search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Rename context handle lifetime to endtime
[heimdal.git] / lib / hdb / hdb-ldap.c
blobcaf892eebb66f1e495cb1464175acf78e6fa1584
1 /*
2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "hdb_locl.h"
36
37 #ifdef OPENLDAP
38
39 #include <lber.h>
40 #include <ldap.h>
41 #include <sys/un.h>
42 #include <hex.h>
43
44 static krb5_error_code LDAP__connect(krb5_context context, HDB *);
45 static krb5_error_code LDAP_close(krb5_context context, HDB *);
46
47 static krb5_error_code
48 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
49 int flags, hdb_entry_ex * ent);
50
51 static const char *default_structural_object = "account";
52 static char *structural_object;
53 static const char *default_ldap_url = "ldapi:///";
54 static krb5_boolean samba_forwardable;
55
56 struct hdbldapdb {
57 LDAP *h_lp;
58 int h_msgid;
59 char *h_base;
60 char *h_url;
61 char *h_bind_dn;
62 char *h_bind_password;
63 krb5_boolean h_start_tls;
64 char *h_createbase;
65 };
66
67 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
68 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
69 #define HDBSETMSGID(db,msgid) \
70 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
71 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
72 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
73 #define HDB2BINDDN(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_dn)
74 #define HDB2BINDPW(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_password)
75 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
76
77 /*
78 *
79 */
80
81 static char * krb5kdcentry_attrs[] = {
82 "cn",
83 "createTimestamp",
84 "creatorsName",
85 "krb5EncryptionType",
86 "krb5KDCFlags",
87 "krb5Key",
88 "krb5KeyVersionNumber",
89 "krb5MaxLife",
90 "krb5MaxRenew",
91 "krb5PasswordEnd",
92 "krb5PrincipalName",
93 "krb5PrincipalRealm",
94 "krb5ValidEnd",
95 "krb5ValidStart",
96 "modifiersName",
97 "modifyTimestamp",
98 "objectClass",
99 "sambaAcctFlags",
100 "sambaKickoffTime",
101 "sambaNTPassword",
102 "sambaPwdLastSet",
103 "sambaPwdMustChange",
104 "uid",
105 NULL
106 };
107
108 static char *krb5principal_attrs[] = {
109 "cn",
110 "createTimestamp",
111 "creatorsName",
112 "krb5PrincipalName",
113 "krb5PrincipalRealm",
114 "modifiersName",
115 "modifyTimestamp",
116 "objectClass",
117 "uid",
118 NULL
119 };
120
121 static int
122 LDAP_no_size_limit(krb5_context context, LDAP *lp)
123 {
124 int ret, limit = LDAP_NO_LIMIT;
125
126 ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
127 if (ret != LDAP_SUCCESS) {
128 krb5_set_error_message(context, HDB_ERR_BADVERSION,
129 "ldap_set_option: %s",
130 ldap_err2string(ret));
131 return HDB_ERR_BADVERSION;
132 }
133 return 0;
134 }
135
136 static int
137 check_ldap(krb5_context context, HDB *db, int ret)
138 {
139 switch (ret) {
140 case LDAP_SUCCESS:
141 return 0;
142 case LDAP_SERVER_DOWN:
143 LDAP_close(context, db);
144 return 1;
145 default:
146 return 1;
147 }
148 }
149
150 static krb5_error_code
151 LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
152 int *pIndex)
153 {
154 int cMods;
155
156 if (*modlist == NULL) {
157 *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
158 if (*modlist == NULL)
159 return ENOMEM;
160 }
161
162 for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
163 if ((*modlist)[cMods]->mod_op == modop &&
164 strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
165 break;
166 }
167 }
168
169 *pIndex = cMods;
170
171 if ((*modlist)[cMods] == NULL) {
172 LDAPMod *mod;
173
174 *modlist = (LDAPMod **)ber_memrealloc(*modlist,
175 (cMods + 2) * sizeof(LDAPMod *));
176 if (*modlist == NULL)
177 return ENOMEM;
178
179 (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
180 if ((*modlist)[cMods] == NULL)
181 return ENOMEM;
182
183 mod = (*modlist)[cMods];
184 mod->mod_op = modop;
185 mod->mod_type = ber_strdup(attribute);
186 if (mod->mod_type == NULL) {
187 ber_memfree(mod);
188 (*modlist)[cMods] = NULL;
189 return ENOMEM;
190 }
191
192 if (modop & LDAP_MOD_BVALUES) {
193 mod->mod_bvalues = NULL;
194 } else {
195 mod->mod_values = NULL;
196 }
197
198 (*modlist)[cMods + 1] = NULL;
199 }
200
201 return 0;
202 }
203
204 static krb5_error_code
205 LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
206 unsigned char *value, size_t len)
207 {
208 krb5_error_code ret;
209 int cMods, i = 0;
210
211 ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
212 if (ret)
213 return ret;
214
215 if (value != NULL) {
216 struct berval **bv;
217
218 bv = (*modlist)[cMods]->mod_bvalues;
219 if (bv != NULL) {
220 for (i = 0; bv[i] != NULL; i++)
221 ;
222 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
223 } else
224 bv = ber_memalloc(2 * sizeof(*bv));
225 if (bv == NULL)
226 return ENOMEM;
227
228 (*modlist)[cMods]->mod_bvalues = bv;
229
230 bv[i] = ber_memalloc(sizeof(**bv));;
231 if (bv[i] == NULL)
232 return ENOMEM;
233
234 bv[i]->bv_val = (void *)value;
235 bv[i]->bv_len = len;
236
237 bv[i + 1] = NULL;
238 }
239
240 return 0;
241 }
242
243 static krb5_error_code
244 LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
245 const char *value)
246 {
247 int cMods, i = 0;
248 krb5_error_code ret;
249
250 ret = LDAP__setmod(modlist, modop, attribute, &cMods);
251 if (ret)
252 return ret;
253
254 if (value != NULL) {
255 char **bv;
256
257 bv = (*modlist)[cMods]->mod_values;
258 if (bv != NULL) {
259 for (i = 0; bv[i] != NULL; i++)
260 ;
261 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
262 } else
263 bv = ber_memalloc(2 * sizeof(*bv));
264 if (bv == NULL)
265 return ENOMEM;
266
267 (*modlist)[cMods]->mod_values = bv;
268
269 bv[i] = ber_strdup(value);
270 if (bv[i] == NULL)
271 return ENOMEM;
272
273 bv[i + 1] = NULL;
274 }
275
276 return 0;
277 }
278
279 static krb5_error_code
280 LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
281 const char *attribute, KerberosTime * time)
282 {
283 char buf[22];
284 struct tm *tm;
285
286 /* XXX not threadsafe */
287 tm = gmtime(time);
288 strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
289
290 return LDAP_addmod(mods, modop, attribute, buf);
291 }
292
293 static krb5_error_code
294 LDAP_addmod_integer(krb5_context context,
295 LDAPMod *** mods, int modop,
296 const char *attribute, unsigned long l)
297 {
298 krb5_error_code ret;
299 char *buf;
300
301 ret = asprintf(&buf, "%ld", l);
302 if (ret < 0) {
303 krb5_set_error_message(context, ENOMEM,
304 "asprintf: out of memory:");
305 return ENOMEM;
306 }
307 ret = LDAP_addmod(mods, modop, attribute, buf);
308 free (buf);
309 return ret;
310 }
311
312 static krb5_error_code
313 LDAP_get_string_value(HDB * db, LDAPMessage * entry,
314 const char *attribute, char **ptr)
315 {
316 struct berval **vals;
317
318 vals = ldap_get_values_len(HDB2LDAP(db), entry, attribute);
319 if (vals == NULL || vals[0] == NULL) {
320 *ptr = NULL;
321 return HDB_ERR_NOENTRY;
322 }
323
324 *ptr = malloc(vals[0]->bv_len + 1);
325 if (*ptr == NULL) {
326 ldap_value_free_len(vals);
327 return ENOMEM;
328 }
329
330 memcpy(*ptr, vals[0]->bv_val, vals[0]->bv_len);
331 (*ptr)[vals[0]->bv_len] = 0;
332
333 ldap_value_free_len(vals);
334
335 return 0;
336 }
337
338 static krb5_error_code
339 LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
340 const char *attribute, int *ptr)
341 {
342 krb5_error_code ret;
343 char *val;
344
345 ret = LDAP_get_string_value(db, entry, attribute, &val);
346 if (ret)
347 return ret;
348 *ptr = atoi(val);
349 free(val);
350 return 0;
351 }
352
353 static krb5_error_code
354 LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
355 const char *attribute, KerberosTime * kt)
356 {
357 char *tmp, *gentime;
358 struct tm tm;
359 int ret;
360
361 *kt = 0;
362
363 ret = LDAP_get_string_value(db, entry, attribute, &gentime);
364 if (ret)
365 return ret;
366
367 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
368 if (tmp == NULL) {
369 free(gentime);
370 return HDB_ERR_NOENTRY;
371 }
372
373 free(gentime);
374
375 *kt = timegm(&tm);
376
377 return 0;
378 }
379
380 static int
381 bervalstrcmp(struct berval *v, const char *str)
382 {
383 size_t len = strlen(str);
384 return (v->bv_len == len) && strncasecmp(str, (char *)v->bv_val, len) == 0;
385 }
386
387
388 static krb5_error_code
389 LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
390 LDAPMessage * msg, LDAPMod *** pmods)
391 {
392 krb5_error_code ret;
393 krb5_boolean is_new_entry;
394 char *tmp = NULL;
395 LDAPMod **mods = NULL;
396 hdb_entry_ex orig;
397 unsigned long oflags, nflags;
398 int i;
399
400 krb5_boolean is_samba_account = FALSE;
401 krb5_boolean is_account = FALSE;
402 krb5_boolean is_heimdal_entry = FALSE;
403 krb5_boolean is_heimdal_principal = FALSE;
404
405 struct berval **vals;
406
407 *pmods = NULL;
408
409 if (msg != NULL) {
410
411 ret = LDAP_message2entry(context, db, msg, 0, &orig);
412 if (ret)
413 goto out;
414
415 is_new_entry = FALSE;
416
417 vals = ldap_get_values_len(HDB2LDAP(db), msg, "objectClass");
418 if (vals) {
419 int num_objectclasses = ldap_count_values_len(vals);
420 for (i=0; i < num_objectclasses; i++) {
421 if (bervalstrcmp(vals[i], "sambaSamAccount"))
422 is_samba_account = TRUE;
423 else if (bervalstrcmp(vals[i], structural_object))
424 is_account = TRUE;
425 else if (bervalstrcmp(vals[i], "krb5Principal"))
426 is_heimdal_principal = TRUE;
427 else if (bervalstrcmp(vals[i], "krb5KDCEntry"))
428 is_heimdal_entry = TRUE;
429 }
430 ldap_value_free_len(vals);
431 }
432
433 /*
434 * If this is just a "account" entry and no other objectclass
435 * is hanging on this entry, it's really a new entry.
436 */
437 if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
438 is_heimdal_entry == FALSE) {
439 if (is_account == TRUE) {
440 is_new_entry = TRUE;
441 } else {
442 ret = HDB_ERR_NOENTRY;
443 goto out;
444 }
445 }
446 } else
447 is_new_entry = TRUE;
448
449 if (is_new_entry) {
450
451 /* to make it perfectly obvious we're depending on
452 * orig being intiialized to zero */
453 memset(&orig, 0, sizeof(orig));
454
455 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
456 if (ret)
457 goto out;
458
459 /* account is the structural object class */
460 if (is_account == FALSE) {
461 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
462 structural_object);
463 is_account = TRUE;
464 if (ret)
465 goto out;
466 }
467
468 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
469 is_heimdal_principal = TRUE;
470 if (ret)
471 goto out;
472
473 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
474 is_heimdal_entry = TRUE;
475 if (ret)
476 goto out;
477 }
478
479 if (is_new_entry ||
480 krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
481 == FALSE)
482 {
483 if (is_heimdal_principal || is_heimdal_entry) {
484
485 ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
486 if (ret)
487 goto out;
488
489 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
490 "krb5PrincipalName", tmp);
491 if (ret) {
492 free(tmp);
493 goto out;
494 }
495 free(tmp);
496 }
497
498 if (is_account || is_samba_account) {
499 ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
500 if (ret)
501 goto out;
502 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
503 if (ret) {
504 free(tmp);
505 goto out;
506 }
507 free(tmp);
508 }
509 }
510
511 if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
512 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
513 "krb5KeyVersionNumber",
514 ent->entry.kvno);
515 if (ret)
516 goto out;
517 }
518
519 if (is_heimdal_entry && ent->entry.valid_start) {
520 if (orig.entry.valid_end == NULL
521 || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
522 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
523 "krb5ValidStart",
524 ent->entry.valid_start);
525 if (ret)
526 goto out;
527 }
528 }
529
530 if (ent->entry.valid_end) {
531 if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
532 if (is_heimdal_entry) {
533 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
534 "krb5ValidEnd",
535 ent->entry.valid_end);
536 if (ret)
537 goto out;
538 }
539 if (is_samba_account) {
540 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
541 "sambaKickoffTime",
542 *(ent->entry.valid_end));
543 if (ret)
544 goto out;
545 }
546 }
547 }
548
549 if (ent->entry.pw_end) {
550 if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
551 if (is_heimdal_entry) {
552 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
553 "krb5PasswordEnd",
554 ent->entry.pw_end);
555 if (ret)
556 goto out;
557 }
558
559 if (is_samba_account) {
560 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
561 "sambaPwdMustChange",
562 *(ent->entry.pw_end));
563 if (ret)
564 goto out;
565 }
566 }
567 }
568
569
570 #if 0 /* we we have last_pw_change */
571 if (is_samba_account && ent->entry.last_pw_change) {
572 if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
573 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
574 "sambaPwdLastSet",
575 *(ent->entry.last_pw_change));
576 if (ret)
577 goto out;
578 }
579 }
580 #endif
581
582 if (is_heimdal_entry && ent->entry.max_life) {
583 if (orig.entry.max_life == NULL
584 || (*(ent->entry.max_life) != *(orig.entry.max_life))) {
585
586 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
587 "krb5MaxLife",
588 *(ent->entry.max_life));
589 if (ret)
590 goto out;
591 }
592 }
593
594 if (is_heimdal_entry && ent->entry.max_renew) {
595 if (orig.entry.max_renew == NULL
596 || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
597
598 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
599 "krb5MaxRenew",
600 *(ent->entry.max_renew));
601 if (ret)
602 goto out;
603 }
604 }
605
606 oflags = HDBFlags2int(orig.entry.flags);
607 nflags = HDBFlags2int(ent->entry.flags);
608
609 if (is_heimdal_entry && oflags != nflags) {
610
611 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
612 "krb5KDCFlags",
613 nflags);
614 if (ret)
615 goto out;
616 }
617
618 /* Remove keys if they exists, and then replace keys. */
619 if (!is_new_entry && orig.entry.keys.len > 0) {
620 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
621 if (vals) {
622 ldap_value_free_len(vals);
623
624 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
625 if (ret)
626 goto out;
627 }
628 }
629
630 for (i = 0; i < ent->entry.keys.len; i++) {
631
632 if (is_samba_account
633 && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
634 char *ntHexPassword;
635 char *nt;
636 time_t now = time(NULL);
637
638 /* the key might have been 'sealed', but samba passwords
639 are clear in the directory */
640 ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
641 if (ret)
642 goto out;
643
644 nt = ent->entry.keys.val[i].key.keyvalue.data;
645 /* store in ntPassword, not krb5key */
646 ret = hex_encode(nt, 16, &ntHexPassword);
647 if (ret < 0) {
648 ret = ENOMEM;
649 krb5_set_error_message(context, ret, "hdb-ldap: failed to "
650 "hex encode key");
651 goto out;
652 }
653 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",
654 ntHexPassword);
655 free(ntHexPassword);
656 if (ret)
657 goto out;
658 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
659 "sambaPwdLastSet", now);
660 if (ret)
661 goto out;
662
663 /* have to kill the LM passwod if it exists */
664 vals = ldap_get_values_len(HDB2LDAP(db), msg, "sambaLMPassword");
665 if (vals) {
666 ldap_value_free_len(vals);
667 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
668 "sambaLMPassword", NULL);
669 if (ret)
670 goto out;
671 }
672
673 } else if (is_heimdal_entry) {
674 unsigned char *buf;
675 size_t len, buf_size;
676
677 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
678 if (ret)
679 goto out;
680 if(buf_size != len)
681 krb5_abortx(context, "internal error in ASN.1 encoder");
682
683 /* addmod_len _owns_ the key, doesn't need to copy it */
684 ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
685 if (ret)
686 goto out;
687 }
688 }
689
690 if (ent->entry.etypes) {
691 int add_krb5EncryptionType = 0;
692
693 /*
694 * Only add/modify krb5EncryptionType if it's a new heimdal
695 * entry or krb5EncryptionType already exists on the entry.
696 */
697
698 if (!is_new_entry) {
699 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
700 if (vals) {
701 ldap_value_free_len(vals);
702 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
703 NULL);
704 if (ret)
705 goto out;
706 add_krb5EncryptionType = 1;
707 }
708 } else if (is_heimdal_entry)
709 add_krb5EncryptionType = 1;
710
711 if (add_krb5EncryptionType) {
712 for (i = 0; i < ent->entry.etypes->len; i++) {
713 if (is_samba_account &&
714 ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
715 {
716 ;
717 } else if (is_heimdal_entry) {
718 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
719 "krb5EncryptionType",
720 ent->entry.etypes->val[i]);
721 if (ret)
722 goto out;
723 }
724 }
725 }
726 }
727
728 /* for clarity */
729 ret = 0;
730
731 out:
732
733 if (ret == 0)
734 *pmods = mods;
735 else if (mods != NULL) {
736 ldap_mods_free(mods, 1);
737 *pmods = NULL;
738 }
739
740 if (msg)
741 hdb_free_entry(context, &orig);
742
743 return ret;
744 }
745
746 static krb5_error_code
747 LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
748 krb5_principal * principal)
749 {
750 krb5_error_code ret;
751 int rc;
752 const char *filter = "(objectClass=krb5Principal)";
753 LDAPMessage *res = NULL, *e;
754 char *p;
755
756 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
757 if (ret)
758 goto out;
759
760 rc = ldap_search_ext_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
761 filter, krb5principal_attrs, 0,
762 NULL, NULL, NULL,
763 0, &res);
764 if (check_ldap(context, db, rc)) {
765 ret = HDB_ERR_NOENTRY;
766 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
767 "filter: %s error: %s",
768 filter, ldap_err2string(rc));
769 goto out;
770 }
771
772 e = ldap_first_entry(HDB2LDAP(db), res);
773 if (e == NULL) {
774 ret = HDB_ERR_NOENTRY;
775 goto out;
776 }
777
778 ret = LDAP_get_string_value(db, e, "krb5PrincipalName", &p);
779 if (ret) {
780 ret = HDB_ERR_NOENTRY;
781 goto out;
782 }
783
784 ret = krb5_parse_name(context, p, principal);
785 free(p);
786
787 out:
788 if (res)
789 ldap_msgfree(res);
790
791 return ret;
792 }
793
794 static int
795 need_quote(unsigned char c)
796 {
797 return (c & 0x80) ||
798 (c < 32) ||
799 (c == '(') ||
800 (c == ')') ||
801 (c == '*') ||
802 (c == '\\') ||
803 (c == 0x7f);
804 }
805
806 static const char hexchar[] = "0123456789ABCDEF";
807
808 static krb5_error_code
809 escape_value(krb5_context context, const char *unquoted, char **quoted)
810 {
811 size_t i, len;
812
813 for (i = 0, len = 0; unquoted[i] != '\0'; i++, len++) {
814 if (need_quote((unsigned char)unquoted[i]))
815 len += 2;
816 }
817
818 *quoted = malloc(len + 1);
819 if (*quoted == NULL) {
820 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
821 return ENOMEM;
822 }
823
824 for (i = 0; unquoted[0] ; unquoted++) {
825 if (need_quote((unsigned char)unquoted[0])) {
826 (*quoted)[i++] = '\\';
827 (*quoted)[i++] = hexchar[(unquoted[0] >> 4) & 0xf];
828 (*quoted)[i++] = hexchar[(unquoted[0] ) & 0xf];
829 } else
830 (*quoted)[i++] = (char)unquoted[0];
831 }
832 (*quoted)[i] = '\0';
833 return 0;
834 }
835
836
837 static krb5_error_code
838 LDAP__lookup_princ(krb5_context context,
839 HDB *db,
840 const char *princname,
841 const char *userid,
842 LDAPMessage **msg)
843 {
844 krb5_error_code ret;
845 int rc;
846 char *quote, *filter = NULL;
847
848 ret = LDAP__connect(context, db);
849 if (ret)
850 return ret;
851
852 /*
853 * Quote searches that contain filter language, this quote
854 * searches for *@REALM, which takes very long time.
855 */
856
857 ret = escape_value(context, princname, &quote);
858 if (ret)
859 goto out;
860
861 rc = asprintf(&filter,
862 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
863 quote);
864 free(quote);
865
866 if (rc < 0) {
867 ret = ENOMEM;
868 krb5_set_error_message(context, ret, "malloc: out of memory");
869 goto out;
870 }
871
872 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
873 if (ret)
874 goto out;
875
876 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db),
877 LDAP_SCOPE_SUBTREE, filter,
878 krb5kdcentry_attrs, 0,
879 NULL, NULL, NULL,
880 0, msg);
881 if (check_ldap(context, db, rc)) {
882 ret = HDB_ERR_NOENTRY;
883 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
884 "filter: %s - error: %s",
885 filter, ldap_err2string(rc));
886 goto out;
887 }
888
889 if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
890 free(filter);
891 filter = NULL;
892 ldap_msgfree(*msg);
893 *msg = NULL;
894
895 ret = escape_value(context, userid, &quote);
896 if (ret)
897 goto out;
898
899 rc = asprintf(&filter,
900 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
901 structural_object, quote);
902 free(quote);
903 if (rc < 0) {
904 ret = ENOMEM;
905 krb5_set_error_message(context, ret, "asprintf: out of memory");
906 goto out;
907 }
908
909 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
910 if (ret)
911 goto out;
912
913 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,
914 filter, krb5kdcentry_attrs, 0,
915 NULL, NULL, NULL,
916 0, msg);
917 if (check_ldap(context, db, rc)) {
918 ret = HDB_ERR_NOENTRY;
919 krb5_set_error_message(context, ret,
920 "ldap_search_ext_s: filter: %s error: %s",
921 filter, ldap_err2string(rc));
922 goto out;
923 }
924 }
925
926 ret = 0;
927
928 out:
929 if (filter)
930 free(filter);
931
932 return ret;
933 }
934
935 static krb5_error_code
936 LDAP_principal2message(krb5_context context, HDB * db,
937 krb5_const_principal princ, LDAPMessage ** msg)
938 {
939 char *name, *name_short = NULL;
940 krb5_error_code ret;
941 krb5_realm *r, *r0;
942
943 *msg = NULL;
944
945 ret = krb5_unparse_name(context, princ, &name);
946 if (ret)
947 return ret;
948
949 ret = krb5_get_default_realms(context, &r0);
950 if(ret) {
951 free(name);
952 return ret;
953 }
954 for (r = r0; *r != NULL; r++) {
955 if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
956 ret = krb5_unparse_name_short(context, princ, &name_short);
957 if (ret) {
958 krb5_free_host_realm(context, r0);
959 free(name);
960 return ret;
961 }
962 break;
963 }
964 }
965 krb5_free_host_realm(context, r0);
966
967 ret = LDAP__lookup_princ(context, db, name, name_short, msg);
968 free(name);
969 free(name_short);
970
971 return ret;
972 }
973
974 /*
975 * Construct an hdb_entry from a directory entry.
976 */
977 static krb5_error_code
978 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
979 int flags, hdb_entry_ex * ent)
980 {
981 char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
982 char *samba_acct_flags = NULL;
983 struct berval **keys;
984 struct berval **vals;
985 int tmp, tmp_time, i, ret, have_arcfour = 0;
986
987 memset(ent, 0, sizeof(*ent));
988 ent->entry.flags = int2HDBFlags(0);
989
990 ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
991 if (ret == 0) {
992 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
993 if (ret)
994 goto out;
995 } else {
996 ret = LDAP_get_string_value(db, msg, "uid",
997 &unparsed_name);
998 if (ret == 0) {
999 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
1000 if (ret)
1001 goto out;
1002 } else {
1003 krb5_set_error_message(context, HDB_ERR_NOENTRY,
1004 "hdb-ldap: ldap entry missing"
1005 "principal name");
1006 return HDB_ERR_NOENTRY;
1007 }
1008 }
1009
1010 {
1011 int integer;
1012 ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
1013 &integer);
1014 if (ret)
1015 ent->entry.kvno = 0;
1016 else
1017 ent->entry.kvno = integer;
1018 }
1019
1020 keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
1021 if (keys != NULL) {
1022 size_t l;
1023
1024 ent->entry.keys.len = ldap_count_values_len(keys);
1025 ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
1026 if (ent->entry.keys.val == NULL) {
1027 ret = ENOMEM;
1028 krb5_set_error_message(context, ret, "calloc: out of memory");
1029 goto out;
1030 }
1031 for (i = 0; i < ent->entry.keys.len; i++) {
1032 decode_Key((unsigned char *) keys[i]->bv_val,
1033 (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
1034 }
1035 ber_bvecfree(keys);
1036 } else {
1037 #if 1
1038 /*
1039 * This violates the ASN1 but it allows a principal to
1040 * be related to a general directory entry without creating
1041 * the keys. Hopefully it's OK.
1042 */
1043 ent->entry.keys.len = 0;
1044 ent->entry.keys.val = NULL;
1045 #else
1046 ret = HDB_ERR_NOENTRY;
1047 goto out;
1048 #endif
1049 }
1050
1051 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
1052 if (vals != NULL) {
1053 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1054 if (ent->entry.etypes == NULL) {
1055 ret = ENOMEM;
1056 krb5_set_error_message(context, ret,"malloc: out of memory");
1057 goto out;
1058 }
1059 ent->entry.etypes->len = ldap_count_values_len(vals);
1060 ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));
1061 if (ent->entry.etypes->val == NULL) {
1062 ret = ENOMEM;
1063 krb5_set_error_message(context, ret, "malloc: out of memory");
1064 ent->entry.etypes->len = 0;
1065 goto out;
1066 }
1067 for (i = 0; i < ent->entry.etypes->len; i++) {
1068 char *buf;
1069
1070 buf = malloc(vals[i]->bv_len + 1);
1071 if (buf == NULL) {
1072 ret = ENOMEM;
1073 krb5_set_error_message(context, ret, "malloc: out of memory");
1074 goto out;
1075 }
1076 memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
1077 buf[vals[i]->bv_len] = '\0';
1078 ent->entry.etypes->val[i] = atoi(buf);
1079 free(buf);
1080 }
1081 ldap_value_free_len(vals);
1082 }
1083
1084 for (i = 0; i < ent->entry.keys.len; i++) {
1085 if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
1086 have_arcfour = 1;
1087 break;
1088 }
1089 }
1090
1091 /* manually construct the NT (type 23) key */
1092 ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
1093 if (ret == 0 && have_arcfour == 0) {
1094 unsigned *etypes;
1095
1096 keys = realloc(ent->entry.keys.val,
1097 (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));
1098 if (keys == NULL) {
1099 free(ntPasswordIN);
1100 ret = ENOMEM;
1101 krb5_set_error_message(context, ret, "malloc: out of memory");
1102 goto out;
1103 }
1104 ent->entry.keys.val = keys;
1105 memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
1106 ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
1107 ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
1108 if (ret) {
1109 krb5_set_error_message(context, ret, "malloc: out of memory");
1110 free(ntPasswordIN);
1111 ret = ENOMEM;
1112 goto out;
1113 }
1114 ret = hex_decode(ntPasswordIN,
1115 ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
1116 ent->entry.keys.len++;
1117
1118 if (ent->entry.etypes == NULL) {
1119 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1120 if (ent->entry.etypes == NULL) {
1121 ret = ENOMEM;
1122 krb5_set_error_message(context, ret, "malloc: out of memory");
1123 goto out;
1124 }
1125 ent->entry.etypes->val = NULL;
1126 ent->entry.etypes->len = 0;
1127 }
1128
1129 for (i = 0; i < ent->entry.etypes->len; i++)
1130 if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
1131 break;
1132 /* If there is no ARCFOUR enctype, add one */
1133 if (i == ent->entry.etypes->len) {
1134 etypes = realloc(ent->entry.etypes->val,
1135 (ent->entry.etypes->len + 1) *
1136 sizeof(ent->entry.etypes->val[0]));
1137 if (etypes == NULL) {
1138 ret = ENOMEM;
1139 krb5_set_error_message(context, ret, "malloc: out of memory");
1140 goto out;
1141 }
1142 ent->entry.etypes->val = etypes;
1143 ent->entry.etypes->val[ent->entry.etypes->len] =
1144 ETYPE_ARCFOUR_HMAC_MD5;
1145 ent->entry.etypes->len++;
1146 }
1147 }
1148
1149 ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
1150 &ent->entry.created_by.time);
1151 if (ret)
1152 ent->entry.created_by.time = time(NULL);
1153
1154 ent->entry.created_by.principal = NULL;
1155
1156 if (flags & HDB_F_ADMIN_DATA) {
1157 ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
1158 if (ret == 0) {
1159 LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal);
1160 free(dn);
1161 }
1162
1163 ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by));
1164 if (ent->entry.modified_by == NULL) {
1165 ret = ENOMEM;
1166 krb5_set_error_message(context, ret, "malloc: out of memory");
1167 goto out;
1168 }
1169
1170 ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
1171 &ent->entry.modified_by->time);
1172 if (ret == 0) {
1173 ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
1174 if (ret == 0) {
1175 LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal);
1176 free(dn);
1177 } else {
1178 free(ent->entry.modified_by);
1179 ent->entry.modified_by = NULL;
1180 }
1181 }
1182 }
1183
1184 ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
1185 if (ent->entry.valid_start == NULL) {
1186 ret = ENOMEM;
1187 krb5_set_error_message(context, ret, "malloc: out of memory");
1188 goto out;
1189 }
1190 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
1191 ent->entry.valid_start);
1192 if (ret) {
1193 /* OPTIONAL */
1194 free(ent->entry.valid_start);
1195 ent->entry.valid_start = NULL;
1196 }
1197
1198 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1199 if (ent->entry.valid_end == NULL) {
1200 ret = ENOMEM;
1201 krb5_set_error_message(context, ret, "malloc: out of memory");
1202 goto out;
1203 }
1204 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
1205 ent->entry.valid_end);
1206 if (ret) {
1207 /* OPTIONAL */
1208 free(ent->entry.valid_end);
1209 ent->entry.valid_end = NULL;
1210 }
1211
1212 ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
1213 if (ret == 0) {
1214 if (ent->entry.valid_end == NULL) {
1215 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1216 if (ent->entry.valid_end == NULL) {
1217 ret = ENOMEM;
1218 krb5_set_error_message(context, ret, "malloc: out of memory");
1219 goto out;
1220 }
1221 }
1222 *ent->entry.valid_end = tmp_time;
1223 }
1224
1225 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1226 if (ent->entry.pw_end == NULL) {
1227 ret = ENOMEM;
1228 krb5_set_error_message(context, ret, "malloc: out of memory");
1229 goto out;
1230 }
1231 ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
1232 ent->entry.pw_end);
1233 if (ret) {
1234 /* OPTIONAL */
1235 free(ent->entry.pw_end);
1236 ent->entry.pw_end = NULL;
1237 }
1238
1239 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1240 if (ret == 0) {
1241 time_t delta;
1242
1243 delta = krb5_config_get_time_default(context, NULL,
1244 0,
1245 "kadmin",
1246 "password_lifetime",
1247 NULL);
1248
1249 if (delta) {
1250 if (ent->entry.pw_end == NULL) {
1251 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1252 if (ent->entry.pw_end == NULL) {
1253 ret = ENOMEM;
1254 krb5_set_error_message(context, ret, "malloc: out of memory");
1255 goto out;
1256 }
1257 }
1258
1259 *ent->entry.pw_end = tmp_time + delta;
1260 }
1261 }
1262
1263 ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
1264 if (ret == 0) {
1265 if (ent->entry.pw_end == NULL) {
1266 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1267 if (ent->entry.pw_end == NULL) {
1268 ret = ENOMEM;
1269 krb5_set_error_message(context, ret, "malloc: out of memory");
1270 goto out;
1271 }
1272 }
1273 *ent->entry.pw_end = tmp_time;
1274 }
1275
1276 /* OPTIONAL */
1277 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1278 if (ret == 0)
1279 hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
1280
1281 {
1282 int max_life;
1283
1284 ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
1285 if (ent->entry.max_life == NULL) {
1286 ret = ENOMEM;
1287 krb5_set_error_message(context, ret, "malloc: out of memory");
1288 goto out;
1289 }
1290 ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
1291 if (ret) {
1292 free(ent->entry.max_life);
1293 ent->entry.max_life = NULL;
1294 } else
1295 *ent->entry.max_life = max_life;
1296 }
1297
1298 {
1299 int max_renew;
1300
1301 ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
1302 if (ent->entry.max_renew == NULL) {
1303 ret = ENOMEM;
1304 krb5_set_error_message(context, ret, "malloc: out of memory");
1305 goto out;
1306 }
1307 ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
1308 if (ret) {
1309 free(ent->entry.max_renew);
1310 ent->entry.max_renew = NULL;
1311 } else
1312 *ent->entry.max_renew = max_renew;
1313 }
1314
1315 ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
1316 if (ret)
1317 tmp = 0;
1318
1319 ent->entry.flags = int2HDBFlags(tmp);
1320
1321 /* Try and find Samba flags to put into the mix */
1322 ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
1323 if (ret == 0) {
1324 /* parse the [UXW...] string:
1325
1326 'N' No password
1327 'D' Disabled
1328 'H' Homedir required
1329 'T' Temp account.
1330 'U' User account (normal)
1331 'M' MNS logon user account - what is this ?
1332 'W' Workstation account
1333 'S' Server account
1334 'L' Locked account
1335 'X' No Xpiry on password
1336 'I' Interdomain trust account
1337
1338 */
1339
1340 int flags_len = strlen(samba_acct_flags);
1341
1342 if (flags_len < 2)
1343 goto out2;
1344
1345 if (samba_acct_flags[0] != '['
1346 || samba_acct_flags[flags_len - 1] != ']')
1347 goto out2;
1348
1349 /* Allow forwarding */
1350 if (samba_forwardable)
1351 ent->entry.flags.forwardable = TRUE;
1352
1353 for (i=0; i < flags_len; i++) {
1354 switch (samba_acct_flags[i]) {
1355 case ' ':
1356 case '[':
1357 case ']':
1358 break;
1359 case 'N':
1360 /* how to handle no password in kerberos? */
1361 break;
1362 case 'D':
1363 ent->entry.flags.invalid = TRUE;
1364 break;
1365 case 'H':
1366 break;
1367 case 'T':
1368 /* temp duplicate */
1369 ent->entry.flags.invalid = TRUE;
1370 break;
1371 case 'U':
1372 ent->entry.flags.client = TRUE;
1373 break;
1374 case 'M':
1375 break;
1376 case 'W':
1377 case 'S':
1378 ent->entry.flags.server = TRUE;
1379 ent->entry.flags.client = TRUE;
1380 break;
1381 case 'L':
1382 ent->entry.flags.invalid = TRUE;
1383 break;
1384 case 'X':
1385 if (ent->entry.pw_end) {
1386 free(ent->entry.pw_end);
1387 ent->entry.pw_end = NULL;
1388 }
1389 break;
1390 case 'I':
1391 ent->entry.flags.server = TRUE;
1392 ent->entry.flags.client = TRUE;
1393 break;
1394 }
1395 }
1396 out2:
1397 free(samba_acct_flags);
1398 }
1399
1400 ret = 0;
1401
1402 out:
1403 if (unparsed_name)
1404 free(unparsed_name);
1405
1406 if (ret)
1407 hdb_free_entry(context, ent);
1408
1409 return ret;
1410 }
1411
1412 static krb5_error_code
1413 LDAP_close(krb5_context context, HDB * db)
1414 {
1415 if (HDB2LDAP(db)) {
1416 ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
1417 ((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
1418 }
1419
1420 return 0;
1421 }
1422
1423 static krb5_error_code
1424 LDAP_lock(krb5_context context, HDB * db, int operation)
1425 {
1426 return 0;
1427 }
1428
1429 static krb5_error_code
1430 LDAP_unlock(krb5_context context, HDB * db)
1431 {
1432 return 0;
1433 }
1434
1435 static krb5_error_code
1436 LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
1437 {
1438 int msgid, rc, parserc;
1439 krb5_error_code ret;
1440 LDAPMessage *e;
1441
1442 msgid = HDB2MSGID(db);
1443 if (msgid < 0)
1444 return HDB_ERR_NOENTRY;
1445
1446 do {
1447 rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
1448 switch (rc) {
1449 case LDAP_RES_SEARCH_REFERENCE:
1450 ldap_msgfree(e);
1451 ret = 0;
1452 break;
1453 case LDAP_RES_SEARCH_ENTRY:
1454 /* We have an entry. Parse it. */
1455 ret = LDAP_message2entry(context, db, e, flags, entry);
1456 ldap_msgfree(e);
1457 break;
1458 case LDAP_RES_SEARCH_RESULT:
1459 /* We're probably at the end of the results. If not, abandon. */
1460 parserc =
1461 ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
1462 NULL, NULL, 1);
1463 ret = HDB_ERR_NOENTRY;
1464 if (parserc != LDAP_SUCCESS
1465 && parserc != LDAP_MORE_RESULTS_TO_RETURN) {
1466 krb5_set_error_message(context, ret, "ldap_parse_result: %s",
1467 ldap_err2string(parserc));
1468 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1469 }
1470 HDBSETMSGID(db, -1);
1471 break;
1472 case LDAP_SERVER_DOWN:
1473 ldap_msgfree(e);
1474 LDAP_close(context, db);
1475 HDBSETMSGID(db, -1);
1476 ret = ENETDOWN;
1477 break;
1478 default:
1479 /* Some unspecified error (timeout?). Abandon. */
1480 ldap_msgfree(e);
1481 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1482 ret = HDB_ERR_NOENTRY;
1483 HDBSETMSGID(db, -1);
1484 break;
1485 }
1486 } while (rc == LDAP_RES_SEARCH_REFERENCE);
1487
1488 if (ret == 0) {
1489 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1490 ret = hdb_unseal_keys(context, db, &entry->entry);
1491 if (ret)
1492 hdb_free_entry(context, entry);
1493 }
1494 }
1495
1496 return ret;
1497 }
1498
1499 static krb5_error_code
1500 LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
1501 hdb_entry_ex *entry)
1502 {
1503 krb5_error_code ret;
1504 int msgid;
1505
1506 ret = LDAP__connect(context, db);
1507 if (ret)
1508 return ret;
1509
1510 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
1511 if (ret)
1512 return ret;
1513
1514 ret = ldap_search_ext(HDB2LDAP(db), HDB2BASE(db),
1515 LDAP_SCOPE_SUBTREE,
1516 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1517 krb5kdcentry_attrs, 0,
1518 NULL, NULL, NULL, 0, &msgid);
1519 if (msgid < 0)
1520 return HDB_ERR_NOENTRY;
1521
1522 HDBSETMSGID(db, msgid);
1523
1524 return LDAP_seq(context, db, flags, entry);
1525 }
1526
1527 static krb5_error_code
1528 LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
1529 hdb_entry_ex * entry)
1530 {
1531 return LDAP_seq(context, db, flags, entry);
1532 }
1533
1534 static krb5_error_code
1535 LDAP__connect(krb5_context context, HDB * db)
1536 {
1537 int rc, version = LDAP_VERSION3;
1538 /*
1539 * Empty credentials to do a SASL bind with LDAP. Note that empty
1540 * different from NULL credentials. If you provide NULL
1541 * credentials instead of empty credentials you will get a SASL
1542 * bind in progress message.
1543 */
1544 struct berval bv = { 0, "" };
1545 const char *sasl_method = "EXTERNAL";
1546 const char *bind_dn = NULL;
1547
1548 if (HDB2BINDDN(db) != NULL && HDB2BINDPW(db) != NULL) {
1549 /* A bind DN was specified; use SASL SIMPLE */
1550 bind_dn = HDB2BINDDN(db);
1551 sasl_method = LDAP_SASL_SIMPLE;
1552 bv.bv_val = HDB2BINDPW(db);
1553 bv.bv_len = strlen(bv.bv_val);
1554 }
1555
1556 if (HDB2LDAP(db)) {
1557 /* connection has been opened. ping server. */
1558 struct sockaddr_un addr;
1559 socklen_t len = sizeof(addr);
1560 int sd;
1561
1562 if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
1563 getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
1564 /* the other end has died. reopen. */
1565 LDAP_close(context, db);
1566 }
1567 }
1568
1569 if (HDB2LDAP(db) != NULL) /* server is UP */
1570 return 0;
1571
1572 rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));
1573 if (rc != LDAP_SUCCESS) {
1574 krb5_set_error_message(context, HDB_ERR_NOENTRY, "ldap_initialize: %s",
1575 ldap_err2string(rc));
1576 return HDB_ERR_NOENTRY;
1577 }
1578
1579 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
1580 (const void *)&version);
1581 if (rc != LDAP_SUCCESS) {
1582 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1583 "ldap_set_option: %s", ldap_err2string(rc));
1584 LDAP_close(context, db);
1585 return HDB_ERR_BADVERSION;
1586 }
1587
1588 if (((struct hdbldapdb *)db->hdb_db)->h_start_tls) {
1589 rc = ldap_start_tls_s(HDB2LDAP(db), NULL, NULL);
1590
1591 if (rc != LDAP_SUCCESS) {
1592 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1593 "ldap_start_tls_s: %s", ldap_err2string(rc));
1594 LDAP_close(context, db);
1595 return HDB_ERR_BADVERSION;
1596 }
1597 }
1598
1599 rc = ldap_sasl_bind_s(HDB2LDAP(db), bind_dn, sasl_method, &bv,
1600 NULL, NULL, NULL);
1601 if (rc != LDAP_SUCCESS) {
1602 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1603 "ldap_sasl_bind_s: %s", ldap_err2string(rc));
1604 LDAP_close(context, db);
1605 return HDB_ERR_BADVERSION;
1606 }
1607
1608 return 0;
1609 }
1610
1611 static krb5_error_code
1612 LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
1613 {
1614 /* Not the right place for this. */
1615 #ifdef HAVE_SIGACTION
1616 struct sigaction sa;
1617
1618 sa.sa_flags = 0;
1619 sa.sa_handler = SIG_IGN;
1620 sigemptyset(&sa.sa_mask);
1621
1622 sigaction(SIGPIPE, &sa, NULL);
1623 #else
1624 signal(SIGPIPE, SIG_IGN);
1625 #endif /* HAVE_SIGACTION */
1626
1627 return LDAP__connect(context, db);
1628 }
1629
1630 static krb5_error_code
1631 LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
1632 unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)
1633 {
1634 LDAPMessage *msg, *e;
1635 krb5_error_code ret;
1636
1637 ret = LDAP_principal2message(context, db, principal, &msg);
1638 if (ret)
1639 return ret;
1640
1641 e = ldap_first_entry(HDB2LDAP(db), msg);
1642 if (e == NULL) {
1643 ret = HDB_ERR_NOENTRY;
1644 goto out;
1645 }
1646
1647 ret = LDAP_message2entry(context, db, e, flags, entry);
1648 if (ret == 0) {
1649 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1650 ret = hdb_unseal_keys(context, db, &entry->entry);
1651 if (ret)
1652 hdb_free_entry(context, entry);
1653 }
1654 }
1655
1656 out:
1657 ldap_msgfree(msg);
1658
1659 return ret;
1660 }
1661
1662 static krb5_error_code
1663 LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
1664 unsigned flags, hdb_entry_ex * entry)
1665 {
1666 return LDAP_fetch_kvno(context, db, principal,
1667 flags & (~HDB_F_KVNO_SPECIFIED), 0, entry);
1668 }
1669
1670 static krb5_error_code
1671 LDAP_store(krb5_context context, HDB * db, unsigned flags,
1672 hdb_entry_ex * entry)
1673 {
1674 LDAPMod **mods = NULL;
1675 krb5_error_code ret;
1676 const char *errfn;
1677 int rc;
1678 LDAPMessage *msg = NULL, *e = NULL;
1679 char *dn = NULL, *name = NULL;
1680
1681 ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
1682 if (ret == 0)
1683 e = ldap_first_entry(HDB2LDAP(db), msg);
1684
1685 ret = krb5_unparse_name(context, entry->entry.principal, &name);
1686 if (ret) {
1687 free(name);
1688 return ret;
1689 }
1690
1691 ret = hdb_seal_keys(context, db, &entry->entry);
1692 if (ret)
1693 goto out;
1694
1695 /* turn new entry into LDAPMod array */
1696 ret = LDAP_entry2mods(context, db, entry, e, &mods);
1697 if (ret)
1698 goto out;
1699
1700 if (e == NULL) {
1701 ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
1702 if (ret < 0) {
1703 ret = ENOMEM;
1704 krb5_set_error_message(context, ret, "asprintf: out of memory");
1705 goto out;
1706 }
1707 } else if (flags & HDB_F_REPLACE) {
1708 /* Entry exists, and we're allowed to replace it. */
1709 dn = ldap_get_dn(HDB2LDAP(db), e);
1710 } else {
1711 /* Entry exists, but we're not allowed to replace it. Bail. */
1712 ret = HDB_ERR_EXISTS;
1713 goto out;
1714 }
1715
1716 /* write entry into directory */
1717 if (e == NULL) {
1718 /* didn't exist before */
1719 rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1720 errfn = "ldap_add_ext_s";
1721 } else {
1722 /* already existed, send deltas only */
1723 rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1724 errfn = "ldap_modify_ext_s";
1725 }
1726
1727 if (check_ldap(context, db, rc)) {
1728 char *ld_error = NULL;
1729 ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
1730 &ld_error);
1731 ret = HDB_ERR_CANT_LOCK_DB;
1732 krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",
1733 errfn, name, dn, ldap_err2string(rc), ld_error);
1734 } else
1735 ret = 0;
1736
1737 out:
1738 /* free stuff */
1739 if (dn)
1740 free(dn);
1741 if (msg)
1742 ldap_msgfree(msg);
1743 if (mods)
1744 ldap_mods_free(mods, 1);
1745 if (name)
1746 free(name);
1747
1748 return ret;
1749 }
1750
1751 static krb5_error_code
1752 LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)
1753 {
1754 krb5_error_code ret;
1755 LDAPMessage *msg, *e;
1756 char *dn = NULL;
1757 int rc, limit = LDAP_NO_LIMIT;
1758
1759 ret = LDAP_principal2message(context, db, principal, &msg);
1760 if (ret)
1761 goto out;
1762
1763 e = ldap_first_entry(HDB2LDAP(db), msg);
1764 if (e == NULL) {
1765 ret = HDB_ERR_NOENTRY;
1766 goto out;
1767 }
1768
1769 dn = ldap_get_dn(HDB2LDAP(db), e);
1770 if (dn == NULL) {
1771 ret = HDB_ERR_NOENTRY;
1772 goto out;
1773 }
1774
1775 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
1776 if (rc != LDAP_SUCCESS) {
1777 ret = HDB_ERR_BADVERSION;
1778 krb5_set_error_message(context, ret, "ldap_set_option: %s",
1779 ldap_err2string(rc));
1780 goto out;
1781 }
1782
1783 rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL );
1784 if (check_ldap(context, db, rc)) {
1785 ret = HDB_ERR_CANT_LOCK_DB;
1786 krb5_set_error_message(context, ret, "ldap_delete_ext_s: %s",
1787 ldap_err2string(rc));
1788 } else
1789 ret = 0;
1790
1791 out:
1792 if (dn != NULL)
1793 free(dn);
1794 if (msg != NULL)
1795 ldap_msgfree(msg);
1796
1797 return ret;
1798 }
1799
1800 static krb5_error_code
1801 LDAP_destroy(krb5_context context, HDB * db)
1802 {
1803 krb5_error_code ret;
1804
1805 LDAP_close(context, db);
1806
1807 ret = hdb_clear_master_key(context, db);
1808 if (HDB2BASE(db))
1809 free(HDB2BASE(db));
1810 if (HDB2CREATE(db))
1811 free(HDB2CREATE(db));
1812 if (HDB2URL(db))
1813 free(HDB2URL(db));
1814 if (db->hdb_name)
1815 free(db->hdb_name);
1816 free(db->hdb_db);
1817 free(db);
1818
1819 return ret;
1820 }
1821
1822 static krb5_error_code
1823 hdb_ldap_common(krb5_context context,
1824 HDB ** db,
1825 const char *search_base,
1826 const char *url)
1827 {
1828 struct hdbldapdb *h;
1829 const char *create_base = NULL;
1830 const char *ldap_secret_file = NULL;
1831
1832 if (url == NULL || url[0] == '\0') {
1833 const char *p;
1834 p = krb5_config_get_string(context, NULL, "kdc",
1835 "hdb-ldap-url", NULL);
1836 if (p == NULL)
1837 p = default_ldap_url;
1838
1839 url = p;
1840 }
1841
1842 if (search_base == NULL && search_base[0] == '\0') {
1843 krb5_set_error_message(context, ENOMEM, "ldap search base not configured");
1844 return ENOMEM; /* XXX */
1845 }
1846
1847 if (structural_object == NULL) {
1848 const char *p;
1849
1850 p = krb5_config_get_string(context, NULL, "kdc",
1851 "hdb-ldap-structural-object", NULL);
1852 if (p == NULL)
1853 p = default_structural_object;
1854 structural_object = strdup(p);
1855 if (structural_object == NULL) {
1856 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1857 return ENOMEM;
1858 }
1859 }
1860
1861 samba_forwardable =
1862 krb5_config_get_bool_default(context, NULL, TRUE,
1863 "kdc", "hdb-samba-forwardable", NULL);
1864
1865 *db = calloc(1, sizeof(**db));
1866 if (*db == NULL) {
1867 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1868 return ENOMEM;
1869 }
1870 memset(*db, 0, sizeof(**db));
1871
1872 h = calloc(1, sizeof(*h));
1873 if (h == NULL) {
1874 free(*db);
1875 *db = NULL;
1876 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1877 return ENOMEM;
1878 }
1879 (*db)->hdb_db = h;
1880
1881 /* XXX */
1882 if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {
1883 LDAP_destroy(context, *db);
1884 *db = NULL;
1885 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1886 return ENOMEM;
1887 }
1888
1889 h->h_url = strdup(url);
1890 h->h_base = strdup(search_base);
1891 if (h->h_url == NULL || h->h_base == NULL) {
1892 LDAP_destroy(context, *db);
1893 *db = NULL;
1894 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1895 return ENOMEM;
1896 }
1897
1898 ldap_secret_file = krb5_config_get_string(context, NULL, "kdc",
1899 "hdb-ldap-secret-file", NULL);
1900 if (ldap_secret_file != NULL) {
1901 krb5_config_binding *tmp;
1902 krb5_error_code ret;
1903 const char *p;
1904
1905 ret = krb5_config_parse_file(context, ldap_secret_file, &tmp);
1906 if (ret)
1907 return ret;
1908
1909 p = krb5_config_get_string(context, tmp, "kdc",
1910 "hdb-ldap-bind-dn", NULL);
1911 if (p != NULL)
1912 h->h_bind_dn = strdup(p);
1913
1914 p = krb5_config_get_string(context, tmp, "kdc",
1915 "hdb-ldap-bind-password", NULL);
1916 if (p != NULL)
1917 h->h_bind_password = strdup(p);
1918
1919 krb5_config_file_free(context, tmp);
1920 }
1921
1922 h->h_start_tls =
1923 krb5_config_get_bool_default(context, NULL, FALSE,
1924 "kdc", "hdb-ldap-start-tls", NULL);
1925
1926 create_base = krb5_config_get_string(context, NULL, "kdc",
1927 "hdb-ldap-create-base", NULL);
1928 if (create_base == NULL)
1929 create_base = h->h_base;
1930
1931 h->h_createbase = strdup(create_base);
1932 if (h->h_createbase == NULL) {
1933 LDAP_destroy(context, *db);
1934 *db = NULL;
1935 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1936 return ENOMEM;
1937 }
1938
1939 (*db)->hdb_master_key_set = 0;
1940 (*db)->hdb_openp = 0;
1941 (*db)->hdb_capability_flags = 0;
1942 (*db)->hdb_open = LDAP_open;
1943 (*db)->hdb_close = LDAP_close;
1944 (*db)->hdb_fetch_kvno = LDAP_fetch_kvno;
1945 (*db)->hdb_store = LDAP_store;
1946 (*db)->hdb_remove = LDAP_remove;
1947 (*db)->hdb_firstkey = LDAP_firstkey;
1948 (*db)->hdb_nextkey = LDAP_nextkey;
1949 (*db)->hdb_lock = LDAP_lock;
1950 (*db)->hdb_unlock = LDAP_unlock;
1951 (*db)->hdb_rename = NULL;
1952 (*db)->hdb__get = NULL;
1953 (*db)->hdb__put = NULL;
1954 (*db)->hdb__del = NULL;
1955 (*db)->hdb_destroy = LDAP_destroy;
1956
1957 return 0;
1958 }
1959
1960 krb5_error_code
1961 hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
1962 {
1963 return hdb_ldap_common(context, db, arg, NULL);
1964 }
1965
1966 krb5_error_code
1967 hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)
1968 {
1969 krb5_error_code ret;
1970 char *search_base, *p;
1971
1972 asprintf(&p, "ldapi:%s", arg);
1973 if (p == NULL) {
1974 *db = NULL;
1975 krb5_set_error_message(context, ENOMEM, "out of memory");
1976 return ENOMEM;
1977 }
1978 search_base = strchr(p + strlen("ldapi://"), ':');
1979 if (search_base == NULL) {
1980 *db = NULL;
1981 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1982 "search base missing");
1983 return HDB_ERR_BADVERSION;
1984 }
1985 *search_base = '\0';
1986 search_base++;
1987
1988 ret = hdb_ldap_common(context, db, search_base, p);
1989 free(p);
1990 return ret;
1991 }
1992
1993 #ifdef OPENLDAP_MODULE
1994
1995
1996 static krb5_error_code
1997 init(krb5_context context, void **ctx)
1998 {
1999 *ctx = NULL;
2000 return 0;
2001 }
2002
2003 static void
2004 fini(void *ctx)
2005 {
2006 }
2007
2008 struct hdb_method hdb_ldap_interface = {
2009 HDB_INTERFACE_VERSION,
2010 init,
2011 fini,
2012 "ldap",
2013 hdb_ldap_create
2014 };
2015
2016 struct hdb_method hdb_ldapi_interface = {
2017 HDB_INTERFACE_VERSION,
2018 init,
2019 fini,
2020 "ldapi",
2021 hdb_ldapi_create
2022 };
2023
2024 #endif
2025
2026 #endif /* OPENLDAP */
Heimdal