snprintf(uids, sizeof(uids), "rwtest%04d", idx);
snprintf(cns, sizeof(cns), "rwtest%04d", idx);
/* add setup */
for (i = 0; i < 4; i++) {
attrp[i] = &attrs[i];
attrs[i].mod_op = 0;
}
attrp[4] = NULL;
attrs[0].mod_type = "objectClass";
attrs[0].mod_values = oc_vals;
attrs[1].mod_type = "cn";
attrs[1].mod_values = cn_vals;
cn_vals[0] = &cns[0];
attrs[2].mod_type = "sn";
attrs[2].mod_values = sn_vals;
sn_vals[0] = &cns[0];
attrs[3].mod_type = "uid";
attrs[3].mod_values = uid_vals;
uid_vals[0] = &uids[0];
for ( j = 0; j < outerloops; j++ ) {
for(i = 0; i < noconns; i++) {
mlds[i] = ldap_dup(lds[i]);
if (mlds[i] == NULL) {
thread_error( idx, "ldap_dup error" );
}
}
rc = ldap_get_option(mlds[0], LDAP_OPT_SESSION_REFCNT, &refcnt);
snprintf(thrstr, BUFSIZ,
"RW Thread conns: %d refcnt: %d (rc = %d)",
noconns, refcnt, rc);
thread_verbose(idx, thrstr);
thisconn = (idx + j) % noconns;
if (thisconn < 0 || thisconn >= noconns)
thisconn = 0;
if (mlds[thisconn] == NULL) {
thread_error( idx, "(failed to dup)");
tester_perror( "ldap_dup", "(failed to dup)" );
exit( EXIT_FAILURE );
}
snprintf(thrstr, BUFSIZ, "START RW Thread using conn %d", thisconn);
thread_verbose(idx, thrstr);
ld = mlds[thisconn];
if (entry != NULL)
base = entry;
else
base = DEFAULT_BASE;
snprintf(dn, 256, "cn=%s,%s", cns, base);
adds = 0;
dels = 0;
for (i = 0; i < loops; i++) {
ret = ldap_add_ext_s(ld, dn, &attrp[0], NULL, NULL);
if (ret == LDAP_SUCCESS) {
adds++;
ret = ldap_delete_ext_s(ld, dn, NULL, NULL);
if (ret == LDAP_SUCCESS) {
dels++;
rt_pass[idx]++;
} else {
thread_output(idx, ldap_err2string(ret));
rt_fail[idx]++;
}
} else {
thread_output(idx, ldap_err2string(ret));
rt_fail[idx]++;
}
}
snprintf(thrstr, BUFSIZ,
"INNER STOP RW Thread using conn %d (%d/%d)",
thisconn, adds, dels);
thread_verbose(idx, thrstr);
for(i = 0; i < noconns; i++) {
(void) ldap_destroy(mlds[i]);
mlds[i] = NULL;
}
}
free( mlds );
return( NULL );
}
static void *add_thread(char *id) {
LDAPMod mod[4];
LDAPMod *mods[5];
char dn[BUFSIZ], name[40];
char *cnvals[2], *snvals[2], *pwdvals[2], *ocvals[3];
int i, rc, opcount;
void *voidrc = (void *)0;
printf("Starting add_thread %s.\n", id);
opcount = 0;
tsd_setup();
for (i = 0; i < 4; i++) {
mods[i] = &mod[i];
}
mods[4] = NULL;
mod[0].mod_op = 0;
mod[0].mod_type = "cn";
mod[0].mod_values = cnvals;
cnvals[1] = NULL;
mod[1].mod_op = 0;
mod[1].mod_type = "sn";
mod[1].mod_values = snvals;
snvals[1] = NULL;
mod[2].mod_op = 0;
mod[2].mod_type = "objectclass";
mod[2].mod_values = ocvals;
ocvals[0] = "top";
ocvals[1] = "person";
ocvals[2] = NULL;
mod[3].mod_op = 0;
mod[3].mod_type = "userPassword";
mod[3].mod_values = pwdvals;
pwdvals[1] = NULL;
mods[4] = NULL;
for (;;) {
sprintf(name, "%d", get_random_id());
sprintf(dn, "cn=%s, " BASE, name);
cnvals[0] = name;
snvals[0] = name;
pwdvals[0] = name;
printf("Thread %s: Adding entry (%s)\n", id, dn);
rc = ldap_add_ext_s(ld, dn, mods, NULL, NULL);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "ldap_add_ext_s: %s\n", ldap_err2string(rc));
if (rc == LDAP_SERVER_DOWN) {
perror("ldap_add_ext_s");
voidrc = (void *)1;
goto add_cleanup_and_return;
}
}
++opcount;
if (maxops != 0 && opcount >= maxops) {
break;
}
}
add_cleanup_and_return:
printf("Thread %s: attempted %d add operations\n", id, opcount);
set_ld_error(0, NULL, NULL, NULL); /* disposes of memory */
tsd_cleanup();
free(id);
return voidrc;
}
static int at_add(AddThread *at)
{
LDAPMod *attrs[10];
LDAPMod attr_cn, attr_sn, attr_givenname,
attr_objectclass, attr_uid, attr_mail, attr_telephonenumber,
attr_audio, attr_password;
struct berval audio_berval;
struct berval *audio_values[2];
char dn[100], uid[10], telno[20], *sn, *givenname, cn[50], mail[50];
char *cn_values[2], *sn_values[2], *givenname_values[2];
char *uid_values[2], *mail_values[2], *telno_values[2];
#if 1
char *objectclass_values[] = { "top", "person", "organizationalPerson",
"inetOrgPerson", NULL };
#else
char *objectclass_values[] = { "inetOrgPerson", NULL };
#endif
int ret;
/* make up the strings */
sprintf(uid, "%lu", getID());
at_random_tel_number(telno);
sn = nt_getrand(family_names);
givenname = nt_getrand(given_names);
sprintf(cn, "%s %s %s", givenname, sn, uid);
sprintf(mail, "*****@*****.**", givenname, uid);
sprintf(dn, "cn=%s,%s", cn, suffix);
cn_values[0] = cn;
cn_values[1] = NULL;
sn_values[0] = sn;
sn_values[1] = NULL;
givenname_values[0] = givenname;
givenname_values[1] = NULL;
uid_values[0] = uid;
uid_values[1] = NULL;
mail_values[0] = mail;
mail_values[1] = NULL;
telno_values[0] = telno;
telno_values[1] = NULL;
attrs[0] = &attr_objectclass;
attrs[1] = &attr_cn;
attrs[2] = &attr_sn;
attrs[3] = &attr_givenname;
attrs[4] = &attr_uid;
attrs[5] = &attr_password;
attrs[6] = &attr_mail;
attrs[7] = &attr_telephonenumber;
if (blobsize > 0) {
audio_values[0] = &audio_berval;
audio_values[1] = 0;
audio_berval.bv_len = (blobsize > 32000) ?
((long)rand() * 1039) % blobsize :
(rand() % blobsize);
audio_berval.bv_val = at->blob;
attr_audio.mod_op = LDAP_MOD_BVALUES;
attr_audio.mod_type = "audio";
attr_audio.mod_values = (char **)&audio_values;
attrs[8] = &attr_audio;
attrs[9] = 0;
}
else
attrs[8] = 0;
attr_cn.mod_op = LDAP_MOD_ADD;
attr_cn.mod_type = "cn";
attr_cn.mod_values = cn_values;
attr_sn.mod_op = LDAP_MOD_ADD;
attr_sn.mod_type = "sn";
attr_sn.mod_values = sn_values;
attr_givenname.mod_op = LDAP_MOD_ADD;
attr_givenname.mod_type = "givenname";
attr_givenname.mod_values = givenname_values;
attr_objectclass.mod_op = LDAP_MOD_ADD;
attr_objectclass.mod_type = "objectClass";
attr_objectclass.mod_values = objectclass_values;
attr_uid.mod_op = LDAP_MOD_ADD;
attr_uid.mod_type = "uid";
attr_uid.mod_values = uid_values;
attr_password.mod_op = LDAP_MOD_ADD;
attr_password.mod_type = "userpassword";
attr_password.mod_values = uid_values;
attr_mail.mod_op = LDAP_MOD_ADD;
attr_mail.mod_type = "mail";
attr_mail.mod_values = mail_values;
attr_telephonenumber.mod_op = LDAP_MOD_ADD;
attr_telephonenumber.mod_type = "telephonenumber";
attr_telephonenumber.mod_values = telno_values;
#if 0
for (i = 0; attrs[i]; i++) {
fprintf(stderr, "attr '%s': ", attrs[i]->mod_type);
if (strcasecmp(attrs[i]->mod_type, "audio") == 0)
fprintf(stderr, "binary data len=%lu\n", ((struct berval **)(attrs[i]->mod_values))[0]->bv_len);
else
fprintf(stderr, "'%s'\n", attrs[i]->mod_values[0]);
}
#endif
ret = ldap_add_ext_s(at->ld, dn, attrs, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, "T%d: failed to add, error = %d\n", at->id, ret);
}
return ret;
}
/**
* Add new contact to LDAP
*
* \param server AddressBook resource
* \param contact GHashTable with object to add
*/
void ldapsvr_add_contact(LdapServer *server, GHashTable *contact) {
gchar *email = NULL, *param = NULL;
LDAP *ld = NULL;
LDAPMod *mods[MODSIZE];
LDAPMod modarr[7];
gint cnt = 0;
char *cn[] = {NULL, NULL};
char *displayName[] = {NULL, NULL};
char *givenName[] = {NULL, NULL};
char **mail = NULL;
char *sn[] = {NULL, NULL};
char *org[] = {NULL, NULL};
char *obj[] = {/*"top",*/ "person", "organizationalPerson", "inetOrgPerson", NULL};
int rc=0;
GList *node;
AttrKeyValue *ou, *commonName;
ItemPerson *person;
gchar *base_dn;
GList *mailList;
cm_return_if_fail(server != NULL || contact != NULL);
node = g_hash_table_lookup(contact , "mail");
if (node) {
EmailKeyValue *newEmail = node->data;
email = g_strdup(newEmail->mail);
}
if (email == NULL) {
server->retVal = LDAPRC_NODN;
clean_up(ld, server, contact);
return;
}
base_dn = g_strdup_printf("mail=%s,%s",
email, server->control->baseDN?server->control->baseDN:"null");
g_free(email);
person =
ldapsvr_get_contact(server, g_hash_table_lookup(contact , "uid"));
person->externalID = g_strdup(base_dn);
debug_print("dn: %s\n", base_dn);
ld = ldapsvr_connect(server->control);
if (ld == NULL) {
clean_up(ld, server, contact);
debug_print("no ldap found\n");
return;
}
SETMODS(mods[cnt], modarr[cnt], LDAP_MOD_ADD, "objectClass", obj);
cnt++;
ou = get_ou(base_dn);
if (ou != NULL) {
SETMOD(mods[cnt], modarr[cnt], LDAP_MOD_ADD, g_strdup(ou->key), org, g_strdup(ou->value));
cnt++;
attrkeyvalue_free(ou);
}
commonName = get_cn(base_dn);
if (commonName == NULL) {
param = g_hash_table_lookup(contact , "cn");
if (param) {
SETMOD(mods[cnt], modarr[cnt], LDAP_MOD_ADD, "cn", cn, param);
}
else {
clean_up(ld, server, contact);
debug_print("no CN found\n");
return;
}
}
else {
SETMOD(mods[cnt], modarr[cnt], LDAP_MOD_ADD, g_strdup(commonName->key), cn, g_strdup(commonName->value));
cnt++;
param = g_hash_table_lookup(contact , "cn");
SETMOD(mods[cnt], modarr[cnt], LDAP_MOD_ADD, "displayName", displayName, param);
g_hash_table_insert(contact, "displayName", param);
attrkeyvalue_free(commonName);
}
cnt++;
param = g_hash_table_lookup(contact , "givenName");
if (param) {
SETMOD(mods[cnt], modarr[cnt], LDAP_MOD_ADD, "givenName", givenName, param);
cnt++;
}
mailList = g_hash_table_lookup(contact , "mail");
if (mailList) {
char **tmp;
tmp = g_malloc(sizeof(*tmp) * (g_list_length(mailList)+1));
mail = tmp;
while (mailList) {
EmailKeyValue *item = mailList->data;
*tmp++ = g_strdup((gchar *) item->mail);
mailList = g_list_next(mailList);
}
*tmp = NULL;
SETMODS(mods[cnt], modarr[cnt], LDAP_MOD_ADD, "mail", mail);
cnt++;
}
param = g_hash_table_lookup(contact, "sn");
if (param == NULL)
param = g_strdup(N_("Some SN"));
SETMOD(mods[cnt], modarr[cnt], LDAP_MOD_ADD, "sn", sn, param);
cnt++;
mods[cnt] = NULL;
if (debug_get_mode()) {
ldapsvr_print_ldapmod(mods);
}
server->retVal = LDAPRC_SUCCESS;
rc = ldap_add_ext_s(ld, base_dn, mods, NULL, NULL);
if (rc) {
switch (rc) {
case LDAP_ALREADY_EXISTS:
server->retVal = LDAPRC_ALREADY_EXIST;
break;
default:
g_printerr("ldap_modify for dn=%s\" failed[0x%x]: %s\n",
base_dn, rc, ldaputil_get_error(ld));
if (rc == 0x8)
server->retVal = LDAPRC_STRONG_AUTH;
else
server->retVal = LDAPRC_NAMING_VIOLATION;
}
}
ldapsvr_handle_other_attributes(ld, server, base_dn, contact);
g_free(base_dn);
clean_up(ld, server, contact);
}
krb5_error_code
krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
int mask)
{
LDAP *ld=NULL;
krb5_error_code st=0;
char *dn=NULL;
char *strval[4]={NULL};
char *contref[2]={NULL};
LDAPMod **mods = NULL;
int i=0, objectmask=0, subtreecount=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
char *realm_name;
SETUP_CONTEXT ();
/* Check input validity ... */
if (ldap_context->container_dn == NULL ||
rparams == NULL ||
rparams->realm_name == NULL ||
((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
((mask & LDAP_REALM_CONTREF) && rparams->containerref == NULL) ||
0) {
st = EINVAL;
return st;
}
/* get ldap handle */
GET_HANDLE ();
realm_name = rparams->realm_name;
if (asprintf(&dn, "cn=%s,%s", realm_name, ldap_context->container_dn) < 0)
dn = NULL;
CHECK_NULL(dn);
strval[0] = realm_name;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
strval[0] = "top";
strval[1] = "krbrealmcontainer";
strval[2] = "krbticketpolicyaux";
strval[3] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
/* SUBTREE ATTRIBUTE */
if (mask & LDAP_REALM_SUBTREE) {
if ( rparams->subtree!=NULL) {
subtreecount = rparams->subtreecount;
for (i=0; rparams->subtree[i]!=NULL && i<subtreecount; i++) {
if (strlen(rparams->subtree[i]) != 0) {
st = checkattributevalue(ld, rparams->subtree[i], "Objectclass", subtreeclass,
&objectmask);
CHECK_CLASS_VALIDITY(st, objectmask,
_("realm object value: "));
}
}
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbsubtrees", LDAP_MOD_ADD,
rparams->subtree)) != 0) {
goto cleanup;
}
}
}
/* CONTAINER REFERENCE ATTRIBUTE */
if (mask & LDAP_REALM_CONTREF) {
if (strlen(rparams->containerref) != 0 ) {
st = checkattributevalue(ld, rparams->containerref, "Objectclass", subtreeclass,
&objectmask);
CHECK_CLASS_VALIDITY(st, objectmask, "realm object value: ");
contref[0] = rparams->containerref;
contref[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbPrincContainerRef", LDAP_MOD_ADD,
contref)) != 0)
goto cleanup;
}
}
/* SEARCHSCOPE ATTRIBUTE */
if (mask & LDAP_REALM_SEARCHSCOPE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbsearchscope", LDAP_MOD_ADD,
(rparams->search_scope == LDAP_SCOPE_ONELEVEL
|| rparams->search_scope == LDAP_SCOPE_SUBTREE) ?
rparams->search_scope : LDAP_SCOPE_SUBTREE)) != 0)
goto cleanup;
}
if (mask & LDAP_REALM_MAXRENEWLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxRenewableAge", LDAP_MOD_ADD,
rparams->max_renewable_life)) != 0)
goto cleanup;
}
/* krbMaxTicketLife ATTRIBUTE */
if (mask & LDAP_REALM_MAXTICKETLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbMaxTicketLife", LDAP_MOD_ADD,
rparams->max_life)) != 0)
goto cleanup;
}
/* krbTicketFlags ATTRIBUTE */
if (mask & LDAP_REALM_KRBTICKETFLAGS) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbTicketFlags", LDAP_MOD_ADD,
rparams->tktflags)) != 0)
goto cleanup;
}
/* realm creation operation */
if ((st=ldap_add_ext_s(ld, dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_ADD);
goto cleanup;
}
cleanup:
if (dn)
free(dn);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
int
ldap_add_s( LDAP *ld, LDAP_CONST char *dn, LDAPMod **attrs )
{
return ldap_add_ext_s( ld, dn, attrs, NULL, NULL );
}
DWORD
_VmDirTestCreateTestContainer(
PVMDIR_TEST_STATE pState
)
{
DWORD dwError = 0;
PCSTR valsCn[] = {DEFAULT_TEST_CONTAINER_NAME, NULL};
PCSTR valsClass[] = {OC_TOP, OC_CONTAINER, NULL};
PCSTR valsAcl[] = {NULL, NULL};
PSTR pszDN = NULL;
PSTR pszDomainSid = NULL;
PSTR pszAclString = NULL;
PSTR pszLimitedUserSid = NULL;
LDAPMod mod[] = {
{LDAP_MOD_ADD, ATTR_CN, {(PSTR*)valsCn}},
{LDAP_MOD_ADD, ATTR_OBJECT_CLASS, {(PSTR*)valsClass}},
{LDAP_MOD_ADD, ATTR_ACL_STRING, {(PSTR*)valsAcl}},
};
LDAPMod *attrs[] = {&mod[0], &mod[1], &mod[2], NULL};
dwError = VmDirAllocateStringPrintf(
&pszDN,
"cn=%s,%s",
DEFAULT_TEST_CONTAINER_NAME,
pState->pszBaseDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirTestGetDomainSid(pState, pState->pszBaseDN, &pszDomainSid);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirTestGetUserSid(pState, VmDirTestGetInternalUserCn(pState), NULL, &pszLimitedUserSid);
BAIL_ON_VMDIR_ERROR(dwError);
// O:%s-500G:BAD:(A;;RPWP;;;S-1-7-32-666)(A;;GXNRNWGXCCDCRPWP;;;BA)(A;;GXNRNWGXCCDCRPWP;;;%s-500)",
dwError = VmDirAllocateStringPrintf(
&pszAclString,
"O:%s-500G:BAD:(A;;CCDCRPWP;;;BA)(A;;CCDCRPWP;;;%s-500)(A;;CCRPWP;;;%s)",
pszDomainSid,
pszDomainSid,
pszLimitedUserSid);
BAIL_ON_VMDIR_ERROR(dwError);
valsAcl[0] = pszAclString;
dwError = ldap_add_ext_s(
pState->pLd,
pszDN,
attrs,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VMDIR_SAFE_FREE_STRINGA(pszAclString);
VMDIR_SAFE_FREE_STRINGA(pszLimitedUserSid);
VMDIR_SAFE_FREE_STRINGA(pszDomainSid);
VMDIR_SAFE_FREE_STRINGA(pszDN);
return dwError;
error:
printf("%s failed with error %d\n", __FUNCTION__, dwError);
goto cleanup;
}
static LibBalsaABErr
libbalsa_address_book_ldap_add_address(LibBalsaAddressBook *ab,
LibBalsaAddress *address)
{
static char *object_class_values[] =
{ "person", "organizationalPerson", "inetOrgPerson", NULL };
gchar *dn;
LDAPMod *mods[7];
LDAPMod modarr[6];
int cnt;
char *cn[] = {NULL, NULL};
char *gn[] = {NULL, NULL};
char *org[] = {NULL, NULL};
char *sn[] = {NULL, NULL};
char *mail[] = {NULL, NULL};
LibBalsaAddressBookLdap *ldap_ab = LIBBALSA_ADDRESS_BOOK_LDAP(ab);
g_return_val_if_fail(address, LBABERR_CANNOT_WRITE);
g_return_val_if_fail(address->address_list, LBABERR_CANNOT_WRITE);
if (ldap_ab->directory == NULL) {
if(libbalsa_address_book_ldap_open_connection(ldap_ab) != LDAP_SUCCESS)
return LBABERR_CANNOT_CONNECT;
}
if(ldap_ab->priv_book_dn == NULL) {
libbalsa_address_book_set_status
(ab, _("Undefined location of user address book"));
return LBABERR_CANNOT_WRITE;
}
dn = g_strdup_printf("mail=%s,%s",
(char*)address->address_list->data,
ldap_ab->priv_book_dn);
mods[0] = &modarr[0];
modarr[0].mod_op = LDAP_MOD_ADD;
modarr[0].mod_type = "objectClass";
modarr[0].mod_values = object_class_values;
cnt = 1;
if(address->full_name) {
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_ADD,"cn",cn,address->full_name);
cnt++;
}
if(address->first_name) {
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_ADD,"givenName",gn,
address->first_name);
cnt++;
}
if(address->last_name) {
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_ADD,"sn",sn,address->last_name);
cnt++;
}
if(address->organization) {
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_ADD,"o",org,
address->organization);
cnt++;
}
SETMOD(mods[cnt],modarr[cnt],LDAP_MOD_ADD,"mail",mail,
(char*)address->address_list->data);
cnt++;
mods[cnt] = NULL;
cnt = 0;
do {
int rc = ldap_add_ext_s(ldap_ab->directory, dn, mods, NULL, NULL);
switch(rc) {
case LDAP_SUCCESS: g_free(dn); return LBABERR_OK;
case LDAP_ALREADY_EXISTS:
g_free(dn);
libbalsa_address_book_set_status(ab,
g_strdup(ldap_err2string(rc)));
return LBABERR_DUPLICATE;
case LDAP_SERVER_DOWN:
libbalsa_address_book_ldap_close_connection(ldap_ab);
if( (rc=libbalsa_address_book_ldap_open_connection(ldap_ab))
!= LDAP_SUCCESS) {
g_free(dn);
return LBABERR_CANNOT_CONNECT;
}
/* fall through */
default:
fprintf(stderr, "ldap_add for dn=“%s” failed[0x%x]: %s\n",
dn, rc, ldap_err2string(rc));
}
} while(cnt++<1);
g_free(dn);
libbalsa_address_book_set_status(ab, NULL);
return LBABERR_CANNOT_WRITE;
}
krb5_error_code
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
{
int l=0, kerberos_principal_object_type=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
char **values=NULL, *strval[10]= {NULL}, errbuf[1024];
struct berval **bersecretkey=NULL;
LDAPMod **mods=NULL;
krb5_boolean create_standalone_prinicipal=FALSE;
krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
char *standalone_principal_dn=NULL;
krb5_tl_data *tl_data=NULL;
krb5_key_data **keys=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
osa_princ_ent_rec princ_ent;
xargs_t xargs = {0};
char *polname = NULL;
OPERATION optype;
krb5_boolean found_entry = FALSE;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL)
return EINVAL;
/* get ldap handle */
GET_HANDLE();
if (is_principal_in_realm(ldap_context, entry->princ) != 0) {
st = EINVAL;
krb5_set_error_message(context, st, _("Principal does not belong to "
"the default realm"));
goto cleanup;
}
/* get the principal information to act on */
if (entry->princ) {
if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) ||
((st=krb5_ldap_unparse_principal_name(user)) != 0))
goto cleanup;
}
/* Identity the type of operation, it can be
* add principal or modify principal.
* hack if the entry->mask has KRB_PRINCIPAL flag set
* then it is a add operation
*/
if (entry->mask & KADM5_PRINCIPAL)
optype = ADD_PRINCIPAL;
else
optype = MODIFY_PRINCIPAL;
if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) ||
((st=krb5_get_userdn(context, entry, &principal_dn)) != 0))
goto cleanup;
if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
goto cleanup;
if (entry->mask & KADM5_LOAD) {
int tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
char **subtreelist = NULL, *filter = NULL;
/* A load operation is special, will do a mix-in (add krbprinc
* attrs to a non-krb object entry) if an object exists with a
* matching krbprincipalname attribute so try to find existing
* object and set principal_dn. This assumes that the
* krbprincipalname attribute is unique (only one object entry has
* a particular krbprincipalname attribute).
*/
if (user == NULL) {
/* must have principal name for search */
st = EINVAL;
krb5_set_error_message(context, st,
_("operation can not continue, principal "
"name not found"));
goto cleanup;
}
princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
snprintf(filter, princlen, FILTER"%s))", user);
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
found_entry = FALSE;
/* search for entry with matching krbprincipalname attribute */
for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
result = NULL;
if (principal_dn == NULL) {
LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
} else {
/* just look for entry with principal_dn */
LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
}
if (st == LDAP_SUCCESS) {
numlentries = ldap_count_entries(ld, result);
if (numlentries > 1) {
ldap_msgfree(result);
free(filter);
st = EINVAL;
krb5_set_error_message(context, st,
_("operation can not continue, "
"more than one entry with "
"principal name \"%s\" found"),
user);
goto cleanup;
} else if (numlentries == 1) {
found_entry = TRUE;
if (principal_dn == NULL) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
/* setting principal_dn will cause that entry to be modified further down */
if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
st = set_ldap_error (context, st, 0);
ldap_msgfree(result);
free(filter);
goto cleanup;
}
}
}
}
if (result)
ldap_msgfree(result);
} else if (st != LDAP_NO_SUCH_OBJECT) {
/* could not perform search, return with failure */
st = set_ldap_error (context, st, 0);
free(filter);
goto cleanup;
}
/*
* If it isn't found then assume a standalone princ entry is to
* be created.
*/
} /* end for (tree = 0; principal_dn == ... */
free(filter);
if (found_entry == FALSE && principal_dn != NULL) {
/*
* if principal_dn is null then there is code further down to
* deal with setting standalone_principal_dn. Also note that
* this will set create_standalone_prinicipal true for
* non-mix-in entries which is okay if loading from a dump.
*/
create_standalone_prinicipal = TRUE;
standalone_principal_dn = strdup(principal_dn);
CHECK_NULL(standalone_principal_dn);
}
} /* end if (entry->mask & KADM5_LOAD */
/* time to generate the DN information with the help of
* containerdn, principalcontainerreference or
* realmcontainerdn information
*/
if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
/* get the subtree information */
if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") &&
strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) {
/* if the principal is a inter-realm principal, always created in the realm container */
subtree = strdup(ldap_context->lrparams->realmdn);
} else if (xargs.containerdn) {
if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
st = EINVAL;
snprintf(errbuf, sizeof(errbuf), _("'%s' not found: "),
xargs.containerdn);
prepend_err_str(context, errbuf, st, ost);
}
goto cleanup;
}
subtree = strdup(xargs.containerdn);
} else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
/*
* Here the subtree should be changed with
* principalcontainerreference attribute value
*/
subtree = strdup(ldap_context->lrparams->containerref);
} else {
subtree = strdup(ldap_context->lrparams->realmdn);
}
CHECK_NULL(subtree);
if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
user, subtree) < 0)
standalone_principal_dn = NULL;
CHECK_NULL(standalone_principal_dn);
/*
* free subtree when you are done using the subtree
* set the boolean create_standalone_prinicipal to TRUE
*/
create_standalone_prinicipal = TRUE;
free(subtree);
subtree = NULL;
}
/*
* If the DN information is presented by the user, time to
* validate the input to ensure that the DN falls under
* any of the subtrees
*/
if (xargs.dn_from_kbd == TRUE) {
/* make sure the DN falls in the subtree */
int tre=0, dnlen=0, subtreelen=0, ntrees=0;
char **subtreelist=NULL;
char *dn=NULL;
krb5_boolean outofsubtree=TRUE;
if (xargs.dn != NULL) {
dn = xargs.dn;
} else if (xargs.linkdn != NULL) {
dn = xargs.linkdn;
} else if (standalone_principal_dn != NULL) {
/*
* Even though the standalone_principal_dn is constructed
* within this function, there is the containerdn input
* from the user that can become part of the it.
*/
dn = standalone_principal_dn;
}
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
for (tre=0; tre<ntrees; ++tre) {
if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
outofsubtree = FALSE;
break;
} else {
dnlen = strlen (dn);
subtreelen = strlen(subtreelist[tre]);
if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
outofsubtree = FALSE;
break;
}
}
}
for (tre=0; tre < ntrees; ++tre) {
free(subtreelist[tre]);
}
if (outofsubtree == TRUE) {
st = EINVAL;
krb5_set_error_message(context, st,
_("DN is out of the realm subtree"));
goto cleanup;
}
/*
* dn value will be set either by dn, linkdn or the standalone_principal_dn
* In the first 2 cases, the dn should be existing and in the last case we
* are supposed to create the ldap object. so the below should not be
* executed for the last case.
*/
if (standalone_principal_dn == NULL) {
/*
* If the ldap object is missing, this results in an error.
*/
/*
* Search for krbprincipalname attribute here.
* This is to find if a kerberos identity is already present
* on the ldap object, in which case adding a kerberos identity
* on the ldap object should result in an error.
*/
char *attributes[]= {"krbticketpolicyreference", "krbprincipalname", NULL};
LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
if (st == LDAP_SUCCESS) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
ldap_value_free(values);
}
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
krb_identity_exists = TRUE;
ldap_value_free(values);
}
}
ldap_msgfree(result);
} else {
st = set_ldap_error(context, st, OP_SEARCH);
goto cleanup;
}
}
}
/*
* If xargs.dn is set then the request is to add a
* kerberos principal on a ldap object, but if
* there is one already on the ldap object this
* should result in an error.
*/
if (xargs.dn != NULL && krb_identity_exists == TRUE) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("ldap object is already kerberized"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (xargs.linkdn != NULL) {
/*
* link information can be changed using modprinc.
* However, link information can be changed only on the
* standalone kerberos principal objects. A standalone
* kerberos principal object is of type krbprincipal
* structural objectclass.
*
* NOTE: kerberos principals on an ldap object can't be
* linked to other ldap objects.
*/
if (optype == MODIFY_PRINCIPAL &&
kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("link information can not be set/updated as the "
"kerberos principal belongs to an ldap object"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
/*
* Check the link information. If there is already a link
* existing then this operation is not allowed.
*/
{
char **linkdns=NULL;
int j=0;
if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) {
snprintf(errbuf, sizeof(errbuf),
_("Failed getting object references"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (linkdns != NULL) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("kerberos principal is already linked to a ldap "
"object"));
krb5_set_error_message(context, st, "%s", errbuf);
for (j=0; linkdns[j] != NULL; ++j)
free (linkdns[j]);
free (linkdns);
goto cleanup;
}
}
establish_links = TRUE;
}
if (entry->mask & KADM5_LAST_SUCCESS) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_success)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_LAST_FAILED) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_failed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free(strval[0]);
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT) {
krb5_kvno fail_auth_count;
fail_auth_count = entry->fail_auth_count;
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
fail_auth_count++;
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_REPLACE,
fail_auth_count);
if (st != 0)
goto cleanup;
} else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
int attr_mask = 0;
krb5_boolean has_fail_count;
/* Check if the krbLoginFailedCount attribute exists. (Through
* krb5 1.8.1, it wasn't set in new entries.) */
st = krb5_get_attributes_mask(context, entry, &attr_mask);
if (st != 0)
goto cleanup;
has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
/*
* If the client library and server supports RFC 4525,
* then use it to increment by one the value of the
* krbLoginFailedCount attribute. Otherwise, assert the
* (provided) old value by deleting it before adding.
*/
#ifdef LDAP_MOD_INCREMENT
if (ldap_server_handle->server_info->modify_increment &&
has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_INCREMENT, 1);
if (st != 0)
goto cleanup;
} else {
#endif /* LDAP_MOD_INCREMENT */
if (has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods,
"krbLoginFailedCount",
LDAP_MOD_DELETE,
entry->fail_auth_count);
if (st != 0)
goto cleanup;
}
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD,
entry->fail_auth_count + 1);
if (st != 0)
goto cleanup;
#ifdef LDAP_MOD_INCREMENT
}
#endif
} else if (optype == ADD_PRINCIPAL) {
/* Initialize krbLoginFailedCount in new entries to help avoid a
* race during the first failed login. */
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD, 0);
}
if (entry->mask & KADM5_MAX_LIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_MAX_RLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
entry->max_renewable_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_ATTRIBUTES) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
entry->attributes)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINCIPAL) {
memset(strval, 0, sizeof(strval));
strval[0] = user;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINC_EXPIRE_TIME) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_PW_EXPIRATION) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
LDAP_MOD_REPLACE,
strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_POLICY) {
memset(&princ_ent, 0, sizeof(princ_ent));
for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
/* FIX ME: I guess the princ_ent should be freed after this call */
if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
goto cleanup;
}
}
}
if (princ_ent.aux_attributes & KADM5_POLICY) {
memset(strval, 0, sizeof(strval));
if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
goto cleanup;
strval[0] = polname;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
st = EINVAL;
krb5_set_error_message(context, st, "Password policy value null");
goto cleanup;
}
} else if (entry->mask & KADM5_LOAD && found_entry == TRUE) {
/*
* a load is special in that existing entries must have attrs that
* removed.
*/
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_POLICY_CLR) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) {
krb5_kvno mkvno;
if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0)
goto cleanup;
bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
entry->n_key_data, mkvno);
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
goto cleanup;
if (!(entry->mask & KADM5_PRINCIPAL)) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods,
"krbpasswordexpiration",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
/* Update last password change whenever a new key is set */
{
krb5_timestamp last_pw_changed;
if ((st=krb5_dbe_lookup_last_pwd_change(context, entry,
&last_pw_changed)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
} /* Modify Key data ends here */
/* Set tl_data */
if (entry->tl_data != NULL) {
int count = 0;
struct berval **ber_tl_data = NULL;
krb5_tl_data *ptr;
krb5_timestamp unlock_time;
for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
count++;
}
if (count != 0) {
int j;
ber_tl_data = (struct berval **) calloc (count + 1,
sizeof (struct berval*));
if (ber_tl_data == NULL) {
st = ENOMEM;
goto cleanup;
}
for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
/* Ignore tl_data that are stored in separate directory
* attributes */
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
}
if (st == 0) {
ber_tl_data[count] = NULL;
st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
LDAP_MOD_REPLACE |
LDAP_MOD_BVALUES, ber_tl_data);
}
for (j = 0; ber_tl_data[j] != NULL; j++) {
free(ber_tl_data[j]->bv_val);
free(ber_tl_data[j]);
}
free(ber_tl_data);
if (st != 0)
goto cleanup;
}
if ((st=krb5_dbe_lookup_last_admin_unlock(context, entry,
&unlock_time)) != 0)
goto cleanup;
if (unlock_time != 0) {
/* Update last admin unlock */
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(unlock_time)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastAdminUnlock",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
}
/* Directory specific attribute */
if (xargs.tktpolicydn != NULL) {
int tmask=0;
if (strlen(xargs.tktpolicydn) != 0) {
st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
CHECK_CLASS_VALIDITY(st, tmask, _("ticket policy object value: "));
strval[0] = xargs.tktpolicydn;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
/* if xargs.tktpolicydn is a empty string, then delete
* already existing krbticketpolicyreference attr */
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
}
if (establish_links == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = xargs.linkdn;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
/*
* in case mods is NULL then return
* not sure but can happen in a modprinc
* so no need to return an error
* addprinc will at least have the principal name
* and the keys passed in
*/
if (mods == NULL)
goto cleanup;
if (create_standalone_prinicipal == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = "krbprincipal";
strval[1] = "krbprincipalaux";
strval[2] = "krbTicketPolicyAux";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) {
/* a load operation must replace an existing entry */
st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf),
_("Principal delete failed (trying to replace "
"entry): %s"), ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
} else {
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
}
}
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("Principal add failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
} else {
/*
* Here existing ldap object is modified and can be related
* to any attribute, so always ensure that the ldap
* object is extended with all the kerberos related
* objectclasses so that there are no constraint
* violations.
*/
{
char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
int p, q, r=0, amask=0;
if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
"objectclass", attrvalues, &amask)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
for (p=1, q=0; p<=2; p<<=1, ++q) {
if ((p & amask) == 0)
strval[r++] = attrvalues[q];
}
if (r != 0) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
}
}
if (xargs.dn != NULL)
st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
else
st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("User modification failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_MOD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
entry->fail_auth_count++;
}
cleanup:
if (user)
free(user);
free_xargs(xargs);
if (standalone_principal_dn)
free(standalone_principal_dn);
if (principal_dn)
free (principal_dn);
if (polname != NULL)
free(polname);
if (subtree)
free (subtree);
if (bersecretkey) {
for (l=0; bersecretkey[l]; ++l) {
if (bersecretkey[l]->bv_val)
free (bersecretkey[l]->bv_val);
free (bersecretkey[l]);
}
free (bersecretkey);
}
if (keys)
free (keys);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
}
static void
do_addel(
char *uri,
char *manager,
struct berval *passwd,
char *entry,
LDAPMod **attrs,
int maxloop,
int maxretries,
int delay,
int friendly,
int chaserefs )
{
LDAP *ld = NULL;
int i = 0, do_retry = maxretries;
int rc = LDAP_SUCCESS;
int version = LDAP_VERSION3;
retry:;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Add/Delete(%d): entry=\"%s\".\n",
(long) pid, maxloop, entry );
}
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
if ( delay != 0 ) {
sleep( delay );
}
goto retry;
}
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
for ( ; i < maxloop; i++ ) {
/* add the entry */
rc = ldap_add_ext_s( ld, entry, attrs, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_add_ext_s", NULL );
switch ( rc ) {
case LDAP_ALREADY_EXISTS:
/* NOTE: this likely means
* the delete failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
#if 0
/* wait a second for the add to really complete */
/* This masks some race conditions though. */
sleep( 1 );
#endif
/* now delete the entry again */
rc = ldap_delete_ext_s( ld, entry, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_delete_ext_s", NULL );
switch ( rc ) {
case LDAP_NO_SUCH_OBJECT:
/* NOTE: this likely means
* the add failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
}
done:;
fprintf( stderr, " PID=%ld - Add/Delete done (%d).\n", (long) pid, rc );
ldap_unbind_ext( ld, NULL, NULL );
}
