search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
set hdb_capability_flags = 0
[heimdal.git] / lib / hdb / hdb-ldap.c
blob77ea23a6b67eca2a77713f6d037ebfbaf6c59e31
1 /*
2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "hdb_locl.h"
36
37 RCSID("$Id$");
38
39 #ifdef OPENLDAP
40
41 #include <lber.h>
42 #include <ldap.h>
43 #include <sys/un.h>
44 #include <hex.h>
45
46 static krb5_error_code LDAP__connect(krb5_context context, HDB *);
47 static krb5_error_code LDAP_close(krb5_context context, HDB *);
48
49 static krb5_error_code
50 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
51 hdb_entry_ex * ent);
52
53 static const char *default_structural_object = "account";
54 static char *structural_object;
55 static krb5_boolean samba_forwardable;
56
57 struct hdbldapdb {
58 LDAP *h_lp;
59 int h_msgid;
60 char *h_base;
61 char *h_url;
62 char *h_createbase;
63 };
64
65 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
66 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
67 #define HDBSETMSGID(db,msgid) \
68 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
69 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
70 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
71 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
72
73 /*
74 *
75 */
76
77 static char * krb5kdcentry_attrs[] = {
78 "cn",
79 "createTimestamp",
80 "creatorsName",
81 "krb5EncryptionType",
82 "krb5KDCFlags",
83 "krb5Key",
84 "krb5KeyVersionNumber",
85 "krb5MaxLife",
86 "krb5MaxRenew",
87 "krb5PasswordEnd",
88 "krb5PrincipalName",
89 "krb5PrincipalRealm",
90 "krb5ValidEnd",
91 "krb5ValidStart",
92 "modifiersName",
93 "modifyTimestamp",
94 "objectClass",
95 "sambaAcctFlags",
96 "sambaKickoffTime",
97 "sambaNTPassword",
98 "sambaPwdLastSet",
99 "sambaPwdMustChange",
100 "uid",
101 NULL
102 };
103
104 static char *krb5principal_attrs[] = {
105 "cn",
106 "createTimestamp",
107 "creatorsName",
108 "krb5PrincipalName",
109 "krb5PrincipalRealm",
110 "modifiersName",
111 "modifyTimestamp",
112 "objectClass",
113 "uid",
114 NULL
115 };
116
117 static int
118 LDAP_no_size_limit(krb5_context context, LDAP *lp)
119 {
120 int ret, limit = LDAP_NO_LIMIT;
121
122 ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
123 if (ret != LDAP_SUCCESS) {
124 krb5_set_error_message(context, HDB_ERR_BADVERSION,
125 "ldap_set_option: %s",
126 ldap_err2string(ret));
127 return HDB_ERR_BADVERSION;
128 }
129 return 0;
130 }
131
132 static int
133 check_ldap(krb5_context context, HDB *db, int ret)
134 {
135 switch (ret) {
136 case LDAP_SUCCESS:
137 return 0;
138 case LDAP_SERVER_DOWN:
139 LDAP_close(context, db);
140 return 1;
141 default:
142 return 1;
143 }
144 }
145
146 static krb5_error_code
147 LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
148 int *pIndex)
149 {
150 int cMods;
151
152 if (*modlist == NULL) {
153 *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
154 if (*modlist == NULL)
155 return ENOMEM;
156 }
157
158 for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
159 if ((*modlist)[cMods]->mod_op == modop &&
160 strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
161 break;
162 }
163 }
164
165 *pIndex = cMods;
166
167 if ((*modlist)[cMods] == NULL) {
168 LDAPMod *mod;
169
170 *modlist = (LDAPMod **)ber_memrealloc(*modlist,
171 (cMods + 2) * sizeof(LDAPMod *));
172 if (*modlist == NULL)
173 return ENOMEM;
174
175 (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
176 if ((*modlist)[cMods] == NULL)
177 return ENOMEM;
178
179 mod = (*modlist)[cMods];
180 mod->mod_op = modop;
181 mod->mod_type = ber_strdup(attribute);
182 if (mod->mod_type == NULL) {
183 ber_memfree(mod);
184 (*modlist)[cMods] = NULL;
185 return ENOMEM;
186 }
187
188 if (modop & LDAP_MOD_BVALUES) {
189 mod->mod_bvalues = NULL;
190 } else {
191 mod->mod_values = NULL;
192 }
193
194 (*modlist)[cMods + 1] = NULL;
195 }
196
197 return 0;
198 }
199
200 static krb5_error_code
201 LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
202 unsigned char *value, size_t len)
203 {
204 krb5_error_code ret;
205 int cMods, i = 0;
206
207 ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
208 if (ret)
209 return ret;
210
211 if (value != NULL) {
212 struct berval **bv;
213
214 bv = (*modlist)[cMods]->mod_bvalues;
215 if (bv != NULL) {
216 for (i = 0; bv[i] != NULL; i++)
217 ;
218 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
219 } else
220 bv = ber_memalloc(2 * sizeof(*bv));
221 if (bv == NULL)
222 return ENOMEM;
223
224 (*modlist)[cMods]->mod_bvalues = bv;
225
226 bv[i] = ber_memalloc(sizeof(**bv));;
227 if (bv[i] == NULL)
228 return ENOMEM;
229
230 bv[i]->bv_val = (void *)value;
231 bv[i]->bv_len = len;
232
233 bv[i + 1] = NULL;
234 }
235
236 return 0;
237 }
238
239 static krb5_error_code
240 LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
241 const char *value)
242 {
243 int cMods, i = 0;
244 krb5_error_code ret;
245
246 ret = LDAP__setmod(modlist, modop, attribute, &cMods);
247 if (ret)
248 return ret;
249
250 if (value != NULL) {
251 char **bv;
252
253 bv = (*modlist)[cMods]->mod_values;
254 if (bv != NULL) {
255 for (i = 0; bv[i] != NULL; i++)
256 ;
257 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
258 } else
259 bv = ber_memalloc(2 * sizeof(*bv));
260 if (bv == NULL)
261 return ENOMEM;
262
263 (*modlist)[cMods]->mod_values = bv;
264
265 bv[i] = ber_strdup(value);
266 if (bv[i] == NULL)
267 return ENOMEM;
268
269 bv[i + 1] = NULL;
270 }
271
272 return 0;
273 }
274
275 static krb5_error_code
276 LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
277 const char *attribute, KerberosTime * time)
278 {
279 char buf[22];
280 struct tm *tm;
281
282 /* XXX not threadsafe */
283 tm = gmtime(time);
284 strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
285
286 return LDAP_addmod(mods, modop, attribute, buf);
287 }
288
289 static krb5_error_code
290 LDAP_addmod_integer(krb5_context context,
291 LDAPMod *** mods, int modop,
292 const char *attribute, unsigned long l)
293 {
294 krb5_error_code ret;
295 char *buf;
296
297 ret = asprintf(&buf, "%ld", l);
298 if (ret < 0) {
299 krb5_set_error_message(context, ENOMEM,
300 "asprintf: out of memory:");
301 return ENOMEM;
302 }
303 ret = LDAP_addmod(mods, modop, attribute, buf);
304 free (buf);
305 return ret;
306 }
307
308 static krb5_error_code
309 LDAP_get_string_value(HDB * db, LDAPMessage * entry,
310 const char *attribute, char **ptr)
311 {
312 struct berval **vals;
313
314 vals = ldap_get_values_len(HDB2LDAP(db), entry, attribute);
315 if (vals == NULL || vals[0] == NULL) {
316 *ptr = NULL;
317 return HDB_ERR_NOENTRY;
318 }
319
320 *ptr = malloc(vals[0]->bv_len + 1);
321 if (*ptr == NULL) {
322 ldap_value_free_len(vals);
323 return ENOMEM;
324 }
325
326 memcpy(*ptr, vals[0]->bv_val, vals[0]->bv_len);
327 (*ptr)[vals[0]->bv_len] = 0;
328
329 ldap_value_free_len(vals);
330
331 return 0;
332 }
333
334 static krb5_error_code
335 LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
336 const char *attribute, int *ptr)
337 {
338 krb5_error_code ret;
339 char *val;
340
341 ret = LDAP_get_string_value(db, entry, attribute, &val);
342 if (ret)
343 return ret;
344 *ptr = atoi(val);
345 free(val);
346 return 0;
347 }
348
349 static krb5_error_code
350 LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
351 const char *attribute, KerberosTime * kt)
352 {
353 char *tmp, *gentime;
354 struct tm tm;
355 int ret;
356
357 *kt = 0;
358
359 ret = LDAP_get_string_value(db, entry, attribute, &gentime);
360 if (ret)
361 return ret;
362
363 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
364 if (tmp == NULL) {
365 free(gentime);
366 return HDB_ERR_NOENTRY;
367 }
368
369 free(gentime);
370
371 *kt = timegm(&tm);
372
373 return 0;
374 }
375
376 static int
377 bervalstrcmp(struct berval *v, const char *str)
378 {
379 size_t len = strlen(str);
380 return (v->bv_len == len) && strncasecmp(str, (char *)v->bv_val, len) == 0;
381 }
382
383
384 static krb5_error_code
385 LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
386 LDAPMessage * msg, LDAPMod *** pmods)
387 {
388 krb5_error_code ret;
389 krb5_boolean is_new_entry;
390 char *tmp = NULL;
391 LDAPMod **mods = NULL;
392 hdb_entry_ex orig;
393 unsigned long oflags, nflags;
394 int i;
395
396 krb5_boolean is_samba_account = FALSE;
397 krb5_boolean is_account = FALSE;
398 krb5_boolean is_heimdal_entry = FALSE;
399 krb5_boolean is_heimdal_principal = FALSE;
400
401 struct berval **vals;
402
403 *pmods = NULL;
404
405 if (msg != NULL) {
406
407 ret = LDAP_message2entry(context, db, msg, &orig);
408 if (ret)
409 goto out;
410
411 is_new_entry = FALSE;
412
413 vals = ldap_get_values_len(HDB2LDAP(db), msg, "objectClass");
414 if (vals) {
415 int num_objectclasses = ldap_count_values_len(vals);
416 for (i=0; i < num_objectclasses; i++) {
417 if (bervalstrcmp(vals[i], "sambaSamAccount"))
418 is_samba_account = TRUE;
419 else if (bervalstrcmp(vals[i], structural_object))
420 is_account = TRUE;
421 else if (bervalstrcmp(vals[i], "krb5Principal"))
422 is_heimdal_principal = TRUE;
423 else if (bervalstrcmp(vals[i], "krb5KDCEntry"))
424 is_heimdal_entry = TRUE;
425 }
426 ldap_value_free_len(vals);
427 }
428
429 /*
430 * If this is just a "account" entry and no other objectclass
431 * is hanging on this entry, it's really a new entry.
432 */
433 if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
434 is_heimdal_entry == FALSE) {
435 if (is_account == TRUE) {
436 is_new_entry = TRUE;
437 } else {
438 ret = HDB_ERR_NOENTRY;
439 goto out;
440 }
441 }
442 } else
443 is_new_entry = TRUE;
444
445 if (is_new_entry) {
446
447 /* to make it perfectly obvious we're depending on
448 * orig being intiialized to zero */
449 memset(&orig, 0, sizeof(orig));
450
451 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
452 if (ret)
453 goto out;
454
455 /* account is the structural object class */
456 if (is_account == FALSE) {
457 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
458 structural_object);
459 is_account = TRUE;
460 if (ret)
461 goto out;
462 }
463
464 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
465 is_heimdal_principal = TRUE;
466 if (ret)
467 goto out;
468
469 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
470 is_heimdal_entry = TRUE;
471 if (ret)
472 goto out;
473 }
474
475 if (is_new_entry ||
476 krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
477 == FALSE)
478 {
479 if (is_heimdal_principal || is_heimdal_entry) {
480
481 ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
482 if (ret)
483 goto out;
484
485 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
486 "krb5PrincipalName", tmp);
487 if (ret) {
488 free(tmp);
489 goto out;
490 }
491 free(tmp);
492 }
493
494 if (is_account || is_samba_account) {
495 ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
496 if (ret)
497 goto out;
498 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
499 if (ret) {
500 free(tmp);
501 goto out;
502 }
503 free(tmp);
504 }
505 }
506
507 if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
508 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
509 "krb5KeyVersionNumber",
510 ent->entry.kvno);
511 if (ret)
512 goto out;
513 }
514
515 if (is_heimdal_entry && ent->entry.valid_start) {
516 if (orig.entry.valid_end == NULL
517 || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
518 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
519 "krb5ValidStart",
520 ent->entry.valid_start);
521 if (ret)
522 goto out;
523 }
524 }
525
526 if (ent->entry.valid_end) {
527 if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
528 if (is_heimdal_entry) {
529 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
530 "krb5ValidEnd",
531 ent->entry.valid_end);
532 if (ret)
533 goto out;
534 }
535 if (is_samba_account) {
536 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
537 "sambaKickoffTime",
538 *(ent->entry.valid_end));
539 if (ret)
540 goto out;
541 }
542 }
543 }
544
545 if (ent->entry.pw_end) {
546 if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
547 if (is_heimdal_entry) {
548 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
549 "krb5PasswordEnd",
550 ent->entry.pw_end);
551 if (ret)
552 goto out;
553 }
554
555 if (is_samba_account) {
556 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
557 "sambaPwdMustChange",
558 *(ent->entry.pw_end));
559 if (ret)
560 goto out;
561 }
562 }
563 }
564
565
566 #if 0 /* we we have last_pw_change */
567 if (is_samba_account && ent->entry.last_pw_change) {
568 if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
569 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
570 "sambaPwdLastSet",
571 *(ent->entry.last_pw_change));
572 if (ret)
573 goto out;
574 }
575 }
576 #endif
577
578 if (is_heimdal_entry && ent->entry.max_life) {
579 if (orig.entry.max_life == NULL
580 || (*(ent->entry.max_life) != *(orig.entry.max_life))) {
581
582 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
583 "krb5MaxLife",
584 *(ent->entry.max_life));
585 if (ret)
586 goto out;
587 }
588 }
589
590 if (is_heimdal_entry && ent->entry.max_renew) {
591 if (orig.entry.max_renew == NULL
592 || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
593
594 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
595 "krb5MaxRenew",
596 *(ent->entry.max_renew));
597 if (ret)
598 goto out;
599 }
600 }
601
602 oflags = HDBFlags2int(orig.entry.flags);
603 nflags = HDBFlags2int(ent->entry.flags);
604
605 if (is_heimdal_entry && oflags != nflags) {
606
607 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
608 "krb5KDCFlags",
609 nflags);
610 if (ret)
611 goto out;
612 }
613
614 /* Remove keys if they exists, and then replace keys. */
615 if (!is_new_entry && orig.entry.keys.len > 0) {
616 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
617 if (vals) {
618 ldap_value_free_len(vals);
619
620 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
621 if (ret)
622 goto out;
623 }
624 }
625
626 for (i = 0; i < ent->entry.keys.len; i++) {
627
628 if (is_samba_account
629 && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
630 char *ntHexPassword;
631 char *nt;
632 time_t now = time(NULL);
633
634 /* the key might have been 'sealed', but samba passwords
635 are clear in the directory */
636 ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
637 if (ret)
638 goto out;
639
640 nt = ent->entry.keys.val[i].key.keyvalue.data;
641 /* store in ntPassword, not krb5key */
642 ret = hex_encode(nt, 16, &ntHexPassword);
643 if (ret < 0) {
644 ret = ENOMEM;
645 krb5_set_error_message(context, ret, "hdb-ldap: failed to "
646 "hex encode key");
647 goto out;
648 }
649 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",
650 ntHexPassword);
651 free(ntHexPassword);
652 if (ret)
653 goto out;
654 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
655 "sambaPwdLastSet", now);
656 if (ret)
657 goto out;
658
659 /* have to kill the LM passwod if it exists */
660 vals = ldap_get_values_len(HDB2LDAP(db), msg, "sambaLMPassword");
661 if (vals) {
662 ldap_value_free_len(vals);
663 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
664 "sambaLMPassword", NULL);
665 if (ret)
666 goto out;
667 }
668
669 } else if (is_heimdal_entry) {
670 unsigned char *buf;
671 size_t len, buf_size;
672
673 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
674 if (ret)
675 goto out;
676 if(buf_size != len)
677 krb5_abortx(context, "internal error in ASN.1 encoder");
678
679 /* addmod_len _owns_ the key, doesn't need to copy it */
680 ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
681 if (ret)
682 goto out;
683 }
684 }
685
686 if (ent->entry.etypes) {
687 int add_krb5EncryptionType = 0;
688
689 /*
690 * Only add/modify krb5EncryptionType if it's a new heimdal
691 * entry or krb5EncryptionType already exists on the entry.
692 */
693
694 if (!is_new_entry) {
695 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
696 if (vals) {
697 ldap_value_free_len(vals);
698 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
699 NULL);
700 if (ret)
701 goto out;
702 add_krb5EncryptionType = 1;
703 }
704 } else if (is_heimdal_entry)
705 add_krb5EncryptionType = 1;
706
707 if (add_krb5EncryptionType) {
708 for (i = 0; i < ent->entry.etypes->len; i++) {
709 if (is_samba_account &&
710 ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
711 {
712 ;
713 } else if (is_heimdal_entry) {
714 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
715 "krb5EncryptionType",
716 ent->entry.etypes->val[i]);
717 if (ret)
718 goto out;
719 }
720 }
721 }
722 }
723
724 /* for clarity */
725 ret = 0;
726
727 out:
728
729 if (ret == 0)
730 *pmods = mods;
731 else if (mods != NULL) {
732 ldap_mods_free(mods, 1);
733 *pmods = NULL;
734 }
735
736 if (msg)
737 hdb_free_entry(context, &orig);
738
739 return ret;
740 }
741
742 static krb5_error_code
743 LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
744 krb5_principal * principal)
745 {
746 krb5_error_code ret;
747 int rc;
748 const char *filter = "(objectClass=krb5Principal)";
749 LDAPMessage *res = NULL, *e;
750 char *p;
751
752 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
753 if (ret)
754 goto out;
755
756 rc = ldap_search_ext_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
757 filter, krb5principal_attrs, 0,
758 NULL, NULL, NULL,
759 0, &res);
760 if (check_ldap(context, db, rc)) {
761 ret = HDB_ERR_NOENTRY;
762 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
763 "filter: %s error: %s",
764 filter, ldap_err2string(rc));
765 goto out;
766 }
767
768 e = ldap_first_entry(HDB2LDAP(db), res);
769 if (e == NULL) {
770 ret = HDB_ERR_NOENTRY;
771 goto out;
772 }
773
774 ret = LDAP_get_string_value(db, e, "krb5PrincipalName", &p);
775 if (ret) {
776 ret = HDB_ERR_NOENTRY;
777 goto out;
778 }
779
780 ret = krb5_parse_name(context, p, principal);
781 free(p);
782
783 out:
784 if (res)
785 ldap_msgfree(res);
786
787 return ret;
788 }
789
790 static krb5_error_code
791 LDAP__lookup_princ(krb5_context context,
792 HDB *db,
793 const char *princname,
794 const char *userid,
795 LDAPMessage **msg)
796 {
797 struct berval namebv, quotedp;
798 krb5_error_code ret;
799 int rc;
800 char *filter = NULL;
801
802 ret = LDAP__connect(context, db);
803 if (ret)
804 return ret;
805
806 /*
807 * Quote searches that contain filter language, this quote
808 * searches for *@REALM, which takes very long time.
809 */
810
811 ber_str2bv(princname, 0, 0, &namebv);
812 if (ldap_bv2escaped_filter_value(&namebv, &quotedp) != 0) {
813 ret = ENOMEM;
814 krb5_set_error_message(context, ret, "malloc: out of memory");
815 goto out;
816 }
817 rc = asprintf(&filter,
818 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
819 quotedp.bv_val);
820 ber_memfree(quotedp.bv_val);
821
822 if (rc < 0) {
823 ret = ENOMEM;
824 krb5_set_error_message(context, ret, "malloc: out of memory");
825 goto out;
826 }
827
828 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
829 if (ret)
830 goto out;
831
832 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db),
833 LDAP_SCOPE_SUBTREE, filter,
834 krb5kdcentry_attrs, 0,
835 NULL, NULL, NULL,
836 0, msg);
837 if (check_ldap(context, db, rc)) {
838 ret = HDB_ERR_NOENTRY;
839 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
840 "filter: %s - error: %s",
841 filter, ldap_err2string(rc));
842 goto out;
843 }
844
845 if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
846 free(filter);
847 filter = NULL;
848 ldap_msgfree(*msg);
849 *msg = NULL;
850
851 ber_str2bv(userid, 0, 0, &namebv);
852 if (ldap_bv2escaped_filter_value(&namebv, &quotedp) != 0) {
853 ret = ENOMEM;
854 krb5_set_error_message(context, ret, "malloc: out of memory");
855 goto out;
856 }
857
858 rc = asprintf(&filter,
859 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
860 structural_object, quotedp.bv_val);
861 ber_memfree(quotedp.bv_val);
862 if (rc < 0) {
863 ret = ENOMEM;
864 krb5_set_error_message(context, ret, "asprintf: out of memory");
865 goto out;
866 }
867
868 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
869 if (ret)
870 goto out;
871
872 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,
873 filter, krb5kdcentry_attrs, 0,
874 NULL, NULL, NULL,
875 0, msg);
876 if (check_ldap(context, db, rc)) {
877 ret = HDB_ERR_NOENTRY;
878 krb5_set_error_message(context, ret,
879 "ldap_search_ext_s: filter: %s error: %s",
880 filter, ldap_err2string(rc));
881 goto out;
882 }
883 }
884
885 ret = 0;
886
887 out:
888 if (filter)
889 free(filter);
890
891 return ret;
892 }
893
894 static krb5_error_code
895 LDAP_principal2message(krb5_context context, HDB * db,
896 krb5_const_principal princ, LDAPMessage ** msg)
897 {
898 char *name, *name_short = NULL;
899 krb5_error_code ret;
900 krb5_realm *r, *r0;
901
902 *msg = NULL;
903
904 ret = krb5_unparse_name(context, princ, &name);
905 if (ret)
906 return ret;
907
908 ret = krb5_get_default_realms(context, &r0);
909 if(ret) {
910 free(name);
911 return ret;
912 }
913 for (r = r0; *r != NULL; r++) {
914 if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
915 ret = krb5_unparse_name_short(context, princ, &name_short);
916 if (ret) {
917 krb5_free_host_realm(context, r0);
918 free(name);
919 return ret;
920 }
921 break;
922 }
923 }
924 krb5_free_host_realm(context, r0);
925
926 ret = LDAP__lookup_princ(context, db, name, name_short, msg);
927 free(name);
928 free(name_short);
929
930 return ret;
931 }
932
933 /*
934 * Construct an hdb_entry from a directory entry.
935 */
936 static krb5_error_code
937 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
938 hdb_entry_ex * ent)
939 {
940 char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
941 char *samba_acct_flags = NULL;
942 struct berval **keys;
943 struct berval **vals;
944 int tmp, tmp_time, i, ret, have_arcfour = 0;
945
946 memset(ent, 0, sizeof(*ent));
947 ent->entry.flags = int2HDBFlags(0);
948
949 ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
950 if (ret == 0) {
951 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
952 if (ret)
953 goto out;
954 } else {
955 ret = LDAP_get_string_value(db, msg, "uid",
956 &unparsed_name);
957 if (ret == 0) {
958 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
959 if (ret)
960 goto out;
961 } else {
962 krb5_set_error_message(context, HDB_ERR_NOENTRY,
963 "hdb-ldap: ldap entry missing"
964 "principal name");
965 return HDB_ERR_NOENTRY;
966 }
967 }
968
969 {
970 int integer;
971 ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
972 &integer);
973 if (ret)
974 ent->entry.kvno = 0;
975 else
976 ent->entry.kvno = integer;
977 }
978
979 keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
980 if (keys != NULL) {
981 int i;
982 size_t l;
983
984 ent->entry.keys.len = ldap_count_values_len(keys);
985 ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
986 if (ent->entry.keys.val == NULL) {
987 ret = ENOMEM;
988 krb5_set_error_message(context, ret, "calloc: out of memory");
989 goto out;
990 }
991 for (i = 0; i < ent->entry.keys.len; i++) {
992 decode_Key((unsigned char *) keys[i]->bv_val,
993 (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
994 }
995 ber_bvecfree(keys);
996 } else {
997 #if 1
998 /*
999 * This violates the ASN1 but it allows a principal to
1000 * be related to a general directory entry without creating
1001 * the keys. Hopefully it's OK.
1002 */
1003 ent->entry.keys.len = 0;
1004 ent->entry.keys.val = NULL;
1005 #else
1006 ret = HDB_ERR_NOENTRY;
1007 goto out;
1008 #endif
1009 }
1010
1011 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
1012 if (vals != NULL) {
1013 int i;
1014
1015 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1016 if (ent->entry.etypes == NULL) {
1017 ret = ENOMEM;
1018 krb5_set_error_message(context, ret,"malloc: out of memory");
1019 goto out;
1020 }
1021 ent->entry.etypes->len = ldap_count_values_len(vals);
1022 ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));
1023 if (ent->entry.etypes->val == NULL) {
1024 ret = ENOMEM;
1025 krb5_set_error_message(context, ret, "malloc: out of memory");
1026 ent->entry.etypes->len = 0;
1027 goto out;
1028 }
1029 for (i = 0; i < ent->entry.etypes->len; i++) {
1030 char *buf;
1031
1032 buf = malloc(vals[i]->bv_len + 1);
1033 if (buf == NULL) {
1034 ret = ENOMEM;
1035 krb5_set_error_message(context, ret, "malloc: out of memory");
1036 goto out;
1037 }
1038 memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
1039 buf[vals[i]->bv_len] = '\0';
1040 ent->entry.etypes->val[i] = atoi(buf);
1041 free(buf);
1042 }
1043 ldap_value_free_len(vals);
1044 }
1045
1046 for (i = 0; i < ent->entry.keys.len; i++) {
1047 if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
1048 have_arcfour = 1;
1049 break;
1050 }
1051 }
1052
1053 /* manually construct the NT (type 23) key */
1054 ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
1055 if (ret == 0 && have_arcfour == 0) {
1056 unsigned *etypes;
1057 Key *keys;
1058 int i;
1059
1060 keys = realloc(ent->entry.keys.val,
1061 (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));
1062 if (keys == NULL) {
1063 free(ntPasswordIN);
1064 ret = ENOMEM;
1065 krb5_set_error_message(context, ret, "malloc: out of memory");
1066 goto out;
1067 }
1068 ent->entry.keys.val = keys;
1069 memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
1070 ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
1071 ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
1072 if (ret) {
1073 krb5_set_error_message(context, ret, "malloc: out of memory");
1074 free(ntPasswordIN);
1075 ret = ENOMEM;
1076 goto out;
1077 }
1078 ret = hex_decode(ntPasswordIN,
1079 ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
1080 ent->entry.keys.len++;
1081
1082 if (ent->entry.etypes == NULL) {
1083 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1084 if (ent->entry.etypes == NULL) {
1085 ret = ENOMEM;
1086 krb5_set_error_message(context, ret, "malloc: out of memory");
1087 goto out;
1088 }
1089 ent->entry.etypes->val = NULL;
1090 ent->entry.etypes->len = 0;
1091 }
1092
1093 for (i = 0; i < ent->entry.etypes->len; i++)
1094 if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
1095 break;
1096 /* If there is no ARCFOUR enctype, add one */
1097 if (i == ent->entry.etypes->len) {
1098 etypes = realloc(ent->entry.etypes->val,
1099 (ent->entry.etypes->len + 1) *
1100 sizeof(ent->entry.etypes->val[0]));
1101 if (etypes == NULL) {
1102 ret = ENOMEM;
1103 krb5_set_error_message(context, ret, "malloc: out of memory");
1104 goto out;
1105 }
1106 ent->entry.etypes->val = etypes;
1107 ent->entry.etypes->val[ent->entry.etypes->len] =
1108 ETYPE_ARCFOUR_HMAC_MD5;
1109 ent->entry.etypes->len++;
1110 }
1111 }
1112
1113 ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
1114 &ent->entry.created_by.time);
1115 if (ret)
1116 ent->entry.created_by.time = time(NULL);
1117
1118 ent->entry.created_by.principal = NULL;
1119
1120 ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
1121 if (ret == 0) {
1122 if (LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal)
1123 != 0) {
1124 ent->entry.created_by.principal = NULL;
1125 }
1126 free(dn);
1127 }
1128
1129 ent->entry.modified_by = (Event *) malloc(sizeof(Event));
1130 if (ent->entry.modified_by == NULL) {
1131 ret = ENOMEM;
1132 krb5_set_error_message(context, ret, "malloc: out of memory");
1133 goto out;
1134 }
1135 ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
1136 &ent->entry.modified_by->time);
1137 if (ret == 0) {
1138 ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
1139 if (LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal))
1140 ent->entry.modified_by->principal = NULL;
1141 free(dn);
1142 } else {
1143 free(ent->entry.modified_by);
1144 ent->entry.modified_by = NULL;
1145 }
1146
1147 ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
1148 if (ent->entry.valid_start == NULL) {
1149 ret = ENOMEM;
1150 krb5_set_error_message(context, ret, "malloc: out of memory");
1151 goto out;
1152 }
1153 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
1154 ent->entry.valid_start);
1155 if (ret) {
1156 /* OPTIONAL */
1157 free(ent->entry.valid_start);
1158 ent->entry.valid_start = NULL;
1159 }
1160
1161 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1162 if (ent->entry.valid_end == NULL) {
1163 ret = ENOMEM;
1164 krb5_set_error_message(context, ret, "malloc: out of memory");
1165 goto out;
1166 }
1167 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
1168 ent->entry.valid_end);
1169 if (ret) {
1170 /* OPTIONAL */
1171 free(ent->entry.valid_end);
1172 ent->entry.valid_end = NULL;
1173 }
1174
1175 ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
1176 if (ret == 0) {
1177 if (ent->entry.valid_end == NULL) {
1178 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1179 if (ent->entry.valid_end == NULL) {
1180 ret = ENOMEM;
1181 krb5_set_error_message(context, ret, "malloc: out of memory");
1182 goto out;
1183 }
1184 }
1185 *ent->entry.valid_end = tmp_time;
1186 }
1187
1188 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1189 if (ent->entry.pw_end == NULL) {
1190 ret = ENOMEM;
1191 krb5_set_error_message(context, ret, "malloc: out of memory");
1192 goto out;
1193 }
1194 ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
1195 ent->entry.pw_end);
1196 if (ret) {
1197 /* OPTIONAL */
1198 free(ent->entry.pw_end);
1199 ent->entry.pw_end = NULL;
1200 }
1201
1202 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1203 if (ret == 0) {
1204 time_t delta;
1205
1206 if (ent->entry.pw_end == NULL) {
1207 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1208 if (ent->entry.pw_end == NULL) {
1209 ret = ENOMEM;
1210 krb5_set_error_message(context, ret, "malloc: out of memory");
1211 goto out;
1212 }
1213 }
1214
1215 delta = krb5_config_get_time_default(context, NULL,
1216 365 * 24 * 60 * 60,
1217 "kadmin",
1218 "password_lifetime",
1219 NULL);
1220 *ent->entry.pw_end = tmp_time + delta;
1221 }
1222
1223 ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
1224 if (ret == 0) {
1225 if (ent->entry.pw_end == NULL) {
1226 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1227 if (ent->entry.pw_end == NULL) {
1228 ret = ENOMEM;
1229 krb5_set_error_message(context, ret, "malloc: out of memory");
1230 goto out;
1231 }
1232 }
1233 *ent->entry.pw_end = tmp_time;
1234 }
1235
1236 /* OPTIONAL */
1237 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1238 if (ret == 0)
1239 hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
1240
1241 {
1242 int max_life;
1243
1244 ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
1245 if (ent->entry.max_life == NULL) {
1246 ret = ENOMEM;
1247 krb5_set_error_message(context, ret, "malloc: out of memory");
1248 goto out;
1249 }
1250 ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
1251 if (ret) {
1252 free(ent->entry.max_life);
1253 ent->entry.max_life = NULL;
1254 } else
1255 *ent->entry.max_life = max_life;
1256 }
1257
1258 {
1259 int max_renew;
1260
1261 ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
1262 if (ent->entry.max_renew == NULL) {
1263 ret = ENOMEM;
1264 krb5_set_error_message(context, ret, "malloc: out of memory");
1265 goto out;
1266 }
1267 ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
1268 if (ret) {
1269 free(ent->entry.max_renew);
1270 ent->entry.max_renew = NULL;
1271 } else
1272 *ent->entry.max_renew = max_renew;
1273 }
1274
1275 ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
1276 if (ret)
1277 tmp = 0;
1278
1279 ent->entry.flags = int2HDBFlags(tmp);
1280
1281 /* Try and find Samba flags to put into the mix */
1282 ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
1283 if (ret == 0) {
1284 /* parse the [UXW...] string:
1285
1286 'N' No password
1287 'D' Disabled
1288 'H' Homedir required
1289 'T' Temp account.
1290 'U' User account (normal)
1291 'M' MNS logon user account - what is this ?
1292 'W' Workstation account
1293 'S' Server account
1294 'L' Locked account
1295 'X' No Xpiry on password
1296 'I' Interdomain trust account
1297
1298 */
1299
1300 int i;
1301 int flags_len = strlen(samba_acct_flags);
1302
1303 if (flags_len < 2)
1304 goto out2;
1305
1306 if (samba_acct_flags[0] != '['
1307 || samba_acct_flags[flags_len - 1] != ']')
1308 goto out2;
1309
1310 /* Allow forwarding */
1311 if (samba_forwardable)
1312 ent->entry.flags.forwardable = TRUE;
1313
1314 for (i=0; i < flags_len; i++) {
1315 switch (samba_acct_flags[i]) {
1316 case ' ':
1317 case '[':
1318 case ']':
1319 break;
1320 case 'N':
1321 /* how to handle no password in kerberos? */
1322 break;
1323 case 'D':
1324 ent->entry.flags.invalid = TRUE;
1325 break;
1326 case 'H':
1327 break;
1328 case 'T':
1329 /* temp duplicate */
1330 ent->entry.flags.invalid = TRUE;
1331 break;
1332 case 'U':
1333 ent->entry.flags.client = TRUE;
1334 break;
1335 case 'M':
1336 break;
1337 case 'W':
1338 case 'S':
1339 ent->entry.flags.server = TRUE;
1340 ent->entry.flags.client = TRUE;
1341 break;
1342 case 'L':
1343 ent->entry.flags.invalid = TRUE;
1344 break;
1345 case 'X':
1346 if (ent->entry.pw_end) {
1347 free(ent->entry.pw_end);
1348 ent->entry.pw_end = NULL;
1349 }
1350 break;
1351 case 'I':
1352 ent->entry.flags.server = TRUE;
1353 ent->entry.flags.client = TRUE;
1354 break;
1355 }
1356 }
1357 out2:
1358 free(samba_acct_flags);
1359 }
1360
1361 ret = 0;
1362
1363 out:
1364 if (unparsed_name)
1365 free(unparsed_name);
1366
1367 if (ret)
1368 hdb_free_entry(context, ent);
1369
1370 return ret;
1371 }
1372
1373 static krb5_error_code
1374 LDAP_close(krb5_context context, HDB * db)
1375 {
1376 if (HDB2LDAP(db)) {
1377 ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
1378 ((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
1379 }
1380
1381 return 0;
1382 }
1383
1384 static krb5_error_code
1385 LDAP_lock(krb5_context context, HDB * db, int operation)
1386 {
1387 return 0;
1388 }
1389
1390 static krb5_error_code
1391 LDAP_unlock(krb5_context context, HDB * db)
1392 {
1393 return 0;
1394 }
1395
1396 static krb5_error_code
1397 LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
1398 {
1399 int msgid, rc, parserc;
1400 krb5_error_code ret;
1401 LDAPMessage *e;
1402
1403 msgid = HDB2MSGID(db);
1404 if (msgid < 0)
1405 return HDB_ERR_NOENTRY;
1406
1407 do {
1408 rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
1409 switch (rc) {
1410 case LDAP_RES_SEARCH_REFERENCE:
1411 ldap_msgfree(e);
1412 ret = 0;
1413 break;
1414 case LDAP_RES_SEARCH_ENTRY:
1415 /* We have an entry. Parse it. */
1416 ret = LDAP_message2entry(context, db, e, entry);
1417 ldap_msgfree(e);
1418 break;
1419 case LDAP_RES_SEARCH_RESULT:
1420 /* We're probably at the end of the results. If not, abandon. */
1421 parserc =
1422 ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
1423 NULL, NULL, 1);
1424 ret = HDB_ERR_NOENTRY;
1425 if (parserc != LDAP_SUCCESS
1426 && parserc != LDAP_MORE_RESULTS_TO_RETURN) {
1427 krb5_set_error_message(context, ret, "ldap_parse_result: %s",
1428 ldap_err2string(parserc));
1429 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1430 }
1431 HDBSETMSGID(db, -1);
1432 break;
1433 case LDAP_SERVER_DOWN:
1434 ldap_msgfree(e);
1435 LDAP_close(context, db);
1436 HDBSETMSGID(db, -1);
1437 ret = ENETDOWN;
1438 break;
1439 default:
1440 /* Some unspecified error (timeout?). Abandon. */
1441 ldap_msgfree(e);
1442 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1443 ret = HDB_ERR_NOENTRY;
1444 HDBSETMSGID(db, -1);
1445 break;
1446 }
1447 } while (rc == LDAP_RES_SEARCH_REFERENCE);
1448
1449 if (ret == 0) {
1450 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1451 ret = hdb_unseal_keys(context, db, &entry->entry);
1452 if (ret)
1453 hdb_free_entry(context, entry);
1454 }
1455 }
1456
1457 return ret;
1458 }
1459
1460 static krb5_error_code
1461 LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
1462 hdb_entry_ex *entry)
1463 {
1464 krb5_error_code ret;
1465 int msgid;
1466
1467 ret = LDAP__connect(context, db);
1468 if (ret)
1469 return ret;
1470
1471 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
1472 if (ret)
1473 return ret;
1474
1475 ret = ldap_search_ext(HDB2LDAP(db), HDB2BASE(db),
1476 LDAP_SCOPE_SUBTREE,
1477 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1478 krb5kdcentry_attrs, 0,
1479 NULL, NULL, NULL, 0, &msgid);
1480 if (msgid < 0)
1481 return HDB_ERR_NOENTRY;
1482
1483 HDBSETMSGID(db, msgid);
1484
1485 return LDAP_seq(context, db, flags, entry);
1486 }
1487
1488 static krb5_error_code
1489 LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
1490 hdb_entry_ex * entry)
1491 {
1492 return LDAP_seq(context, db, flags, entry);
1493 }
1494
1495 static krb5_error_code
1496 LDAP__connect(krb5_context context, HDB * db)
1497 {
1498 int rc, version = LDAP_VERSION3;
1499 /*
1500 * Empty credentials to do a SASL bind with LDAP. Note that empty
1501 * different from NULL credentials. If you provide NULL
1502 * credentials instead of empty credentials you will get a SASL
1503 * bind in progress message.
1504 */
1505 struct berval bv = { 0, "" };
1506
1507 if (HDB2LDAP(db)) {
1508 /* connection has been opened. ping server. */
1509 struct sockaddr_un addr;
1510 socklen_t len = sizeof(addr);
1511 int sd;
1512
1513 if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
1514 getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
1515 /* the other end has died. reopen. */
1516 LDAP_close(context, db);
1517 }
1518 }
1519
1520 if (HDB2LDAP(db) != NULL) /* server is UP */
1521 return 0;
1522
1523 rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));
1524 if (rc != LDAP_SUCCESS) {
1525 krb5_set_error_message(context, HDB_ERR_NOENTRY, "ldap_initialize: %s",
1526 ldap_err2string(rc));
1527 return HDB_ERR_NOENTRY;
1528 }
1529
1530 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
1531 (const void *)&version);
1532 if (rc != LDAP_SUCCESS) {
1533 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1534 "ldap_set_option: %s", ldap_err2string(rc));
1535 LDAP_close(context, db);
1536 return HDB_ERR_BADVERSION;
1537 }
1538
1539 rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
1540 NULL, NULL, NULL);
1541 if (rc != LDAP_SUCCESS) {
1542 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1543 "ldap_sasl_bind_s: %s", ldap_err2string(rc));
1544 LDAP_close(context, db);
1545 return HDB_ERR_BADVERSION;
1546 }
1547
1548 return 0;
1549 }
1550
1551 static krb5_error_code
1552 LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
1553 {
1554 /* Not the right place for this. */
1555 #ifdef HAVE_SIGACTION
1556 struct sigaction sa;
1557
1558 sa.sa_flags = 0;
1559 sa.sa_handler = SIG_IGN;
1560 sigemptyset(&sa.sa_mask);
1561
1562 sigaction(SIGPIPE, &sa, NULL);
1563 #else
1564 signal(SIGPIPE, SIG_IGN);
1565 #endif /* HAVE_SIGACTION */
1566
1567 return LDAP__connect(context, db);
1568 }
1569
1570 static krb5_error_code
1571 LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
1572 unsigned flags, hdb_entry_ex * entry)
1573 {
1574 LDAPMessage *msg, *e;
1575 krb5_error_code ret;
1576
1577 ret = LDAP_principal2message(context, db, principal, &msg);
1578 if (ret)
1579 return ret;
1580
1581 e = ldap_first_entry(HDB2LDAP(db), msg);
1582 if (e == NULL) {
1583 ret = HDB_ERR_NOENTRY;
1584 goto out;
1585 }
1586
1587 ret = LDAP_message2entry(context, db, e, entry);
1588 if (ret == 0) {
1589 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1590 ret = hdb_unseal_keys(context, db, &entry->entry);
1591 if (ret)
1592 hdb_free_entry(context, entry);
1593 }
1594 }
1595
1596 out:
1597 ldap_msgfree(msg);
1598
1599 return ret;
1600 }
1601
1602 static krb5_error_code
1603 LDAP_store(krb5_context context, HDB * db, unsigned flags,
1604 hdb_entry_ex * entry)
1605 {
1606 LDAPMod **mods = NULL;
1607 krb5_error_code ret;
1608 const char *errfn;
1609 int rc;
1610 LDAPMessage *msg = NULL, *e = NULL;
1611 char *dn = NULL, *name = NULL;
1612
1613 ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
1614 if (ret == 0)
1615 e = ldap_first_entry(HDB2LDAP(db), msg);
1616
1617 ret = krb5_unparse_name(context, entry->entry.principal, &name);
1618 if (ret) {
1619 free(name);
1620 return ret;
1621 }
1622
1623 ret = hdb_seal_keys(context, db, &entry->entry);
1624 if (ret)
1625 goto out;
1626
1627 /* turn new entry into LDAPMod array */
1628 ret = LDAP_entry2mods(context, db, entry, e, &mods);
1629 if (ret)
1630 goto out;
1631
1632 if (e == NULL) {
1633 ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
1634 if (ret < 0) {
1635 ret = ENOMEM;
1636 krb5_set_error_message(context, ret, "asprintf: out of memory");
1637 goto out;
1638 }
1639 } else if (flags & HDB_F_REPLACE) {
1640 /* Entry exists, and we're allowed to replace it. */
1641 dn = ldap_get_dn(HDB2LDAP(db), e);
1642 } else {
1643 /* Entry exists, but we're not allowed to replace it. Bail. */
1644 ret = HDB_ERR_EXISTS;
1645 goto out;
1646 }
1647
1648 /* write entry into directory */
1649 if (e == NULL) {
1650 /* didn't exist before */
1651 rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1652 errfn = "ldap_add_ext_s";
1653 } else {
1654 /* already existed, send deltas only */
1655 rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1656 errfn = "ldap_modify_ext_s";
1657 }
1658
1659 if (check_ldap(context, db, rc)) {
1660 char *ld_error = NULL;
1661 ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
1662 &ld_error);
1663 ret = HDB_ERR_CANT_LOCK_DB;
1664 krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",
1665 errfn, name, dn, ldap_err2string(rc), ld_error);
1666 } else
1667 ret = 0;
1668
1669 out:
1670 /* free stuff */
1671 if (dn)
1672 free(dn);
1673 if (msg)
1674 ldap_msgfree(msg);
1675 if (mods)
1676 ldap_mods_free(mods, 1);
1677 if (name)
1678 free(name);
1679
1680 return ret;
1681 }
1682
1683 static krb5_error_code
1684 LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)
1685 {
1686 krb5_error_code ret;
1687 LDAPMessage *msg, *e;
1688 char *dn = NULL;
1689 int rc, limit = LDAP_NO_LIMIT;
1690
1691 ret = LDAP_principal2message(context, db, principal, &msg);
1692 if (ret)
1693 goto out;
1694
1695 e = ldap_first_entry(HDB2LDAP(db), msg);
1696 if (e == NULL) {
1697 ret = HDB_ERR_NOENTRY;
1698 goto out;
1699 }
1700
1701 dn = ldap_get_dn(HDB2LDAP(db), e);
1702 if (dn == NULL) {
1703 ret = HDB_ERR_NOENTRY;
1704 goto out;
1705 }
1706
1707 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
1708 if (rc != LDAP_SUCCESS) {
1709 ret = HDB_ERR_BADVERSION;
1710 krb5_set_error_message(context, ret, "ldap_set_option: %s",
1711 ldap_err2string(rc));
1712 goto out;
1713 }
1714
1715 rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL );
1716 if (check_ldap(context, db, rc)) {
1717 ret = HDB_ERR_CANT_LOCK_DB;
1718 krb5_set_error_message(context, ret, "ldap_delete_ext_s: %s",
1719 ldap_err2string(rc));
1720 } else
1721 ret = 0;
1722
1723 out:
1724 if (dn != NULL)
1725 free(dn);
1726 if (msg != NULL)
1727 ldap_msgfree(msg);
1728
1729 return ret;
1730 }
1731
1732 static krb5_error_code
1733 LDAP_destroy(krb5_context context, HDB * db)
1734 {
1735 krb5_error_code ret;
1736
1737 LDAP_close(context, db);
1738
1739 ret = hdb_clear_master_key(context, db);
1740 if (HDB2BASE(db))
1741 free(HDB2BASE(db));
1742 if (HDB2CREATE(db))
1743 free(HDB2CREATE(db));
1744 if (HDB2URL(db))
1745 free(HDB2URL(db));
1746 if (db->hdb_name)
1747 free(db->hdb_name);
1748 free(db->hdb_db);
1749 free(db);
1750
1751 return ret;
1752 }
1753
1754 static krb5_error_code
1755 hdb_ldap_common(krb5_context context,
1756 HDB ** db,
1757 const char *search_base,
1758 const char *url)
1759 {
1760 struct hdbldapdb *h;
1761 const char *create_base = NULL;
1762
1763 if (search_base == NULL && search_base[0] == '\0') {
1764 krb5_set_error_message(context, ENOMEM, "ldap search base not configured");
1765 return ENOMEM; /* XXX */
1766 }
1767
1768 if (structural_object == NULL) {
1769 const char *p;
1770
1771 p = krb5_config_get_string(context, NULL, "kdc",
1772 "hdb-ldap-structural-object", NULL);
1773 if (p == NULL)
1774 p = default_structural_object;
1775 structural_object = strdup(p);
1776 if (structural_object == NULL) {
1777 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1778 return ENOMEM;
1779 }
1780 }
1781
1782 samba_forwardable =
1783 krb5_config_get_bool_default(context, NULL, TRUE,
1784 "kdc", "hdb-samba-forwardable", NULL);
1785
1786 *db = calloc(1, sizeof(**db));
1787 if (*db == NULL) {
1788 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1789 return ENOMEM;
1790 }
1791 memset(*db, 0, sizeof(**db));
1792
1793 h = calloc(1, sizeof(*h));
1794 if (h == NULL) {
1795 free(*db);
1796 *db = NULL;
1797 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1798 return ENOMEM;
1799 }
1800 (*db)->hdb_db = h;
1801
1802 /* XXX */
1803 if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {
1804 LDAP_destroy(context, *db);
1805 *db = NULL;
1806 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1807 return ENOMEM;
1808 }
1809
1810 h->h_url = strdup(url);
1811 h->h_base = strdup(search_base);
1812 if (h->h_url == NULL || h->h_base == NULL) {
1813 LDAP_destroy(context, *db);
1814 *db = NULL;
1815 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1816 return ENOMEM;
1817 }
1818
1819 create_base = krb5_config_get_string(context, NULL, "kdc",
1820 "hdb-ldap-create-base", NULL);
1821 if (create_base == NULL)
1822 create_base = h->h_base;
1823
1824 h->h_createbase = strdup(create_base);
1825 if (h->h_createbase == NULL) {
1826 LDAP_destroy(context, *db);
1827 *db = NULL;
1828 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1829 return ENOMEM;
1830 }
1831
1832 (*db)->hdb_master_key_set = 0;
1833 (*db)->hdb_openp = 0;
1834 (*db)->hdb_capability_flags = 0;
1835 (*db)->hdb_open = LDAP_open;
1836 (*db)->hdb_close = LDAP_close;
1837 (*db)->hdb_fetch = LDAP_fetch;
1838 (*db)->hdb_store = LDAP_store;
1839 (*db)->hdb_remove = LDAP_remove;
1840 (*db)->hdb_firstkey = LDAP_firstkey;
1841 (*db)->hdb_nextkey = LDAP_nextkey;
1842 (*db)->hdb_lock = LDAP_lock;
1843 (*db)->hdb_unlock = LDAP_unlock;
1844 (*db)->hdb_rename = NULL;
1845 (*db)->hdb__get = NULL;
1846 (*db)->hdb__put = NULL;
1847 (*db)->hdb__del = NULL;
1848 (*db)->hdb_destroy = LDAP_destroy;
1849
1850 return 0;
1851 }
1852
1853 krb5_error_code
1854 hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
1855 {
1856 return hdb_ldap_common(context, db, arg, "ldapi:///");
1857 }
1858
1859 krb5_error_code
1860 hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)
1861 {
1862 krb5_error_code ret;
1863 char *search_base, *p;
1864
1865 asprintf(&p, "ldapi:%s", arg);
1866 if (p == NULL) {
1867 *db = NULL;
1868 krb5_set_error_message(context, ENOMEM, "out of memory");
1869 return ENOMEM;
1870 }
1871 search_base = strchr(p + strlen("ldapi://"), ':');
1872 if (search_base == NULL) {
1873 *db = NULL;
1874 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1875 "search base missing");
1876 return HDB_ERR_BADVERSION;
1877 }
1878 *search_base = '\0';
1879 search_base++;
1880
1881 ret = hdb_ldap_common(context, db, search_base, p);
1882 free(p);
1883 return ret;
1884 }
1885
1886 #ifdef OPENLDAP_MODULE
1887
1888 struct hdb_so_method hdb_ldap_interface = {
1889 HDB_INTERFACE_VERSION,
1890 "ldap",
1891 hdb_ldap_create
1892 };
1893
1894 struct hdb_so_method hdb_ldapi_interface = {
1895 HDB_INTERFACE_VERSION,
1896 "ldapi",
1897 hdb_ldapi_create
1898 };
1899
1900 #endif
1901
1902 #endif /* OPENLDAP */
Heimdal