search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drop RCSID
[heimdal.git] / lib / hdb / hdb-ldap.c
blob173a9dd8864f9c290175701ad1ab89e77d438fe0
1 /*
2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "hdb_locl.h"
36
37 #ifdef OPENLDAP
38
39 #include <lber.h>
40 #include <ldap.h>
41 #include <sys/un.h>
42 #include <hex.h>
43
44 static krb5_error_code LDAP__connect(krb5_context context, HDB *);
45 static krb5_error_code LDAP_close(krb5_context context, HDB *);
46
47 static krb5_error_code
48 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
49 hdb_entry_ex * ent);
50
51 static const char *default_structural_object = "account";
52 static char *structural_object;
53 static krb5_boolean samba_forwardable;
54
55 struct hdbldapdb {
56 LDAP *h_lp;
57 int h_msgid;
58 char *h_base;
59 char *h_url;
60 char *h_createbase;
61 };
62
63 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
64 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
65 #define HDBSETMSGID(db,msgid) \
66 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
67 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
68 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
69 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
70
71 /*
72 *
73 */
74
75 static char * krb5kdcentry_attrs[] = {
76 "cn",
77 "createTimestamp",
78 "creatorsName",
79 "krb5EncryptionType",
80 "krb5KDCFlags",
81 "krb5Key",
82 "krb5KeyVersionNumber",
83 "krb5MaxLife",
84 "krb5MaxRenew",
85 "krb5PasswordEnd",
86 "krb5PrincipalName",
87 "krb5PrincipalRealm",
88 "krb5ValidEnd",
89 "krb5ValidStart",
90 "modifiersName",
91 "modifyTimestamp",
92 "objectClass",
93 "sambaAcctFlags",
94 "sambaKickoffTime",
95 "sambaNTPassword",
96 "sambaPwdLastSet",
97 "sambaPwdMustChange",
98 "uid",
99 NULL
100 };
101
102 static char *krb5principal_attrs[] = {
103 "cn",
104 "createTimestamp",
105 "creatorsName",
106 "krb5PrincipalName",
107 "krb5PrincipalRealm",
108 "modifiersName",
109 "modifyTimestamp",
110 "objectClass",
111 "uid",
112 NULL
113 };
114
115 static int
116 LDAP_no_size_limit(krb5_context context, LDAP *lp)
117 {
118 int ret, limit = LDAP_NO_LIMIT;
119
120 ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
121 if (ret != LDAP_SUCCESS) {
122 krb5_set_error_message(context, HDB_ERR_BADVERSION,
123 "ldap_set_option: %s",
124 ldap_err2string(ret));
125 return HDB_ERR_BADVERSION;
126 }
127 return 0;
128 }
129
130 static int
131 check_ldap(krb5_context context, HDB *db, int ret)
132 {
133 switch (ret) {
134 case LDAP_SUCCESS:
135 return 0;
136 case LDAP_SERVER_DOWN:
137 LDAP_close(context, db);
138 return 1;
139 default:
140 return 1;
141 }
142 }
143
144 static krb5_error_code
145 LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
146 int *pIndex)
147 {
148 int cMods;
149
150 if (*modlist == NULL) {
151 *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
152 if (*modlist == NULL)
153 return ENOMEM;
154 }
155
156 for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
157 if ((*modlist)[cMods]->mod_op == modop &&
158 strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
159 break;
160 }
161 }
162
163 *pIndex = cMods;
164
165 if ((*modlist)[cMods] == NULL) {
166 LDAPMod *mod;
167
168 *modlist = (LDAPMod **)ber_memrealloc(*modlist,
169 (cMods + 2) * sizeof(LDAPMod *));
170 if (*modlist == NULL)
171 return ENOMEM;
172
173 (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
174 if ((*modlist)[cMods] == NULL)
175 return ENOMEM;
176
177 mod = (*modlist)[cMods];
178 mod->mod_op = modop;
179 mod->mod_type = ber_strdup(attribute);
180 if (mod->mod_type == NULL) {
181 ber_memfree(mod);
182 (*modlist)[cMods] = NULL;
183 return ENOMEM;
184 }
185
186 if (modop & LDAP_MOD_BVALUES) {
187 mod->mod_bvalues = NULL;
188 } else {
189 mod->mod_values = NULL;
190 }
191
192 (*modlist)[cMods + 1] = NULL;
193 }
194
195 return 0;
196 }
197
198 static krb5_error_code
199 LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
200 unsigned char *value, size_t len)
201 {
202 krb5_error_code ret;
203 int cMods, i = 0;
204
205 ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
206 if (ret)
207 return ret;
208
209 if (value != NULL) {
210 struct berval **bv;
211
212 bv = (*modlist)[cMods]->mod_bvalues;
213 if (bv != NULL) {
214 for (i = 0; bv[i] != NULL; i++)
215 ;
216 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
217 } else
218 bv = ber_memalloc(2 * sizeof(*bv));
219 if (bv == NULL)
220 return ENOMEM;
221
222 (*modlist)[cMods]->mod_bvalues = bv;
223
224 bv[i] = ber_memalloc(sizeof(**bv));;
225 if (bv[i] == NULL)
226 return ENOMEM;
227
228 bv[i]->bv_val = (void *)value;
229 bv[i]->bv_len = len;
230
231 bv[i + 1] = NULL;
232 }
233
234 return 0;
235 }
236
237 static krb5_error_code
238 LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
239 const char *value)
240 {
241 int cMods, i = 0;
242 krb5_error_code ret;
243
244 ret = LDAP__setmod(modlist, modop, attribute, &cMods);
245 if (ret)
246 return ret;
247
248 if (value != NULL) {
249 char **bv;
250
251 bv = (*modlist)[cMods]->mod_values;
252 if (bv != NULL) {
253 for (i = 0; bv[i] != NULL; i++)
254 ;
255 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
256 } else
257 bv = ber_memalloc(2 * sizeof(*bv));
258 if (bv == NULL)
259 return ENOMEM;
260
261 (*modlist)[cMods]->mod_values = bv;
262
263 bv[i] = ber_strdup(value);
264 if (bv[i] == NULL)
265 return ENOMEM;
266
267 bv[i + 1] = NULL;
268 }
269
270 return 0;
271 }
272
273 static krb5_error_code
274 LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
275 const char *attribute, KerberosTime * time)
276 {
277 char buf[22];
278 struct tm *tm;
279
280 /* XXX not threadsafe */
281 tm = gmtime(time);
282 strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
283
284 return LDAP_addmod(mods, modop, attribute, buf);
285 }
286
287 static krb5_error_code
288 LDAP_addmod_integer(krb5_context context,
289 LDAPMod *** mods, int modop,
290 const char *attribute, unsigned long l)
291 {
292 krb5_error_code ret;
293 char *buf;
294
295 ret = asprintf(&buf, "%ld", l);
296 if (ret < 0) {
297 krb5_set_error_message(context, ENOMEM,
298 "asprintf: out of memory:");
299 return ENOMEM;
300 }
301 ret = LDAP_addmod(mods, modop, attribute, buf);
302 free (buf);
303 return ret;
304 }
305
306 static krb5_error_code
307 LDAP_get_string_value(HDB * db, LDAPMessage * entry,
308 const char *attribute, char **ptr)
309 {
310 struct berval **vals;
311
312 vals = ldap_get_values_len(HDB2LDAP(db), entry, attribute);
313 if (vals == NULL || vals[0] == NULL) {
314 *ptr = NULL;
315 return HDB_ERR_NOENTRY;
316 }
317
318 *ptr = malloc(vals[0]->bv_len + 1);
319 if (*ptr == NULL) {
320 ldap_value_free_len(vals);
321 return ENOMEM;
322 }
323
324 memcpy(*ptr, vals[0]->bv_val, vals[0]->bv_len);
325 (*ptr)[vals[0]->bv_len] = 0;
326
327 ldap_value_free_len(vals);
328
329 return 0;
330 }
331
332 static krb5_error_code
333 LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
334 const char *attribute, int *ptr)
335 {
336 krb5_error_code ret;
337 char *val;
338
339 ret = LDAP_get_string_value(db, entry, attribute, &val);
340 if (ret)
341 return ret;
342 *ptr = atoi(val);
343 free(val);
344 return 0;
345 }
346
347 static krb5_error_code
348 LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
349 const char *attribute, KerberosTime * kt)
350 {
351 char *tmp, *gentime;
352 struct tm tm;
353 int ret;
354
355 *kt = 0;
356
357 ret = LDAP_get_string_value(db, entry, attribute, &gentime);
358 if (ret)
359 return ret;
360
361 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
362 if (tmp == NULL) {
363 free(gentime);
364 return HDB_ERR_NOENTRY;
365 }
366
367 free(gentime);
368
369 *kt = timegm(&tm);
370
371 return 0;
372 }
373
374 static int
375 bervalstrcmp(struct berval *v, const char *str)
376 {
377 size_t len = strlen(str);
378 return (v->bv_len == len) && strncasecmp(str, (char *)v->bv_val, len) == 0;
379 }
380
381
382 static krb5_error_code
383 LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
384 LDAPMessage * msg, LDAPMod *** pmods)
385 {
386 krb5_error_code ret;
387 krb5_boolean is_new_entry;
388 char *tmp = NULL;
389 LDAPMod **mods = NULL;
390 hdb_entry_ex orig;
391 unsigned long oflags, nflags;
392 int i;
393
394 krb5_boolean is_samba_account = FALSE;
395 krb5_boolean is_account = FALSE;
396 krb5_boolean is_heimdal_entry = FALSE;
397 krb5_boolean is_heimdal_principal = FALSE;
398
399 struct berval **vals;
400
401 *pmods = NULL;
402
403 if (msg != NULL) {
404
405 ret = LDAP_message2entry(context, db, msg, &orig);
406 if (ret)
407 goto out;
408
409 is_new_entry = FALSE;
410
411 vals = ldap_get_values_len(HDB2LDAP(db), msg, "objectClass");
412 if (vals) {
413 int num_objectclasses = ldap_count_values_len(vals);
414 for (i=0; i < num_objectclasses; i++) {
415 if (bervalstrcmp(vals[i], "sambaSamAccount"))
416 is_samba_account = TRUE;
417 else if (bervalstrcmp(vals[i], structural_object))
418 is_account = TRUE;
419 else if (bervalstrcmp(vals[i], "krb5Principal"))
420 is_heimdal_principal = TRUE;
421 else if (bervalstrcmp(vals[i], "krb5KDCEntry"))
422 is_heimdal_entry = TRUE;
423 }
424 ldap_value_free_len(vals);
425 }
426
427 /*
428 * If this is just a "account" entry and no other objectclass
429 * is hanging on this entry, it's really a new entry.
430 */
431 if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
432 is_heimdal_entry == FALSE) {
433 if (is_account == TRUE) {
434 is_new_entry = TRUE;
435 } else {
436 ret = HDB_ERR_NOENTRY;
437 goto out;
438 }
439 }
440 } else
441 is_new_entry = TRUE;
442
443 if (is_new_entry) {
444
445 /* to make it perfectly obvious we're depending on
446 * orig being intiialized to zero */
447 memset(&orig, 0, sizeof(orig));
448
449 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
450 if (ret)
451 goto out;
452
453 /* account is the structural object class */
454 if (is_account == FALSE) {
455 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
456 structural_object);
457 is_account = TRUE;
458 if (ret)
459 goto out;
460 }
461
462 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
463 is_heimdal_principal = TRUE;
464 if (ret)
465 goto out;
466
467 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
468 is_heimdal_entry = TRUE;
469 if (ret)
470 goto out;
471 }
472
473 if (is_new_entry ||
474 krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
475 == FALSE)
476 {
477 if (is_heimdal_principal || is_heimdal_entry) {
478
479 ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
480 if (ret)
481 goto out;
482
483 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
484 "krb5PrincipalName", tmp);
485 if (ret) {
486 free(tmp);
487 goto out;
488 }
489 free(tmp);
490 }
491
492 if (is_account || is_samba_account) {
493 ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
494 if (ret)
495 goto out;
496 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
497 if (ret) {
498 free(tmp);
499 goto out;
500 }
501 free(tmp);
502 }
503 }
504
505 if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
506 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
507 "krb5KeyVersionNumber",
508 ent->entry.kvno);
509 if (ret)
510 goto out;
511 }
512
513 if (is_heimdal_entry && ent->entry.valid_start) {
514 if (orig.entry.valid_end == NULL
515 || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
516 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
517 "krb5ValidStart",
518 ent->entry.valid_start);
519 if (ret)
520 goto out;
521 }
522 }
523
524 if (ent->entry.valid_end) {
525 if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
526 if (is_heimdal_entry) {
527 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
528 "krb5ValidEnd",
529 ent->entry.valid_end);
530 if (ret)
531 goto out;
532 }
533 if (is_samba_account) {
534 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
535 "sambaKickoffTime",
536 *(ent->entry.valid_end));
537 if (ret)
538 goto out;
539 }
540 }
541 }
542
543 if (ent->entry.pw_end) {
544 if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
545 if (is_heimdal_entry) {
546 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
547 "krb5PasswordEnd",
548 ent->entry.pw_end);
549 if (ret)
550 goto out;
551 }
552
553 if (is_samba_account) {
554 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
555 "sambaPwdMustChange",
556 *(ent->entry.pw_end));
557 if (ret)
558 goto out;
559 }
560 }
561 }
562
563
564 #if 0 /* we we have last_pw_change */
565 if (is_samba_account && ent->entry.last_pw_change) {
566 if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
567 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
568 "sambaPwdLastSet",
569 *(ent->entry.last_pw_change));
570 if (ret)
571 goto out;
572 }
573 }
574 #endif
575
576 if (is_heimdal_entry && ent->entry.max_life) {
577 if (orig.entry.max_life == NULL
578 || (*(ent->entry.max_life) != *(orig.entry.max_life))) {
579
580 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
581 "krb5MaxLife",
582 *(ent->entry.max_life));
583 if (ret)
584 goto out;
585 }
586 }
587
588 if (is_heimdal_entry && ent->entry.max_renew) {
589 if (orig.entry.max_renew == NULL
590 || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
591
592 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
593 "krb5MaxRenew",
594 *(ent->entry.max_renew));
595 if (ret)
596 goto out;
597 }
598 }
599
600 oflags = HDBFlags2int(orig.entry.flags);
601 nflags = HDBFlags2int(ent->entry.flags);
602
603 if (is_heimdal_entry && oflags != nflags) {
604
605 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
606 "krb5KDCFlags",
607 nflags);
608 if (ret)
609 goto out;
610 }
611
612 /* Remove keys if they exists, and then replace keys. */
613 if (!is_new_entry && orig.entry.keys.len > 0) {
614 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
615 if (vals) {
616 ldap_value_free_len(vals);
617
618 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
619 if (ret)
620 goto out;
621 }
622 }
623
624 for (i = 0; i < ent->entry.keys.len; i++) {
625
626 if (is_samba_account
627 && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
628 char *ntHexPassword;
629 char *nt;
630 time_t now = time(NULL);
631
632 /* the key might have been 'sealed', but samba passwords
633 are clear in the directory */
634 ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
635 if (ret)
636 goto out;
637
638 nt = ent->entry.keys.val[i].key.keyvalue.data;
639 /* store in ntPassword, not krb5key */
640 ret = hex_encode(nt, 16, &ntHexPassword);
641 if (ret < 0) {
642 ret = ENOMEM;
643 krb5_set_error_message(context, ret, "hdb-ldap: failed to "
644 "hex encode key");
645 goto out;
646 }
647 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",
648 ntHexPassword);
649 free(ntHexPassword);
650 if (ret)
651 goto out;
652 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
653 "sambaPwdLastSet", now);
654 if (ret)
655 goto out;
656
657 /* have to kill the LM passwod if it exists */
658 vals = ldap_get_values_len(HDB2LDAP(db), msg, "sambaLMPassword");
659 if (vals) {
660 ldap_value_free_len(vals);
661 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
662 "sambaLMPassword", NULL);
663 if (ret)
664 goto out;
665 }
666
667 } else if (is_heimdal_entry) {
668 unsigned char *buf;
669 size_t len, buf_size;
670
671 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
672 if (ret)
673 goto out;
674 if(buf_size != len)
675 krb5_abortx(context, "internal error in ASN.1 encoder");
676
677 /* addmod_len _owns_ the key, doesn't need to copy it */
678 ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
679 if (ret)
680 goto out;
681 }
682 }
683
684 if (ent->entry.etypes) {
685 int add_krb5EncryptionType = 0;
686
687 /*
688 * Only add/modify krb5EncryptionType if it's a new heimdal
689 * entry or krb5EncryptionType already exists on the entry.
690 */
691
692 if (!is_new_entry) {
693 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
694 if (vals) {
695 ldap_value_free_len(vals);
696 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
697 NULL);
698 if (ret)
699 goto out;
700 add_krb5EncryptionType = 1;
701 }
702 } else if (is_heimdal_entry)
703 add_krb5EncryptionType = 1;
704
705 if (add_krb5EncryptionType) {
706 for (i = 0; i < ent->entry.etypes->len; i++) {
707 if (is_samba_account &&
708 ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
709 {
710 ;
711 } else if (is_heimdal_entry) {
712 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
713 "krb5EncryptionType",
714 ent->entry.etypes->val[i]);
715 if (ret)
716 goto out;
717 }
718 }
719 }
720 }
721
722 /* for clarity */
723 ret = 0;
724
725 out:
726
727 if (ret == 0)
728 *pmods = mods;
729 else if (mods != NULL) {
730 ldap_mods_free(mods, 1);
731 *pmods = NULL;
732 }
733
734 if (msg)
735 hdb_free_entry(context, &orig);
736
737 return ret;
738 }
739
740 static krb5_error_code
741 LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
742 krb5_principal * principal)
743 {
744 krb5_error_code ret;
745 int rc;
746 const char *filter = "(objectClass=krb5Principal)";
747 LDAPMessage *res = NULL, *e;
748 char *p;
749
750 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
751 if (ret)
752 goto out;
753
754 rc = ldap_search_ext_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
755 filter, krb5principal_attrs, 0,
756 NULL, NULL, NULL,
757 0, &res);
758 if (check_ldap(context, db, rc)) {
759 ret = HDB_ERR_NOENTRY;
760 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
761 "filter: %s error: %s",
762 filter, ldap_err2string(rc));
763 goto out;
764 }
765
766 e = ldap_first_entry(HDB2LDAP(db), res);
767 if (e == NULL) {
768 ret = HDB_ERR_NOENTRY;
769 goto out;
770 }
771
772 ret = LDAP_get_string_value(db, e, "krb5PrincipalName", &p);
773 if (ret) {
774 ret = HDB_ERR_NOENTRY;
775 goto out;
776 }
777
778 ret = krb5_parse_name(context, p, principal);
779 free(p);
780
781 out:
782 if (res)
783 ldap_msgfree(res);
784
785 return ret;
786 }
787
788 static krb5_error_code
789 LDAP__lookup_princ(krb5_context context,
790 HDB *db,
791 const char *princname,
792 const char *userid,
793 LDAPMessage **msg)
794 {
795 struct berval namebv, quotedp;
796 krb5_error_code ret;
797 int rc;
798 char *filter = NULL;
799
800 ret = LDAP__connect(context, db);
801 if (ret)
802 return ret;
803
804 /*
805 * Quote searches that contain filter language, this quote
806 * searches for *@REALM, which takes very long time.
807 */
808
809 ber_str2bv(princname, 0, 0, &namebv);
810 if (ldap_bv2escaped_filter_value(&namebv, &quotedp) != 0) {
811 ret = ENOMEM;
812 krb5_set_error_message(context, ret, "malloc: out of memory");
813 goto out;
814 }
815 rc = asprintf(&filter,
816 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
817 quotedp.bv_val);
818 ber_memfree(quotedp.bv_val);
819
820 if (rc < 0) {
821 ret = ENOMEM;
822 krb5_set_error_message(context, ret, "malloc: out of memory");
823 goto out;
824 }
825
826 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
827 if (ret)
828 goto out;
829
830 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db),
831 LDAP_SCOPE_SUBTREE, filter,
832 krb5kdcentry_attrs, 0,
833 NULL, NULL, NULL,
834 0, msg);
835 if (check_ldap(context, db, rc)) {
836 ret = HDB_ERR_NOENTRY;
837 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
838 "filter: %s - error: %s",
839 filter, ldap_err2string(rc));
840 goto out;
841 }
842
843 if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
844 free(filter);
845 filter = NULL;
846 ldap_msgfree(*msg);
847 *msg = NULL;
848
849 ber_str2bv(userid, 0, 0, &namebv);
850 if (ldap_bv2escaped_filter_value(&namebv, &quotedp) != 0) {
851 ret = ENOMEM;
852 krb5_set_error_message(context, ret, "malloc: out of memory");
853 goto out;
854 }
855
856 rc = asprintf(&filter,
857 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
858 structural_object, quotedp.bv_val);
859 ber_memfree(quotedp.bv_val);
860 if (rc < 0) {
861 ret = ENOMEM;
862 krb5_set_error_message(context, ret, "asprintf: out of memory");
863 goto out;
864 }
865
866 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
867 if (ret)
868 goto out;
869
870 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,
871 filter, krb5kdcentry_attrs, 0,
872 NULL, NULL, NULL,
873 0, msg);
874 if (check_ldap(context, db, rc)) {
875 ret = HDB_ERR_NOENTRY;
876 krb5_set_error_message(context, ret,
877 "ldap_search_ext_s: filter: %s error: %s",
878 filter, ldap_err2string(rc));
879 goto out;
880 }
881 }
882
883 ret = 0;
884
885 out:
886 if (filter)
887 free(filter);
888
889 return ret;
890 }
891
892 static krb5_error_code
893 LDAP_principal2message(krb5_context context, HDB * db,
894 krb5_const_principal princ, LDAPMessage ** msg)
895 {
896 char *name, *name_short = NULL;
897 krb5_error_code ret;
898 krb5_realm *r, *r0;
899
900 *msg = NULL;
901
902 ret = krb5_unparse_name(context, princ, &name);
903 if (ret)
904 return ret;
905
906 ret = krb5_get_default_realms(context, &r0);
907 if(ret) {
908 free(name);
909 return ret;
910 }
911 for (r = r0; *r != NULL; r++) {
912 if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
913 ret = krb5_unparse_name_short(context, princ, &name_short);
914 if (ret) {
915 krb5_free_host_realm(context, r0);
916 free(name);
917 return ret;
918 }
919 break;
920 }
921 }
922 krb5_free_host_realm(context, r0);
923
924 ret = LDAP__lookup_princ(context, db, name, name_short, msg);
925 free(name);
926 free(name_short);
927
928 return ret;
929 }
930
931 /*
932 * Construct an hdb_entry from a directory entry.
933 */
934 static krb5_error_code
935 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
936 hdb_entry_ex * ent)
937 {
938 char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
939 char *samba_acct_flags = NULL;
940 struct berval **keys;
941 struct berval **vals;
942 int tmp, tmp_time, i, ret, have_arcfour = 0;
943
944 memset(ent, 0, sizeof(*ent));
945 ent->entry.flags = int2HDBFlags(0);
946
947 ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
948 if (ret == 0) {
949 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
950 if (ret)
951 goto out;
952 } else {
953 ret = LDAP_get_string_value(db, msg, "uid",
954 &unparsed_name);
955 if (ret == 0) {
956 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
957 if (ret)
958 goto out;
959 } else {
960 krb5_set_error_message(context, HDB_ERR_NOENTRY,
961 "hdb-ldap: ldap entry missing"
962 "principal name");
963 return HDB_ERR_NOENTRY;
964 }
965 }
966
967 {
968 int integer;
969 ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
970 &integer);
971 if (ret)
972 ent->entry.kvno = 0;
973 else
974 ent->entry.kvno = integer;
975 }
976
977 keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
978 if (keys != NULL) {
979 int i;
980 size_t l;
981
982 ent->entry.keys.len = ldap_count_values_len(keys);
983 ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
984 if (ent->entry.keys.val == NULL) {
985 ret = ENOMEM;
986 krb5_set_error_message(context, ret, "calloc: out of memory");
987 goto out;
988 }
989 for (i = 0; i < ent->entry.keys.len; i++) {
990 decode_Key((unsigned char *) keys[i]->bv_val,
991 (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
992 }
993 ber_bvecfree(keys);
994 } else {
995 #if 1
996 /*
997 * This violates the ASN1 but it allows a principal to
998 * be related to a general directory entry without creating
999 * the keys. Hopefully it's OK.
1000 */
1001 ent->entry.keys.len = 0;
1002 ent->entry.keys.val = NULL;
1003 #else
1004 ret = HDB_ERR_NOENTRY;
1005 goto out;
1006 #endif
1007 }
1008
1009 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
1010 if (vals != NULL) {
1011 int i;
1012
1013 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1014 if (ent->entry.etypes == NULL) {
1015 ret = ENOMEM;
1016 krb5_set_error_message(context, ret,"malloc: out of memory");
1017 goto out;
1018 }
1019 ent->entry.etypes->len = ldap_count_values_len(vals);
1020 ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));
1021 if (ent->entry.etypes->val == NULL) {
1022 ret = ENOMEM;
1023 krb5_set_error_message(context, ret, "malloc: out of memory");
1024 ent->entry.etypes->len = 0;
1025 goto out;
1026 }
1027 for (i = 0; i < ent->entry.etypes->len; i++) {
1028 char *buf;
1029
1030 buf = malloc(vals[i]->bv_len + 1);
1031 if (buf == NULL) {
1032 ret = ENOMEM;
1033 krb5_set_error_message(context, ret, "malloc: out of memory");
1034 goto out;
1035 }
1036 memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
1037 buf[vals[i]->bv_len] = '\0';
1038 ent->entry.etypes->val[i] = atoi(buf);
1039 free(buf);
1040 }
1041 ldap_value_free_len(vals);
1042 }
1043
1044 for (i = 0; i < ent->entry.keys.len; i++) {
1045 if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
1046 have_arcfour = 1;
1047 break;
1048 }
1049 }
1050
1051 /* manually construct the NT (type 23) key */
1052 ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
1053 if (ret == 0 && have_arcfour == 0) {
1054 unsigned *etypes;
1055 Key *keys;
1056 int i;
1057
1058 keys = realloc(ent->entry.keys.val,
1059 (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));
1060 if (keys == NULL) {
1061 free(ntPasswordIN);
1062 ret = ENOMEM;
1063 krb5_set_error_message(context, ret, "malloc: out of memory");
1064 goto out;
1065 }
1066 ent->entry.keys.val = keys;
1067 memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
1068 ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
1069 ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
1070 if (ret) {
1071 krb5_set_error_message(context, ret, "malloc: out of memory");
1072 free(ntPasswordIN);
1073 ret = ENOMEM;
1074 goto out;
1075 }
1076 ret = hex_decode(ntPasswordIN,
1077 ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
1078 ent->entry.keys.len++;
1079
1080 if (ent->entry.etypes == NULL) {
1081 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1082 if (ent->entry.etypes == NULL) {
1083 ret = ENOMEM;
1084 krb5_set_error_message(context, ret, "malloc: out of memory");
1085 goto out;
1086 }
1087 ent->entry.etypes->val = NULL;
1088 ent->entry.etypes->len = 0;
1089 }
1090
1091 for (i = 0; i < ent->entry.etypes->len; i++)
1092 if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
1093 break;
1094 /* If there is no ARCFOUR enctype, add one */
1095 if (i == ent->entry.etypes->len) {
1096 etypes = realloc(ent->entry.etypes->val,
1097 (ent->entry.etypes->len + 1) *
1098 sizeof(ent->entry.etypes->val[0]));
1099 if (etypes == NULL) {
1100 ret = ENOMEM;
1101 krb5_set_error_message(context, ret, "malloc: out of memory");
1102 goto out;
1103 }
1104 ent->entry.etypes->val = etypes;
1105 ent->entry.etypes->val[ent->entry.etypes->len] =
1106 ETYPE_ARCFOUR_HMAC_MD5;
1107 ent->entry.etypes->len++;
1108 }
1109 }
1110
1111 ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
1112 &ent->entry.created_by.time);
1113 if (ret)
1114 ent->entry.created_by.time = time(NULL);
1115
1116 ent->entry.created_by.principal = NULL;
1117
1118 ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
1119 if (ret == 0) {
1120 if (LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal)
1121 != 0) {
1122 ent->entry.created_by.principal = NULL;
1123 }
1124 free(dn);
1125 }
1126
1127 ent->entry.modified_by = (Event *) malloc(sizeof(Event));
1128 if (ent->entry.modified_by == NULL) {
1129 ret = ENOMEM;
1130 krb5_set_error_message(context, ret, "malloc: out of memory");
1131 goto out;
1132 }
1133 ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
1134 &ent->entry.modified_by->time);
1135 if (ret == 0) {
1136 ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
1137 if (LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal))
1138 ent->entry.modified_by->principal = NULL;
1139 free(dn);
1140 } else {
1141 free(ent->entry.modified_by);
1142 ent->entry.modified_by = NULL;
1143 }
1144
1145 ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
1146 if (ent->entry.valid_start == NULL) {
1147 ret = ENOMEM;
1148 krb5_set_error_message(context, ret, "malloc: out of memory");
1149 goto out;
1150 }
1151 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
1152 ent->entry.valid_start);
1153 if (ret) {
1154 /* OPTIONAL */
1155 free(ent->entry.valid_start);
1156 ent->entry.valid_start = NULL;
1157 }
1158
1159 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1160 if (ent->entry.valid_end == NULL) {
1161 ret = ENOMEM;
1162 krb5_set_error_message(context, ret, "malloc: out of memory");
1163 goto out;
1164 }
1165 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
1166 ent->entry.valid_end);
1167 if (ret) {
1168 /* OPTIONAL */
1169 free(ent->entry.valid_end);
1170 ent->entry.valid_end = NULL;
1171 }
1172
1173 ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
1174 if (ret == 0) {
1175 if (ent->entry.valid_end == NULL) {
1176 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1177 if (ent->entry.valid_end == NULL) {
1178 ret = ENOMEM;
1179 krb5_set_error_message(context, ret, "malloc: out of memory");
1180 goto out;
1181 }
1182 }
1183 *ent->entry.valid_end = tmp_time;
1184 }
1185
1186 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1187 if (ent->entry.pw_end == NULL) {
1188 ret = ENOMEM;
1189 krb5_set_error_message(context, ret, "malloc: out of memory");
1190 goto out;
1191 }
1192 ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
1193 ent->entry.pw_end);
1194 if (ret) {
1195 /* OPTIONAL */
1196 free(ent->entry.pw_end);
1197 ent->entry.pw_end = NULL;
1198 }
1199
1200 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1201 if (ret == 0) {
1202 time_t delta;
1203
1204 if (ent->entry.pw_end == NULL) {
1205 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1206 if (ent->entry.pw_end == NULL) {
1207 ret = ENOMEM;
1208 krb5_set_error_message(context, ret, "malloc: out of memory");
1209 goto out;
1210 }
1211 }
1212
1213 delta = krb5_config_get_time_default(context, NULL,
1214 365 * 24 * 60 * 60,
1215 "kadmin",
1216 "password_lifetime",
1217 NULL);
1218 *ent->entry.pw_end = tmp_time + delta;
1219 }
1220
1221 ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
1222 if (ret == 0) {
1223 if (ent->entry.pw_end == NULL) {
1224 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1225 if (ent->entry.pw_end == NULL) {
1226 ret = ENOMEM;
1227 krb5_set_error_message(context, ret, "malloc: out of memory");
1228 goto out;
1229 }
1230 }
1231 *ent->entry.pw_end = tmp_time;
1232 }
1233
1234 /* OPTIONAL */
1235 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1236 if (ret == 0)
1237 hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
1238
1239 {
1240 int max_life;
1241
1242 ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
1243 if (ent->entry.max_life == NULL) {
1244 ret = ENOMEM;
1245 krb5_set_error_message(context, ret, "malloc: out of memory");
1246 goto out;
1247 }
1248 ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
1249 if (ret) {
1250 free(ent->entry.max_life);
1251 ent->entry.max_life = NULL;
1252 } else
1253 *ent->entry.max_life = max_life;
1254 }
1255
1256 {
1257 int max_renew;
1258
1259 ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
1260 if (ent->entry.max_renew == NULL) {
1261 ret = ENOMEM;
1262 krb5_set_error_message(context, ret, "malloc: out of memory");
1263 goto out;
1264 }
1265 ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
1266 if (ret) {
1267 free(ent->entry.max_renew);
1268 ent->entry.max_renew = NULL;
1269 } else
1270 *ent->entry.max_renew = max_renew;
1271 }
1272
1273 ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
1274 if (ret)
1275 tmp = 0;
1276
1277 ent->entry.flags = int2HDBFlags(tmp);
1278
1279 /* Try and find Samba flags to put into the mix */
1280 ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
1281 if (ret == 0) {
1282 /* parse the [UXW...] string:
1283
1284 'N' No password
1285 'D' Disabled
1286 'H' Homedir required
1287 'T' Temp account.
1288 'U' User account (normal)
1289 'M' MNS logon user account - what is this ?
1290 'W' Workstation account
1291 'S' Server account
1292 'L' Locked account
1293 'X' No Xpiry on password
1294 'I' Interdomain trust account
1295
1296 */
1297
1298 int i;
1299 int flags_len = strlen(samba_acct_flags);
1300
1301 if (flags_len < 2)
1302 goto out2;
1303
1304 if (samba_acct_flags[0] != '['
1305 || samba_acct_flags[flags_len - 1] != ']')
1306 goto out2;
1307
1308 /* Allow forwarding */
1309 if (samba_forwardable)
1310 ent->entry.flags.forwardable = TRUE;
1311
1312 for (i=0; i < flags_len; i++) {
1313 switch (samba_acct_flags[i]) {
1314 case ' ':
1315 case '[':
1316 case ']':
1317 break;
1318 case 'N':
1319 /* how to handle no password in kerberos? */
1320 break;
1321 case 'D':
1322 ent->entry.flags.invalid = TRUE;
1323 break;
1324 case 'H':
1325 break;
1326 case 'T':
1327 /* temp duplicate */
1328 ent->entry.flags.invalid = TRUE;
1329 break;
1330 case 'U':
1331 ent->entry.flags.client = TRUE;
1332 break;
1333 case 'M':
1334 break;
1335 case 'W':
1336 case 'S':
1337 ent->entry.flags.server = TRUE;
1338 ent->entry.flags.client = TRUE;
1339 break;
1340 case 'L':
1341 ent->entry.flags.invalid = TRUE;
1342 break;
1343 case 'X':
1344 if (ent->entry.pw_end) {
1345 free(ent->entry.pw_end);
1346 ent->entry.pw_end = NULL;
1347 }
1348 break;
1349 case 'I':
1350 ent->entry.flags.server = TRUE;
1351 ent->entry.flags.client = TRUE;
1352 break;
1353 }
1354 }
1355 out2:
1356 free(samba_acct_flags);
1357 }
1358
1359 ret = 0;
1360
1361 out:
1362 if (unparsed_name)
1363 free(unparsed_name);
1364
1365 if (ret)
1366 hdb_free_entry(context, ent);
1367
1368 return ret;
1369 }
1370
1371 static krb5_error_code
1372 LDAP_close(krb5_context context, HDB * db)
1373 {
1374 if (HDB2LDAP(db)) {
1375 ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
1376 ((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
1377 }
1378
1379 return 0;
1380 }
1381
1382 static krb5_error_code
1383 LDAP_lock(krb5_context context, HDB * db, int operation)
1384 {
1385 return 0;
1386 }
1387
1388 static krb5_error_code
1389 LDAP_unlock(krb5_context context, HDB * db)
1390 {
1391 return 0;
1392 }
1393
1394 static krb5_error_code
1395 LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
1396 {
1397 int msgid, rc, parserc;
1398 krb5_error_code ret;
1399 LDAPMessage *e;
1400
1401 msgid = HDB2MSGID(db);
1402 if (msgid < 0)
1403 return HDB_ERR_NOENTRY;
1404
1405 do {
1406 rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
1407 switch (rc) {
1408 case LDAP_RES_SEARCH_REFERENCE:
1409 ldap_msgfree(e);
1410 ret = 0;
1411 break;
1412 case LDAP_RES_SEARCH_ENTRY:
1413 /* We have an entry. Parse it. */
1414 ret = LDAP_message2entry(context, db, e, entry);
1415 ldap_msgfree(e);
1416 break;
1417 case LDAP_RES_SEARCH_RESULT:
1418 /* We're probably at the end of the results. If not, abandon. */
1419 parserc =
1420 ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
1421 NULL, NULL, 1);
1422 ret = HDB_ERR_NOENTRY;
1423 if (parserc != LDAP_SUCCESS
1424 && parserc != LDAP_MORE_RESULTS_TO_RETURN) {
1425 krb5_set_error_message(context, ret, "ldap_parse_result: %s",
1426 ldap_err2string(parserc));
1427 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1428 }
1429 HDBSETMSGID(db, -1);
1430 break;
1431 case LDAP_SERVER_DOWN:
1432 ldap_msgfree(e);
1433 LDAP_close(context, db);
1434 HDBSETMSGID(db, -1);
1435 ret = ENETDOWN;
1436 break;
1437 default:
1438 /* Some unspecified error (timeout?). Abandon. */
1439 ldap_msgfree(e);
1440 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1441 ret = HDB_ERR_NOENTRY;
1442 HDBSETMSGID(db, -1);
1443 break;
1444 }
1445 } while (rc == LDAP_RES_SEARCH_REFERENCE);
1446
1447 if (ret == 0) {
1448 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1449 ret = hdb_unseal_keys(context, db, &entry->entry);
1450 if (ret)
1451 hdb_free_entry(context, entry);
1452 }
1453 }
1454
1455 return ret;
1456 }
1457
1458 static krb5_error_code
1459 LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
1460 hdb_entry_ex *entry)
1461 {
1462 krb5_error_code ret;
1463 int msgid;
1464
1465 ret = LDAP__connect(context, db);
1466 if (ret)
1467 return ret;
1468
1469 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
1470 if (ret)
1471 return ret;
1472
1473 ret = ldap_search_ext(HDB2LDAP(db), HDB2BASE(db),
1474 LDAP_SCOPE_SUBTREE,
1475 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1476 krb5kdcentry_attrs, 0,
1477 NULL, NULL, NULL, 0, &msgid);
1478 if (msgid < 0)
1479 return HDB_ERR_NOENTRY;
1480
1481 HDBSETMSGID(db, msgid);
1482
1483 return LDAP_seq(context, db, flags, entry);
1484 }
1485
1486 static krb5_error_code
1487 LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
1488 hdb_entry_ex * entry)
1489 {
1490 return LDAP_seq(context, db, flags, entry);
1491 }
1492
1493 static krb5_error_code
1494 LDAP__connect(krb5_context context, HDB * db)
1495 {
1496 int rc, version = LDAP_VERSION3;
1497 /*
1498 * Empty credentials to do a SASL bind with LDAP. Note that empty
1499 * different from NULL credentials. If you provide NULL
1500 * credentials instead of empty credentials you will get a SASL
1501 * bind in progress message.
1502 */
1503 struct berval bv = { 0, "" };
1504
1505 if (HDB2LDAP(db)) {
1506 /* connection has been opened. ping server. */
1507 struct sockaddr_un addr;
1508 socklen_t len = sizeof(addr);
1509 int sd;
1510
1511 if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
1512 getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
1513 /* the other end has died. reopen. */
1514 LDAP_close(context, db);
1515 }
1516 }
1517
1518 if (HDB2LDAP(db) != NULL) /* server is UP */
1519 return 0;
1520
1521 rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));
1522 if (rc != LDAP_SUCCESS) {
1523 krb5_set_error_message(context, HDB_ERR_NOENTRY, "ldap_initialize: %s",
1524 ldap_err2string(rc));
1525 return HDB_ERR_NOENTRY;
1526 }
1527
1528 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
1529 (const void *)&version);
1530 if (rc != LDAP_SUCCESS) {
1531 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1532 "ldap_set_option: %s", ldap_err2string(rc));
1533 LDAP_close(context, db);
1534 return HDB_ERR_BADVERSION;
1535 }
1536
1537 rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
1538 NULL, NULL, NULL);
1539 if (rc != LDAP_SUCCESS) {
1540 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1541 "ldap_sasl_bind_s: %s", ldap_err2string(rc));
1542 LDAP_close(context, db);
1543 return HDB_ERR_BADVERSION;
1544 }
1545
1546 return 0;
1547 }
1548
1549 static krb5_error_code
1550 LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
1551 {
1552 /* Not the right place for this. */
1553 #ifdef HAVE_SIGACTION
1554 struct sigaction sa;
1555
1556 sa.sa_flags = 0;
1557 sa.sa_handler = SIG_IGN;
1558 sigemptyset(&sa.sa_mask);
1559
1560 sigaction(SIGPIPE, &sa, NULL);
1561 #else
1562 signal(SIGPIPE, SIG_IGN);
1563 #endif /* HAVE_SIGACTION */
1564
1565 return LDAP__connect(context, db);
1566 }
1567
1568 static krb5_error_code
1569 LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
1570 unsigned flags, hdb_entry_ex * entry)
1571 {
1572 LDAPMessage *msg, *e;
1573 krb5_error_code ret;
1574
1575 ret = LDAP_principal2message(context, db, principal, &msg);
1576 if (ret)
1577 return ret;
1578
1579 e = ldap_first_entry(HDB2LDAP(db), msg);
1580 if (e == NULL) {
1581 ret = HDB_ERR_NOENTRY;
1582 goto out;
1583 }
1584
1585 ret = LDAP_message2entry(context, db, e, entry);
1586 if (ret == 0) {
1587 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1588 ret = hdb_unseal_keys(context, db, &entry->entry);
1589 if (ret)
1590 hdb_free_entry(context, entry);
1591 }
1592 }
1593
1594 out:
1595 ldap_msgfree(msg);
1596
1597 return ret;
1598 }
1599
1600 static krb5_error_code
1601 LDAP_store(krb5_context context, HDB * db, unsigned flags,
1602 hdb_entry_ex * entry)
1603 {
1604 LDAPMod **mods = NULL;
1605 krb5_error_code ret;
1606 const char *errfn;
1607 int rc;
1608 LDAPMessage *msg = NULL, *e = NULL;
1609 char *dn = NULL, *name = NULL;
1610
1611 ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
1612 if (ret == 0)
1613 e = ldap_first_entry(HDB2LDAP(db), msg);
1614
1615 ret = krb5_unparse_name(context, entry->entry.principal, &name);
1616 if (ret) {
1617 free(name);
1618 return ret;
1619 }
1620
1621 ret = hdb_seal_keys(context, db, &entry->entry);
1622 if (ret)
1623 goto out;
1624
1625 /* turn new entry into LDAPMod array */
1626 ret = LDAP_entry2mods(context, db, entry, e, &mods);
1627 if (ret)
1628 goto out;
1629
1630 if (e == NULL) {
1631 ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
1632 if (ret < 0) {
1633 ret = ENOMEM;
1634 krb5_set_error_message(context, ret, "asprintf: out of memory");
1635 goto out;
1636 }
1637 } else if (flags & HDB_F_REPLACE) {
1638 /* Entry exists, and we're allowed to replace it. */
1639 dn = ldap_get_dn(HDB2LDAP(db), e);
1640 } else {
1641 /* Entry exists, but we're not allowed to replace it. Bail. */
1642 ret = HDB_ERR_EXISTS;
1643 goto out;
1644 }
1645
1646 /* write entry into directory */
1647 if (e == NULL) {
1648 /* didn't exist before */
1649 rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1650 errfn = "ldap_add_ext_s";
1651 } else {
1652 /* already existed, send deltas only */
1653 rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1654 errfn = "ldap_modify_ext_s";
1655 }
1656
1657 if (check_ldap(context, db, rc)) {
1658 char *ld_error = NULL;
1659 ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
1660 &ld_error);
1661 ret = HDB_ERR_CANT_LOCK_DB;
1662 krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",
1663 errfn, name, dn, ldap_err2string(rc), ld_error);
1664 } else
1665 ret = 0;
1666
1667 out:
1668 /* free stuff */
1669 if (dn)
1670 free(dn);
1671 if (msg)
1672 ldap_msgfree(msg);
1673 if (mods)
1674 ldap_mods_free(mods, 1);
1675 if (name)
1676 free(name);
1677
1678 return ret;
1679 }
1680
1681 static krb5_error_code
1682 LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)
1683 {
1684 krb5_error_code ret;
1685 LDAPMessage *msg, *e;
1686 char *dn = NULL;
1687 int rc, limit = LDAP_NO_LIMIT;
1688
1689 ret = LDAP_principal2message(context, db, principal, &msg);
1690 if (ret)
1691 goto out;
1692
1693 e = ldap_first_entry(HDB2LDAP(db), msg);
1694 if (e == NULL) {
1695 ret = HDB_ERR_NOENTRY;
1696 goto out;
1697 }
1698
1699 dn = ldap_get_dn(HDB2LDAP(db), e);
1700 if (dn == NULL) {
1701 ret = HDB_ERR_NOENTRY;
1702 goto out;
1703 }
1704
1705 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
1706 if (rc != LDAP_SUCCESS) {
1707 ret = HDB_ERR_BADVERSION;
1708 krb5_set_error_message(context, ret, "ldap_set_option: %s",
1709 ldap_err2string(rc));
1710 goto out;
1711 }
1712
1713 rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL );
1714 if (check_ldap(context, db, rc)) {
1715 ret = HDB_ERR_CANT_LOCK_DB;
1716 krb5_set_error_message(context, ret, "ldap_delete_ext_s: %s",
1717 ldap_err2string(rc));
1718 } else
1719 ret = 0;
1720
1721 out:
1722 if (dn != NULL)
1723 free(dn);
1724 if (msg != NULL)
1725 ldap_msgfree(msg);
1726
1727 return ret;
1728 }
1729
1730 static krb5_error_code
1731 LDAP_destroy(krb5_context context, HDB * db)
1732 {
1733 krb5_error_code ret;
1734
1735 LDAP_close(context, db);
1736
1737 ret = hdb_clear_master_key(context, db);
1738 if (HDB2BASE(db))
1739 free(HDB2BASE(db));
1740 if (HDB2CREATE(db))
1741 free(HDB2CREATE(db));
1742 if (HDB2URL(db))
1743 free(HDB2URL(db));
1744 if (db->hdb_name)
1745 free(db->hdb_name);
1746 free(db->hdb_db);
1747 free(db);
1748
1749 return ret;
1750 }
1751
1752 static krb5_error_code
1753 hdb_ldap_common(krb5_context context,
1754 HDB ** db,
1755 const char *search_base,
1756 const char *url)
1757 {
1758 struct hdbldapdb *h;
1759 const char *create_base = NULL;
1760
1761 if (search_base == NULL && search_base[0] == '\0') {
1762 krb5_set_error_message(context, ENOMEM, "ldap search base not configured");
1763 return ENOMEM; /* XXX */
1764 }
1765
1766 if (structural_object == NULL) {
1767 const char *p;
1768
1769 p = krb5_config_get_string(context, NULL, "kdc",
1770 "hdb-ldap-structural-object", NULL);
1771 if (p == NULL)
1772 p = default_structural_object;
1773 structural_object = strdup(p);
1774 if (structural_object == NULL) {
1775 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1776 return ENOMEM;
1777 }
1778 }
1779
1780 samba_forwardable =
1781 krb5_config_get_bool_default(context, NULL, TRUE,
1782 "kdc", "hdb-samba-forwardable", NULL);
1783
1784 *db = calloc(1, sizeof(**db));
1785 if (*db == NULL) {
1786 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1787 return ENOMEM;
1788 }
1789 memset(*db, 0, sizeof(**db));
1790
1791 h = calloc(1, sizeof(*h));
1792 if (h == NULL) {
1793 free(*db);
1794 *db = NULL;
1795 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1796 return ENOMEM;
1797 }
1798 (*db)->hdb_db = h;
1799
1800 /* XXX */
1801 if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {
1802 LDAP_destroy(context, *db);
1803 *db = NULL;
1804 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1805 return ENOMEM;
1806 }
1807
1808 h->h_url = strdup(url);
1809 h->h_base = strdup(search_base);
1810 if (h->h_url == NULL || h->h_base == NULL) {
1811 LDAP_destroy(context, *db);
1812 *db = NULL;
1813 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1814 return ENOMEM;
1815 }
1816
1817 create_base = krb5_config_get_string(context, NULL, "kdc",
1818 "hdb-ldap-create-base", NULL);
1819 if (create_base == NULL)
1820 create_base = h->h_base;
1821
1822 h->h_createbase = strdup(create_base);
1823 if (h->h_createbase == NULL) {
1824 LDAP_destroy(context, *db);
1825 *db = NULL;
1826 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1827 return ENOMEM;
1828 }
1829
1830 (*db)->hdb_master_key_set = 0;
1831 (*db)->hdb_openp = 0;
1832 (*db)->hdb_capability_flags = 0;
1833 (*db)->hdb_open = LDAP_open;
1834 (*db)->hdb_close = LDAP_close;
1835 (*db)->hdb_fetch = LDAP_fetch;
1836 (*db)->hdb_store = LDAP_store;
1837 (*db)->hdb_remove = LDAP_remove;
1838 (*db)->hdb_firstkey = LDAP_firstkey;
1839 (*db)->hdb_nextkey = LDAP_nextkey;
1840 (*db)->hdb_lock = LDAP_lock;
1841 (*db)->hdb_unlock = LDAP_unlock;
1842 (*db)->hdb_rename = NULL;
1843 (*db)->hdb__get = NULL;
1844 (*db)->hdb__put = NULL;
1845 (*db)->hdb__del = NULL;
1846 (*db)->hdb_destroy = LDAP_destroy;
1847
1848 return 0;
1849 }
1850
1851 krb5_error_code
1852 hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
1853 {
1854 return hdb_ldap_common(context, db, arg, "ldapi:///");
1855 }
1856
1857 krb5_error_code
1858 hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)
1859 {
1860 krb5_error_code ret;
1861 char *search_base, *p;
1862
1863 asprintf(&p, "ldapi:%s", arg);
1864 if (p == NULL) {
1865 *db = NULL;
1866 krb5_set_error_message(context, ENOMEM, "out of memory");
1867 return ENOMEM;
1868 }
1869 search_base = strchr(p + strlen("ldapi://"), ':');
1870 if (search_base == NULL) {
1871 *db = NULL;
1872 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1873 "search base missing");
1874 return HDB_ERR_BADVERSION;
1875 }
1876 *search_base = '\0';
1877 search_base++;
1878
1879 ret = hdb_ldap_common(context, db, search_base, p);
1880 free(p);
1881 return ret;
1882 }
1883
1884 #ifdef OPENLDAP_MODULE
1885
1886 struct hdb_so_method hdb_ldap_interface = {
1887 HDB_INTERFACE_VERSION,
1888 "ldap",
1889 hdb_ldap_create
1890 };
1891
1892 struct hdb_so_method hdb_ldapi_interface = {
1893 HDB_INTERFACE_VERSION,
1894 "ldapi",
1895 hdb_ldapi_create
1896 };
1897
1898 #endif
1899
1900 #endif /* OPENLDAP */
Heimdal