2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
46 static krb5_error_code
LDAP__connect(krb5_context context
, HDB
*);
47 static krb5_error_code
LDAP_close(krb5_context context
, HDB
*);
49 static krb5_error_code
50 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
53 static const char *default_structural_object
= "account";
54 static char *structural_object
;
55 static krb5_boolean samba_forwardable
;
65 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
66 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
67 #define HDBSETMSGID(db,msgid) \
68 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
69 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
70 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
71 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
77 static char * krb5kdcentry_attrs
[] = {
84 "krb5KeyVersionNumber",
104 static char *krb5principal_attrs
[] = {
109 "krb5PrincipalRealm",
118 LDAP_no_size_limit(krb5_context context
, LDAP
*lp
)
120 int ret
, limit
= LDAP_NO_LIMIT
;
122 ret
= ldap_set_option(lp
, LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
123 if (ret
!= LDAP_SUCCESS
) {
124 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
125 "ldap_set_option: %s",
126 ldap_err2string(ret
));
127 return HDB_ERR_BADVERSION
;
133 check_ldap(krb5_context context
, HDB
*db
, int ret
)
138 case LDAP_SERVER_DOWN
:
139 LDAP_close(context
, db
);
146 static krb5_error_code
147 LDAP__setmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
152 if (*modlist
== NULL
) {
153 *modlist
= (LDAPMod
**)ber_memcalloc(1, sizeof(LDAPMod
*));
154 if (*modlist
== NULL
)
158 for (cMods
= 0; (*modlist
)[cMods
] != NULL
; cMods
++) {
159 if ((*modlist
)[cMods
]->mod_op
== modop
&&
160 strcasecmp((*modlist
)[cMods
]->mod_type
, attribute
) == 0) {
167 if ((*modlist
)[cMods
] == NULL
) {
170 *modlist
= (LDAPMod
**)ber_memrealloc(*modlist
,
171 (cMods
+ 2) * sizeof(LDAPMod
*));
172 if (*modlist
== NULL
)
175 (*modlist
)[cMods
] = (LDAPMod
*)ber_memalloc(sizeof(LDAPMod
));
176 if ((*modlist
)[cMods
] == NULL
)
179 mod
= (*modlist
)[cMods
];
181 mod
->mod_type
= ber_strdup(attribute
);
182 if (mod
->mod_type
== NULL
) {
184 (*modlist
)[cMods
] = NULL
;
188 if (modop
& LDAP_MOD_BVALUES
) {
189 mod
->mod_bvalues
= NULL
;
191 mod
->mod_values
= NULL
;
194 (*modlist
)[cMods
+ 1] = NULL
;
200 static krb5_error_code
201 LDAP_addmod_len(LDAPMod
*** modlist
, int modop
, const char *attribute
,
202 unsigned char *value
, size_t len
)
207 ret
= LDAP__setmod(modlist
, modop
| LDAP_MOD_BVALUES
, attribute
, &cMods
);
214 bv
= (*modlist
)[cMods
]->mod_bvalues
;
216 for (i
= 0; bv
[i
] != NULL
; i
++)
218 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
220 bv
= ber_memalloc(2 * sizeof(*bv
));
224 (*modlist
)[cMods
]->mod_bvalues
= bv
;
226 bv
[i
] = ber_memalloc(sizeof(**bv
));;
230 bv
[i
]->bv_val
= (void *)value
;
239 static krb5_error_code
240 LDAP_addmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
246 ret
= LDAP__setmod(modlist
, modop
, attribute
, &cMods
);
253 bv
= (*modlist
)[cMods
]->mod_values
;
255 for (i
= 0; bv
[i
] != NULL
; i
++)
257 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
259 bv
= ber_memalloc(2 * sizeof(*bv
));
263 (*modlist
)[cMods
]->mod_values
= bv
;
265 bv
[i
] = ber_strdup(value
);
275 static krb5_error_code
276 LDAP_addmod_generalized_time(LDAPMod
*** mods
, int modop
,
277 const char *attribute
, KerberosTime
* time
)
282 /* XXX not threadsafe */
284 strftime(buf
, sizeof(buf
), "%Y%m%d%H%M%SZ", tm
);
286 return LDAP_addmod(mods
, modop
, attribute
, buf
);
289 static krb5_error_code
290 LDAP_addmod_integer(krb5_context context
,
291 LDAPMod
*** mods
, int modop
,
292 const char *attribute
, unsigned long l
)
297 ret
= asprintf(&buf
, "%ld", l
);
299 krb5_set_error_message(context
, ENOMEM
,
300 "asprintf: out of memory:");
303 ret
= LDAP_addmod(mods
, modop
, attribute
, buf
);
308 static krb5_error_code
309 LDAP_get_string_value(HDB
* db
, LDAPMessage
* entry
,
310 const char *attribute
, char **ptr
)
312 struct berval
**vals
;
314 vals
= ldap_get_values_len(HDB2LDAP(db
), entry
, attribute
);
315 if (vals
== NULL
|| vals
[0] == NULL
) {
317 return HDB_ERR_NOENTRY
;
320 *ptr
= malloc(vals
[0]->bv_len
+ 1);
322 ldap_value_free_len(vals
);
326 memcpy(*ptr
, vals
[0]->bv_val
, vals
[0]->bv_len
);
327 (*ptr
)[vals
[0]->bv_len
] = 0;
329 ldap_value_free_len(vals
);
334 static krb5_error_code
335 LDAP_get_integer_value(HDB
* db
, LDAPMessage
* entry
,
336 const char *attribute
, int *ptr
)
341 ret
= LDAP_get_string_value(db
, entry
, attribute
, &val
);
349 static krb5_error_code
350 LDAP_get_generalized_time_value(HDB
* db
, LDAPMessage
* entry
,
351 const char *attribute
, KerberosTime
* kt
)
359 ret
= LDAP_get_string_value(db
, entry
, attribute
, &gentime
);
363 tmp
= strptime(gentime
, "%Y%m%d%H%M%SZ", &tm
);
366 return HDB_ERR_NOENTRY
;
377 bervalstrcmp(struct berval
*v
, const char *str
)
379 size_t len
= strlen(str
);
380 return (v
->bv_len
== len
) && strncasecmp(str
, (char *)v
->bv_val
, len
) == 0;
384 static krb5_error_code
385 LDAP_entry2mods(krb5_context context
, HDB
* db
, hdb_entry_ex
* ent
,
386 LDAPMessage
* msg
, LDAPMod
*** pmods
)
389 krb5_boolean is_new_entry
;
391 LDAPMod
**mods
= NULL
;
393 unsigned long oflags
, nflags
;
396 krb5_boolean is_samba_account
= FALSE
;
397 krb5_boolean is_account
= FALSE
;
398 krb5_boolean is_heimdal_entry
= FALSE
;
399 krb5_boolean is_heimdal_principal
= FALSE
;
401 struct berval
**vals
;
407 ret
= LDAP_message2entry(context
, db
, msg
, &orig
);
411 is_new_entry
= FALSE
;
413 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "objectClass");
415 int num_objectclasses
= ldap_count_values_len(vals
);
416 for (i
=0; i
< num_objectclasses
; i
++) {
417 if (bervalstrcmp(vals
[i
], "sambaSamAccount"))
418 is_samba_account
= TRUE
;
419 else if (bervalstrcmp(vals
[i
], structural_object
))
421 else if (bervalstrcmp(vals
[i
], "krb5Principal"))
422 is_heimdal_principal
= TRUE
;
423 else if (bervalstrcmp(vals
[i
], "krb5KDCEntry"))
424 is_heimdal_entry
= TRUE
;
426 ldap_value_free_len(vals
);
430 * If this is just a "account" entry and no other objectclass
431 * is hanging on this entry, it's really a new entry.
433 if (is_samba_account
== FALSE
&& is_heimdal_principal
== FALSE
&&
434 is_heimdal_entry
== FALSE
) {
435 if (is_account
== TRUE
) {
438 ret
= HDB_ERR_NOENTRY
;
447 /* to make it perfectly obvious we're depending on
448 * orig being intiialized to zero */
449 memset(&orig
, 0, sizeof(orig
));
451 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "top");
455 /* account is the structural object class */
456 if (is_account
== FALSE
) {
457 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass",
464 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5Principal");
465 is_heimdal_principal
= TRUE
;
469 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5KDCEntry");
470 is_heimdal_entry
= TRUE
;
476 krb5_principal_compare(context
, ent
->entry
.principal
, orig
.entry
.principal
)
479 if (is_heimdal_principal
|| is_heimdal_entry
) {
481 ret
= krb5_unparse_name(context
, ent
->entry
.principal
, &tmp
);
485 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
,
486 "krb5PrincipalName", tmp
);
494 if (is_account
|| is_samba_account
) {
495 ret
= krb5_unparse_name_short(context
, ent
->entry
.principal
, &tmp
);
498 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "uid", tmp
);
507 if (is_heimdal_entry
&& (ent
->entry
.kvno
!= orig
.entry
.kvno
|| is_new_entry
)) {
508 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
509 "krb5KeyVersionNumber",
515 if (is_heimdal_entry
&& ent
->entry
.valid_start
) {
516 if (orig
.entry
.valid_end
== NULL
517 || (*(ent
->entry
.valid_start
) != *(orig
.entry
.valid_start
))) {
518 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
520 ent
->entry
.valid_start
);
526 if (ent
->entry
.valid_end
) {
527 if (orig
.entry
.valid_end
== NULL
|| (*(ent
->entry
.valid_end
) != *(orig
.entry
.valid_end
))) {
528 if (is_heimdal_entry
) {
529 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
531 ent
->entry
.valid_end
);
535 if (is_samba_account
) {
536 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
538 *(ent
->entry
.valid_end
));
545 if (ent
->entry
.pw_end
) {
546 if (orig
.entry
.pw_end
== NULL
|| (*(ent
->entry
.pw_end
) != *(orig
.entry
.pw_end
))) {
547 if (is_heimdal_entry
) {
548 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
555 if (is_samba_account
) {
556 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
557 "sambaPwdMustChange",
558 *(ent
->entry
.pw_end
));
566 #if 0 /* we we have last_pw_change */
567 if (is_samba_account
&& ent
->entry
.last_pw_change
) {
568 if (orig
.entry
.last_pw_change
== NULL
|| (*(ent
->entry
.last_pw_change
) != *(orig
.entry
.last_pw_change
))) {
569 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
571 *(ent
->entry
.last_pw_change
));
578 if (is_heimdal_entry
&& ent
->entry
.max_life
) {
579 if (orig
.entry
.max_life
== NULL
580 || (*(ent
->entry
.max_life
) != *(orig
.entry
.max_life
))) {
582 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
584 *(ent
->entry
.max_life
));
590 if (is_heimdal_entry
&& ent
->entry
.max_renew
) {
591 if (orig
.entry
.max_renew
== NULL
592 || (*(ent
->entry
.max_renew
) != *(orig
.entry
.max_renew
))) {
594 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
596 *(ent
->entry
.max_renew
));
602 oflags
= HDBFlags2int(orig
.entry
.flags
);
603 nflags
= HDBFlags2int(ent
->entry
.flags
);
605 if (is_heimdal_entry
&& oflags
!= nflags
) {
607 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
614 /* Remove keys if they exists, and then replace keys. */
615 if (!is_new_entry
&& orig
.entry
.keys
.len
> 0) {
616 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
618 ldap_value_free_len(vals
);
620 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5Key", NULL
);
626 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
629 && ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
632 time_t now
= time(NULL
);
634 /* the key might have been 'sealed', but samba passwords
635 are clear in the directory */
636 ret
= hdb_unseal_key(context
, db
, &ent
->entry
.keys
.val
[i
]);
640 nt
= ent
->entry
.keys
.val
[i
].key
.keyvalue
.data
;
641 /* store in ntPassword, not krb5key */
642 ret
= hex_encode(nt
, 16, &ntHexPassword
);
645 krb5_set_error_message(context
, ret
, "hdb-ldap: failed to "
649 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "sambaNTPassword",
654 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
655 "sambaPwdLastSet", now
);
659 /* have to kill the LM passwod if it exists */
660 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "sambaLMPassword");
662 ldap_value_free_len(vals
);
663 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
,
664 "sambaLMPassword", NULL
);
669 } else if (is_heimdal_entry
) {
671 size_t len
, buf_size
;
673 ASN1_MALLOC_ENCODE(Key
, buf
, buf_size
, &ent
->entry
.keys
.val
[i
], &len
, ret
);
677 krb5_abortx(context
, "internal error in ASN.1 encoder");
679 /* addmod_len _owns_ the key, doesn't need to copy it */
680 ret
= LDAP_addmod_len(&mods
, LDAP_MOD_ADD
, "krb5Key", buf
, len
);
686 if (ent
->entry
.etypes
) {
687 int add_krb5EncryptionType
= 0;
690 * Only add/modify krb5EncryptionType if it's a new heimdal
691 * entry or krb5EncryptionType already exists on the entry.
695 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
697 ldap_value_free_len(vals
);
698 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5EncryptionType",
702 add_krb5EncryptionType
= 1;
704 } else if (is_heimdal_entry
)
705 add_krb5EncryptionType
= 1;
707 if (add_krb5EncryptionType
) {
708 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
709 if (is_samba_account
&&
710 ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
)
713 } else if (is_heimdal_entry
) {
714 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_ADD
,
715 "krb5EncryptionType",
716 ent
->entry
.etypes
->val
[i
]);
731 else if (mods
!= NULL
) {
732 ldap_mods_free(mods
, 1);
737 hdb_free_entry(context
, &orig
);
742 static krb5_error_code
743 LDAP_dn2principal(krb5_context context
, HDB
* db
, const char *dn
,
744 krb5_principal
* principal
)
748 const char *filter
= "(objectClass=krb5Principal)";
749 LDAPMessage
*res
= NULL
, *e
;
752 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
756 rc
= ldap_search_ext_s(HDB2LDAP(db
), dn
, LDAP_SCOPE_SUBTREE
,
757 filter
, krb5principal_attrs
, 0,
760 if (check_ldap(context
, db
, rc
)) {
761 ret
= HDB_ERR_NOENTRY
;
762 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
763 "filter: %s error: %s",
764 filter
, ldap_err2string(rc
));
768 e
= ldap_first_entry(HDB2LDAP(db
), res
);
770 ret
= HDB_ERR_NOENTRY
;
774 ret
= LDAP_get_string_value(db
, e
, "krb5PrincipalName", &p
);
776 ret
= HDB_ERR_NOENTRY
;
780 ret
= krb5_parse_name(context
, p
, principal
);
790 static krb5_error_code
791 LDAP__lookup_princ(krb5_context context
,
793 const char *princname
,
797 struct berval namebv
, quotedp
;
802 ret
= LDAP__connect(context
, db
);
807 * Quote searches that contain filter language, this quote
808 * searches for *@REALM, which takes very long time.
811 ber_str2bv(princname
, 0, 0, &namebv
);
812 if (ldap_bv2escaped_filter_value(&namebv
, "edp
) != 0) {
814 krb5_set_error_message(context
, ret
, "malloc: out of memory");
817 rc
= asprintf(&filter
,
818 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
820 ber_memfree(quotedp
.bv_val
);
824 krb5_set_error_message(context
, ret
, "malloc: out of memory");
828 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
832 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
),
833 LDAP_SCOPE_SUBTREE
, filter
,
834 krb5kdcentry_attrs
, 0,
837 if (check_ldap(context
, db
, rc
)) {
838 ret
= HDB_ERR_NOENTRY
;
839 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
840 "filter: %s - error: %s",
841 filter
, ldap_err2string(rc
));
845 if (userid
&& ldap_count_entries(HDB2LDAP(db
), *msg
) == 0) {
851 ber_str2bv(userid
, 0, 0, &namebv
);
852 if (ldap_bv2escaped_filter_value(&namebv
, "edp
) != 0) {
854 krb5_set_error_message(context
, ret
, "malloc: out of memory");
858 rc
= asprintf(&filter
,
859 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
860 structural_object
, quotedp
.bv_val
);
861 ber_memfree(quotedp
.bv_val
);
864 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
868 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
872 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
), LDAP_SCOPE_SUBTREE
,
873 filter
, krb5kdcentry_attrs
, 0,
876 if (check_ldap(context
, db
, rc
)) {
877 ret
= HDB_ERR_NOENTRY
;
878 krb5_set_error_message(context
, ret
,
879 "ldap_search_ext_s: filter: %s error: %s",
880 filter
, ldap_err2string(rc
));
894 static krb5_error_code
895 LDAP_principal2message(krb5_context context
, HDB
* db
,
896 krb5_const_principal princ
, LDAPMessage
** msg
)
898 char *name
, *name_short
= NULL
;
904 ret
= krb5_unparse_name(context
, princ
, &name
);
908 ret
= krb5_get_default_realms(context
, &r0
);
913 for (r
= r0
; *r
!= NULL
; r
++) {
914 if(strcmp(krb5_principal_get_realm(context
, princ
), *r
) == 0) {
915 ret
= krb5_unparse_name_short(context
, princ
, &name_short
);
917 krb5_free_host_realm(context
, r0
);
924 krb5_free_host_realm(context
, r0
);
926 ret
= LDAP__lookup_princ(context
, db
, name
, name_short
, msg
);
934 * Construct an hdb_entry from a directory entry.
936 static krb5_error_code
937 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
940 char *unparsed_name
= NULL
, *dn
= NULL
, *ntPasswordIN
= NULL
;
941 char *samba_acct_flags
= NULL
;
942 struct berval
**keys
;
943 struct berval
**vals
;
944 int tmp
, tmp_time
, i
, ret
, have_arcfour
= 0;
946 memset(ent
, 0, sizeof(*ent
));
947 ent
->entry
.flags
= int2HDBFlags(0);
949 ret
= LDAP_get_string_value(db
, msg
, "krb5PrincipalName", &unparsed_name
);
951 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
955 ret
= LDAP_get_string_value(db
, msg
, "uid",
958 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
962 krb5_set_error_message(context
, HDB_ERR_NOENTRY
,
963 "hdb-ldap: ldap entry missing"
965 return HDB_ERR_NOENTRY
;
971 ret
= LDAP_get_integer_value(db
, msg
, "krb5KeyVersionNumber",
976 ent
->entry
.kvno
= integer
;
979 keys
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
984 ent
->entry
.keys
.len
= ldap_count_values_len(keys
);
985 ent
->entry
.keys
.val
= (Key
*) calloc(ent
->entry
.keys
.len
, sizeof(Key
));
986 if (ent
->entry
.keys
.val
== NULL
) {
988 krb5_set_error_message(context
, ret
, "calloc: out of memory");
991 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
992 decode_Key((unsigned char *) keys
[i
]->bv_val
,
993 (size_t) keys
[i
]->bv_len
, &ent
->entry
.keys
.val
[i
], &l
);
999 * This violates the ASN1 but it allows a principal to
1000 * be related to a general directory entry without creating
1001 * the keys. Hopefully it's OK.
1003 ent
->entry
.keys
.len
= 0;
1004 ent
->entry
.keys
.val
= NULL
;
1006 ret
= HDB_ERR_NOENTRY
;
1011 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
1015 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1016 if (ent
->entry
.etypes
== NULL
) {
1018 krb5_set_error_message(context
, ret
,"malloc: out of memory");
1021 ent
->entry
.etypes
->len
= ldap_count_values_len(vals
);
1022 ent
->entry
.etypes
->val
= calloc(ent
->entry
.etypes
->len
, sizeof(int));
1023 if (ent
->entry
.etypes
->val
== NULL
) {
1025 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1026 ent
->entry
.etypes
->len
= 0;
1029 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
1032 buf
= malloc(vals
[i
]->bv_len
+ 1);
1035 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1038 memcpy(buf
, vals
[i
]->bv_val
, vals
[i
]->bv_len
);
1039 buf
[vals
[i
]->bv_len
] = '\0';
1040 ent
->entry
.etypes
->val
[i
] = atoi(buf
);
1043 ldap_value_free_len(vals
);
1046 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
1047 if (ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
1053 /* manually construct the NT (type 23) key */
1054 ret
= LDAP_get_string_value(db
, msg
, "sambaNTPassword", &ntPasswordIN
);
1055 if (ret
== 0 && have_arcfour
== 0) {
1060 keys
= realloc(ent
->entry
.keys
.val
,
1061 (ent
->entry
.keys
.len
+ 1) * sizeof(ent
->entry
.keys
.val
[0]));
1065 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1068 ent
->entry
.keys
.val
= keys
;
1069 memset(&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
], 0, sizeof(Key
));
1070 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keytype
= ETYPE_ARCFOUR_HMAC_MD5
;
1071 ret
= krb5_data_alloc (&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
, 16);
1073 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1078 ret
= hex_decode(ntPasswordIN
,
1079 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
.data
, 16);
1080 ent
->entry
.keys
.len
++;
1082 if (ent
->entry
.etypes
== NULL
) {
1083 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1084 if (ent
->entry
.etypes
== NULL
) {
1086 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1089 ent
->entry
.etypes
->val
= NULL
;
1090 ent
->entry
.etypes
->len
= 0;
1093 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++)
1094 if (ent
->entry
.etypes
->val
[i
] == ETYPE_ARCFOUR_HMAC_MD5
)
1096 /* If there is no ARCFOUR enctype, add one */
1097 if (i
== ent
->entry
.etypes
->len
) {
1098 etypes
= realloc(ent
->entry
.etypes
->val
,
1099 (ent
->entry
.etypes
->len
+ 1) *
1100 sizeof(ent
->entry
.etypes
->val
[0]));
1101 if (etypes
== NULL
) {
1103 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1106 ent
->entry
.etypes
->val
= etypes
;
1107 ent
->entry
.etypes
->val
[ent
->entry
.etypes
->len
] =
1108 ETYPE_ARCFOUR_HMAC_MD5
;
1109 ent
->entry
.etypes
->len
++;
1113 ret
= LDAP_get_generalized_time_value(db
, msg
, "createTimestamp",
1114 &ent
->entry
.created_by
.time
);
1116 ent
->entry
.created_by
.time
= time(NULL
);
1118 ent
->entry
.created_by
.principal
= NULL
;
1120 ret
= LDAP_get_string_value(db
, msg
, "creatorsName", &dn
);
1122 if (LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.created_by
.principal
)
1124 ent
->entry
.created_by
.principal
= NULL
;
1129 ent
->entry
.modified_by
= (Event
*) malloc(sizeof(Event
));
1130 if (ent
->entry
.modified_by
== NULL
) {
1132 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1135 ret
= LDAP_get_generalized_time_value(db
, msg
, "modifyTimestamp",
1136 &ent
->entry
.modified_by
->time
);
1138 ret
= LDAP_get_string_value(db
, msg
, "modifiersName", &dn
);
1139 if (LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.modified_by
->principal
))
1140 ent
->entry
.modified_by
->principal
= NULL
;
1143 free(ent
->entry
.modified_by
);
1144 ent
->entry
.modified_by
= NULL
;
1147 ent
->entry
.valid_start
= malloc(sizeof(*ent
->entry
.valid_start
));
1148 if (ent
->entry
.valid_start
== NULL
) {
1150 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1153 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidStart",
1154 ent
->entry
.valid_start
);
1157 free(ent
->entry
.valid_start
);
1158 ent
->entry
.valid_start
= NULL
;
1161 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1162 if (ent
->entry
.valid_end
== NULL
) {
1164 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1167 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidEnd",
1168 ent
->entry
.valid_end
);
1171 free(ent
->entry
.valid_end
);
1172 ent
->entry
.valid_end
= NULL
;
1175 ret
= LDAP_get_integer_value(db
, msg
, "sambaKickoffTime", &tmp_time
);
1177 if (ent
->entry
.valid_end
== NULL
) {
1178 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1179 if (ent
->entry
.valid_end
== NULL
) {
1181 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1185 *ent
->entry
.valid_end
= tmp_time
;
1188 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1189 if (ent
->entry
.pw_end
== NULL
) {
1191 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1194 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5PasswordEnd",
1198 free(ent
->entry
.pw_end
);
1199 ent
->entry
.pw_end
= NULL
;
1202 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1206 if (ent
->entry
.pw_end
== NULL
) {
1207 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1208 if (ent
->entry
.pw_end
== NULL
) {
1210 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1215 delta
= krb5_config_get_time_default(context
, NULL
,
1218 "password_lifetime",
1220 *ent
->entry
.pw_end
= tmp_time
+ delta
;
1223 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdMustChange", &tmp_time
);
1225 if (ent
->entry
.pw_end
== NULL
) {
1226 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1227 if (ent
->entry
.pw_end
== NULL
) {
1229 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1233 *ent
->entry
.pw_end
= tmp_time
;
1237 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1239 hdb_entry_set_pw_change_time(context
, &ent
->entry
, tmp_time
);
1244 ent
->entry
.max_life
= malloc(sizeof(*ent
->entry
.max_life
));
1245 if (ent
->entry
.max_life
== NULL
) {
1247 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1250 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxLife", &max_life
);
1252 free(ent
->entry
.max_life
);
1253 ent
->entry
.max_life
= NULL
;
1255 *ent
->entry
.max_life
= max_life
;
1261 ent
->entry
.max_renew
= malloc(sizeof(*ent
->entry
.max_renew
));
1262 if (ent
->entry
.max_renew
== NULL
) {
1264 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1267 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxRenew", &max_renew
);
1269 free(ent
->entry
.max_renew
);
1270 ent
->entry
.max_renew
= NULL
;
1272 *ent
->entry
.max_renew
= max_renew
;
1275 ret
= LDAP_get_integer_value(db
, msg
, "krb5KDCFlags", &tmp
);
1279 ent
->entry
.flags
= int2HDBFlags(tmp
);
1281 /* Try and find Samba flags to put into the mix */
1282 ret
= LDAP_get_string_value(db
, msg
, "sambaAcctFlags", &samba_acct_flags
);
1284 /* parse the [UXW...] string:
1288 'H' Homedir required
1290 'U' User account (normal)
1291 'M' MNS logon user account - what is this ?
1292 'W' Workstation account
1295 'X' No Xpiry on password
1296 'I' Interdomain trust account
1301 int flags_len
= strlen(samba_acct_flags
);
1306 if (samba_acct_flags
[0] != '['
1307 || samba_acct_flags
[flags_len
- 1] != ']')
1310 /* Allow forwarding */
1311 if (samba_forwardable
)
1312 ent
->entry
.flags
.forwardable
= TRUE
;
1314 for (i
=0; i
< flags_len
; i
++) {
1315 switch (samba_acct_flags
[i
]) {
1321 /* how to handle no password in kerberos? */
1324 ent
->entry
.flags
.invalid
= TRUE
;
1329 /* temp duplicate */
1330 ent
->entry
.flags
.invalid
= TRUE
;
1333 ent
->entry
.flags
.client
= TRUE
;
1339 ent
->entry
.flags
.server
= TRUE
;
1340 ent
->entry
.flags
.client
= TRUE
;
1343 ent
->entry
.flags
.invalid
= TRUE
;
1346 if (ent
->entry
.pw_end
) {
1347 free(ent
->entry
.pw_end
);
1348 ent
->entry
.pw_end
= NULL
;
1352 ent
->entry
.flags
.server
= TRUE
;
1353 ent
->entry
.flags
.client
= TRUE
;
1358 free(samba_acct_flags
);
1365 free(unparsed_name
);
1368 hdb_free_entry(context
, ent
);
1373 static krb5_error_code
1374 LDAP_close(krb5_context context
, HDB
* db
)
1377 ldap_unbind_ext(HDB2LDAP(db
), NULL
, NULL
);
1378 ((struct hdbldapdb
*)db
->hdb_db
)->h_lp
= NULL
;
1384 static krb5_error_code
1385 LDAP_lock(krb5_context context
, HDB
* db
, int operation
)
1390 static krb5_error_code
1391 LDAP_unlock(krb5_context context
, HDB
* db
)
1396 static krb5_error_code
1397 LDAP_seq(krb5_context context
, HDB
* db
, unsigned flags
, hdb_entry_ex
* entry
)
1399 int msgid
, rc
, parserc
;
1400 krb5_error_code ret
;
1403 msgid
= HDB2MSGID(db
);
1405 return HDB_ERR_NOENTRY
;
1408 rc
= ldap_result(HDB2LDAP(db
), msgid
, LDAP_MSG_ONE
, NULL
, &e
);
1410 case LDAP_RES_SEARCH_REFERENCE
:
1414 case LDAP_RES_SEARCH_ENTRY
:
1415 /* We have an entry. Parse it. */
1416 ret
= LDAP_message2entry(context
, db
, e
, entry
);
1419 case LDAP_RES_SEARCH_RESULT
:
1420 /* We're probably at the end of the results. If not, abandon. */
1422 ldap_parse_result(HDB2LDAP(db
), e
, NULL
, NULL
, NULL
,
1424 ret
= HDB_ERR_NOENTRY
;
1425 if (parserc
!= LDAP_SUCCESS
1426 && parserc
!= LDAP_MORE_RESULTS_TO_RETURN
) {
1427 krb5_set_error_message(context
, ret
, "ldap_parse_result: %s",
1428 ldap_err2string(parserc
));
1429 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1431 HDBSETMSGID(db
, -1);
1433 case LDAP_SERVER_DOWN
:
1435 LDAP_close(context
, db
);
1436 HDBSETMSGID(db
, -1);
1440 /* Some unspecified error (timeout?). Abandon. */
1442 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1443 ret
= HDB_ERR_NOENTRY
;
1444 HDBSETMSGID(db
, -1);
1447 } while (rc
== LDAP_RES_SEARCH_REFERENCE
);
1450 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1451 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1453 hdb_free_entry(context
, entry
);
1460 static krb5_error_code
1461 LDAP_firstkey(krb5_context context
, HDB
*db
, unsigned flags
,
1462 hdb_entry_ex
*entry
)
1464 krb5_error_code ret
;
1467 ret
= LDAP__connect(context
, db
);
1471 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
1475 ret
= ldap_search_ext(HDB2LDAP(db
), HDB2BASE(db
),
1477 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1478 krb5kdcentry_attrs
, 0,
1479 NULL
, NULL
, NULL
, 0, &msgid
);
1481 return HDB_ERR_NOENTRY
;
1483 HDBSETMSGID(db
, msgid
);
1485 return LDAP_seq(context
, db
, flags
, entry
);
1488 static krb5_error_code
1489 LDAP_nextkey(krb5_context context
, HDB
* db
, unsigned flags
,
1490 hdb_entry_ex
* entry
)
1492 return LDAP_seq(context
, db
, flags
, entry
);
1495 static krb5_error_code
1496 LDAP__connect(krb5_context context
, HDB
* db
)
1498 int rc
, version
= LDAP_VERSION3
;
1500 * Empty credentials to do a SASL bind with LDAP. Note that empty
1501 * different from NULL credentials. If you provide NULL
1502 * credentials instead of empty credentials you will get a SASL
1503 * bind in progress message.
1505 struct berval bv
= { 0, "" };
1508 /* connection has been opened. ping server. */
1509 struct sockaddr_un addr
;
1510 socklen_t len
= sizeof(addr
);
1513 if (ldap_get_option(HDB2LDAP(db
), LDAP_OPT_DESC
, &sd
) == 0 &&
1514 getpeername(sd
, (struct sockaddr
*) &addr
, &len
) < 0) {
1515 /* the other end has died. reopen. */
1516 LDAP_close(context
, db
);
1520 if (HDB2LDAP(db
) != NULL
) /* server is UP */
1523 rc
= ldap_initialize(&((struct hdbldapdb
*)db
->hdb_db
)->h_lp
, HDB2URL(db
));
1524 if (rc
!= LDAP_SUCCESS
) {
1525 krb5_set_error_message(context
, HDB_ERR_NOENTRY
, "ldap_initialize: %s",
1526 ldap_err2string(rc
));
1527 return HDB_ERR_NOENTRY
;
1530 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_PROTOCOL_VERSION
,
1531 (const void *)&version
);
1532 if (rc
!= LDAP_SUCCESS
) {
1533 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1534 "ldap_set_option: %s", ldap_err2string(rc
));
1535 LDAP_close(context
, db
);
1536 return HDB_ERR_BADVERSION
;
1539 rc
= ldap_sasl_bind_s(HDB2LDAP(db
), NULL
, "EXTERNAL", &bv
,
1541 if (rc
!= LDAP_SUCCESS
) {
1542 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1543 "ldap_sasl_bind_s: %s", ldap_err2string(rc
));
1544 LDAP_close(context
, db
);
1545 return HDB_ERR_BADVERSION
;
1551 static krb5_error_code
1552 LDAP_open(krb5_context context
, HDB
* db
, int flags
, mode_t mode
)
1554 /* Not the right place for this. */
1555 #ifdef HAVE_SIGACTION
1556 struct sigaction sa
;
1559 sa
.sa_handler
= SIG_IGN
;
1560 sigemptyset(&sa
.sa_mask
);
1562 sigaction(SIGPIPE
, &sa
, NULL
);
1564 signal(SIGPIPE
, SIG_IGN
);
1565 #endif /* HAVE_SIGACTION */
1567 return LDAP__connect(context
, db
);
1570 static krb5_error_code
1571 LDAP_fetch(krb5_context context
, HDB
* db
, krb5_const_principal principal
,
1572 unsigned flags
, hdb_entry_ex
* entry
)
1574 LDAPMessage
*msg
, *e
;
1575 krb5_error_code ret
;
1577 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1581 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1583 ret
= HDB_ERR_NOENTRY
;
1587 ret
= LDAP_message2entry(context
, db
, e
, entry
);
1589 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1590 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1592 hdb_free_entry(context
, entry
);
1602 static krb5_error_code
1603 LDAP_store(krb5_context context
, HDB
* db
, unsigned flags
,
1604 hdb_entry_ex
* entry
)
1606 LDAPMod
**mods
= NULL
;
1607 krb5_error_code ret
;
1610 LDAPMessage
*msg
= NULL
, *e
= NULL
;
1611 char *dn
= NULL
, *name
= NULL
;
1613 ret
= LDAP_principal2message(context
, db
, entry
->entry
.principal
, &msg
);
1615 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1617 ret
= krb5_unparse_name(context
, entry
->entry
.principal
, &name
);
1623 ret
= hdb_seal_keys(context
, db
, &entry
->entry
);
1627 /* turn new entry into LDAPMod array */
1628 ret
= LDAP_entry2mods(context
, db
, entry
, e
, &mods
);
1633 ret
= asprintf(&dn
, "krb5PrincipalName=%s,%s", name
, HDB2CREATE(db
));
1636 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
1639 } else if (flags
& HDB_F_REPLACE
) {
1640 /* Entry exists, and we're allowed to replace it. */
1641 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1643 /* Entry exists, but we're not allowed to replace it. Bail. */
1644 ret
= HDB_ERR_EXISTS
;
1648 /* write entry into directory */
1650 /* didn't exist before */
1651 rc
= ldap_add_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1652 errfn
= "ldap_add_ext_s";
1654 /* already existed, send deltas only */
1655 rc
= ldap_modify_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1656 errfn
= "ldap_modify_ext_s";
1659 if (check_ldap(context
, db
, rc
)) {
1660 char *ld_error
= NULL
;
1661 ldap_get_option(HDB2LDAP(db
), LDAP_OPT_ERROR_STRING
,
1663 ret
= HDB_ERR_CANT_LOCK_DB
;
1664 krb5_set_error_message(context
, ret
, "%s: %s (DN=%s) %s: %s",
1665 errfn
, name
, dn
, ldap_err2string(rc
), ld_error
);
1676 ldap_mods_free(mods
, 1);
1683 static krb5_error_code
1684 LDAP_remove(krb5_context context
, HDB
*db
, krb5_const_principal principal
)
1686 krb5_error_code ret
;
1687 LDAPMessage
*msg
, *e
;
1689 int rc
, limit
= LDAP_NO_LIMIT
;
1691 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1695 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1697 ret
= HDB_ERR_NOENTRY
;
1701 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1703 ret
= HDB_ERR_NOENTRY
;
1707 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
1708 if (rc
!= LDAP_SUCCESS
) {
1709 ret
= HDB_ERR_BADVERSION
;
1710 krb5_set_error_message(context
, ret
, "ldap_set_option: %s",
1711 ldap_err2string(rc
));
1715 rc
= ldap_delete_ext_s(HDB2LDAP(db
), dn
, NULL
, NULL
);
1716 if (check_ldap(context
, db
, rc
)) {
1717 ret
= HDB_ERR_CANT_LOCK_DB
;
1718 krb5_set_error_message(context
, ret
, "ldap_delete_ext_s: %s",
1719 ldap_err2string(rc
));
1732 static krb5_error_code
1733 LDAP_destroy(krb5_context context
, HDB
* db
)
1735 krb5_error_code ret
;
1737 LDAP_close(context
, db
);
1739 ret
= hdb_clear_master_key(context
, db
);
1743 free(HDB2CREATE(db
));
1754 static krb5_error_code
1755 hdb_ldap_common(krb5_context context
,
1757 const char *search_base
,
1760 struct hdbldapdb
*h
;
1761 const char *create_base
= NULL
;
1763 if (search_base
== NULL
&& search_base
[0] == '\0') {
1764 krb5_set_error_message(context
, ENOMEM
, "ldap search base not configured");
1765 return ENOMEM
; /* XXX */
1768 if (structural_object
== NULL
) {
1771 p
= krb5_config_get_string(context
, NULL
, "kdc",
1772 "hdb-ldap-structural-object", NULL
);
1774 p
= default_structural_object
;
1775 structural_object
= strdup(p
);
1776 if (structural_object
== NULL
) {
1777 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1783 krb5_config_get_bool_default(context
, NULL
, TRUE
,
1784 "kdc", "hdb-samba-forwardable", NULL
);
1786 *db
= calloc(1, sizeof(**db
));
1788 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1791 memset(*db
, 0, sizeof(**db
));
1793 h
= calloc(1, sizeof(*h
));
1797 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1803 if (asprintf(&(*db
)->hdb_name
, "ldap:%s", search_base
) == -1) {
1804 LDAP_destroy(context
, *db
);
1806 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1810 h
->h_url
= strdup(url
);
1811 h
->h_base
= strdup(search_base
);
1812 if (h
->h_url
== NULL
|| h
->h_base
== NULL
) {
1813 LDAP_destroy(context
, *db
);
1815 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1819 create_base
= krb5_config_get_string(context
, NULL
, "kdc",
1820 "hdb-ldap-create-base", NULL
);
1821 if (create_base
== NULL
)
1822 create_base
= h
->h_base
;
1824 h
->h_createbase
= strdup(create_base
);
1825 if (h
->h_createbase
== NULL
) {
1826 LDAP_destroy(context
, *db
);
1828 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1832 (*db
)->hdb_master_key_set
= 0;
1833 (*db
)->hdb_openp
= 0;
1834 (*db
)->hdb_capability_flags
= 0;
1835 (*db
)->hdb_open
= LDAP_open
;
1836 (*db
)->hdb_close
= LDAP_close
;
1837 (*db
)->hdb_fetch
= LDAP_fetch
;
1838 (*db
)->hdb_store
= LDAP_store
;
1839 (*db
)->hdb_remove
= LDAP_remove
;
1840 (*db
)->hdb_firstkey
= LDAP_firstkey
;
1841 (*db
)->hdb_nextkey
= LDAP_nextkey
;
1842 (*db
)->hdb_lock
= LDAP_lock
;
1843 (*db
)->hdb_unlock
= LDAP_unlock
;
1844 (*db
)->hdb_rename
= NULL
;
1845 (*db
)->hdb__get
= NULL
;
1846 (*db
)->hdb__put
= NULL
;
1847 (*db
)->hdb__del
= NULL
;
1848 (*db
)->hdb_destroy
= LDAP_destroy
;
1854 hdb_ldap_create(krb5_context context
, HDB
** db
, const char *arg
)
1856 return hdb_ldap_common(context
, db
, arg
, "ldapi:///");
1860 hdb_ldapi_create(krb5_context context
, HDB
** db
, const char *arg
)
1862 krb5_error_code ret
;
1863 char *search_base
, *p
;
1865 asprintf(&p
, "ldapi:%s", arg
);
1868 krb5_set_error_message(context
, ENOMEM
, "out of memory");
1871 search_base
= strchr(p
+ strlen("ldapi://"), ':');
1872 if (search_base
== NULL
) {
1874 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1875 "search base missing");
1876 return HDB_ERR_BADVERSION
;
1878 *search_base
= '\0';
1881 ret
= hdb_ldap_common(context
, db
, search_base
, p
);
1886 #ifdef OPENLDAP_MODULE
1888 struct hdb_so_method hdb_ldap_interface
= {
1889 HDB_INTERFACE_VERSION
,
1894 struct hdb_so_method hdb_ldapi_interface
= {
1895 HDB_INTERFACE_VERSION
,
1902 #endif /* OPENLDAP */