2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
5 * Copyright (c) 2015, Timothy Pearson.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of PADL Software nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
45 static krb5_error_code
LDAP__connect(krb5_context context
, HDB
*);
46 static krb5_error_code
LDAP_close(krb5_context context
, HDB
*);
48 static krb5_error_code
49 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
50 int flags
, hdb_entry_ex
* ent
);
52 static const char *default_structural_object
= "account";
53 static char *structural_object
;
54 static const char *default_ldap_url
= "ldapi:///";
55 static krb5_boolean samba_forwardable
;
63 char *h_bind_password
;
64 krb5_boolean h_start_tls
;
68 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
69 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
70 #define HDBSETMSGID(db,msgid) \
71 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
72 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
73 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
74 #define HDB2BINDDN(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_dn)
75 #define HDB2BINDPW(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_password)
76 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
82 static char * krb5kdcentry_attrs
[] = {
89 "krb5KeyVersionNumber",
95 "krb5ExtendedAttributes",
105 "sambaPwdMustChange",
110 static char *krb5principal_attrs
[] = {
115 "krb5PrincipalRealm",
124 LDAP_no_size_limit(krb5_context context
, LDAP
*lp
)
126 int ret
, limit
= LDAP_NO_LIMIT
;
128 ret
= ldap_set_option(lp
, LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
129 if (ret
!= LDAP_SUCCESS
) {
130 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
131 "ldap_set_option: %s",
132 ldap_err2string(ret
));
133 return HDB_ERR_BADVERSION
;
139 check_ldap(krb5_context context
, HDB
*db
, int ret
)
144 case LDAP_SERVER_DOWN
:
145 LDAP_close(context
, db
);
152 static krb5_error_code
153 LDAP__setmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
158 if (*modlist
== NULL
) {
159 *modlist
= (LDAPMod
**)ber_memcalloc(1, sizeof(LDAPMod
*));
160 if (*modlist
== NULL
)
164 for (cMods
= 0; (*modlist
)[cMods
] != NULL
; cMods
++) {
165 if ((*modlist
)[cMods
]->mod_op
== modop
&&
166 strcasecmp((*modlist
)[cMods
]->mod_type
, attribute
) == 0) {
173 if ((*modlist
)[cMods
] == NULL
) {
176 *modlist
= (LDAPMod
**)ber_memrealloc(*modlist
,
177 (cMods
+ 2) * sizeof(LDAPMod
*));
178 if (*modlist
== NULL
)
181 (*modlist
)[cMods
] = (LDAPMod
*)ber_memalloc(sizeof(LDAPMod
));
182 if ((*modlist
)[cMods
] == NULL
)
185 mod
= (*modlist
)[cMods
];
187 mod
->mod_type
= ber_strdup(attribute
);
188 if (mod
->mod_type
== NULL
) {
190 (*modlist
)[cMods
] = NULL
;
194 if (modop
& LDAP_MOD_BVALUES
) {
195 mod
->mod_bvalues
= NULL
;
197 mod
->mod_values
= NULL
;
200 (*modlist
)[cMods
+ 1] = NULL
;
206 static krb5_error_code
207 LDAP_addmod_len(LDAPMod
*** modlist
, int modop
, const char *attribute
,
208 unsigned char *value
, size_t len
)
213 ret
= LDAP__setmod(modlist
, modop
| LDAP_MOD_BVALUES
, attribute
, &cMods
);
220 bv
= (*modlist
)[cMods
]->mod_bvalues
;
222 for (i
= 0; bv
[i
] != NULL
; i
++)
224 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
226 bv
= ber_memalloc(2 * sizeof(*bv
));
230 (*modlist
)[cMods
]->mod_bvalues
= bv
;
232 bv
[i
] = ber_memalloc(sizeof(**bv
));;
236 bv
[i
]->bv_val
= (void *)value
;
245 static krb5_error_code
246 LDAP_addmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
252 ret
= LDAP__setmod(modlist
, modop
, attribute
, &cMods
);
259 bv
= (*modlist
)[cMods
]->mod_values
;
261 for (i
= 0; bv
[i
] != NULL
; i
++)
263 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
265 bv
= ber_memalloc(2 * sizeof(*bv
));
269 (*modlist
)[cMods
]->mod_values
= bv
;
271 bv
[i
] = ber_strdup(value
);
281 static krb5_error_code
282 LDAP_addmod_generalized_time(LDAPMod
*** mods
, int modop
,
283 const char *attribute
, KerberosTime
* time
)
288 /* XXX not threadsafe */
290 strftime(buf
, sizeof(buf
), "%Y%m%d%H%M%SZ", tm
);
292 return LDAP_addmod(mods
, modop
, attribute
, buf
);
295 static krb5_error_code
296 LDAP_addmod_integer(krb5_context context
,
297 LDAPMod
*** mods
, int modop
,
298 const char *attribute
, unsigned long l
)
303 ret
= asprintf(&buf
, "%ld", l
);
305 krb5_set_error_message(context
, ENOMEM
,
306 "asprintf: out of memory:");
309 ret
= LDAP_addmod(mods
, modop
, attribute
, buf
);
314 static krb5_error_code
315 LDAP_get_string_value(HDB
* db
, LDAPMessage
* entry
,
316 const char *attribute
, char **ptr
)
318 struct berval
**vals
;
320 vals
= ldap_get_values_len(HDB2LDAP(db
), entry
, attribute
);
321 if (vals
== NULL
|| vals
[0] == NULL
) {
323 return HDB_ERR_NOENTRY
;
326 *ptr
= malloc(vals
[0]->bv_len
+ 1);
328 ldap_value_free_len(vals
);
332 memcpy(*ptr
, vals
[0]->bv_val
, vals
[0]->bv_len
);
333 (*ptr
)[vals
[0]->bv_len
] = 0;
335 ldap_value_free_len(vals
);
340 static krb5_error_code
341 LDAP_get_integer_value(HDB
* db
, LDAPMessage
* entry
,
342 const char *attribute
, int *ptr
)
347 ret
= LDAP_get_string_value(db
, entry
, attribute
, &val
);
355 static krb5_error_code
356 LDAP_get_generalized_time_value(HDB
* db
, LDAPMessage
* entry
,
357 const char *attribute
, KerberosTime
* kt
)
365 ret
= LDAP_get_string_value(db
, entry
, attribute
, &gentime
);
369 tmp
= strptime(gentime
, "%Y%m%d%H%M%SZ", &tm
);
372 return HDB_ERR_NOENTRY
;
383 bervalstrcmp(struct berval
*v
, const char *str
)
385 size_t len
= strlen(str
);
386 return (v
->bv_len
== len
) && strncasecmp(str
, (char *)v
->bv_val
, len
) == 0;
390 static krb5_error_code
391 LDAP_entry2mods(krb5_context context
, HDB
* db
, hdb_entry_ex
* ent
,
392 LDAPMessage
* msg
, LDAPMod
*** pmods
)
395 krb5_boolean is_new_entry
;
397 LDAPMod
**mods
= NULL
;
399 unsigned long oflags
, nflags
;
402 krb5_boolean is_samba_account
= FALSE
;
403 krb5_boolean is_account
= FALSE
;
404 krb5_boolean is_heimdal_entry
= FALSE
;
405 krb5_boolean is_heimdal_principal
= FALSE
;
407 struct berval
**vals
;
413 ret
= LDAP_message2entry(context
, db
, msg
, 0, &orig
);
417 is_new_entry
= FALSE
;
419 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "objectClass");
421 int num_objectclasses
= ldap_count_values_len(vals
);
422 for (i
=0; i
< num_objectclasses
; i
++) {
423 if (bervalstrcmp(vals
[i
], "sambaSamAccount"))
424 is_samba_account
= TRUE
;
425 else if (bervalstrcmp(vals
[i
], structural_object
))
427 else if (bervalstrcmp(vals
[i
], "krb5Principal"))
428 is_heimdal_principal
= TRUE
;
429 else if (bervalstrcmp(vals
[i
], "krb5KDCEntry"))
430 is_heimdal_entry
= TRUE
;
432 ldap_value_free_len(vals
);
436 * If this is just a "account" entry and no other objectclass
437 * is hanging on this entry, it's really a new entry.
439 if (is_samba_account
== FALSE
&& is_heimdal_principal
== FALSE
&&
440 is_heimdal_entry
== FALSE
) {
441 if (is_account
== TRUE
) {
444 ret
= HDB_ERR_NOENTRY
;
453 /* to make it perfectly obvious we're depending on
454 * orig being intiialized to zero */
455 memset(&orig
, 0, sizeof(orig
));
457 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "top");
461 /* account is the structural object class */
462 if (is_account
== FALSE
) {
463 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass",
470 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5Principal");
471 is_heimdal_principal
= TRUE
;
475 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5KDCEntry");
476 is_heimdal_entry
= TRUE
;
482 krb5_principal_compare(context
, ent
->entry
.principal
, orig
.entry
.principal
)
485 if (is_heimdal_principal
|| is_heimdal_entry
) {
487 ret
= krb5_unparse_name(context
, ent
->entry
.principal
, &tmp
);
491 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
,
492 "krb5PrincipalName", tmp
);
500 if (is_account
|| is_samba_account
) {
501 ret
= krb5_unparse_name_short(context
, ent
->entry
.principal
, &tmp
);
504 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "uid", tmp
);
513 if (is_heimdal_entry
&& (ent
->entry
.kvno
!= orig
.entry
.kvno
|| is_new_entry
)) {
514 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
515 "krb5KeyVersionNumber",
521 if (is_heimdal_entry
&& ent
->entry
.extensions
) {
523 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5ExtendedAttributes");
525 ldap_value_free_len(vals
);
526 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5ExtendedAttributes", NULL
);
532 for (i
= 0; i
< ent
->entry
.extensions
->len
; i
++) {
536 ASN1_MALLOC_ENCODE(HDB_extension
, buf
, size
, &ent
->entry
.extensions
->val
[i
], &sz
, ret
);
540 krb5_abortx(context
, "internal error in ASN.1 encoder");
542 ret
= LDAP_addmod_len(&mods
, LDAP_MOD_ADD
, "krb5ExtendedAttributes", buf
, sz
);
548 if (is_heimdal_entry
&& ent
->entry
.valid_start
) {
549 if (orig
.entry
.valid_end
== NULL
550 || (*(ent
->entry
.valid_start
) != *(orig
.entry
.valid_start
))) {
551 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
553 ent
->entry
.valid_start
);
559 if (ent
->entry
.valid_end
) {
560 if (orig
.entry
.valid_end
== NULL
|| (*(ent
->entry
.valid_end
) != *(orig
.entry
.valid_end
))) {
561 if (is_heimdal_entry
) {
562 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
564 ent
->entry
.valid_end
);
568 if (is_samba_account
) {
569 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
571 *(ent
->entry
.valid_end
));
578 if (ent
->entry
.pw_end
) {
579 if (orig
.entry
.pw_end
== NULL
|| (*(ent
->entry
.pw_end
) != *(orig
.entry
.pw_end
))) {
580 if (is_heimdal_entry
) {
581 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
588 if (is_samba_account
) {
589 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
590 "sambaPwdMustChange",
591 *(ent
->entry
.pw_end
));
599 #if 0 /* we we have last_pw_change */
600 if (is_samba_account
&& ent
->entry
.last_pw_change
) {
601 if (orig
.entry
.last_pw_change
== NULL
|| (*(ent
->entry
.last_pw_change
) != *(orig
.entry
.last_pw_change
))) {
602 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
604 *(ent
->entry
.last_pw_change
));
611 if (is_heimdal_entry
&& ent
->entry
.max_life
) {
612 if (orig
.entry
.max_life
== NULL
613 || (*(ent
->entry
.max_life
) != *(orig
.entry
.max_life
))) {
615 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
617 *(ent
->entry
.max_life
));
623 if (is_heimdal_entry
&& ent
->entry
.max_renew
) {
624 if (orig
.entry
.max_renew
== NULL
625 || (*(ent
->entry
.max_renew
) != *(orig
.entry
.max_renew
))) {
627 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
629 *(ent
->entry
.max_renew
));
635 oflags
= HDBFlags2int(orig
.entry
.flags
);
636 nflags
= HDBFlags2int(ent
->entry
.flags
);
638 if (is_heimdal_entry
&& oflags
!= nflags
) {
640 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
647 /* Remove keys if they exists, and then replace keys. */
648 if (!is_new_entry
&& orig
.entry
.keys
.len
> 0) {
649 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
651 ldap_value_free_len(vals
);
653 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5Key", NULL
);
659 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
662 && ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
665 time_t now
= time(NULL
);
667 /* the key might have been 'sealed', but samba passwords
668 are clear in the directory */
669 ret
= hdb_unseal_key(context
, db
, &ent
->entry
.keys
.val
[i
]);
673 nt
= ent
->entry
.keys
.val
[i
].key
.keyvalue
.data
;
674 /* store in ntPassword, not krb5key */
675 ret
= hex_encode(nt
, 16, &ntHexPassword
);
678 krb5_set_error_message(context
, ret
, "hdb-ldap: failed to "
682 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "sambaNTPassword",
687 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
688 "sambaPwdLastSet", now
);
692 /* have to kill the LM passwod if it exists */
693 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "sambaLMPassword");
695 ldap_value_free_len(vals
);
696 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
,
697 "sambaLMPassword", NULL
);
702 } else if (is_heimdal_entry
) {
704 size_t len
, buf_size
;
706 ASN1_MALLOC_ENCODE(Key
, buf
, buf_size
, &ent
->entry
.keys
.val
[i
], &len
, ret
);
710 krb5_abortx(context
, "internal error in ASN.1 encoder");
712 /* addmod_len _owns_ the key, doesn't need to copy it */
713 ret
= LDAP_addmod_len(&mods
, LDAP_MOD_ADD
, "krb5Key", buf
, len
);
719 if (ent
->entry
.etypes
) {
720 int add_krb5EncryptionType
= 0;
723 * Only add/modify krb5EncryptionType if it's a new heimdal
724 * entry or krb5EncryptionType already exists on the entry.
728 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
730 ldap_value_free_len(vals
);
731 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5EncryptionType",
735 add_krb5EncryptionType
= 1;
737 } else if (is_heimdal_entry
)
738 add_krb5EncryptionType
= 1;
740 if (add_krb5EncryptionType
) {
741 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
742 if (is_samba_account
&&
743 ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
)
746 } else if (is_heimdal_entry
) {
747 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_ADD
,
748 "krb5EncryptionType",
749 ent
->entry
.etypes
->val
[i
]);
764 else if (mods
!= NULL
) {
765 ldap_mods_free(mods
, 1);
770 hdb_free_entry(context
, &orig
);
775 static krb5_error_code
776 LDAP_dn2principal(krb5_context context
, HDB
* db
, const char *dn
,
777 krb5_principal
* principal
)
781 const char *filter
= "(objectClass=krb5Principal)";
782 LDAPMessage
*res
= NULL
, *e
;
785 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
789 rc
= ldap_search_ext_s(HDB2LDAP(db
), dn
, LDAP_SCOPE_SUBTREE
,
790 filter
, krb5principal_attrs
, 0,
793 if (check_ldap(context
, db
, rc
)) {
794 ret
= HDB_ERR_NOENTRY
;
795 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
796 "filter: %s error: %s",
797 filter
, ldap_err2string(rc
));
801 e
= ldap_first_entry(HDB2LDAP(db
), res
);
803 ret
= HDB_ERR_NOENTRY
;
807 ret
= LDAP_get_string_value(db
, e
, "krb5PrincipalName", &p
);
809 ret
= HDB_ERR_NOENTRY
;
813 ret
= krb5_parse_name(context
, p
, principal
);
824 need_quote(unsigned char c
)
835 static const char hexchar
[] = "0123456789ABCDEF";
837 static krb5_error_code
838 escape_value(krb5_context context
, const char *unquoted
, char **quoted
)
842 for (i
= 0, len
= 0; unquoted
[i
] != '\0'; i
++, len
++) {
843 if (need_quote((unsigned char)unquoted
[i
]))
847 *quoted
= malloc(len
+ 1);
848 if (*quoted
== NULL
) {
849 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
853 for (i
= 0; unquoted
[0] ; unquoted
++) {
854 if (need_quote((unsigned char)unquoted
[0])) {
855 (*quoted
)[i
++] = '\\';
856 (*quoted
)[i
++] = hexchar
[(unquoted
[0] >> 4) & 0xf];
857 (*quoted
)[i
++] = hexchar
[(unquoted
[0] ) & 0xf];
859 (*quoted
)[i
++] = (char)unquoted
[0];
866 static krb5_error_code
867 LDAP__lookup_princ(krb5_context context
,
869 const char *princname
,
875 char *quote
, *filter
= NULL
;
877 ret
= LDAP__connect(context
, db
);
882 * Quote searches that contain filter language, this quote
883 * searches for *@REALM, which takes very long time.
886 ret
= escape_value(context
, princname
, "e
);
890 rc
= asprintf(&filter
,
891 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
897 krb5_set_error_message(context
, ret
, "malloc: out of memory");
901 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
905 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
),
906 LDAP_SCOPE_SUBTREE
, filter
,
907 krb5kdcentry_attrs
, 0,
910 if (check_ldap(context
, db
, rc
)) {
911 ret
= HDB_ERR_NOENTRY
;
912 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
913 "filter: %s - error: %s",
914 filter
, ldap_err2string(rc
));
918 if (userid
&& ldap_count_entries(HDB2LDAP(db
), *msg
) == 0) {
924 ret
= escape_value(context
, userid
, "e
);
928 rc
= asprintf(&filter
,
929 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
930 structural_object
, quote
);
934 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
938 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
942 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
), LDAP_SCOPE_SUBTREE
,
943 filter
, krb5kdcentry_attrs
, 0,
946 if (check_ldap(context
, db
, rc
)) {
947 ret
= HDB_ERR_NOENTRY
;
948 krb5_set_error_message(context
, ret
,
949 "ldap_search_ext_s: filter: %s error: %s",
950 filter
, ldap_err2string(rc
));
964 static krb5_error_code
965 LDAP_principal2message(krb5_context context
, HDB
* db
,
966 krb5_const_principal princ
, LDAPMessage
** msg
)
968 char *name
, *name_short
= NULL
;
974 ret
= krb5_unparse_name(context
, princ
, &name
);
978 ret
= krb5_get_default_realms(context
, &r0
);
983 for (r
= r0
; *r
!= NULL
; r
++) {
984 if(strcmp(krb5_principal_get_realm(context
, princ
), *r
) == 0) {
985 ret
= krb5_unparse_name_short(context
, princ
, &name_short
);
987 krb5_free_host_realm(context
, r0
);
994 krb5_free_host_realm(context
, r0
);
996 ret
= LDAP__lookup_princ(context
, db
, name
, name_short
, msg
);
1004 * Construct an hdb_entry from a directory entry.
1006 static krb5_error_code
1007 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
1008 int flags
, hdb_entry_ex
* ent
)
1010 char *unparsed_name
= NULL
, *dn
= NULL
, *ntPasswordIN
= NULL
;
1011 char *samba_acct_flags
= NULL
;
1012 struct berval
**keys
;
1013 struct berval
**extensions
;
1014 struct berval
**vals
;
1015 int tmp
, tmp_time
, i
, ret
, have_arcfour
= 0;
1017 memset(ent
, 0, sizeof(*ent
));
1018 ent
->entry
.flags
= int2HDBFlags(0);
1020 ret
= LDAP_get_string_value(db
, msg
, "krb5PrincipalName", &unparsed_name
);
1022 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
1026 ret
= LDAP_get_string_value(db
, msg
, "uid",
1029 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
1033 krb5_set_error_message(context
, HDB_ERR_NOENTRY
,
1034 "hdb-ldap: ldap entry missing"
1036 return HDB_ERR_NOENTRY
;
1042 ret
= LDAP_get_integer_value(db
, msg
, "krb5KeyVersionNumber",
1045 ent
->entry
.kvno
= 0;
1047 ent
->entry
.kvno
= integer
;
1050 keys
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
1054 ent
->entry
.keys
.len
= ldap_count_values_len(keys
);
1055 ent
->entry
.keys
.val
= (Key
*) calloc(ent
->entry
.keys
.len
, sizeof(Key
));
1056 if (ent
->entry
.keys
.val
== NULL
) {
1058 krb5_set_error_message(context
, ret
, "calloc: out of memory");
1061 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
1062 decode_Key((unsigned char *) keys
[i
]->bv_val
,
1063 (size_t) keys
[i
]->bv_len
, &ent
->entry
.keys
.val
[i
], &l
);
1069 * This violates the ASN1 but it allows a principal to
1070 * be related to a general directory entry without creating
1071 * the keys. Hopefully it's OK.
1073 ent
->entry
.keys
.len
= 0;
1074 ent
->entry
.keys
.val
= NULL
;
1076 ret
= HDB_ERR_NOENTRY
;
1081 extensions
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5ExtendedAttributes");
1082 if (extensions
!= NULL
) {
1085 ent
->entry
.extensions
= calloc(1, sizeof(*(ent
->entry
.extensions
)));
1086 if (ent
->entry
.extensions
== NULL
) {
1087 ret
= krb5_enomem(context
);
1090 ent
->entry
.extensions
->len
= ldap_count_values_len(extensions
);
1091 ent
->entry
.extensions
->val
= (HDB_extension
*) calloc(ent
->entry
.extensions
->len
, sizeof(HDB_extension
));
1092 if (ent
->entry
.extensions
->val
== NULL
) {
1093 ent
->entry
.extensions
->len
= 0;
1094 ret
= krb5_enomem(context
);
1097 for (i
= 0; i
< ent
->entry
.extensions
->len
; i
++) {
1098 ret
= decode_HDB_extension((unsigned char *) extensions
[i
]->bv_val
,
1099 (size_t) extensions
[i
]->bv_len
, &ent
->entry
.extensions
->val
[i
], &l
);
1101 krb5_set_error_message(context
, ret
, "decode_HDB_extension failed");
1103 ber_bvecfree(extensions
);
1105 ent
->entry
.extensions
= NULL
;
1108 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
1110 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1111 if (ent
->entry
.etypes
== NULL
) {
1113 krb5_set_error_message(context
, ret
,"malloc: out of memory");
1116 ent
->entry
.etypes
->len
= ldap_count_values_len(vals
);
1117 ent
->entry
.etypes
->val
= calloc(ent
->entry
.etypes
->len
, sizeof(int));
1118 if (ent
->entry
.etypes
->val
== NULL
) {
1120 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1121 ent
->entry
.etypes
->len
= 0;
1124 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
1127 buf
= malloc(vals
[i
]->bv_len
+ 1);
1130 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1133 memcpy(buf
, vals
[i
]->bv_val
, vals
[i
]->bv_len
);
1134 buf
[vals
[i
]->bv_len
] = '\0';
1135 ent
->entry
.etypes
->val
[i
] = atoi(buf
);
1138 ldap_value_free_len(vals
);
1141 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
1142 if (ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
1148 /* manually construct the NT (type 23) key */
1149 ret
= LDAP_get_string_value(db
, msg
, "sambaNTPassword", &ntPasswordIN
);
1150 if (ret
== 0 && have_arcfour
== 0) {
1154 ks
= realloc(ent
->entry
.keys
.val
,
1155 (ent
->entry
.keys
.len
+ 1) *
1156 sizeof(ent
->entry
.keys
.val
[0]));
1159 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1162 ent
->entry
.keys
.val
= ks
;
1163 memset(&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
], 0, sizeof(Key
));
1164 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keytype
= ETYPE_ARCFOUR_HMAC_MD5
;
1165 ret
= krb5_data_alloc (&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
, 16);
1167 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1171 ret
= hex_decode(ntPasswordIN
,
1172 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
.data
, 16);
1173 ent
->entry
.keys
.len
++;
1175 if (ent
->entry
.etypes
== NULL
) {
1176 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1177 if (ent
->entry
.etypes
== NULL
) {
1179 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1182 ent
->entry
.etypes
->val
= NULL
;
1183 ent
->entry
.etypes
->len
= 0;
1186 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++)
1187 if (ent
->entry
.etypes
->val
[i
] == ETYPE_ARCFOUR_HMAC_MD5
)
1189 /* If there is no ARCFOUR enctype, add one */
1190 if (i
== ent
->entry
.etypes
->len
) {
1191 etypes
= realloc(ent
->entry
.etypes
->val
,
1192 (ent
->entry
.etypes
->len
+ 1) *
1193 sizeof(ent
->entry
.etypes
->val
[0]));
1194 if (etypes
== NULL
) {
1196 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1199 ent
->entry
.etypes
->val
= etypes
;
1200 ent
->entry
.etypes
->val
[ent
->entry
.etypes
->len
] =
1201 ETYPE_ARCFOUR_HMAC_MD5
;
1202 ent
->entry
.etypes
->len
++;
1206 ret
= LDAP_get_generalized_time_value(db
, msg
, "createTimestamp",
1207 &ent
->entry
.created_by
.time
);
1209 ent
->entry
.created_by
.time
= time(NULL
);
1211 ent
->entry
.created_by
.principal
= NULL
;
1213 if (flags
& HDB_F_ADMIN_DATA
) {
1214 ret
= LDAP_get_string_value(db
, msg
, "creatorsName", &dn
);
1216 LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.created_by
.principal
);
1220 ent
->entry
.modified_by
= calloc(1, sizeof(*ent
->entry
.modified_by
));
1221 if (ent
->entry
.modified_by
== NULL
) {
1223 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1227 ret
= LDAP_get_generalized_time_value(db
, msg
, "modifyTimestamp",
1228 &ent
->entry
.modified_by
->time
);
1230 ret
= LDAP_get_string_value(db
, msg
, "modifiersName", &dn
);
1232 LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.modified_by
->principal
);
1235 free(ent
->entry
.modified_by
);
1236 ent
->entry
.modified_by
= NULL
;
1241 ent
->entry
.valid_start
= malloc(sizeof(*ent
->entry
.valid_start
));
1242 if (ent
->entry
.valid_start
== NULL
) {
1244 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1247 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidStart",
1248 ent
->entry
.valid_start
);
1251 free(ent
->entry
.valid_start
);
1252 ent
->entry
.valid_start
= NULL
;
1255 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1256 if (ent
->entry
.valid_end
== NULL
) {
1258 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1261 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidEnd",
1262 ent
->entry
.valid_end
);
1265 free(ent
->entry
.valid_end
);
1266 ent
->entry
.valid_end
= NULL
;
1269 ret
= LDAP_get_integer_value(db
, msg
, "sambaKickoffTime", &tmp_time
);
1271 if (ent
->entry
.valid_end
== NULL
) {
1272 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1273 if (ent
->entry
.valid_end
== NULL
) {
1275 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1279 *ent
->entry
.valid_end
= tmp_time
;
1282 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1283 if (ent
->entry
.pw_end
== NULL
) {
1285 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1288 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5PasswordEnd",
1292 free(ent
->entry
.pw_end
);
1293 ent
->entry
.pw_end
= NULL
;
1296 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1300 delta
= krb5_config_get_time_default(context
, NULL
,
1303 "password_lifetime",
1307 if (ent
->entry
.pw_end
== NULL
) {
1308 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1309 if (ent
->entry
.pw_end
== NULL
) {
1311 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1316 *ent
->entry
.pw_end
= tmp_time
+ delta
;
1320 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdMustChange", &tmp_time
);
1322 if (ent
->entry
.pw_end
== NULL
) {
1323 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1324 if (ent
->entry
.pw_end
== NULL
) {
1326 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1330 *ent
->entry
.pw_end
= tmp_time
;
1334 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1336 hdb_entry_set_pw_change_time(context
, &ent
->entry
, tmp_time
);
1341 ent
->entry
.max_life
= malloc(sizeof(*ent
->entry
.max_life
));
1342 if (ent
->entry
.max_life
== NULL
) {
1344 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1347 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxLife", &max_life
);
1349 free(ent
->entry
.max_life
);
1350 ent
->entry
.max_life
= NULL
;
1352 *ent
->entry
.max_life
= max_life
;
1358 ent
->entry
.max_renew
= malloc(sizeof(*ent
->entry
.max_renew
));
1359 if (ent
->entry
.max_renew
== NULL
) {
1361 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1364 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxRenew", &max_renew
);
1366 free(ent
->entry
.max_renew
);
1367 ent
->entry
.max_renew
= NULL
;
1369 *ent
->entry
.max_renew
= max_renew
;
1372 ret
= LDAP_get_integer_value(db
, msg
, "krb5KDCFlags", &tmp
);
1376 ent
->entry
.flags
= int2HDBFlags(tmp
);
1378 /* Try and find Samba flags to put into the mix */
1379 ret
= LDAP_get_string_value(db
, msg
, "sambaAcctFlags", &samba_acct_flags
);
1381 /* parse the [UXW...] string:
1385 'H' Homedir required
1387 'U' User account (normal)
1388 'M' MNS logon user account - what is this ?
1389 'W' Workstation account
1392 'X' No Xpiry on password
1393 'I' Interdomain trust account
1397 int flags_len
= strlen(samba_acct_flags
);
1402 if (samba_acct_flags
[0] != '['
1403 || samba_acct_flags
[flags_len
- 1] != ']')
1406 /* Allow forwarding */
1407 if (samba_forwardable
)
1408 ent
->entry
.flags
.forwardable
= TRUE
;
1410 for (i
=0; i
< flags_len
; i
++) {
1411 switch (samba_acct_flags
[i
]) {
1417 /* how to handle no password in kerberos? */
1420 ent
->entry
.flags
.invalid
= TRUE
;
1425 /* temp duplicate */
1426 ent
->entry
.flags
.invalid
= TRUE
;
1429 ent
->entry
.flags
.client
= TRUE
;
1435 ent
->entry
.flags
.server
= TRUE
;
1436 ent
->entry
.flags
.client
= TRUE
;
1439 ent
->entry
.flags
.invalid
= TRUE
;
1442 if (ent
->entry
.pw_end
) {
1443 free(ent
->entry
.pw_end
);
1444 ent
->entry
.pw_end
= NULL
;
1448 ent
->entry
.flags
.server
= TRUE
;
1449 ent
->entry
.flags
.client
= TRUE
;
1454 free(samba_acct_flags
);
1460 free(unparsed_name
);
1464 hdb_free_entry(context
, ent
);
1469 static krb5_error_code
1470 LDAP_close(krb5_context context
, HDB
* db
)
1473 ldap_unbind_ext(HDB2LDAP(db
), NULL
, NULL
);
1474 ((struct hdbldapdb
*)db
->hdb_db
)->h_lp
= NULL
;
1480 static krb5_error_code
1481 LDAP_lock(krb5_context context
, HDB
* db
, int operation
)
1486 static krb5_error_code
1487 LDAP_unlock(krb5_context context
, HDB
* db
)
1492 static krb5_error_code
1493 LDAP_seq(krb5_context context
, HDB
* db
, unsigned flags
, hdb_entry_ex
* entry
)
1495 int msgid
, rc
, parserc
;
1496 krb5_error_code ret
;
1499 msgid
= HDB2MSGID(db
);
1501 return HDB_ERR_NOENTRY
;
1504 rc
= ldap_result(HDB2LDAP(db
), msgid
, LDAP_MSG_ONE
, NULL
, &e
);
1506 case LDAP_RES_SEARCH_REFERENCE
:
1510 case LDAP_RES_SEARCH_ENTRY
:
1511 /* We have an entry. Parse it. */
1512 ret
= LDAP_message2entry(context
, db
, e
, flags
, entry
);
1515 case LDAP_RES_SEARCH_RESULT
:
1516 /* We're probably at the end of the results. If not, abandon. */
1518 ldap_parse_result(HDB2LDAP(db
), e
, NULL
, NULL
, NULL
,
1520 ret
= HDB_ERR_NOENTRY
;
1521 if (parserc
!= LDAP_SUCCESS
1522 && parserc
!= LDAP_MORE_RESULTS_TO_RETURN
) {
1523 krb5_set_error_message(context
, ret
, "ldap_parse_result: %s",
1524 ldap_err2string(parserc
));
1525 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1527 HDBSETMSGID(db
, -1);
1529 case LDAP_SERVER_DOWN
:
1531 LDAP_close(context
, db
);
1532 HDBSETMSGID(db
, -1);
1536 /* Some unspecified error (timeout?). Abandon. */
1538 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1539 ret
= HDB_ERR_NOENTRY
;
1540 HDBSETMSGID(db
, -1);
1543 } while (rc
== LDAP_RES_SEARCH_REFERENCE
);
1546 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1547 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1549 hdb_free_entry(context
, entry
);
1556 static krb5_error_code
1557 LDAP_firstkey(krb5_context context
, HDB
*db
, unsigned flags
,
1558 hdb_entry_ex
*entry
)
1560 krb5_error_code ret
;
1563 ret
= LDAP__connect(context
, db
);
1567 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
1571 ret
= ldap_search_ext(HDB2LDAP(db
), HDB2BASE(db
),
1573 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1574 krb5kdcentry_attrs
, 0,
1575 NULL
, NULL
, NULL
, 0, &msgid
);
1577 return HDB_ERR_NOENTRY
;
1579 HDBSETMSGID(db
, msgid
);
1581 return LDAP_seq(context
, db
, flags
, entry
);
1584 static krb5_error_code
1585 LDAP_nextkey(krb5_context context
, HDB
* db
, unsigned flags
,
1586 hdb_entry_ex
* entry
)
1588 return LDAP_seq(context
, db
, flags
, entry
);
1591 static krb5_error_code
1592 LDAP__connect(krb5_context context
, HDB
* db
)
1594 int rc
, version
= LDAP_VERSION3
;
1596 * Empty credentials to do a SASL bind with LDAP. Note that empty
1597 * different from NULL credentials. If you provide NULL
1598 * credentials instead of empty credentials you will get a SASL
1599 * bind in progress message.
1601 struct berval bv
= { 0, "" };
1602 const char *sasl_method
= "EXTERNAL";
1603 const char *bind_dn
= NULL
;
1605 if (HDB2BINDDN(db
) != NULL
&& HDB2BINDPW(db
) != NULL
) {
1606 /* A bind DN was specified; use SASL SIMPLE */
1607 bind_dn
= HDB2BINDDN(db
);
1608 sasl_method
= LDAP_SASL_SIMPLE
;
1609 bv
.bv_val
= HDB2BINDPW(db
);
1610 bv
.bv_len
= strlen(bv
.bv_val
);
1614 /* connection has been opened. ping server. */
1615 struct sockaddr_un addr
;
1616 socklen_t len
= sizeof(addr
);
1619 if (ldap_get_option(HDB2LDAP(db
), LDAP_OPT_DESC
, &sd
) == 0 &&
1620 getpeername(sd
, (struct sockaddr
*) &addr
, &len
) < 0) {
1621 /* the other end has died. reopen. */
1622 LDAP_close(context
, db
);
1626 if (HDB2LDAP(db
) != NULL
) /* server is UP */
1629 rc
= ldap_initialize(&((struct hdbldapdb
*)db
->hdb_db
)->h_lp
, HDB2URL(db
));
1630 if (rc
!= LDAP_SUCCESS
) {
1631 krb5_set_error_message(context
, HDB_ERR_NOENTRY
, "ldap_initialize: %s",
1632 ldap_err2string(rc
));
1633 return HDB_ERR_NOENTRY
;
1636 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_PROTOCOL_VERSION
,
1637 (const void *)&version
);
1638 if (rc
!= LDAP_SUCCESS
) {
1639 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1640 "ldap_set_option: %s", ldap_err2string(rc
));
1641 LDAP_close(context
, db
);
1642 return HDB_ERR_BADVERSION
;
1645 if (((struct hdbldapdb
*)db
->hdb_db
)->h_start_tls
) {
1646 rc
= ldap_start_tls_s(HDB2LDAP(db
), NULL
, NULL
);
1648 if (rc
!= LDAP_SUCCESS
) {
1649 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1650 "ldap_start_tls_s: %s", ldap_err2string(rc
));
1651 LDAP_close(context
, db
);
1652 return HDB_ERR_BADVERSION
;
1656 rc
= ldap_sasl_bind_s(HDB2LDAP(db
), bind_dn
, sasl_method
, &bv
,
1658 if (rc
!= LDAP_SUCCESS
) {
1659 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1660 "ldap_sasl_bind_s: %s", ldap_err2string(rc
));
1661 LDAP_close(context
, db
);
1662 return HDB_ERR_BADVERSION
;
1668 static krb5_error_code
1669 LDAP_open(krb5_context context
, HDB
* db
, int flags
, mode_t mode
)
1671 /* Not the right place for this. */
1672 #ifdef HAVE_SIGACTION
1673 struct sigaction sa
;
1676 sa
.sa_handler
= SIG_IGN
;
1677 sigemptyset(&sa
.sa_mask
);
1679 sigaction(SIGPIPE
, &sa
, NULL
);
1681 signal(SIGPIPE
, SIG_IGN
);
1682 #endif /* HAVE_SIGACTION */
1684 return LDAP__connect(context
, db
);
1687 static krb5_error_code
1688 LDAP_fetch_kvno(krb5_context context
, HDB
* db
, krb5_const_principal principal
,
1689 unsigned flags
, krb5_kvno kvno
, hdb_entry_ex
* entry
)
1691 LDAPMessage
*msg
, *e
;
1692 krb5_error_code ret
;
1694 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1698 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1700 ret
= HDB_ERR_NOENTRY
;
1704 ret
= LDAP_message2entry(context
, db
, e
, flags
, entry
);
1706 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1707 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1709 hdb_free_entry(context
, entry
);
1720 static krb5_error_code
1721 LDAP_fetch(krb5_context context
, HDB
* db
, krb5_const_principal principal
,
1722 unsigned flags
, hdb_entry_ex
* entry
)
1724 return LDAP_fetch_kvno(context
, db
, principal
,
1725 flags
& (~HDB_F_KVNO_SPECIFIED
), 0, entry
);
1729 static krb5_error_code
1730 LDAP_store(krb5_context context
, HDB
* db
, unsigned flags
,
1731 hdb_entry_ex
* entry
)
1733 LDAPMod
**mods
= NULL
;
1734 krb5_error_code ret
;
1737 LDAPMessage
*msg
= NULL
, *e
= NULL
;
1738 char *dn
= NULL
, *name
= NULL
;
1740 if ((flags
& HDB_F_PRECHECK
))
1741 return 0; /* we can't guarantee whether we'll be able to perform it */
1743 ret
= LDAP_principal2message(context
, db
, entry
->entry
.principal
, &msg
);
1745 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1747 ret
= krb5_unparse_name(context
, entry
->entry
.principal
, &name
);
1753 ret
= hdb_seal_keys(context
, db
, &entry
->entry
);
1757 /* turn new entry into LDAPMod array */
1758 ret
= LDAP_entry2mods(context
, db
, entry
, e
, &mods
);
1763 ret
= asprintf(&dn
, "krb5PrincipalName=%s,%s", name
, HDB2CREATE(db
));
1766 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
1769 } else if (flags
& HDB_F_REPLACE
) {
1770 /* Entry exists, and we're allowed to replace it. */
1771 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1773 /* Entry exists, but we're not allowed to replace it. Bail. */
1774 ret
= HDB_ERR_EXISTS
;
1778 /* write entry into directory */
1780 /* didn't exist before */
1781 rc
= ldap_add_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1782 errfn
= "ldap_add_ext_s";
1784 /* already existed, send deltas only */
1785 rc
= ldap_modify_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1786 errfn
= "ldap_modify_ext_s";
1789 if (check_ldap(context
, db
, rc
)) {
1790 char *ld_error
= NULL
;
1791 ldap_get_option(HDB2LDAP(db
), LDAP_OPT_ERROR_STRING
,
1793 ret
= HDB_ERR_CANT_LOCK_DB
;
1794 krb5_set_error_message(context
, ret
, "%s: %s (DN=%s) %s: %s",
1795 errfn
, name
, dn
, ldap_err2string(rc
), ld_error
);
1806 ldap_mods_free(mods
, 1);
1813 static krb5_error_code
1814 LDAP_remove(krb5_context context
, HDB
*db
,
1815 unsigned flags
, krb5_const_principal principal
)
1817 krb5_error_code ret
;
1818 LDAPMessage
*msg
, *e
;
1820 int rc
, limit
= LDAP_NO_LIMIT
;
1822 if ((flags
& HDB_F_PRECHECK
))
1823 return 0; /* we can't guarantee whether we'll be able to perform it */
1825 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1829 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1831 ret
= HDB_ERR_NOENTRY
;
1835 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1837 ret
= HDB_ERR_NOENTRY
;
1841 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
1842 if (rc
!= LDAP_SUCCESS
) {
1843 ret
= HDB_ERR_BADVERSION
;
1844 krb5_set_error_message(context
, ret
, "ldap_set_option: %s",
1845 ldap_err2string(rc
));
1849 rc
= ldap_delete_ext_s(HDB2LDAP(db
), dn
, NULL
, NULL
);
1850 if (check_ldap(context
, db
, rc
)) {
1851 ret
= HDB_ERR_CANT_LOCK_DB
;
1852 krb5_set_error_message(context
, ret
, "ldap_delete_ext_s: %s",
1853 ldap_err2string(rc
));
1866 static krb5_error_code
1867 LDAP_destroy(krb5_context context
, HDB
* db
)
1869 krb5_error_code ret
;
1871 LDAP_close(context
, db
);
1873 ret
= hdb_clear_master_key(context
, db
);
1877 free(HDB2CREATE(db
));
1888 static krb5_error_code
1889 hdb_ldap_common(krb5_context context
,
1891 const char *search_base
,
1894 struct hdbldapdb
*h
;
1895 const char *create_base
= NULL
;
1896 const char *ldap_secret_file
= NULL
;
1898 if (url
== NULL
|| url
[0] == '\0') {
1900 p
= krb5_config_get_string(context
, NULL
, "kdc",
1901 "hdb-ldap-url", NULL
);
1903 p
= default_ldap_url
;
1908 if (search_base
== NULL
|| search_base
[0] == '\0') {
1909 krb5_set_error_message(context
, ENOMEM
, "ldap search base not configured");
1910 return ENOMEM
; /* XXX */
1913 if (structural_object
== NULL
) {
1916 p
= krb5_config_get_string(context
, NULL
, "kdc",
1917 "hdb-ldap-structural-object", NULL
);
1919 p
= default_structural_object
;
1920 structural_object
= strdup(p
);
1921 if (structural_object
== NULL
) {
1922 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1928 krb5_config_get_bool_default(context
, NULL
, TRUE
,
1929 "kdc", "hdb-samba-forwardable", NULL
);
1931 *db
= calloc(1, sizeof(**db
));
1933 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1936 memset(*db
, 0, sizeof(**db
));
1938 h
= calloc(1, sizeof(*h
));
1942 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1948 if (asprintf(&(*db
)->hdb_name
, "ldap:%s", search_base
) == -1) {
1949 LDAP_destroy(context
, *db
);
1951 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1955 h
->h_url
= strdup(url
);
1956 h
->h_base
= strdup(search_base
);
1957 if (h
->h_url
== NULL
|| h
->h_base
== NULL
) {
1958 LDAP_destroy(context
, *db
);
1960 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1964 ldap_secret_file
= krb5_config_get_string(context
, NULL
, "kdc",
1965 "hdb-ldap-secret-file", NULL
);
1966 if (ldap_secret_file
!= NULL
) {
1967 krb5_config_binding
*tmp
;
1968 krb5_error_code ret
;
1971 ret
= krb5_config_parse_file(context
, ldap_secret_file
, &tmp
);
1975 p
= krb5_config_get_string(context
, tmp
, "kdc",
1976 "hdb-ldap-bind-dn", NULL
);
1978 h
->h_bind_dn
= strdup(p
);
1980 p
= krb5_config_get_string(context
, tmp
, "kdc",
1981 "hdb-ldap-bind-password", NULL
);
1983 h
->h_bind_password
= strdup(p
);
1985 krb5_config_file_free(context
, tmp
);
1989 krb5_config_get_bool_default(context
, NULL
, FALSE
,
1990 "kdc", "hdb-ldap-start-tls", NULL
);
1992 create_base
= krb5_config_get_string(context
, NULL
, "kdc",
1993 "hdb-ldap-create-base", NULL
);
1994 if (create_base
== NULL
)
1995 create_base
= h
->h_base
;
1997 h
->h_createbase
= strdup(create_base
);
1998 if (h
->h_createbase
== NULL
) {
1999 LDAP_destroy(context
, *db
);
2001 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
2005 (*db
)->hdb_master_key_set
= 0;
2006 (*db
)->hdb_openp
= 0;
2007 (*db
)->hdb_capability_flags
= HDB_CAP_F_SHARED_DIRECTORY
;
2008 (*db
)->hdb_open
= LDAP_open
;
2009 (*db
)->hdb_close
= LDAP_close
;
2010 (*db
)->hdb_fetch_kvno
= LDAP_fetch_kvno
;
2011 (*db
)->hdb_store
= LDAP_store
;
2012 (*db
)->hdb_remove
= LDAP_remove
;
2013 (*db
)->hdb_firstkey
= LDAP_firstkey
;
2014 (*db
)->hdb_nextkey
= LDAP_nextkey
;
2015 (*db
)->hdb_lock
= LDAP_lock
;
2016 (*db
)->hdb_unlock
= LDAP_unlock
;
2017 (*db
)->hdb_rename
= NULL
;
2018 (*db
)->hdb__get
= NULL
;
2019 (*db
)->hdb__put
= NULL
;
2020 (*db
)->hdb__del
= NULL
;
2021 (*db
)->hdb_destroy
= LDAP_destroy
;
2027 hdb_ldap_create(krb5_context context
, HDB
** db
, const char *arg
)
2029 return hdb_ldap_common(context
, db
, arg
, NULL
);
2033 hdb_ldapi_create(krb5_context context
, HDB
** db
, const char *arg
)
2035 krb5_error_code ret
;
2036 char *search_base
, *p
;
2038 asprintf(&p
, "ldapi:%s", arg
);
2041 krb5_set_error_message(context
, ENOMEM
, "out of memory");
2044 search_base
= strchr(p
+ strlen("ldapi://"), ':');
2045 if (search_base
== NULL
) {
2047 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
2048 "search base missing");
2049 return HDB_ERR_BADVERSION
;
2051 *search_base
= '\0';
2054 ret
= hdb_ldap_common(context
, db
, search_base
, p
);
2059 #ifdef OPENLDAP_MODULE
2062 static krb5_error_code
2063 init(krb5_context context
, void **ctx
)
2074 struct hdb_method hdb_ldap_interface
= {
2075 HDB_INTERFACE_VERSION
,
2082 struct hdb_method hdb_ldapi_interface
= {
2083 HDB_INTERFACE_VERSION
,
2092 #endif /* OPENLDAP */