2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
44 static krb5_error_code
LDAP__connect(krb5_context context
, HDB
*);
45 static krb5_error_code
LDAP_close(krb5_context context
, HDB
*);
47 static krb5_error_code
hdb_ldap_create(krb5_context context
, HDB
**, const char *);
48 static krb5_error_code
hdb_ldapi_create(krb5_context context
, HDB
**, const char *);
50 static krb5_error_code
51 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
52 int flags
, hdb_entry_ex
* ent
);
54 static const char *default_structural_object
= "account";
55 static char *structural_object
;
56 static const char *default_ldap_url
= "ldapi:///";
57 static krb5_boolean samba_forwardable
;
65 char *h_bind_password
;
66 krb5_boolean h_start_tls
;
70 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
71 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
72 #define HDBSETMSGID(db,msgid) \
73 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
74 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
75 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
76 #define HDB2BINDDN(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_dn)
77 #define HDB2BINDPW(db) (((struct hdbldapdb *)(db)->hdb_db)->h_bind_password)
78 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
84 static char * krb5kdcentry_attrs
[] = {
91 "krb5KeyVersionNumber",
106 "sambaPwdMustChange",
111 static char *krb5principal_attrs
[] = {
116 "krb5PrincipalRealm",
125 LDAP_no_size_limit(krb5_context context
, LDAP
*lp
)
127 int ret
, limit
= LDAP_NO_LIMIT
;
129 ret
= ldap_set_option(lp
, LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
130 if (ret
!= LDAP_SUCCESS
) {
131 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
132 "ldap_set_option: %s",
133 ldap_err2string(ret
));
134 return HDB_ERR_BADVERSION
;
140 check_ldap(krb5_context context
, HDB
*db
, int ret
)
145 case LDAP_SERVER_DOWN
:
146 LDAP_close(context
, db
);
153 static krb5_error_code
154 LDAP__setmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
159 if (*modlist
== NULL
) {
160 *modlist
= (LDAPMod
**)ber_memcalloc(1, sizeof(LDAPMod
*));
161 if (*modlist
== NULL
)
165 for (cMods
= 0; (*modlist
)[cMods
] != NULL
; cMods
++) {
166 if ((*modlist
)[cMods
]->mod_op
== modop
&&
167 strcasecmp((*modlist
)[cMods
]->mod_type
, attribute
) == 0) {
174 if ((*modlist
)[cMods
] == NULL
) {
177 *modlist
= (LDAPMod
**)ber_memrealloc(*modlist
,
178 (cMods
+ 2) * sizeof(LDAPMod
*));
179 if (*modlist
== NULL
)
182 (*modlist
)[cMods
] = (LDAPMod
*)ber_memalloc(sizeof(LDAPMod
));
183 if ((*modlist
)[cMods
] == NULL
)
186 mod
= (*modlist
)[cMods
];
188 mod
->mod_type
= ber_strdup(attribute
);
189 if (mod
->mod_type
== NULL
) {
191 (*modlist
)[cMods
] = NULL
;
195 if (modop
& LDAP_MOD_BVALUES
) {
196 mod
->mod_bvalues
= NULL
;
198 mod
->mod_values
= NULL
;
201 (*modlist
)[cMods
+ 1] = NULL
;
207 static krb5_error_code
208 LDAP_addmod_len(LDAPMod
*** modlist
, int modop
, const char *attribute
,
209 unsigned char *value
, size_t len
)
214 ret
= LDAP__setmod(modlist
, modop
| LDAP_MOD_BVALUES
, attribute
, &cMods
);
221 bv
= (*modlist
)[cMods
]->mod_bvalues
;
223 for (i
= 0; bv
[i
] != NULL
; i
++)
225 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
227 bv
= ber_memalloc(2 * sizeof(*bv
));
231 (*modlist
)[cMods
]->mod_bvalues
= bv
;
233 bv
[i
] = ber_memalloc(sizeof(**bv
));;
237 bv
[i
]->bv_val
= (void *)value
;
246 static krb5_error_code
247 LDAP_addmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
253 ret
= LDAP__setmod(modlist
, modop
, attribute
, &cMods
);
260 bv
= (*modlist
)[cMods
]->mod_values
;
262 for (i
= 0; bv
[i
] != NULL
; i
++)
264 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
266 bv
= ber_memalloc(2 * sizeof(*bv
));
270 (*modlist
)[cMods
]->mod_values
= bv
;
272 bv
[i
] = ber_strdup(value
);
282 static krb5_error_code
283 LDAP_addmod_generalized_time(LDAPMod
*** mods
, int modop
,
284 const char *attribute
, KerberosTime
* time
)
289 /* XXX not threadsafe */
291 strftime(buf
, sizeof(buf
), "%Y%m%d%H%M%SZ", tm
);
293 return LDAP_addmod(mods
, modop
, attribute
, buf
);
296 static krb5_error_code
297 LDAP_addmod_integer(krb5_context context
,
298 LDAPMod
*** mods
, int modop
,
299 const char *attribute
, unsigned long l
)
304 ret
= asprintf(&buf
, "%ld", l
);
306 krb5_set_error_message(context
, ENOMEM
,
307 "asprintf: out of memory:");
310 ret
= LDAP_addmod(mods
, modop
, attribute
, buf
);
315 static krb5_error_code
316 LDAP_get_string_value(HDB
* db
, LDAPMessage
* entry
,
317 const char *attribute
, char **ptr
)
319 struct berval
**vals
;
321 vals
= ldap_get_values_len(HDB2LDAP(db
), entry
, attribute
);
322 if (vals
== NULL
|| vals
[0] == NULL
) {
324 return HDB_ERR_NOENTRY
;
327 *ptr
= malloc(vals
[0]->bv_len
+ 1);
329 ldap_value_free_len(vals
);
333 memcpy(*ptr
, vals
[0]->bv_val
, vals
[0]->bv_len
);
334 (*ptr
)[vals
[0]->bv_len
] = 0;
336 ldap_value_free_len(vals
);
341 static krb5_error_code
342 LDAP_get_integer_value(HDB
* db
, LDAPMessage
* entry
,
343 const char *attribute
, int *ptr
)
348 ret
= LDAP_get_string_value(db
, entry
, attribute
, &val
);
356 static krb5_error_code
357 LDAP_get_generalized_time_value(HDB
* db
, LDAPMessage
* entry
,
358 const char *attribute
, KerberosTime
* kt
)
366 ret
= LDAP_get_string_value(db
, entry
, attribute
, &gentime
);
370 tmp
= strptime(gentime
, "%Y%m%d%H%M%SZ", &tm
);
373 return HDB_ERR_NOENTRY
;
384 bervalstrcmp(struct berval
*v
, const char *str
)
386 size_t len
= strlen(str
);
387 return (v
->bv_len
== len
) && strncasecmp(str
, (char *)v
->bv_val
, len
) == 0;
391 static krb5_error_code
392 LDAP_entry2mods(krb5_context context
, HDB
* db
, hdb_entry_ex
* ent
,
393 LDAPMessage
* msg
, LDAPMod
*** pmods
)
396 krb5_boolean is_new_entry
;
398 LDAPMod
**mods
= NULL
;
400 unsigned long oflags
, nflags
;
403 krb5_boolean is_samba_account
= FALSE
;
404 krb5_boolean is_account
= FALSE
;
405 krb5_boolean is_heimdal_entry
= FALSE
;
406 krb5_boolean is_heimdal_principal
= FALSE
;
408 struct berval
**vals
;
414 ret
= LDAP_message2entry(context
, db
, msg
, 0, &orig
);
418 is_new_entry
= FALSE
;
420 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "objectClass");
422 int num_objectclasses
= ldap_count_values_len(vals
);
423 for (i
=0; i
< num_objectclasses
; i
++) {
424 if (bervalstrcmp(vals
[i
], "sambaSamAccount"))
425 is_samba_account
= TRUE
;
426 else if (bervalstrcmp(vals
[i
], structural_object
))
428 else if (bervalstrcmp(vals
[i
], "krb5Principal"))
429 is_heimdal_principal
= TRUE
;
430 else if (bervalstrcmp(vals
[i
], "krb5KDCEntry"))
431 is_heimdal_entry
= TRUE
;
433 ldap_value_free_len(vals
);
437 * If this is just a "account" entry and no other objectclass
438 * is hanging on this entry, it's really a new entry.
440 if (is_samba_account
== FALSE
&& is_heimdal_principal
== FALSE
&&
441 is_heimdal_entry
== FALSE
) {
442 if (is_account
== TRUE
) {
445 ret
= HDB_ERR_NOENTRY
;
454 /* to make it perfectly obvious we're depending on
455 * orig being intiialized to zero */
456 memset(&orig
, 0, sizeof(orig
));
458 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "top");
462 /* account is the structural object class */
463 if (is_account
== FALSE
) {
464 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass",
471 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5Principal");
472 is_heimdal_principal
= TRUE
;
476 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5KDCEntry");
477 is_heimdal_entry
= TRUE
;
483 krb5_principal_compare(context
, ent
->entry
.principal
, orig
.entry
.principal
)
486 if (is_heimdal_principal
|| is_heimdal_entry
) {
488 ret
= krb5_unparse_name(context
, ent
->entry
.principal
, &tmp
);
492 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
,
493 "krb5PrincipalName", tmp
);
501 if (is_account
|| is_samba_account
) {
502 ret
= krb5_unparse_name_short(context
, ent
->entry
.principal
, &tmp
);
505 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "uid", tmp
);
514 if (is_heimdal_entry
&& (ent
->entry
.kvno
!= orig
.entry
.kvno
|| is_new_entry
)) {
515 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
516 "krb5KeyVersionNumber",
522 if (is_heimdal_entry
&& ent
->entry
.valid_start
) {
523 if (orig
.entry
.valid_end
== NULL
524 || (*(ent
->entry
.valid_start
) != *(orig
.entry
.valid_start
))) {
525 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
527 ent
->entry
.valid_start
);
533 if (ent
->entry
.valid_end
) {
534 if (orig
.entry
.valid_end
== NULL
|| (*(ent
->entry
.valid_end
) != *(orig
.entry
.valid_end
))) {
535 if (is_heimdal_entry
) {
536 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
538 ent
->entry
.valid_end
);
542 if (is_samba_account
) {
543 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
545 *(ent
->entry
.valid_end
));
552 if (ent
->entry
.pw_end
) {
553 if (orig
.entry
.pw_end
== NULL
|| (*(ent
->entry
.pw_end
) != *(orig
.entry
.pw_end
))) {
554 if (is_heimdal_entry
) {
555 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
562 if (is_samba_account
) {
563 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
564 "sambaPwdMustChange",
565 *(ent
->entry
.pw_end
));
573 #if 0 /* we we have last_pw_change */
574 if (is_samba_account
&& ent
->entry
.last_pw_change
) {
575 if (orig
.entry
.last_pw_change
== NULL
|| (*(ent
->entry
.last_pw_change
) != *(orig
.entry
.last_pw_change
))) {
576 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
578 *(ent
->entry
.last_pw_change
));
585 if (is_heimdal_entry
&& ent
->entry
.max_life
) {
586 if (orig
.entry
.max_life
== NULL
587 || (*(ent
->entry
.max_life
) != *(orig
.entry
.max_life
))) {
589 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
591 *(ent
->entry
.max_life
));
597 if (is_heimdal_entry
&& ent
->entry
.max_renew
) {
598 if (orig
.entry
.max_renew
== NULL
599 || (*(ent
->entry
.max_renew
) != *(orig
.entry
.max_renew
))) {
601 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
603 *(ent
->entry
.max_renew
));
609 oflags
= HDBFlags2int(orig
.entry
.flags
);
610 nflags
= HDBFlags2int(ent
->entry
.flags
);
612 if (is_heimdal_entry
&& oflags
!= nflags
) {
614 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
621 /* Remove keys if they exists, and then replace keys. */
622 if (!is_new_entry
&& orig
.entry
.keys
.len
> 0) {
623 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
625 ldap_value_free_len(vals
);
627 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5Key", NULL
);
633 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
636 && ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
639 time_t now
= time(NULL
);
641 /* the key might have been 'sealed', but samba passwords
642 are clear in the directory */
643 ret
= hdb_unseal_key(context
, db
, &ent
->entry
.keys
.val
[i
]);
647 nt
= ent
->entry
.keys
.val
[i
].key
.keyvalue
.data
;
648 /* store in ntPassword, not krb5key */
649 ret
= hex_encode(nt
, 16, &ntHexPassword
);
652 krb5_set_error_message(context
, ret
, "hdb-ldap: failed to "
656 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "sambaNTPassword",
661 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
662 "sambaPwdLastSet", now
);
666 /* have to kill the LM passwod if it exists */
667 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "sambaLMPassword");
669 ldap_value_free_len(vals
);
670 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
,
671 "sambaLMPassword", NULL
);
676 } else if (is_heimdal_entry
) {
678 size_t len
, buf_size
;
680 ASN1_MALLOC_ENCODE(Key
, buf
, buf_size
, &ent
->entry
.keys
.val
[i
], &len
, ret
);
684 krb5_abortx(context
, "internal error in ASN.1 encoder");
686 /* addmod_len _owns_ the key, doesn't need to copy it */
687 ret
= LDAP_addmod_len(&mods
, LDAP_MOD_ADD
, "krb5Key", buf
, len
);
693 if (ent
->entry
.etypes
) {
694 int add_krb5EncryptionType
= 0;
697 * Only add/modify krb5EncryptionType if it's a new heimdal
698 * entry or krb5EncryptionType already exists on the entry.
702 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
704 ldap_value_free_len(vals
);
705 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5EncryptionType",
709 add_krb5EncryptionType
= 1;
711 } else if (is_heimdal_entry
)
712 add_krb5EncryptionType
= 1;
714 if (add_krb5EncryptionType
) {
715 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
716 if (is_samba_account
&&
717 ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
)
720 } else if (is_heimdal_entry
) {
721 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_ADD
,
722 "krb5EncryptionType",
723 ent
->entry
.etypes
->val
[i
]);
738 else if (mods
!= NULL
) {
739 ldap_mods_free(mods
, 1);
744 hdb_free_entry(context
, &orig
);
749 static krb5_error_code
750 LDAP_dn2principal(krb5_context context
, HDB
* db
, const char *dn
,
751 krb5_principal
* principal
)
755 const char *filter
= "(objectClass=krb5Principal)";
756 LDAPMessage
*res
= NULL
, *e
;
759 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
763 rc
= ldap_search_ext_s(HDB2LDAP(db
), dn
, LDAP_SCOPE_SUBTREE
,
764 filter
, krb5principal_attrs
, 0,
767 if (check_ldap(context
, db
, rc
)) {
768 ret
= HDB_ERR_NOENTRY
;
769 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
770 "filter: %s error: %s",
771 filter
, ldap_err2string(rc
));
775 e
= ldap_first_entry(HDB2LDAP(db
), res
);
777 ret
= HDB_ERR_NOENTRY
;
781 ret
= LDAP_get_string_value(db
, e
, "krb5PrincipalName", &p
);
783 ret
= HDB_ERR_NOENTRY
;
787 ret
= krb5_parse_name(context
, p
, principal
);
798 need_quote(unsigned char c
)
809 static const char hexchar
[] = "0123456789ABCDEF";
811 static krb5_error_code
812 escape_value(krb5_context context
, const char *unquoted
, char **quoted
)
816 for (i
= 0, len
= 0; unquoted
[i
] != '\0'; i
++, len
++) {
817 if (need_quote((unsigned char)unquoted
[i
]))
821 *quoted
= malloc(len
+ 1);
822 if (*quoted
== NULL
) {
823 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
827 for (i
= 0; unquoted
[0] ; unquoted
++) {
828 if (need_quote((unsigned char)unquoted
[0])) {
829 (*quoted
)[i
++] = '\\';
830 (*quoted
)[i
++] = hexchar
[(unquoted
[0] >> 4) & 0xf];
831 (*quoted
)[i
++] = hexchar
[(unquoted
[0] ) & 0xf];
833 (*quoted
)[i
++] = (char)unquoted
[0];
840 static krb5_error_code
841 LDAP__lookup_princ(krb5_context context
,
843 const char *princname
,
849 char *quote
, *filter
= NULL
;
851 ret
= LDAP__connect(context
, db
);
856 * Quote searches that contain filter language, this quote
857 * searches for *@REALM, which takes very long time.
860 ret
= escape_value(context
, princname
, "e
);
864 rc
= asprintf(&filter
,
865 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
871 krb5_set_error_message(context
, ret
, "malloc: out of memory");
875 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
879 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
),
880 LDAP_SCOPE_SUBTREE
, filter
,
881 krb5kdcentry_attrs
, 0,
884 if (check_ldap(context
, db
, rc
)) {
885 ret
= HDB_ERR_NOENTRY
;
886 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
887 "filter: %s - error: %s",
888 filter
, ldap_err2string(rc
));
892 if (userid
&& ldap_count_entries(HDB2LDAP(db
), *msg
) == 0) {
898 ret
= escape_value(context
, userid
, "e
);
902 rc
= asprintf(&filter
,
903 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
904 structural_object
, quote
);
908 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
912 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
916 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
), LDAP_SCOPE_SUBTREE
,
917 filter
, krb5kdcentry_attrs
, 0,
920 if (check_ldap(context
, db
, rc
)) {
921 ret
= HDB_ERR_NOENTRY
;
922 krb5_set_error_message(context
, ret
,
923 "ldap_search_ext_s: filter: %s error: %s",
924 filter
, ldap_err2string(rc
));
938 static krb5_error_code
939 LDAP_principal2message(krb5_context context
, HDB
* db
,
940 krb5_const_principal princ
, LDAPMessage
** msg
)
942 char *name
, *name_short
= NULL
;
948 ret
= krb5_unparse_name(context
, princ
, &name
);
952 ret
= krb5_get_default_realms(context
, &r0
);
957 for (r
= r0
; *r
!= NULL
; r
++) {
958 if(strcmp(krb5_principal_get_realm(context
, princ
), *r
) == 0) {
959 ret
= krb5_unparse_name_short(context
, princ
, &name_short
);
961 krb5_free_host_realm(context
, r0
);
968 krb5_free_host_realm(context
, r0
);
970 ret
= LDAP__lookup_princ(context
, db
, name
, name_short
, msg
);
978 * Construct an hdb_entry from a directory entry.
980 static krb5_error_code
981 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
982 int flags
, hdb_entry_ex
* ent
)
984 char *unparsed_name
= NULL
, *dn
= NULL
, *ntPasswordIN
= NULL
;
985 char *samba_acct_flags
= NULL
;
986 struct berval
**keys
;
987 struct berval
**vals
;
988 int tmp
, tmp_time
, i
, ret
, have_arcfour
= 0;
990 memset(ent
, 0, sizeof(*ent
));
991 ent
->entry
.flags
= int2HDBFlags(0);
993 ret
= LDAP_get_string_value(db
, msg
, "krb5PrincipalName", &unparsed_name
);
995 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
999 ret
= LDAP_get_string_value(db
, msg
, "uid",
1002 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
1006 krb5_set_error_message(context
, HDB_ERR_NOENTRY
,
1007 "hdb-ldap: ldap entry missing"
1009 return HDB_ERR_NOENTRY
;
1015 ret
= LDAP_get_integer_value(db
, msg
, "krb5KeyVersionNumber",
1018 ent
->entry
.kvno
= 0;
1020 ent
->entry
.kvno
= integer
;
1023 keys
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
1027 ent
->entry
.keys
.len
= ldap_count_values_len(keys
);
1028 ent
->entry
.keys
.val
= (Key
*) calloc(ent
->entry
.keys
.len
, sizeof(Key
));
1029 if (ent
->entry
.keys
.val
== NULL
) {
1031 krb5_set_error_message(context
, ret
, "calloc: out of memory");
1034 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
1035 decode_Key((unsigned char *) keys
[i
]->bv_val
,
1036 (size_t) keys
[i
]->bv_len
, &ent
->entry
.keys
.val
[i
], &l
);
1042 * This violates the ASN1 but it allows a principal to
1043 * be related to a general directory entry without creating
1044 * the keys. Hopefully it's OK.
1046 ent
->entry
.keys
.len
= 0;
1047 ent
->entry
.keys
.val
= NULL
;
1049 ret
= HDB_ERR_NOENTRY
;
1054 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
1056 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1057 if (ent
->entry
.etypes
== NULL
) {
1059 krb5_set_error_message(context
, ret
,"malloc: out of memory");
1062 ent
->entry
.etypes
->len
= ldap_count_values_len(vals
);
1063 ent
->entry
.etypes
->val
= calloc(ent
->entry
.etypes
->len
, sizeof(int));
1064 if (ent
->entry
.etypes
->val
== NULL
) {
1066 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1067 ent
->entry
.etypes
->len
= 0;
1070 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
1073 buf
= malloc(vals
[i
]->bv_len
+ 1);
1076 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1079 memcpy(buf
, vals
[i
]->bv_val
, vals
[i
]->bv_len
);
1080 buf
[vals
[i
]->bv_len
] = '\0';
1081 ent
->entry
.etypes
->val
[i
] = atoi(buf
);
1084 ldap_value_free_len(vals
);
1087 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
1088 if (ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
1094 /* manually construct the NT (type 23) key */
1095 ret
= LDAP_get_string_value(db
, msg
, "sambaNTPassword", &ntPasswordIN
);
1096 if (ret
== 0 && have_arcfour
== 0) {
1099 keys
= realloc(ent
->entry
.keys
.val
,
1100 (ent
->entry
.keys
.len
+ 1) * sizeof(ent
->entry
.keys
.val
[0]));
1104 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1107 ent
->entry
.keys
.val
= keys
;
1108 memset(&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
], 0, sizeof(Key
));
1109 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keytype
= ETYPE_ARCFOUR_HMAC_MD5
;
1110 ret
= krb5_data_alloc (&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
, 16);
1112 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1117 ret
= hex_decode(ntPasswordIN
,
1118 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
.data
, 16);
1119 ent
->entry
.keys
.len
++;
1121 if (ent
->entry
.etypes
== NULL
) {
1122 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1123 if (ent
->entry
.etypes
== NULL
) {
1125 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1128 ent
->entry
.etypes
->val
= NULL
;
1129 ent
->entry
.etypes
->len
= 0;
1132 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++)
1133 if (ent
->entry
.etypes
->val
[i
] == ETYPE_ARCFOUR_HMAC_MD5
)
1135 /* If there is no ARCFOUR enctype, add one */
1136 if (i
== ent
->entry
.etypes
->len
) {
1137 etypes
= realloc(ent
->entry
.etypes
->val
,
1138 (ent
->entry
.etypes
->len
+ 1) *
1139 sizeof(ent
->entry
.etypes
->val
[0]));
1140 if (etypes
== NULL
) {
1142 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1145 ent
->entry
.etypes
->val
= etypes
;
1146 ent
->entry
.etypes
->val
[ent
->entry
.etypes
->len
] =
1147 ETYPE_ARCFOUR_HMAC_MD5
;
1148 ent
->entry
.etypes
->len
++;
1152 ret
= LDAP_get_generalized_time_value(db
, msg
, "createTimestamp",
1153 &ent
->entry
.created_by
.time
);
1155 ent
->entry
.created_by
.time
= time(NULL
);
1157 ent
->entry
.created_by
.principal
= NULL
;
1159 if (flags
& HDB_F_ADMIN_DATA
) {
1160 ret
= LDAP_get_string_value(db
, msg
, "creatorsName", &dn
);
1162 LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.created_by
.principal
);
1166 ent
->entry
.modified_by
= calloc(1, sizeof(*ent
->entry
.modified_by
));
1167 if (ent
->entry
.modified_by
== NULL
) {
1169 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1173 ret
= LDAP_get_generalized_time_value(db
, msg
, "modifyTimestamp",
1174 &ent
->entry
.modified_by
->time
);
1176 ret
= LDAP_get_string_value(db
, msg
, "modifiersName", &dn
);
1178 LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.modified_by
->principal
);
1181 free(ent
->entry
.modified_by
);
1182 ent
->entry
.modified_by
= NULL
;
1187 ent
->entry
.valid_start
= malloc(sizeof(*ent
->entry
.valid_start
));
1188 if (ent
->entry
.valid_start
== NULL
) {
1190 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1193 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidStart",
1194 ent
->entry
.valid_start
);
1197 free(ent
->entry
.valid_start
);
1198 ent
->entry
.valid_start
= NULL
;
1201 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1202 if (ent
->entry
.valid_end
== NULL
) {
1204 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1207 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidEnd",
1208 ent
->entry
.valid_end
);
1211 free(ent
->entry
.valid_end
);
1212 ent
->entry
.valid_end
= NULL
;
1215 ret
= LDAP_get_integer_value(db
, msg
, "sambaKickoffTime", &tmp_time
);
1217 if (ent
->entry
.valid_end
== NULL
) {
1218 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1219 if (ent
->entry
.valid_end
== NULL
) {
1221 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1225 *ent
->entry
.valid_end
= tmp_time
;
1228 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1229 if (ent
->entry
.pw_end
== NULL
) {
1231 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1234 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5PasswordEnd",
1238 free(ent
->entry
.pw_end
);
1239 ent
->entry
.pw_end
= NULL
;
1242 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1246 delta
= krb5_config_get_time_default(context
, NULL
,
1249 "password_lifetime",
1253 if (ent
->entry
.pw_end
== NULL
) {
1254 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1255 if (ent
->entry
.pw_end
== NULL
) {
1257 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1262 *ent
->entry
.pw_end
= tmp_time
+ delta
;
1266 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdMustChange", &tmp_time
);
1268 if (ent
->entry
.pw_end
== NULL
) {
1269 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1270 if (ent
->entry
.pw_end
== NULL
) {
1272 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1276 *ent
->entry
.pw_end
= tmp_time
;
1280 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1282 hdb_entry_set_pw_change_time(context
, &ent
->entry
, tmp_time
);
1287 ent
->entry
.max_life
= malloc(sizeof(*ent
->entry
.max_life
));
1288 if (ent
->entry
.max_life
== NULL
) {
1290 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1293 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxLife", &max_life
);
1295 free(ent
->entry
.max_life
);
1296 ent
->entry
.max_life
= NULL
;
1298 *ent
->entry
.max_life
= max_life
;
1304 ent
->entry
.max_renew
= malloc(sizeof(*ent
->entry
.max_renew
));
1305 if (ent
->entry
.max_renew
== NULL
) {
1307 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1310 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxRenew", &max_renew
);
1312 free(ent
->entry
.max_renew
);
1313 ent
->entry
.max_renew
= NULL
;
1315 *ent
->entry
.max_renew
= max_renew
;
1318 ret
= LDAP_get_integer_value(db
, msg
, "krb5KDCFlags", &tmp
);
1322 ent
->entry
.flags
= int2HDBFlags(tmp
);
1324 /* Try and find Samba flags to put into the mix */
1325 ret
= LDAP_get_string_value(db
, msg
, "sambaAcctFlags", &samba_acct_flags
);
1327 /* parse the [UXW...] string:
1331 'H' Homedir required
1333 'U' User account (normal)
1334 'M' MNS logon user account - what is this ?
1335 'W' Workstation account
1338 'X' No Xpiry on password
1339 'I' Interdomain trust account
1343 int flags_len
= strlen(samba_acct_flags
);
1348 if (samba_acct_flags
[0] != '['
1349 || samba_acct_flags
[flags_len
- 1] != ']')
1352 /* Allow forwarding */
1353 if (samba_forwardable
)
1354 ent
->entry
.flags
.forwardable
= TRUE
;
1356 for (i
=0; i
< flags_len
; i
++) {
1357 switch (samba_acct_flags
[i
]) {
1363 /* how to handle no password in kerberos? */
1366 ent
->entry
.flags
.invalid
= TRUE
;
1371 /* temp duplicate */
1372 ent
->entry
.flags
.invalid
= TRUE
;
1375 ent
->entry
.flags
.client
= TRUE
;
1381 ent
->entry
.flags
.server
= TRUE
;
1382 ent
->entry
.flags
.client
= TRUE
;
1385 ent
->entry
.flags
.invalid
= TRUE
;
1388 if (ent
->entry
.pw_end
) {
1389 free(ent
->entry
.pw_end
);
1390 ent
->entry
.pw_end
= NULL
;
1394 ent
->entry
.flags
.server
= TRUE
;
1395 ent
->entry
.flags
.client
= TRUE
;
1400 free(samba_acct_flags
);
1407 free(unparsed_name
);
1410 hdb_free_entry(context
, ent
);
1415 static krb5_error_code
1416 LDAP_close(krb5_context context
, HDB
* db
)
1419 ldap_unbind_ext(HDB2LDAP(db
), NULL
, NULL
);
1420 ((struct hdbldapdb
*)db
->hdb_db
)->h_lp
= NULL
;
1426 static krb5_error_code
1427 LDAP_lock(krb5_context context
, HDB
* db
, int operation
)
1432 static krb5_error_code
1433 LDAP_unlock(krb5_context context
, HDB
* db
)
1438 static krb5_error_code
1439 LDAP_seq(krb5_context context
, HDB
* db
, unsigned flags
, hdb_entry_ex
* entry
)
1441 int msgid
, rc
, parserc
;
1442 krb5_error_code ret
;
1445 msgid
= HDB2MSGID(db
);
1447 return HDB_ERR_NOENTRY
;
1450 rc
= ldap_result(HDB2LDAP(db
), msgid
, LDAP_MSG_ONE
, NULL
, &e
);
1452 case LDAP_RES_SEARCH_REFERENCE
:
1456 case LDAP_RES_SEARCH_ENTRY
:
1457 /* We have an entry. Parse it. */
1458 ret
= LDAP_message2entry(context
, db
, e
, flags
, entry
);
1461 case LDAP_RES_SEARCH_RESULT
:
1462 /* We're probably at the end of the results. If not, abandon. */
1464 ldap_parse_result(HDB2LDAP(db
), e
, NULL
, NULL
, NULL
,
1466 ret
= HDB_ERR_NOENTRY
;
1467 if (parserc
!= LDAP_SUCCESS
1468 && parserc
!= LDAP_MORE_RESULTS_TO_RETURN
) {
1469 krb5_set_error_message(context
, ret
, "ldap_parse_result: %s",
1470 ldap_err2string(parserc
));
1471 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1473 HDBSETMSGID(db
, -1);
1475 case LDAP_SERVER_DOWN
:
1477 LDAP_close(context
, db
);
1478 HDBSETMSGID(db
, -1);
1482 /* Some unspecified error (timeout?). Abandon. */
1484 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1485 ret
= HDB_ERR_NOENTRY
;
1486 HDBSETMSGID(db
, -1);
1489 } while (rc
== LDAP_RES_SEARCH_REFERENCE
);
1492 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1493 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1495 hdb_free_entry(context
, entry
);
1502 static krb5_error_code
1503 LDAP_firstkey(krb5_context context
, HDB
*db
, unsigned flags
,
1504 hdb_entry_ex
*entry
)
1506 krb5_error_code ret
;
1509 ret
= LDAP__connect(context
, db
);
1513 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
1517 ret
= ldap_search_ext(HDB2LDAP(db
), HDB2BASE(db
),
1519 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1520 krb5kdcentry_attrs
, 0,
1521 NULL
, NULL
, NULL
, 0, &msgid
);
1523 return HDB_ERR_NOENTRY
;
1525 HDBSETMSGID(db
, msgid
);
1527 return LDAP_seq(context
, db
, flags
, entry
);
1530 static krb5_error_code
1531 LDAP_nextkey(krb5_context context
, HDB
* db
, unsigned flags
,
1532 hdb_entry_ex
* entry
)
1534 return LDAP_seq(context
, db
, flags
, entry
);
1537 static krb5_error_code
1538 LDAP__connect(krb5_context context
, HDB
* db
)
1540 int rc
, version
= LDAP_VERSION3
;
1542 * Empty credentials to do a SASL bind with LDAP. Note that empty
1543 * different from NULL credentials. If you provide NULL
1544 * credentials instead of empty credentials you will get a SASL
1545 * bind in progress message.
1547 struct berval bv
= { 0, "" };
1548 const char *sasl_method
= "EXTERNAL";
1549 const char *bind_dn
= NULL
;
1551 if (HDB2BINDDN(db
) != NULL
&& HDB2BINDPW(db
) != NULL
) {
1552 /* A bind DN was specified; use SASL SIMPLE */
1553 bind_dn
= HDB2BINDDN(db
);
1554 sasl_method
= LDAP_SASL_SIMPLE
;
1555 bv
.bv_val
= HDB2BINDPW(db
);
1556 bv
.bv_len
= strlen(bv
.bv_val
);
1560 /* connection has been opened. ping server. */
1561 struct sockaddr_un addr
;
1562 socklen_t len
= sizeof(addr
);
1565 if (ldap_get_option(HDB2LDAP(db
), LDAP_OPT_DESC
, &sd
) == 0 &&
1566 getpeername(sd
, (struct sockaddr
*) &addr
, &len
) < 0) {
1567 /* the other end has died. reopen. */
1568 LDAP_close(context
, db
);
1572 if (HDB2LDAP(db
) != NULL
) /* server is UP */
1575 rc
= ldap_initialize(&((struct hdbldapdb
*)db
->hdb_db
)->h_lp
, HDB2URL(db
));
1576 if (rc
!= LDAP_SUCCESS
) {
1577 krb5_set_error_message(context
, HDB_ERR_NOENTRY
, "ldap_initialize: %s",
1578 ldap_err2string(rc
));
1579 return HDB_ERR_NOENTRY
;
1582 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_PROTOCOL_VERSION
,
1583 (const void *)&version
);
1584 if (rc
!= LDAP_SUCCESS
) {
1585 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1586 "ldap_set_option: %s", ldap_err2string(rc
));
1587 LDAP_close(context
, db
);
1588 return HDB_ERR_BADVERSION
;
1591 if (((struct hdbldapdb
*)db
->hdb_db
)->h_start_tls
) {
1592 rc
= ldap_start_tls_s(HDB2LDAP(db
), NULL
, NULL
);
1594 if (rc
!= LDAP_SUCCESS
) {
1595 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1596 "ldap_start_tls_s: %s", ldap_err2string(rc
));
1597 LDAP_close(context
, db
);
1598 return HDB_ERR_BADVERSION
;
1602 rc
= ldap_sasl_bind_s(HDB2LDAP(db
), bind_dn
, sasl_method
, &bv
,
1604 if (rc
!= LDAP_SUCCESS
) {
1605 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1606 "ldap_sasl_bind_s: %s", ldap_err2string(rc
));
1607 LDAP_close(context
, db
);
1608 return HDB_ERR_BADVERSION
;
1614 static krb5_error_code
1615 LDAP_open(krb5_context context
, HDB
* db
, int flags
, mode_t mode
)
1617 /* Not the right place for this. */
1618 #ifdef HAVE_SIGACTION
1619 struct sigaction sa
;
1622 sa
.sa_handler
= SIG_IGN
;
1623 sigemptyset(&sa
.sa_mask
);
1625 sigaction(SIGPIPE
, &sa
, NULL
);
1627 signal(SIGPIPE
, SIG_IGN
);
1628 #endif /* HAVE_SIGACTION */
1630 return LDAP__connect(context
, db
);
1633 static krb5_error_code
1634 LDAP_fetch_kvno(krb5_context context
, HDB
* db
, krb5_const_principal principal
,
1635 unsigned flags
, krb5_kvno kvno
, hdb_entry_ex
* entry
)
1637 LDAPMessage
*msg
, *e
;
1638 krb5_error_code ret
;
1640 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1644 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1646 ret
= HDB_ERR_NOENTRY
;
1650 ret
= LDAP_message2entry(context
, db
, e
, flags
, entry
);
1652 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1653 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1655 hdb_free_entry(context
, entry
);
1665 static krb5_error_code
1666 LDAP_fetch(krb5_context context
, HDB
* db
, krb5_const_principal principal
,
1667 unsigned flags
, hdb_entry_ex
* entry
)
1669 return LDAP_fetch_kvno(context
, db
, principal
,
1670 flags
& (~HDB_F_KVNO_SPECIFIED
), 0, entry
);
1673 static krb5_error_code
1674 LDAP_store(krb5_context context
, HDB
* db
, unsigned flags
,
1675 hdb_entry_ex
* entry
)
1677 LDAPMod
**mods
= NULL
;
1678 krb5_error_code ret
;
1681 LDAPMessage
*msg
= NULL
, *e
= NULL
;
1682 char *dn
= NULL
, *name
= NULL
;
1684 ret
= LDAP_principal2message(context
, db
, entry
->entry
.principal
, &msg
);
1686 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1688 ret
= krb5_unparse_name(context
, entry
->entry
.principal
, &name
);
1694 ret
= hdb_seal_keys(context
, db
, &entry
->entry
);
1698 /* turn new entry into LDAPMod array */
1699 ret
= LDAP_entry2mods(context
, db
, entry
, e
, &mods
);
1704 ret
= asprintf(&dn
, "krb5PrincipalName=%s,%s", name
, HDB2CREATE(db
));
1707 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
1710 } else if (flags
& HDB_F_REPLACE
) {
1711 /* Entry exists, and we're allowed to replace it. */
1712 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1714 /* Entry exists, but we're not allowed to replace it. Bail. */
1715 ret
= HDB_ERR_EXISTS
;
1719 /* write entry into directory */
1721 /* didn't exist before */
1722 rc
= ldap_add_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1723 errfn
= "ldap_add_ext_s";
1725 /* already existed, send deltas only */
1726 rc
= ldap_modify_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1727 errfn
= "ldap_modify_ext_s";
1730 if (check_ldap(context
, db
, rc
)) {
1731 char *ld_error
= NULL
;
1732 ldap_get_option(HDB2LDAP(db
), LDAP_OPT_ERROR_STRING
,
1734 ret
= HDB_ERR_CANT_LOCK_DB
;
1735 krb5_set_error_message(context
, ret
, "%s: %s (DN=%s) %s: %s",
1736 errfn
, name
, dn
, ldap_err2string(rc
), ld_error
);
1747 ldap_mods_free(mods
, 1);
1754 static krb5_error_code
1755 LDAP_remove(krb5_context context
, HDB
*db
, krb5_const_principal principal
)
1757 krb5_error_code ret
;
1758 LDAPMessage
*msg
, *e
;
1760 int rc
, limit
= LDAP_NO_LIMIT
;
1762 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1766 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1768 ret
= HDB_ERR_NOENTRY
;
1772 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1774 ret
= HDB_ERR_NOENTRY
;
1778 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
1779 if (rc
!= LDAP_SUCCESS
) {
1780 ret
= HDB_ERR_BADVERSION
;
1781 krb5_set_error_message(context
, ret
, "ldap_set_option: %s",
1782 ldap_err2string(rc
));
1786 rc
= ldap_delete_ext_s(HDB2LDAP(db
), dn
, NULL
, NULL
);
1787 if (check_ldap(context
, db
, rc
)) {
1788 ret
= HDB_ERR_CANT_LOCK_DB
;
1789 krb5_set_error_message(context
, ret
, "ldap_delete_ext_s: %s",
1790 ldap_err2string(rc
));
1803 static krb5_error_code
1804 LDAP_destroy(krb5_context context
, HDB
* db
)
1806 krb5_error_code ret
;
1808 LDAP_close(context
, db
);
1810 ret
= hdb_clear_master_key(context
, db
);
1814 free(HDB2CREATE(db
));
1825 static krb5_error_code
1826 hdb_ldap_common(krb5_context context
,
1828 const char *search_base
,
1831 struct hdbldapdb
*h
;
1832 const char *create_base
= NULL
;
1833 const char *ldap_secret_file
= NULL
;
1835 if (url
== NULL
|| url
[0] == '\0') {
1837 p
= krb5_config_get_string(context
, NULL
, "kdc",
1838 "hdb-ldap-url", NULL
);
1840 p
= default_ldap_url
;
1845 if (search_base
== NULL
&& search_base
[0] == '\0') {
1846 krb5_set_error_message(context
, ENOMEM
, "ldap search base not configured");
1847 return ENOMEM
; /* XXX */
1850 if (structural_object
== NULL
) {
1853 p
= krb5_config_get_string(context
, NULL
, "kdc",
1854 "hdb-ldap-structural-object", NULL
);
1856 p
= default_structural_object
;
1857 structural_object
= strdup(p
);
1858 if (structural_object
== NULL
) {
1859 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1865 krb5_config_get_bool_default(context
, NULL
, TRUE
,
1866 "kdc", "hdb-samba-forwardable", NULL
);
1868 *db
= calloc(1, sizeof(**db
));
1870 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1873 memset(*db
, 0, sizeof(**db
));
1875 h
= calloc(1, sizeof(*h
));
1879 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1885 if (asprintf(&(*db
)->hdb_name
, "ldap:%s", search_base
) == -1) {
1886 LDAP_destroy(context
, *db
);
1888 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1892 h
->h_url
= strdup(url
);
1893 h
->h_base
= strdup(search_base
);
1894 if (h
->h_url
== NULL
|| h
->h_base
== NULL
) {
1895 LDAP_destroy(context
, *db
);
1897 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1901 ldap_secret_file
= krb5_config_get_string(context
, NULL
, "kdc",
1902 "hdb-ldap-secret-file", NULL
);
1903 if (ldap_secret_file
!= NULL
) {
1904 krb5_config_binding
*tmp
;
1905 krb5_error_code ret
;
1908 ret
= krb5_config_parse_file(context
, ldap_secret_file
, &tmp
);
1912 p
= krb5_config_get_string(context
, tmp
, "kdc",
1913 "hdb-ldap-bind-dn", NULL
);
1915 h
->h_bind_dn
= strdup(p
);
1917 p
= krb5_config_get_string(context
, tmp
, "kdc",
1918 "hdb-ldap-bind-password", NULL
);
1920 h
->h_bind_password
= strdup(p
);
1922 krb5_config_file_free(context
, tmp
);
1926 krb5_config_get_bool_default(context
, NULL
, FALSE
,
1927 "kdc", "hdb-ldap-start-tls", NULL
);
1929 create_base
= krb5_config_get_string(context
, NULL
, "kdc",
1930 "hdb-ldap-create-base", NULL
);
1931 if (create_base
== NULL
)
1932 create_base
= h
->h_base
;
1934 h
->h_createbase
= strdup(create_base
);
1935 if (h
->h_createbase
== NULL
) {
1936 LDAP_destroy(context
, *db
);
1938 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1942 (*db
)->hdb_master_key_set
= 0;
1943 (*db
)->hdb_openp
= 0;
1944 (*db
)->hdb_capability_flags
= 0;
1945 (*db
)->hdb_open
= LDAP_open
;
1946 (*db
)->hdb_close
= LDAP_close
;
1947 (*db
)->hdb_fetch_kvno
= LDAP_fetch_kvno
;
1948 (*db
)->hdb_store
= LDAP_store
;
1949 (*db
)->hdb_remove
= LDAP_remove
;
1950 (*db
)->hdb_firstkey
= LDAP_firstkey
;
1951 (*db
)->hdb_nextkey
= LDAP_nextkey
;
1952 (*db
)->hdb_lock
= LDAP_lock
;
1953 (*db
)->hdb_unlock
= LDAP_unlock
;
1954 (*db
)->hdb_rename
= NULL
;
1955 (*db
)->hdb__get
= NULL
;
1956 (*db
)->hdb__put
= NULL
;
1957 (*db
)->hdb__del
= NULL
;
1958 (*db
)->hdb_destroy
= LDAP_destroy
;
1964 hdb_ldap_create(krb5_context context
, HDB
** db
, const char *arg
)
1966 return hdb_ldap_common(context
, db
, arg
, NULL
);
1970 hdb_ldapi_create(krb5_context context
, HDB
** db
, const char *arg
)
1972 krb5_error_code ret
;
1973 char *search_base
, *p
;
1975 asprintf(&p
, "ldapi:%s", arg
);
1978 krb5_set_error_message(context
, ENOMEM
, "out of memory");
1981 search_base
= strchr(p
+ strlen("ldapi://"), ':');
1982 if (search_base
== NULL
) {
1984 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1985 "search base missing");
1986 return HDB_ERR_BADVERSION
;
1988 *search_base
= '\0';
1991 ret
= hdb_ldap_common(context
, db
, search_base
, p
);
1996 #ifdef OPENLDAP_MODULE
1999 static krb5_error_code
2000 init(krb5_context context
, void **ctx
)
2011 struct hdb_method hdb_ldap_interface
= {
2012 HDB_INTERFACE_VERSION
,
2019 struct hdb_method hdb_ldapi_interface
= {
2020 HDB_INTERFACE_VERSION
,
2029 #endif /* OPENLDAP */