search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
clean files
[heimdal.git] / lib / hdb / hdb-ldap.c
blob767d88ee6a09fa006a67f0043cea296861cc7a5f
1 /*
2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "hdb_locl.h"
36
37 #ifdef OPENLDAP
38
39 #include <lber.h>
40 #include <ldap.h>
41 #include <sys/un.h>
42 #include <hex.h>
43
44 static krb5_error_code LDAP__connect(krb5_context context, HDB *);
45 static krb5_error_code LDAP_close(krb5_context context, HDB *);
46
47 static krb5_error_code hdb_ldap_create(krb5_context context, HDB **, const char *);
48 static krb5_error_code hdb_ldapi_create(krb5_context context, HDB **, const char *);
49
50 static krb5_error_code
51 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
52 int flags, hdb_entry_ex * ent);
53
54 static const char *default_structural_object = "account";
55 static char *structural_object;
56 static const char *default_ldap_url = "ldapi:///";
57 static krb5_boolean samba_forwardable;
58
59 struct hdbldapdb {
60 LDAP *h_lp;
61 int h_msgid;
62 char *h_base;
63 char *h_url;
64 char *h_bind_dn;
65 char *h_bind_password;
66 krb5_boolean h_start_tls;
67 char *h_createbase;
68 };
69
70 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
71 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
72 #define HDBSETMSGID(db,msgid) \
73 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
74 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
75 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
76 #define HDB2BINDDN(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_dn)
77 #define HDB2BINDPW(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_password)
78 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
79
80 /*
81 *
82 */
83
84 static char * krb5kdcentry_attrs[] = {
85 "cn",
86 "createTimestamp",
87 "creatorsName",
88 "krb5EncryptionType",
89 "krb5KDCFlags",
90 "krb5Key",
91 "krb5KeyVersionNumber",
92 "krb5MaxLife",
93 "krb5MaxRenew",
94 "krb5PasswordEnd",
95 "krb5PrincipalName",
96 "krb5PrincipalRealm",
97 "krb5ValidEnd",
98 "krb5ValidStart",
99 "modifiersName",
100 "modifyTimestamp",
101 "objectClass",
102 "sambaAcctFlags",
103 "sambaKickoffTime",
104 "sambaNTPassword",
105 "sambaPwdLastSet",
106 "sambaPwdMustChange",
107 "uid",
108 NULL
109 };
110
111 static char *krb5principal_attrs[] = {
112 "cn",
113 "createTimestamp",
114 "creatorsName",
115 "krb5PrincipalName",
116 "krb5PrincipalRealm",
117 "modifiersName",
118 "modifyTimestamp",
119 "objectClass",
120 "uid",
121 NULL
122 };
123
124 static int
125 LDAP_no_size_limit(krb5_context context, LDAP *lp)
126 {
127 int ret, limit = LDAP_NO_LIMIT;
128
129 ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
130 if (ret != LDAP_SUCCESS) {
131 krb5_set_error_message(context, HDB_ERR_BADVERSION,
132 "ldap_set_option: %s",
133 ldap_err2string(ret));
134 return HDB_ERR_BADVERSION;
135 }
136 return 0;
137 }
138
139 static int
140 check_ldap(krb5_context context, HDB *db, int ret)
141 {
142 switch (ret) {
143 case LDAP_SUCCESS:
144 return 0;
145 case LDAP_SERVER_DOWN:
146 LDAP_close(context, db);
147 return 1;
148 default:
149 return 1;
150 }
151 }
152
153 static krb5_error_code
154 LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
155 int *pIndex)
156 {
157 int cMods;
158
159 if (*modlist == NULL) {
160 *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
161 if (*modlist == NULL)
162 return ENOMEM;
163 }
164
165 for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
166 if ((*modlist)[cMods]->mod_op == modop &&
167 strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
168 break;
169 }
170 }
171
172 *pIndex = cMods;
173
174 if ((*modlist)[cMods] == NULL) {
175 LDAPMod *mod;
176
177 *modlist = (LDAPMod **)ber_memrealloc(*modlist,
178 (cMods + 2) * sizeof(LDAPMod *));
179 if (*modlist == NULL)
180 return ENOMEM;
181
182 (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
183 if ((*modlist)[cMods] == NULL)
184 return ENOMEM;
185
186 mod = (*modlist)[cMods];
187 mod->mod_op = modop;
188 mod->mod_type = ber_strdup(attribute);
189 if (mod->mod_type == NULL) {
190 ber_memfree(mod);
191 (*modlist)[cMods] = NULL;
192 return ENOMEM;
193 }
194
195 if (modop & LDAP_MOD_BVALUES) {
196 mod->mod_bvalues = NULL;
197 } else {
198 mod->mod_values = NULL;
199 }
200
201 (*modlist)[cMods + 1] = NULL;
202 }
203
204 return 0;
205 }
206
207 static krb5_error_code
208 LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
209 unsigned char *value, size_t len)
210 {
211 krb5_error_code ret;
212 int cMods, i = 0;
213
214 ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
215 if (ret)
216 return ret;
217
218 if (value != NULL) {
219 struct berval **bv;
220
221 bv = (*modlist)[cMods]->mod_bvalues;
222 if (bv != NULL) {
223 for (i = 0; bv[i] != NULL; i++)
224 ;
225 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
226 } else
227 bv = ber_memalloc(2 * sizeof(*bv));
228 if (bv == NULL)
229 return ENOMEM;
230
231 (*modlist)[cMods]->mod_bvalues = bv;
232
233 bv[i] = ber_memalloc(sizeof(**bv));;
234 if (bv[i] == NULL)
235 return ENOMEM;
236
237 bv[i]->bv_val = (void *)value;
238 bv[i]->bv_len = len;
239
240 bv[i + 1] = NULL;
241 }
242
243 return 0;
244 }
245
246 static krb5_error_code
247 LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
248 const char *value)
249 {
250 int cMods, i = 0;
251 krb5_error_code ret;
252
253 ret = LDAP__setmod(modlist, modop, attribute, &cMods);
254 if (ret)
255 return ret;
256
257 if (value != NULL) {
258 char **bv;
259
260 bv = (*modlist)[cMods]->mod_values;
261 if (bv != NULL) {
262 for (i = 0; bv[i] != NULL; i++)
263 ;
264 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
265 } else
266 bv = ber_memalloc(2 * sizeof(*bv));
267 if (bv == NULL)
268 return ENOMEM;
269
270 (*modlist)[cMods]->mod_values = bv;
271
272 bv[i] = ber_strdup(value);
273 if (bv[i] == NULL)
274 return ENOMEM;
275
276 bv[i + 1] = NULL;
277 }
278
279 return 0;
280 }
281
282 static krb5_error_code
283 LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
284 const char *attribute, KerberosTime * time)
285 {
286 char buf[22];
287 struct tm *tm;
288
289 /* XXX not threadsafe */
290 tm = gmtime(time);
291 strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
292
293 return LDAP_addmod(mods, modop, attribute, buf);
294 }
295
296 static krb5_error_code
297 LDAP_addmod_integer(krb5_context context,
298 LDAPMod *** mods, int modop,
299 const char *attribute, unsigned long l)
300 {
301 krb5_error_code ret;
302 char *buf;
303
304 ret = asprintf(&buf, "%ld", l);
305 if (ret < 0) {
306 krb5_set_error_message(context, ENOMEM,
307 "asprintf: out of memory:");
308 return ENOMEM;
309 }
310 ret = LDAP_addmod(mods, modop, attribute, buf);
311 free (buf);
312 return ret;
313 }
314
315 static krb5_error_code
316 LDAP_get_string_value(HDB * db, LDAPMessage * entry,
317 const char *attribute, char **ptr)
318 {
319 struct berval **vals;
320
321 vals = ldap_get_values_len(HDB2LDAP(db), entry, attribute);
322 if (vals == NULL || vals[0] == NULL) {
323 *ptr = NULL;
324 return HDB_ERR_NOENTRY;
325 }
326
327 *ptr = malloc(vals[0]->bv_len + 1);
328 if (*ptr == NULL) {
329 ldap_value_free_len(vals);
330 return ENOMEM;
331 }
332
333 memcpy(*ptr, vals[0]->bv_val, vals[0]->bv_len);
334 (*ptr)[vals[0]->bv_len] = 0;
335
336 ldap_value_free_len(vals);
337
338 return 0;
339 }
340
341 static krb5_error_code
342 LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
343 const char *attribute, int *ptr)
344 {
345 krb5_error_code ret;
346 char *val;
347
348 ret = LDAP_get_string_value(db, entry, attribute, &val);
349 if (ret)
350 return ret;
351 *ptr = atoi(val);
352 free(val);
353 return 0;
354 }
355
356 static krb5_error_code
357 LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
358 const char *attribute, KerberosTime * kt)
359 {
360 char *tmp, *gentime;
361 struct tm tm;
362 int ret;
363
364 *kt = 0;
365
366 ret = LDAP_get_string_value(db, entry, attribute, &gentime);
367 if (ret)
368 return ret;
369
370 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
371 if (tmp == NULL) {
372 free(gentime);
373 return HDB_ERR_NOENTRY;
374 }
375
376 free(gentime);
377
378 *kt = timegm(&tm);
379
380 return 0;
381 }
382
383 static int
384 bervalstrcmp(struct berval *v, const char *str)
385 {
386 size_t len = strlen(str);
387 return (v->bv_len == len) && strncasecmp(str, (char *)v->bv_val, len) == 0;
388 }
389
390
391 static krb5_error_code
392 LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
393 LDAPMessage * msg, LDAPMod *** pmods)
394 {
395 krb5_error_code ret;
396 krb5_boolean is_new_entry;
397 char *tmp = NULL;
398 LDAPMod **mods = NULL;
399 hdb_entry_ex orig;
400 unsigned long oflags, nflags;
401 int i;
402
403 krb5_boolean is_samba_account = FALSE;
404 krb5_boolean is_account = FALSE;
405 krb5_boolean is_heimdal_entry = FALSE;
406 krb5_boolean is_heimdal_principal = FALSE;
407
408 struct berval **vals;
409
410 *pmods = NULL;
411
412 if (msg != NULL) {
413
414 ret = LDAP_message2entry(context, db, msg, 0, &orig);
415 if (ret)
416 goto out;
417
418 is_new_entry = FALSE;
419
420 vals = ldap_get_values_len(HDB2LDAP(db), msg, "objectClass");
421 if (vals) {
422 int num_objectclasses = ldap_count_values_len(vals);
423 for (i=0; i < num_objectclasses; i++) {
424 if (bervalstrcmp(vals[i], "sambaSamAccount"))
425 is_samba_account = TRUE;
426 else if (bervalstrcmp(vals[i], structural_object))
427 is_account = TRUE;
428 else if (bervalstrcmp(vals[i], "krb5Principal"))
429 is_heimdal_principal = TRUE;
430 else if (bervalstrcmp(vals[i], "krb5KDCEntry"))
431 is_heimdal_entry = TRUE;
432 }
433 ldap_value_free_len(vals);
434 }
435
436 /*
437 * If this is just a "account" entry and no other objectclass
438 * is hanging on this entry, it's really a new entry.
439 */
440 if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
441 is_heimdal_entry == FALSE) {
442 if (is_account == TRUE) {
443 is_new_entry = TRUE;
444 } else {
445 ret = HDB_ERR_NOENTRY;
446 goto out;
447 }
448 }
449 } else
450 is_new_entry = TRUE;
451
452 if (is_new_entry) {
453
454 /* to make it perfectly obvious we're depending on
455 * orig being intiialized to zero */
456 memset(&orig, 0, sizeof(orig));
457
458 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
459 if (ret)
460 goto out;
461
462 /* account is the structural object class */
463 if (is_account == FALSE) {
464 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
465 structural_object);
466 is_account = TRUE;
467 if (ret)
468 goto out;
469 }
470
471 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
472 is_heimdal_principal = TRUE;
473 if (ret)
474 goto out;
475
476 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
477 is_heimdal_entry = TRUE;
478 if (ret)
479 goto out;
480 }
481
482 if (is_new_entry ||
483 krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
484 == FALSE)
485 {
486 if (is_heimdal_principal || is_heimdal_entry) {
487
488 ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
489 if (ret)
490 goto out;
491
492 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
493 "krb5PrincipalName", tmp);
494 if (ret) {
495 free(tmp);
496 goto out;
497 }
498 free(tmp);
499 }
500
501 if (is_account || is_samba_account) {
502 ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
503 if (ret)
504 goto out;
505 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
506 if (ret) {
507 free(tmp);
508 goto out;
509 }
510 free(tmp);
511 }
512 }
513
514 if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
515 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
516 "krb5KeyVersionNumber",
517 ent->entry.kvno);
518 if (ret)
519 goto out;
520 }
521
522 if (is_heimdal_entry && ent->entry.valid_start) {
523 if (orig.entry.valid_end == NULL
524 || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
525 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
526 "krb5ValidStart",
527 ent->entry.valid_start);
528 if (ret)
529 goto out;
530 }
531 }
532
533 if (ent->entry.valid_end) {
534 if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
535 if (is_heimdal_entry) {
536 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
537 "krb5ValidEnd",
538 ent->entry.valid_end);
539 if (ret)
540 goto out;
541 }
542 if (is_samba_account) {
543 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
544 "sambaKickoffTime",
545 *(ent->entry.valid_end));
546 if (ret)
547 goto out;
548 }
549 }
550 }
551
552 if (ent->entry.pw_end) {
553 if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
554 if (is_heimdal_entry) {
555 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
556 "krb5PasswordEnd",
557 ent->entry.pw_end);
558 if (ret)
559 goto out;
560 }
561
562 if (is_samba_account) {
563 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
564 "sambaPwdMustChange",
565 *(ent->entry.pw_end));
566 if (ret)
567 goto out;
568 }
569 }
570 }
571
572
573 #if 0 /* we we have last_pw_change */
574 if (is_samba_account && ent->entry.last_pw_change) {
575 if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
576 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
577 "sambaPwdLastSet",
578 *(ent->entry.last_pw_change));
579 if (ret)
580 goto out;
581 }
582 }
583 #endif
584
585 if (is_heimdal_entry && ent->entry.max_life) {
586 if (orig.entry.max_life == NULL
587 || (*(ent->entry.max_life) != *(orig.entry.max_life))) {
588
589 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
590 "krb5MaxLife",
591 *(ent->entry.max_life));
592 if (ret)
593 goto out;
594 }
595 }
596
597 if (is_heimdal_entry && ent->entry.max_renew) {
598 if (orig.entry.max_renew == NULL
599 || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
600
601 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
602 "krb5MaxRenew",
603 *(ent->entry.max_renew));
604 if (ret)
605 goto out;
606 }
607 }
608
609 oflags = HDBFlags2int(orig.entry.flags);
610 nflags = HDBFlags2int(ent->entry.flags);
611
612 if (is_heimdal_entry && oflags != nflags) {
613
614 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
615 "krb5KDCFlags",
616 nflags);
617 if (ret)
618 goto out;
619 }
620
621 /* Remove keys if they exists, and then replace keys. */
622 if (!is_new_entry && orig.entry.keys.len > 0) {
623 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
624 if (vals) {
625 ldap_value_free_len(vals);
626
627 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
628 if (ret)
629 goto out;
630 }
631 }
632
633 for (i = 0; i < ent->entry.keys.len; i++) {
634
635 if (is_samba_account
636 && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
637 char *ntHexPassword;
638 char *nt;
639 time_t now = time(NULL);
640
641 /* the key might have been 'sealed', but samba passwords
642 are clear in the directory */
643 ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
644 if (ret)
645 goto out;
646
647 nt = ent->entry.keys.val[i].key.keyvalue.data;
648 /* store in ntPassword, not krb5key */
649 ret = hex_encode(nt, 16, &ntHexPassword);
650 if (ret < 0) {
651 ret = ENOMEM;
652 krb5_set_error_message(context, ret, "hdb-ldap: failed to "
653 "hex encode key");
654 goto out;
655 }
656 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",
657 ntHexPassword);
658 free(ntHexPassword);
659 if (ret)
660 goto out;
661 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
662 "sambaPwdLastSet", now);
663 if (ret)
664 goto out;
665
666 /* have to kill the LM passwod if it exists */
667 vals = ldap_get_values_len(HDB2LDAP(db), msg, "sambaLMPassword");
668 if (vals) {
669 ldap_value_free_len(vals);
670 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
671 "sambaLMPassword", NULL);
672 if (ret)
673 goto out;
674 }
675
676 } else if (is_heimdal_entry) {
677 unsigned char *buf;
678 size_t len, buf_size;
679
680 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
681 if (ret)
682 goto out;
683 if(buf_size != len)
684 krb5_abortx(context, "internal error in ASN.1 encoder");
685
686 /* addmod_len _owns_ the key, doesn't need to copy it */
687 ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
688 if (ret)
689 goto out;
690 }
691 }
692
693 if (ent->entry.etypes) {
694 int add_krb5EncryptionType = 0;
695
696 /*
697 * Only add/modify krb5EncryptionType if it's a new heimdal
698 * entry or krb5EncryptionType already exists on the entry.
699 */
700
701 if (!is_new_entry) {
702 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
703 if (vals) {
704 ldap_value_free_len(vals);
705 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
706 NULL);
707 if (ret)
708 goto out;
709 add_krb5EncryptionType = 1;
710 }
711 } else if (is_heimdal_entry)
712 add_krb5EncryptionType = 1;
713
714 if (add_krb5EncryptionType) {
715 for (i = 0; i < ent->entry.etypes->len; i++) {
716 if (is_samba_account &&
717 ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
718 {
719 ;
720 } else if (is_heimdal_entry) {
721 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
722 "krb5EncryptionType",
723 ent->entry.etypes->val[i]);
724 if (ret)
725 goto out;
726 }
727 }
728 }
729 }
730
731 /* for clarity */
732 ret = 0;
733
734 out:
735
736 if (ret == 0)
737 *pmods = mods;
738 else if (mods != NULL) {
739 ldap_mods_free(mods, 1);
740 *pmods = NULL;
741 }
742
743 if (msg)
744 hdb_free_entry(context, &orig);
745
746 return ret;
747 }
748
749 static krb5_error_code
750 LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
751 krb5_principal * principal)
752 {
753 krb5_error_code ret;
754 int rc;
755 const char *filter = "(objectClass=krb5Principal)";
756 LDAPMessage *res = NULL, *e;
757 char *p;
758
759 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
760 if (ret)
761 goto out;
762
763 rc = ldap_search_ext_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
764 filter, krb5principal_attrs, 0,
765 NULL, NULL, NULL,
766 0, &res);
767 if (check_ldap(context, db, rc)) {
768 ret = HDB_ERR_NOENTRY;
769 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
770 "filter: %s error: %s",
771 filter, ldap_err2string(rc));
772 goto out;
773 }
774
775 e = ldap_first_entry(HDB2LDAP(db), res);
776 if (e == NULL) {
777 ret = HDB_ERR_NOENTRY;
778 goto out;
779 }
780
781 ret = LDAP_get_string_value(db, e, "krb5PrincipalName", &p);
782 if (ret) {
783 ret = HDB_ERR_NOENTRY;
784 goto out;
785 }
786
787 ret = krb5_parse_name(context, p, principal);
788 free(p);
789
790 out:
791 if (res)
792 ldap_msgfree(res);
793
794 return ret;
795 }
796
797 static int
798 need_quote(unsigned char c)
799 {
800 return (c & 0x80) ||
801 (c < 32) ||
802 (c == '(') ||
803 (c == ')') ||
804 (c == '*') ||
805 (c == '\\') ||
806 (c == 0x7f);
807 }
808
809 static const char hexchar[] = "0123456789ABCDEF";
810
811 static krb5_error_code
812 escape_value(krb5_context context, const char *unquoted, char **quoted)
813 {
814 size_t i, len;
815
816 for (i = 0, len = 0; unquoted[i] != '\0'; i++, len++) {
817 if (need_quote((unsigned char)unquoted[i]))
818 len += 2;
819 }
820
821 *quoted = malloc(len + 1);
822 if (*quoted == NULL) {
823 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
824 return ENOMEM;
825 }
826
827 for (i = 0; unquoted[0] ; unquoted++) {
828 if (need_quote((unsigned char)unquoted[0])) {
829 (*quoted)[i++] = '\\';
830 (*quoted)[i++] = hexchar[(unquoted[0] >> 4) & 0xf];
831 (*quoted)[i++] = hexchar[(unquoted[0] ) & 0xf];
832 } else
833 (*quoted)[i++] = (char)unquoted[0];
834 }
835 (*quoted)[i] = '\0';
836 return 0;
837 }
838
839
840 static krb5_error_code
841 LDAP__lookup_princ(krb5_context context,
842 HDB *db,
843 const char *princname,
844 const char *userid,
845 LDAPMessage **msg)
846 {
847 krb5_error_code ret;
848 int rc;
849 char *quote, *filter = NULL;
850
851 ret = LDAP__connect(context, db);
852 if (ret)
853 return ret;
854
855 /*
856 * Quote searches that contain filter language, this quote
857 * searches for *@REALM, which takes very long time.
858 */
859
860 ret = escape_value(context, princname, &quote);
861 if (ret)
862 goto out;
863
864 rc = asprintf(&filter,
865 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
866 quote);
867 free(quote);
868
869 if (rc < 0) {
870 ret = ENOMEM;
871 krb5_set_error_message(context, ret, "malloc: out of memory");
872 goto out;
873 }
874
875 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
876 if (ret)
877 goto out;
878
879 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db),
880 LDAP_SCOPE_SUBTREE, filter,
881 krb5kdcentry_attrs, 0,
882 NULL, NULL, NULL,
883 0, msg);
884 if (check_ldap(context, db, rc)) {
885 ret = HDB_ERR_NOENTRY;
886 krb5_set_error_message(context, ret, "ldap_search_ext_s: "
887 "filter: %s - error: %s",
888 filter, ldap_err2string(rc));
889 goto out;
890 }
891
892 if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
893 free(filter);
894 filter = NULL;
895 ldap_msgfree(*msg);
896 *msg = NULL;
897
898 ret = escape_value(context, userid, &quote);
899 if (ret)
900 goto out;
901
902 rc = asprintf(&filter,
903 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
904 structural_object, quote);
905 free(quote);
906 if (rc < 0) {
907 ret = ENOMEM;
908 krb5_set_error_message(context, ret, "asprintf: out of memory");
909 goto out;
910 }
911
912 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
913 if (ret)
914 goto out;
915
916 rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,
917 filter, krb5kdcentry_attrs, 0,
918 NULL, NULL, NULL,
919 0, msg);
920 if (check_ldap(context, db, rc)) {
921 ret = HDB_ERR_NOENTRY;
922 krb5_set_error_message(context, ret,
923 "ldap_search_ext_s: filter: %s error: %s",
924 filter, ldap_err2string(rc));
925 goto out;
926 }
927 }
928
929 ret = 0;
930
931 out:
932 if (filter)
933 free(filter);
934
935 return ret;
936 }
937
938 static krb5_error_code
939 LDAP_principal2message(krb5_context context, HDB * db,
940 krb5_const_principal princ, LDAPMessage ** msg)
941 {
942 char *name, *name_short = NULL;
943 krb5_error_code ret;
944 krb5_realm *r, *r0;
945
946 *msg = NULL;
947
948 ret = krb5_unparse_name(context, princ, &name);
949 if (ret)
950 return ret;
951
952 ret = krb5_get_default_realms(context, &r0);
953 if(ret) {
954 free(name);
955 return ret;
956 }
957 for (r = r0; *r != NULL; r++) {
958 if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
959 ret = krb5_unparse_name_short(context, princ, &name_short);
960 if (ret) {
961 krb5_free_host_realm(context, r0);
962 free(name);
963 return ret;
964 }
965 break;
966 }
967 }
968 krb5_free_host_realm(context, r0);
969
970 ret = LDAP__lookup_princ(context, db, name, name_short, msg);
971 free(name);
972 free(name_short);
973
974 return ret;
975 }
976
977 /*
978 * Construct an hdb_entry from a directory entry.
979 */
980 static krb5_error_code
981 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
982 int flags, hdb_entry_ex * ent)
983 {
984 char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
985 char *samba_acct_flags = NULL;
986 struct berval **keys;
987 struct berval **vals;
988 int tmp, tmp_time, i, ret, have_arcfour = 0;
989
990 memset(ent, 0, sizeof(*ent));
991 ent->entry.flags = int2HDBFlags(0);
992
993 ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
994 if (ret == 0) {
995 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
996 if (ret)
997 goto out;
998 } else {
999 ret = LDAP_get_string_value(db, msg, "uid",
1000 &unparsed_name);
1001 if (ret == 0) {
1002 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
1003 if (ret)
1004 goto out;
1005 } else {
1006 krb5_set_error_message(context, HDB_ERR_NOENTRY,
1007 "hdb-ldap: ldap entry missing"
1008 "principal name");
1009 return HDB_ERR_NOENTRY;
1010 }
1011 }
1012
1013 {
1014 int integer;
1015 ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
1016 &integer);
1017 if (ret)
1018 ent->entry.kvno = 0;
1019 else
1020 ent->entry.kvno = integer;
1021 }
1022
1023 keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
1024 if (keys != NULL) {
1025 size_t l;
1026
1027 ent->entry.keys.len = ldap_count_values_len(keys);
1028 ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
1029 if (ent->entry.keys.val == NULL) {
1030 ret = ENOMEM;
1031 krb5_set_error_message(context, ret, "calloc: out of memory");
1032 goto out;
1033 }
1034 for (i = 0; i < ent->entry.keys.len; i++) {
1035 decode_Key((unsigned char *) keys[i]->bv_val,
1036 (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
1037 }
1038 ber_bvecfree(keys);
1039 } else {
1040 #if 1
1041 /*
1042 * This violates the ASN1 but it allows a principal to
1043 * be related to a general directory entry without creating
1044 * the keys. Hopefully it's OK.
1045 */
1046 ent->entry.keys.len = 0;
1047 ent->entry.keys.val = NULL;
1048 #else
1049 ret = HDB_ERR_NOENTRY;
1050 goto out;
1051 #endif
1052 }
1053
1054 vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
1055 if (vals != NULL) {
1056 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1057 if (ent->entry.etypes == NULL) {
1058 ret = ENOMEM;
1059 krb5_set_error_message(context, ret,"malloc: out of memory");
1060 goto out;
1061 }
1062 ent->entry.etypes->len = ldap_count_values_len(vals);
1063 ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));
1064 if (ent->entry.etypes->val == NULL) {
1065 ret = ENOMEM;
1066 krb5_set_error_message(context, ret, "malloc: out of memory");
1067 ent->entry.etypes->len = 0;
1068 goto out;
1069 }
1070 for (i = 0; i < ent->entry.etypes->len; i++) {
1071 char *buf;
1072
1073 buf = malloc(vals[i]->bv_len + 1);
1074 if (buf == NULL) {
1075 ret = ENOMEM;
1076 krb5_set_error_message(context, ret, "malloc: out of memory");
1077 goto out;
1078 }
1079 memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
1080 buf[vals[i]->bv_len] = '\0';
1081 ent->entry.etypes->val[i] = atoi(buf);
1082 free(buf);
1083 }
1084 ldap_value_free_len(vals);
1085 }
1086
1087 for (i = 0; i < ent->entry.keys.len; i++) {
1088 if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
1089 have_arcfour = 1;
1090 break;
1091 }
1092 }
1093
1094 /* manually construct the NT (type 23) key */
1095 ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
1096 if (ret == 0 && have_arcfour == 0) {
1097 unsigned *etypes;
1098
1099 keys = realloc(ent->entry.keys.val,
1100 (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));
1101 if (keys == NULL) {
1102 free(ntPasswordIN);
1103 ret = ENOMEM;
1104 krb5_set_error_message(context, ret, "malloc: out of memory");
1105 goto out;
1106 }
1107 ent->entry.keys.val = keys;
1108 memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
1109 ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
1110 ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
1111 if (ret) {
1112 krb5_set_error_message(context, ret, "malloc: out of memory");
1113 free(ntPasswordIN);
1114 ret = ENOMEM;
1115 goto out;
1116 }
1117 ret = hex_decode(ntPasswordIN,
1118 ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
1119 ent->entry.keys.len++;
1120
1121 if (ent->entry.etypes == NULL) {
1122 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1123 if (ent->entry.etypes == NULL) {
1124 ret = ENOMEM;
1125 krb5_set_error_message(context, ret, "malloc: out of memory");
1126 goto out;
1127 }
1128 ent->entry.etypes->val = NULL;
1129 ent->entry.etypes->len = 0;
1130 }
1131
1132 for (i = 0; i < ent->entry.etypes->len; i++)
1133 if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
1134 break;
1135 /* If there is no ARCFOUR enctype, add one */
1136 if (i == ent->entry.etypes->len) {
1137 etypes = realloc(ent->entry.etypes->val,
1138 (ent->entry.etypes->len + 1) *
1139 sizeof(ent->entry.etypes->val[0]));
1140 if (etypes == NULL) {
1141 ret = ENOMEM;
1142 krb5_set_error_message(context, ret, "malloc: out of memory");
1143 goto out;
1144 }
1145 ent->entry.etypes->val = etypes;
1146 ent->entry.etypes->val[ent->entry.etypes->len] =
1147 ETYPE_ARCFOUR_HMAC_MD5;
1148 ent->entry.etypes->len++;
1149 }
1150 }
1151
1152 ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
1153 &ent->entry.created_by.time);
1154 if (ret)
1155 ent->entry.created_by.time = time(NULL);
1156
1157 ent->entry.created_by.principal = NULL;
1158
1159 if (flags & HDB_F_ADMIN_DATA) {
1160 ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
1161 if (ret == 0) {
1162 LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal);
1163 free(dn);
1164 }
1165
1166 ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by));
1167 if (ent->entry.modified_by == NULL) {
1168 ret = ENOMEM;
1169 krb5_set_error_message(context, ret, "malloc: out of memory");
1170 goto out;
1171 }
1172
1173 ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
1174 &ent->entry.modified_by->time);
1175 if (ret == 0) {
1176 ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
1177 if (ret == 0) {
1178 LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal);
1179 free(dn);
1180 } else {
1181 free(ent->entry.modified_by);
1182 ent->entry.modified_by = NULL;
1183 }
1184 }
1185 }
1186
1187 ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
1188 if (ent->entry.valid_start == NULL) {
1189 ret = ENOMEM;
1190 krb5_set_error_message(context, ret, "malloc: out of memory");
1191 goto out;
1192 }
1193 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
1194 ent->entry.valid_start);
1195 if (ret) {
1196 /* OPTIONAL */
1197 free(ent->entry.valid_start);
1198 ent->entry.valid_start = NULL;
1199 }
1200
1201 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1202 if (ent->entry.valid_end == NULL) {
1203 ret = ENOMEM;
1204 krb5_set_error_message(context, ret, "malloc: out of memory");
1205 goto out;
1206 }
1207 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
1208 ent->entry.valid_end);
1209 if (ret) {
1210 /* OPTIONAL */
1211 free(ent->entry.valid_end);
1212 ent->entry.valid_end = NULL;
1213 }
1214
1215 ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
1216 if (ret == 0) {
1217 if (ent->entry.valid_end == NULL) {
1218 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1219 if (ent->entry.valid_end == NULL) {
1220 ret = ENOMEM;
1221 krb5_set_error_message(context, ret, "malloc: out of memory");
1222 goto out;
1223 }
1224 }
1225 *ent->entry.valid_end = tmp_time;
1226 }
1227
1228 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1229 if (ent->entry.pw_end == NULL) {
1230 ret = ENOMEM;
1231 krb5_set_error_message(context, ret, "malloc: out of memory");
1232 goto out;
1233 }
1234 ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
1235 ent->entry.pw_end);
1236 if (ret) {
1237 /* OPTIONAL */
1238 free(ent->entry.pw_end);
1239 ent->entry.pw_end = NULL;
1240 }
1241
1242 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1243 if (ret == 0) {
1244 time_t delta;
1245
1246 delta = krb5_config_get_time_default(context, NULL,
1247 0,
1248 "kadmin",
1249 "password_lifetime",
1250 NULL);
1251
1252 if (delta) {
1253 if (ent->entry.pw_end == NULL) {
1254 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1255 if (ent->entry.pw_end == NULL) {
1256 ret = ENOMEM;
1257 krb5_set_error_message(context, ret, "malloc: out of memory");
1258 goto out;
1259 }
1260 }
1261
1262 *ent->entry.pw_end = tmp_time + delta;
1263 }
1264 }
1265
1266 ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
1267 if (ret == 0) {
1268 if (ent->entry.pw_end == NULL) {
1269 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1270 if (ent->entry.pw_end == NULL) {
1271 ret = ENOMEM;
1272 krb5_set_error_message(context, ret, "malloc: out of memory");
1273 goto out;
1274 }
1275 }
1276 *ent->entry.pw_end = tmp_time;
1277 }
1278
1279 /* OPTIONAL */
1280 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1281 if (ret == 0)
1282 hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
1283
1284 {
1285 int max_life;
1286
1287 ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
1288 if (ent->entry.max_life == NULL) {
1289 ret = ENOMEM;
1290 krb5_set_error_message(context, ret, "malloc: out of memory");
1291 goto out;
1292 }
1293 ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
1294 if (ret) {
1295 free(ent->entry.max_life);
1296 ent->entry.max_life = NULL;
1297 } else
1298 *ent->entry.max_life = max_life;
1299 }
1300
1301 {
1302 int max_renew;
1303
1304 ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
1305 if (ent->entry.max_renew == NULL) {
1306 ret = ENOMEM;
1307 krb5_set_error_message(context, ret, "malloc: out of memory");
1308 goto out;
1309 }
1310 ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
1311 if (ret) {
1312 free(ent->entry.max_renew);
1313 ent->entry.max_renew = NULL;
1314 } else
1315 *ent->entry.max_renew = max_renew;
1316 }
1317
1318 ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
1319 if (ret)
1320 tmp = 0;
1321
1322 ent->entry.flags = int2HDBFlags(tmp);
1323
1324 /* Try and find Samba flags to put into the mix */
1325 ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
1326 if (ret == 0) {
1327 /* parse the [UXW...] string:
1328
1329 'N' No password
1330 'D' Disabled
1331 'H' Homedir required
1332 'T' Temp account.
1333 'U' User account (normal)
1334 'M' MNS logon user account - what is this ?
1335 'W' Workstation account
1336 'S' Server account
1337 'L' Locked account
1338 'X' No Xpiry on password
1339 'I' Interdomain trust account
1340
1341 */
1342
1343 int flags_len = strlen(samba_acct_flags);
1344
1345 if (flags_len < 2)
1346 goto out2;
1347
1348 if (samba_acct_flags[0] != '['
1349 || samba_acct_flags[flags_len - 1] != ']')
1350 goto out2;
1351
1352 /* Allow forwarding */
1353 if (samba_forwardable)
1354 ent->entry.flags.forwardable = TRUE;
1355
1356 for (i=0; i < flags_len; i++) {
1357 switch (samba_acct_flags[i]) {
1358 case ' ':
1359 case '[':
1360 case ']':
1361 break;
1362 case 'N':
1363 /* how to handle no password in kerberos? */
1364 break;
1365 case 'D':
1366 ent->entry.flags.invalid = TRUE;
1367 break;
1368 case 'H':
1369 break;
1370 case 'T':
1371 /* temp duplicate */
1372 ent->entry.flags.invalid = TRUE;
1373 break;
1374 case 'U':
1375 ent->entry.flags.client = TRUE;
1376 break;
1377 case 'M':
1378 break;
1379 case 'W':
1380 case 'S':
1381 ent->entry.flags.server = TRUE;
1382 ent->entry.flags.client = TRUE;
1383 break;
1384 case 'L':
1385 ent->entry.flags.invalid = TRUE;
1386 break;
1387 case 'X':
1388 if (ent->entry.pw_end) {
1389 free(ent->entry.pw_end);
1390 ent->entry.pw_end = NULL;
1391 }
1392 break;
1393 case 'I':
1394 ent->entry.flags.server = TRUE;
1395 ent->entry.flags.client = TRUE;
1396 break;
1397 }
1398 }
1399 out2:
1400 free(samba_acct_flags);
1401 }
1402
1403 ret = 0;
1404
1405 out:
1406 if (unparsed_name)
1407 free(unparsed_name);
1408
1409 if (ret)
1410 hdb_free_entry(context, ent);
1411
1412 return ret;
1413 }
1414
1415 static krb5_error_code
1416 LDAP_close(krb5_context context, HDB * db)
1417 {
1418 if (HDB2LDAP(db)) {
1419 ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
1420 ((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
1421 }
1422
1423 return 0;
1424 }
1425
1426 static krb5_error_code
1427 LDAP_lock(krb5_context context, HDB * db, int operation)
1428 {
1429 return 0;
1430 }
1431
1432 static krb5_error_code
1433 LDAP_unlock(krb5_context context, HDB * db)
1434 {
1435 return 0;
1436 }
1437
1438 static krb5_error_code
1439 LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
1440 {
1441 int msgid, rc, parserc;
1442 krb5_error_code ret;
1443 LDAPMessage *e;
1444
1445 msgid = HDB2MSGID(db);
1446 if (msgid < 0)
1447 return HDB_ERR_NOENTRY;
1448
1449 do {
1450 rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
1451 switch (rc) {
1452 case LDAP_RES_SEARCH_REFERENCE:
1453 ldap_msgfree(e);
1454 ret = 0;
1455 break;
1456 case LDAP_RES_SEARCH_ENTRY:
1457 /* We have an entry. Parse it. */
1458 ret = LDAP_message2entry(context, db, e, flags, entry);
1459 ldap_msgfree(e);
1460 break;
1461 case LDAP_RES_SEARCH_RESULT:
1462 /* We're probably at the end of the results. If not, abandon. */
1463 parserc =
1464 ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
1465 NULL, NULL, 1);
1466 ret = HDB_ERR_NOENTRY;
1467 if (parserc != LDAP_SUCCESS
1468 && parserc != LDAP_MORE_RESULTS_TO_RETURN) {
1469 krb5_set_error_message(context, ret, "ldap_parse_result: %s",
1470 ldap_err2string(parserc));
1471 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1472 }
1473 HDBSETMSGID(db, -1);
1474 break;
1475 case LDAP_SERVER_DOWN:
1476 ldap_msgfree(e);
1477 LDAP_close(context, db);
1478 HDBSETMSGID(db, -1);
1479 ret = ENETDOWN;
1480 break;
1481 default:
1482 /* Some unspecified error (timeout?). Abandon. */
1483 ldap_msgfree(e);
1484 ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1485 ret = HDB_ERR_NOENTRY;
1486 HDBSETMSGID(db, -1);
1487 break;
1488 }
1489 } while (rc == LDAP_RES_SEARCH_REFERENCE);
1490
1491 if (ret == 0) {
1492 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1493 ret = hdb_unseal_keys(context, db, &entry->entry);
1494 if (ret)
1495 hdb_free_entry(context, entry);
1496 }
1497 }
1498
1499 return ret;
1500 }
1501
1502 static krb5_error_code
1503 LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
1504 hdb_entry_ex *entry)
1505 {
1506 krb5_error_code ret;
1507 int msgid;
1508
1509 ret = LDAP__connect(context, db);
1510 if (ret)
1511 return ret;
1512
1513 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
1514 if (ret)
1515 return ret;
1516
1517 ret = ldap_search_ext(HDB2LDAP(db), HDB2BASE(db),
1518 LDAP_SCOPE_SUBTREE,
1519 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1520 krb5kdcentry_attrs, 0,
1521 NULL, NULL, NULL, 0, &msgid);
1522 if (msgid < 0)
1523 return HDB_ERR_NOENTRY;
1524
1525 HDBSETMSGID(db, msgid);
1526
1527 return LDAP_seq(context, db, flags, entry);
1528 }
1529
1530 static krb5_error_code
1531 LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
1532 hdb_entry_ex * entry)
1533 {
1534 return LDAP_seq(context, db, flags, entry);
1535 }
1536
1537 static krb5_error_code
1538 LDAP__connect(krb5_context context, HDB * db)
1539 {
1540 int rc, version = LDAP_VERSION3;
1541 /*
1542 * Empty credentials to do a SASL bind with LDAP. Note that empty
1543 * different from NULL credentials. If you provide NULL
1544 * credentials instead of empty credentials you will get a SASL
1545 * bind in progress message.
1546 */
1547 struct berval bv = { 0, "" };
1548 const char *sasl_method = "EXTERNAL";
1549 const char *bind_dn = NULL;
1550
1551 if (HDB2BINDDN(db) != NULL && HDB2BINDPW(db) != NULL) {
1552 /* A bind DN was specified; use SASL SIMPLE */
1553 bind_dn = HDB2BINDDN(db);
1554 sasl_method = LDAP_SASL_SIMPLE;
1555 bv.bv_val = HDB2BINDPW(db);
1556 bv.bv_len = strlen(bv.bv_val);
1557 }
1558
1559 if (HDB2LDAP(db)) {
1560 /* connection has been opened. ping server. */
1561 struct sockaddr_un addr;
1562 socklen_t len = sizeof(addr);
1563 int sd;
1564
1565 if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
1566 getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
1567 /* the other end has died. reopen. */
1568 LDAP_close(context, db);
1569 }
1570 }
1571
1572 if (HDB2LDAP(db) != NULL) /* server is UP */
1573 return 0;
1574
1575 rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));
1576 if (rc != LDAP_SUCCESS) {
1577 krb5_set_error_message(context, HDB_ERR_NOENTRY, "ldap_initialize: %s",
1578 ldap_err2string(rc));
1579 return HDB_ERR_NOENTRY;
1580 }
1581
1582 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
1583 (const void *)&version);
1584 if (rc != LDAP_SUCCESS) {
1585 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1586 "ldap_set_option: %s", ldap_err2string(rc));
1587 LDAP_close(context, db);
1588 return HDB_ERR_BADVERSION;
1589 }
1590
1591 if (((struct hdbldapdb *)db->hdb_db)->h_start_tls) {
1592 rc = ldap_start_tls_s(HDB2LDAP(db), NULL, NULL);
1593
1594 if (rc != LDAP_SUCCESS) {
1595 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1596 "ldap_start_tls_s: %s", ldap_err2string(rc));
1597 LDAP_close(context, db);
1598 return HDB_ERR_BADVERSION;
1599 }
1600 }
1601
1602 rc = ldap_sasl_bind_s(HDB2LDAP(db), bind_dn, sasl_method, &bv,
1603 NULL, NULL, NULL);
1604 if (rc != LDAP_SUCCESS) {
1605 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1606 "ldap_sasl_bind_s: %s", ldap_err2string(rc));
1607 LDAP_close(context, db);
1608 return HDB_ERR_BADVERSION;
1609 }
1610
1611 return 0;
1612 }
1613
1614 static krb5_error_code
1615 LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
1616 {
1617 /* Not the right place for this. */
1618 #ifdef HAVE_SIGACTION
1619 struct sigaction sa;
1620
1621 sa.sa_flags = 0;
1622 sa.sa_handler = SIG_IGN;
1623 sigemptyset(&sa.sa_mask);
1624
1625 sigaction(SIGPIPE, &sa, NULL);
1626 #else
1627 signal(SIGPIPE, SIG_IGN);
1628 #endif /* HAVE_SIGACTION */
1629
1630 return LDAP__connect(context, db);
1631 }
1632
1633 static krb5_error_code
1634 LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
1635 unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)
1636 {
1637 LDAPMessage *msg, *e;
1638 krb5_error_code ret;
1639
1640 ret = LDAP_principal2message(context, db, principal, &msg);
1641 if (ret)
1642 return ret;
1643
1644 e = ldap_first_entry(HDB2LDAP(db), msg);
1645 if (e == NULL) {
1646 ret = HDB_ERR_NOENTRY;
1647 goto out;
1648 }
1649
1650 ret = LDAP_message2entry(context, db, e, flags, entry);
1651 if (ret == 0) {
1652 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1653 ret = hdb_unseal_keys(context, db, &entry->entry);
1654 if (ret)
1655 hdb_free_entry(context, entry);
1656 }
1657 }
1658
1659 out:
1660 ldap_msgfree(msg);
1661
1662 return ret;
1663 }
1664
1665 static krb5_error_code
1666 LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
1667 unsigned flags, hdb_entry_ex * entry)
1668 {
1669 return LDAP_fetch_kvno(context, db, principal,
1670 flags & (~HDB_F_KVNO_SPECIFIED), 0, entry);
1671 }
1672
1673 static krb5_error_code
1674 LDAP_store(krb5_context context, HDB * db, unsigned flags,
1675 hdb_entry_ex * entry)
1676 {
1677 LDAPMod **mods = NULL;
1678 krb5_error_code ret;
1679 const char *errfn;
1680 int rc;
1681 LDAPMessage *msg = NULL, *e = NULL;
1682 char *dn = NULL, *name = NULL;
1683
1684 ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
1685 if (ret == 0)
1686 e = ldap_first_entry(HDB2LDAP(db), msg);
1687
1688 ret = krb5_unparse_name(context, entry->entry.principal, &name);
1689 if (ret) {
1690 free(name);
1691 return ret;
1692 }
1693
1694 ret = hdb_seal_keys(context, db, &entry->entry);
1695 if (ret)
1696 goto out;
1697
1698 /* turn new entry into LDAPMod array */
1699 ret = LDAP_entry2mods(context, db, entry, e, &mods);
1700 if (ret)
1701 goto out;
1702
1703 if (e == NULL) {
1704 ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
1705 if (ret < 0) {
1706 ret = ENOMEM;
1707 krb5_set_error_message(context, ret, "asprintf: out of memory");
1708 goto out;
1709 }
1710 } else if (flags & HDB_F_REPLACE) {
1711 /* Entry exists, and we're allowed to replace it. */
1712 dn = ldap_get_dn(HDB2LDAP(db), e);
1713 } else {
1714 /* Entry exists, but we're not allowed to replace it. Bail. */
1715 ret = HDB_ERR_EXISTS;
1716 goto out;
1717 }
1718
1719 /* write entry into directory */
1720 if (e == NULL) {
1721 /* didn't exist before */
1722 rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1723 errfn = "ldap_add_ext_s";
1724 } else {
1725 /* already existed, send deltas only */
1726 rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1727 errfn = "ldap_modify_ext_s";
1728 }
1729
1730 if (check_ldap(context, db, rc)) {
1731 char *ld_error = NULL;
1732 ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
1733 &ld_error);
1734 ret = HDB_ERR_CANT_LOCK_DB;
1735 krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",
1736 errfn, name, dn, ldap_err2string(rc), ld_error);
1737 } else
1738 ret = 0;
1739
1740 out:
1741 /* free stuff */
1742 if (dn)
1743 free(dn);
1744 if (msg)
1745 ldap_msgfree(msg);
1746 if (mods)
1747 ldap_mods_free(mods, 1);
1748 if (name)
1749 free(name);
1750
1751 return ret;
1752 }
1753
1754 static krb5_error_code
1755 LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)
1756 {
1757 krb5_error_code ret;
1758 LDAPMessage *msg, *e;
1759 char *dn = NULL;
1760 int rc, limit = LDAP_NO_LIMIT;
1761
1762 ret = LDAP_principal2message(context, db, principal, &msg);
1763 if (ret)
1764 goto out;
1765
1766 e = ldap_first_entry(HDB2LDAP(db), msg);
1767 if (e == NULL) {
1768 ret = HDB_ERR_NOENTRY;
1769 goto out;
1770 }
1771
1772 dn = ldap_get_dn(HDB2LDAP(db), e);
1773 if (dn == NULL) {
1774 ret = HDB_ERR_NOENTRY;
1775 goto out;
1776 }
1777
1778 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
1779 if (rc != LDAP_SUCCESS) {
1780 ret = HDB_ERR_BADVERSION;
1781 krb5_set_error_message(context, ret, "ldap_set_option: %s",
1782 ldap_err2string(rc));
1783 goto out;
1784 }
1785
1786 rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL );
1787 if (check_ldap(context, db, rc)) {
1788 ret = HDB_ERR_CANT_LOCK_DB;
1789 krb5_set_error_message(context, ret, "ldap_delete_ext_s: %s",
1790 ldap_err2string(rc));
1791 } else
1792 ret = 0;
1793
1794 out:
1795 if (dn != NULL)
1796 free(dn);
1797 if (msg != NULL)
1798 ldap_msgfree(msg);
1799
1800 return ret;
1801 }
1802
1803 static krb5_error_code
1804 LDAP_destroy(krb5_context context, HDB * db)
1805 {
1806 krb5_error_code ret;
1807
1808 LDAP_close(context, db);
1809
1810 ret = hdb_clear_master_key(context, db);
1811 if (HDB2BASE(db))
1812 free(HDB2BASE(db));
1813 if (HDB2CREATE(db))
1814 free(HDB2CREATE(db));
1815 if (HDB2URL(db))
1816 free(HDB2URL(db));
1817 if (db->hdb_name)
1818 free(db->hdb_name);
1819 free(db->hdb_db);
1820 free(db);
1821
1822 return ret;
1823 }
1824
1825 static krb5_error_code
1826 hdb_ldap_common(krb5_context context,
1827 HDB ** db,
1828 const char *search_base,
1829 const char *url)
1830 {
1831 struct hdbldapdb *h;
1832 const char *create_base = NULL;
1833 const char *ldap_secret_file = NULL;
1834
1835 if (url == NULL || url[0] == '\0') {
1836 const char *p;
1837 p = krb5_config_get_string(context, NULL, "kdc",
1838 "hdb-ldap-url", NULL);
1839 if (p == NULL)
1840 p = default_ldap_url;
1841
1842 url = p;
1843 }
1844
1845 if (search_base == NULL && search_base[0] == '\0') {
1846 krb5_set_error_message(context, ENOMEM, "ldap search base not configured");
1847 return ENOMEM; /* XXX */
1848 }
1849
1850 if (structural_object == NULL) {
1851 const char *p;
1852
1853 p = krb5_config_get_string(context, NULL, "kdc",
1854 "hdb-ldap-structural-object", NULL);
1855 if (p == NULL)
1856 p = default_structural_object;
1857 structural_object = strdup(p);
1858 if (structural_object == NULL) {
1859 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1860 return ENOMEM;
1861 }
1862 }
1863
1864 samba_forwardable =
1865 krb5_config_get_bool_default(context, NULL, TRUE,
1866 "kdc", "hdb-samba-forwardable", NULL);
1867
1868 *db = calloc(1, sizeof(**db));
1869 if (*db == NULL) {
1870 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1871 return ENOMEM;
1872 }
1873 memset(*db, 0, sizeof(**db));
1874
1875 h = calloc(1, sizeof(*h));
1876 if (h == NULL) {
1877 free(*db);
1878 *db = NULL;
1879 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1880 return ENOMEM;
1881 }
1882 (*db)->hdb_db = h;
1883
1884 /* XXX */
1885 if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {
1886 LDAP_destroy(context, *db);
1887 *db = NULL;
1888 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1889 return ENOMEM;
1890 }
1891
1892 h->h_url = strdup(url);
1893 h->h_base = strdup(search_base);
1894 if (h->h_url == NULL || h->h_base == NULL) {
1895 LDAP_destroy(context, *db);
1896 *db = NULL;
1897 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1898 return ENOMEM;
1899 }
1900
1901 ldap_secret_file = krb5_config_get_string(context, NULL, "kdc",
1902 "hdb-ldap-secret-file", NULL);
1903 if (ldap_secret_file != NULL) {
1904 krb5_config_binding *tmp;
1905 krb5_error_code ret;
1906 const char *p;
1907
1908 ret = krb5_config_parse_file(context, ldap_secret_file, &tmp);
1909 if (ret)
1910 return ret;
1911
1912 p = krb5_config_get_string(context, tmp, "kdc",
1913 "hdb-ldap-bind-dn", NULL);
1914 if (p != NULL)
1915 h->h_bind_dn = strdup(p);
1916
1917 p = krb5_config_get_string(context, tmp, "kdc",
1918 "hdb-ldap-bind-password", NULL);
1919 if (p != NULL)
1920 h->h_bind_password = strdup(p);
1921
1922 krb5_config_file_free(context, tmp);
1923 }
1924
1925 h->h_start_tls =
1926 krb5_config_get_bool_default(context, NULL, FALSE,
1927 "kdc", "hdb-ldap-start-tls", NULL);
1928
1929 create_base = krb5_config_get_string(context, NULL, "kdc",
1930 "hdb-ldap-create-base", NULL);
1931 if (create_base == NULL)
1932 create_base = h->h_base;
1933
1934 h->h_createbase = strdup(create_base);
1935 if (h->h_createbase == NULL) {
1936 LDAP_destroy(context, *db);
1937 *db = NULL;
1938 krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1939 return ENOMEM;
1940 }
1941
1942 (*db)->hdb_master_key_set = 0;
1943 (*db)->hdb_openp = 0;
1944 (*db)->hdb_capability_flags = 0;
1945 (*db)->hdb_open = LDAP_open;
1946 (*db)->hdb_close = LDAP_close;
1947 (*db)->hdb_fetch_kvno = LDAP_fetch_kvno;
1948 (*db)->hdb_store = LDAP_store;
1949 (*db)->hdb_remove = LDAP_remove;
1950 (*db)->hdb_firstkey = LDAP_firstkey;
1951 (*db)->hdb_nextkey = LDAP_nextkey;
1952 (*db)->hdb_lock = LDAP_lock;
1953 (*db)->hdb_unlock = LDAP_unlock;
1954 (*db)->hdb_rename = NULL;
1955 (*db)->hdb__get = NULL;
1956 (*db)->hdb__put = NULL;
1957 (*db)->hdb__del = NULL;
1958 (*db)->hdb_destroy = LDAP_destroy;
1959
1960 return 0;
1961 }
1962
1963 krb5_error_code
1964 hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
1965 {
1966 return hdb_ldap_common(context, db, arg, NULL);
1967 }
1968
1969 krb5_error_code
1970 hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)
1971 {
1972 krb5_error_code ret;
1973 char *search_base, *p;
1974
1975 asprintf(&p, "ldapi:%s", arg);
1976 if (p == NULL) {
1977 *db = NULL;
1978 krb5_set_error_message(context, ENOMEM, "out of memory");
1979 return ENOMEM;
1980 }
1981 search_base = strchr(p + strlen("ldapi://"), ':');
1982 if (search_base == NULL) {
1983 *db = NULL;
1984 krb5_set_error_message(context, HDB_ERR_BADVERSION,
1985 "search base missing");
1986 return HDB_ERR_BADVERSION;
1987 }
1988 *search_base = '\0';
1989 search_base++;
1990
1991 ret = hdb_ldap_common(context, db, search_base, p);
1992 free(p);
1993 return ret;
1994 }
1995
1996 #ifdef OPENLDAP_MODULE
1997
1998
1999 static krb5_error_code
2000 init(krb5_context context, void **ctx)
2001 {
2002 *ctx = NULL;
2003 return 0;
2004 }
2005
2006 static void
2007 fini(void *ctx)
2008 {
2009 }
2010
2011 struct hdb_method hdb_ldap_interface = {
2012 HDB_INTERFACE_VERSION,
2013 init,
2014 fini,
2015 "ldap",
2016 hdb_ldap_create
2017 };
2018
2019 struct hdb_method hdb_ldapi_interface = {
2020 HDB_INTERFACE_VERSION,
2021 init,
2022 fini,
2023 "ldapi",
2024 hdb_ldapi_create
2025 };
2026
2027 #endif
2028
2029 #endif /* OPENLDAP */
Heimdal