2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
44 static krb5_error_code
LDAP__connect(krb5_context context
, HDB
*);
45 static krb5_error_code
LDAP_close(krb5_context context
, HDB
*);
47 static krb5_error_code
48 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
51 static const char *default_structural_object
= "account";
52 static char *structural_object
;
53 static krb5_boolean samba_forwardable
;
63 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
64 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
65 #define HDBSETMSGID(db,msgid) \
66 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
67 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
68 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
69 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
75 static char * krb5kdcentry_attrs
[] = {
82 "krb5KeyVersionNumber",
102 static char *krb5principal_attrs
[] = {
107 "krb5PrincipalRealm",
116 LDAP_no_size_limit(krb5_context context
, LDAP
*lp
)
118 int ret
, limit
= LDAP_NO_LIMIT
;
120 ret
= ldap_set_option(lp
, LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
121 if (ret
!= LDAP_SUCCESS
) {
122 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
123 "ldap_set_option: %s",
124 ldap_err2string(ret
));
125 return HDB_ERR_BADVERSION
;
131 check_ldap(krb5_context context
, HDB
*db
, int ret
)
136 case LDAP_SERVER_DOWN
:
137 LDAP_close(context
, db
);
144 static krb5_error_code
145 LDAP__setmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
150 if (*modlist
== NULL
) {
151 *modlist
= (LDAPMod
**)ber_memcalloc(1, sizeof(LDAPMod
*));
152 if (*modlist
== NULL
)
156 for (cMods
= 0; (*modlist
)[cMods
] != NULL
; cMods
++) {
157 if ((*modlist
)[cMods
]->mod_op
== modop
&&
158 strcasecmp((*modlist
)[cMods
]->mod_type
, attribute
) == 0) {
165 if ((*modlist
)[cMods
] == NULL
) {
168 *modlist
= (LDAPMod
**)ber_memrealloc(*modlist
,
169 (cMods
+ 2) * sizeof(LDAPMod
*));
170 if (*modlist
== NULL
)
173 (*modlist
)[cMods
] = (LDAPMod
*)ber_memalloc(sizeof(LDAPMod
));
174 if ((*modlist
)[cMods
] == NULL
)
177 mod
= (*modlist
)[cMods
];
179 mod
->mod_type
= ber_strdup(attribute
);
180 if (mod
->mod_type
== NULL
) {
182 (*modlist
)[cMods
] = NULL
;
186 if (modop
& LDAP_MOD_BVALUES
) {
187 mod
->mod_bvalues
= NULL
;
189 mod
->mod_values
= NULL
;
192 (*modlist
)[cMods
+ 1] = NULL
;
198 static krb5_error_code
199 LDAP_addmod_len(LDAPMod
*** modlist
, int modop
, const char *attribute
,
200 unsigned char *value
, size_t len
)
205 ret
= LDAP__setmod(modlist
, modop
| LDAP_MOD_BVALUES
, attribute
, &cMods
);
212 bv
= (*modlist
)[cMods
]->mod_bvalues
;
214 for (i
= 0; bv
[i
] != NULL
; i
++)
216 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
218 bv
= ber_memalloc(2 * sizeof(*bv
));
222 (*modlist
)[cMods
]->mod_bvalues
= bv
;
224 bv
[i
] = ber_memalloc(sizeof(**bv
));;
228 bv
[i
]->bv_val
= (void *)value
;
237 static krb5_error_code
238 LDAP_addmod(LDAPMod
*** modlist
, int modop
, const char *attribute
,
244 ret
= LDAP__setmod(modlist
, modop
, attribute
, &cMods
);
251 bv
= (*modlist
)[cMods
]->mod_values
;
253 for (i
= 0; bv
[i
] != NULL
; i
++)
255 bv
= ber_memrealloc(bv
, (i
+ 2) * sizeof(*bv
));
257 bv
= ber_memalloc(2 * sizeof(*bv
));
261 (*modlist
)[cMods
]->mod_values
= bv
;
263 bv
[i
] = ber_strdup(value
);
273 static krb5_error_code
274 LDAP_addmod_generalized_time(LDAPMod
*** mods
, int modop
,
275 const char *attribute
, KerberosTime
* time
)
280 /* XXX not threadsafe */
282 strftime(buf
, sizeof(buf
), "%Y%m%d%H%M%SZ", tm
);
284 return LDAP_addmod(mods
, modop
, attribute
, buf
);
287 static krb5_error_code
288 LDAP_addmod_integer(krb5_context context
,
289 LDAPMod
*** mods
, int modop
,
290 const char *attribute
, unsigned long l
)
295 ret
= asprintf(&buf
, "%ld", l
);
297 krb5_set_error_message(context
, ENOMEM
,
298 "asprintf: out of memory:");
301 ret
= LDAP_addmod(mods
, modop
, attribute
, buf
);
306 static krb5_error_code
307 LDAP_get_string_value(HDB
* db
, LDAPMessage
* entry
,
308 const char *attribute
, char **ptr
)
310 struct berval
**vals
;
312 vals
= ldap_get_values_len(HDB2LDAP(db
), entry
, attribute
);
313 if (vals
== NULL
|| vals
[0] == NULL
) {
315 return HDB_ERR_NOENTRY
;
318 *ptr
= malloc(vals
[0]->bv_len
+ 1);
320 ldap_value_free_len(vals
);
324 memcpy(*ptr
, vals
[0]->bv_val
, vals
[0]->bv_len
);
325 (*ptr
)[vals
[0]->bv_len
] = 0;
327 ldap_value_free_len(vals
);
332 static krb5_error_code
333 LDAP_get_integer_value(HDB
* db
, LDAPMessage
* entry
,
334 const char *attribute
, int *ptr
)
339 ret
= LDAP_get_string_value(db
, entry
, attribute
, &val
);
347 static krb5_error_code
348 LDAP_get_generalized_time_value(HDB
* db
, LDAPMessage
* entry
,
349 const char *attribute
, KerberosTime
* kt
)
357 ret
= LDAP_get_string_value(db
, entry
, attribute
, &gentime
);
361 tmp
= strptime(gentime
, "%Y%m%d%H%M%SZ", &tm
);
364 return HDB_ERR_NOENTRY
;
375 bervalstrcmp(struct berval
*v
, const char *str
)
377 size_t len
= strlen(str
);
378 return (v
->bv_len
== len
) && strncasecmp(str
, (char *)v
->bv_val
, len
) == 0;
382 static krb5_error_code
383 LDAP_entry2mods(krb5_context context
, HDB
* db
, hdb_entry_ex
* ent
,
384 LDAPMessage
* msg
, LDAPMod
*** pmods
)
387 krb5_boolean is_new_entry
;
389 LDAPMod
**mods
= NULL
;
391 unsigned long oflags
, nflags
;
394 krb5_boolean is_samba_account
= FALSE
;
395 krb5_boolean is_account
= FALSE
;
396 krb5_boolean is_heimdal_entry
= FALSE
;
397 krb5_boolean is_heimdal_principal
= FALSE
;
399 struct berval
**vals
;
405 ret
= LDAP_message2entry(context
, db
, msg
, &orig
);
409 is_new_entry
= FALSE
;
411 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "objectClass");
413 int num_objectclasses
= ldap_count_values_len(vals
);
414 for (i
=0; i
< num_objectclasses
; i
++) {
415 if (bervalstrcmp(vals
[i
], "sambaSamAccount"))
416 is_samba_account
= TRUE
;
417 else if (bervalstrcmp(vals
[i
], structural_object
))
419 else if (bervalstrcmp(vals
[i
], "krb5Principal"))
420 is_heimdal_principal
= TRUE
;
421 else if (bervalstrcmp(vals
[i
], "krb5KDCEntry"))
422 is_heimdal_entry
= TRUE
;
424 ldap_value_free_len(vals
);
428 * If this is just a "account" entry and no other objectclass
429 * is hanging on this entry, it's really a new entry.
431 if (is_samba_account
== FALSE
&& is_heimdal_principal
== FALSE
&&
432 is_heimdal_entry
== FALSE
) {
433 if (is_account
== TRUE
) {
436 ret
= HDB_ERR_NOENTRY
;
445 /* to make it perfectly obvious we're depending on
446 * orig being intiialized to zero */
447 memset(&orig
, 0, sizeof(orig
));
449 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "top");
453 /* account is the structural object class */
454 if (is_account
== FALSE
) {
455 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass",
462 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5Principal");
463 is_heimdal_principal
= TRUE
;
467 ret
= LDAP_addmod(&mods
, LDAP_MOD_ADD
, "objectClass", "krb5KDCEntry");
468 is_heimdal_entry
= TRUE
;
474 krb5_principal_compare(context
, ent
->entry
.principal
, orig
.entry
.principal
)
477 if (is_heimdal_principal
|| is_heimdal_entry
) {
479 ret
= krb5_unparse_name(context
, ent
->entry
.principal
, &tmp
);
483 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
,
484 "krb5PrincipalName", tmp
);
492 if (is_account
|| is_samba_account
) {
493 ret
= krb5_unparse_name_short(context
, ent
->entry
.principal
, &tmp
);
496 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "uid", tmp
);
505 if (is_heimdal_entry
&& (ent
->entry
.kvno
!= orig
.entry
.kvno
|| is_new_entry
)) {
506 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
507 "krb5KeyVersionNumber",
513 if (is_heimdal_entry
&& ent
->entry
.valid_start
) {
514 if (orig
.entry
.valid_end
== NULL
515 || (*(ent
->entry
.valid_start
) != *(orig
.entry
.valid_start
))) {
516 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
518 ent
->entry
.valid_start
);
524 if (ent
->entry
.valid_end
) {
525 if (orig
.entry
.valid_end
== NULL
|| (*(ent
->entry
.valid_end
) != *(orig
.entry
.valid_end
))) {
526 if (is_heimdal_entry
) {
527 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
529 ent
->entry
.valid_end
);
533 if (is_samba_account
) {
534 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
536 *(ent
->entry
.valid_end
));
543 if (ent
->entry
.pw_end
) {
544 if (orig
.entry
.pw_end
== NULL
|| (*(ent
->entry
.pw_end
) != *(orig
.entry
.pw_end
))) {
545 if (is_heimdal_entry
) {
546 ret
= LDAP_addmod_generalized_time(&mods
, LDAP_MOD_REPLACE
,
553 if (is_samba_account
) {
554 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
555 "sambaPwdMustChange",
556 *(ent
->entry
.pw_end
));
564 #if 0 /* we we have last_pw_change */
565 if (is_samba_account
&& ent
->entry
.last_pw_change
) {
566 if (orig
.entry
.last_pw_change
== NULL
|| (*(ent
->entry
.last_pw_change
) != *(orig
.entry
.last_pw_change
))) {
567 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
569 *(ent
->entry
.last_pw_change
));
576 if (is_heimdal_entry
&& ent
->entry
.max_life
) {
577 if (orig
.entry
.max_life
== NULL
578 || (*(ent
->entry
.max_life
) != *(orig
.entry
.max_life
))) {
580 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
582 *(ent
->entry
.max_life
));
588 if (is_heimdal_entry
&& ent
->entry
.max_renew
) {
589 if (orig
.entry
.max_renew
== NULL
590 || (*(ent
->entry
.max_renew
) != *(orig
.entry
.max_renew
))) {
592 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
594 *(ent
->entry
.max_renew
));
600 oflags
= HDBFlags2int(orig
.entry
.flags
);
601 nflags
= HDBFlags2int(ent
->entry
.flags
);
603 if (is_heimdal_entry
&& oflags
!= nflags
) {
605 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
612 /* Remove keys if they exists, and then replace keys. */
613 if (!is_new_entry
&& orig
.entry
.keys
.len
> 0) {
614 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
616 ldap_value_free_len(vals
);
618 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5Key", NULL
);
624 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
627 && ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
630 time_t now
= time(NULL
);
632 /* the key might have been 'sealed', but samba passwords
633 are clear in the directory */
634 ret
= hdb_unseal_key(context
, db
, &ent
->entry
.keys
.val
[i
]);
638 nt
= ent
->entry
.keys
.val
[i
].key
.keyvalue
.data
;
639 /* store in ntPassword, not krb5key */
640 ret
= hex_encode(nt
, 16, &ntHexPassword
);
643 krb5_set_error_message(context
, ret
, "hdb-ldap: failed to "
647 ret
= LDAP_addmod(&mods
, LDAP_MOD_REPLACE
, "sambaNTPassword",
652 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_REPLACE
,
653 "sambaPwdLastSet", now
);
657 /* have to kill the LM passwod if it exists */
658 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "sambaLMPassword");
660 ldap_value_free_len(vals
);
661 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
,
662 "sambaLMPassword", NULL
);
667 } else if (is_heimdal_entry
) {
669 size_t len
, buf_size
;
671 ASN1_MALLOC_ENCODE(Key
, buf
, buf_size
, &ent
->entry
.keys
.val
[i
], &len
, ret
);
675 krb5_abortx(context
, "internal error in ASN.1 encoder");
677 /* addmod_len _owns_ the key, doesn't need to copy it */
678 ret
= LDAP_addmod_len(&mods
, LDAP_MOD_ADD
, "krb5Key", buf
, len
);
684 if (ent
->entry
.etypes
) {
685 int add_krb5EncryptionType
= 0;
688 * Only add/modify krb5EncryptionType if it's a new heimdal
689 * entry or krb5EncryptionType already exists on the entry.
693 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
695 ldap_value_free_len(vals
);
696 ret
= LDAP_addmod(&mods
, LDAP_MOD_DELETE
, "krb5EncryptionType",
700 add_krb5EncryptionType
= 1;
702 } else if (is_heimdal_entry
)
703 add_krb5EncryptionType
= 1;
705 if (add_krb5EncryptionType
) {
706 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
707 if (is_samba_account
&&
708 ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
)
711 } else if (is_heimdal_entry
) {
712 ret
= LDAP_addmod_integer(context
, &mods
, LDAP_MOD_ADD
,
713 "krb5EncryptionType",
714 ent
->entry
.etypes
->val
[i
]);
729 else if (mods
!= NULL
) {
730 ldap_mods_free(mods
, 1);
735 hdb_free_entry(context
, &orig
);
740 static krb5_error_code
741 LDAP_dn2principal(krb5_context context
, HDB
* db
, const char *dn
,
742 krb5_principal
* principal
)
746 const char *filter
= "(objectClass=krb5Principal)";
747 LDAPMessage
*res
= NULL
, *e
;
750 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
754 rc
= ldap_search_ext_s(HDB2LDAP(db
), dn
, LDAP_SCOPE_SUBTREE
,
755 filter
, krb5principal_attrs
, 0,
758 if (check_ldap(context
, db
, rc
)) {
759 ret
= HDB_ERR_NOENTRY
;
760 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
761 "filter: %s error: %s",
762 filter
, ldap_err2string(rc
));
766 e
= ldap_first_entry(HDB2LDAP(db
), res
);
768 ret
= HDB_ERR_NOENTRY
;
772 ret
= LDAP_get_string_value(db
, e
, "krb5PrincipalName", &p
);
774 ret
= HDB_ERR_NOENTRY
;
778 ret
= krb5_parse_name(context
, p
, principal
);
788 static krb5_error_code
789 LDAP__lookup_princ(krb5_context context
,
791 const char *princname
,
795 struct berval namebv
, quotedp
;
800 ret
= LDAP__connect(context
, db
);
805 * Quote searches that contain filter language, this quote
806 * searches for *@REALM, which takes very long time.
809 ber_str2bv(princname
, 0, 0, &namebv
);
810 if (ldap_bv2escaped_filter_value(&namebv
, "edp
) != 0) {
812 krb5_set_error_message(context
, ret
, "malloc: out of memory");
815 rc
= asprintf(&filter
,
816 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
818 ber_memfree(quotedp
.bv_val
);
822 krb5_set_error_message(context
, ret
, "malloc: out of memory");
826 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
830 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
),
831 LDAP_SCOPE_SUBTREE
, filter
,
832 krb5kdcentry_attrs
, 0,
835 if (check_ldap(context
, db
, rc
)) {
836 ret
= HDB_ERR_NOENTRY
;
837 krb5_set_error_message(context
, ret
, "ldap_search_ext_s: "
838 "filter: %s - error: %s",
839 filter
, ldap_err2string(rc
));
843 if (userid
&& ldap_count_entries(HDB2LDAP(db
), *msg
) == 0) {
849 ber_str2bv(userid
, 0, 0, &namebv
);
850 if (ldap_bv2escaped_filter_value(&namebv
, "edp
) != 0) {
852 krb5_set_error_message(context
, ret
, "malloc: out of memory");
856 rc
= asprintf(&filter
,
857 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
858 structural_object
, quotedp
.bv_val
);
859 ber_memfree(quotedp
.bv_val
);
862 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
866 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
870 rc
= ldap_search_ext_s(HDB2LDAP(db
), HDB2BASE(db
), LDAP_SCOPE_SUBTREE
,
871 filter
, krb5kdcentry_attrs
, 0,
874 if (check_ldap(context
, db
, rc
)) {
875 ret
= HDB_ERR_NOENTRY
;
876 krb5_set_error_message(context
, ret
,
877 "ldap_search_ext_s: filter: %s error: %s",
878 filter
, ldap_err2string(rc
));
892 static krb5_error_code
893 LDAP_principal2message(krb5_context context
, HDB
* db
,
894 krb5_const_principal princ
, LDAPMessage
** msg
)
896 char *name
, *name_short
= NULL
;
902 ret
= krb5_unparse_name(context
, princ
, &name
);
906 ret
= krb5_get_default_realms(context
, &r0
);
911 for (r
= r0
; *r
!= NULL
; r
++) {
912 if(strcmp(krb5_principal_get_realm(context
, princ
), *r
) == 0) {
913 ret
= krb5_unparse_name_short(context
, princ
, &name_short
);
915 krb5_free_host_realm(context
, r0
);
922 krb5_free_host_realm(context
, r0
);
924 ret
= LDAP__lookup_princ(context
, db
, name
, name_short
, msg
);
932 * Construct an hdb_entry from a directory entry.
934 static krb5_error_code
935 LDAP_message2entry(krb5_context context
, HDB
* db
, LDAPMessage
* msg
,
938 char *unparsed_name
= NULL
, *dn
= NULL
, *ntPasswordIN
= NULL
;
939 char *samba_acct_flags
= NULL
;
940 struct berval
**keys
;
941 struct berval
**vals
;
942 int tmp
, tmp_time
, i
, ret
, have_arcfour
= 0;
944 memset(ent
, 0, sizeof(*ent
));
945 ent
->entry
.flags
= int2HDBFlags(0);
947 ret
= LDAP_get_string_value(db
, msg
, "krb5PrincipalName", &unparsed_name
);
949 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
953 ret
= LDAP_get_string_value(db
, msg
, "uid",
956 ret
= krb5_parse_name(context
, unparsed_name
, &ent
->entry
.principal
);
960 krb5_set_error_message(context
, HDB_ERR_NOENTRY
,
961 "hdb-ldap: ldap entry missing"
963 return HDB_ERR_NOENTRY
;
969 ret
= LDAP_get_integer_value(db
, msg
, "krb5KeyVersionNumber",
974 ent
->entry
.kvno
= integer
;
977 keys
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5Key");
982 ent
->entry
.keys
.len
= ldap_count_values_len(keys
);
983 ent
->entry
.keys
.val
= (Key
*) calloc(ent
->entry
.keys
.len
, sizeof(Key
));
984 if (ent
->entry
.keys
.val
== NULL
) {
986 krb5_set_error_message(context
, ret
, "calloc: out of memory");
989 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
990 decode_Key((unsigned char *) keys
[i
]->bv_val
,
991 (size_t) keys
[i
]->bv_len
, &ent
->entry
.keys
.val
[i
], &l
);
997 * This violates the ASN1 but it allows a principal to
998 * be related to a general directory entry without creating
999 * the keys. Hopefully it's OK.
1001 ent
->entry
.keys
.len
= 0;
1002 ent
->entry
.keys
.val
= NULL
;
1004 ret
= HDB_ERR_NOENTRY
;
1009 vals
= ldap_get_values_len(HDB2LDAP(db
), msg
, "krb5EncryptionType");
1013 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1014 if (ent
->entry
.etypes
== NULL
) {
1016 krb5_set_error_message(context
, ret
,"malloc: out of memory");
1019 ent
->entry
.etypes
->len
= ldap_count_values_len(vals
);
1020 ent
->entry
.etypes
->val
= calloc(ent
->entry
.etypes
->len
, sizeof(int));
1021 if (ent
->entry
.etypes
->val
== NULL
) {
1023 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1024 ent
->entry
.etypes
->len
= 0;
1027 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++) {
1030 buf
= malloc(vals
[i
]->bv_len
+ 1);
1033 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1036 memcpy(buf
, vals
[i
]->bv_val
, vals
[i
]->bv_len
);
1037 buf
[vals
[i
]->bv_len
] = '\0';
1038 ent
->entry
.etypes
->val
[i
] = atoi(buf
);
1041 ldap_value_free_len(vals
);
1044 for (i
= 0; i
< ent
->entry
.keys
.len
; i
++) {
1045 if (ent
->entry
.keys
.val
[i
].key
.keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
1051 /* manually construct the NT (type 23) key */
1052 ret
= LDAP_get_string_value(db
, msg
, "sambaNTPassword", &ntPasswordIN
);
1053 if (ret
== 0 && have_arcfour
== 0) {
1058 keys
= realloc(ent
->entry
.keys
.val
,
1059 (ent
->entry
.keys
.len
+ 1) * sizeof(ent
->entry
.keys
.val
[0]));
1063 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1066 ent
->entry
.keys
.val
= keys
;
1067 memset(&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
], 0, sizeof(Key
));
1068 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keytype
= ETYPE_ARCFOUR_HMAC_MD5
;
1069 ret
= krb5_data_alloc (&ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
, 16);
1071 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1076 ret
= hex_decode(ntPasswordIN
,
1077 ent
->entry
.keys
.val
[ent
->entry
.keys
.len
].key
.keyvalue
.data
, 16);
1078 ent
->entry
.keys
.len
++;
1080 if (ent
->entry
.etypes
== NULL
) {
1081 ent
->entry
.etypes
= malloc(sizeof(*(ent
->entry
.etypes
)));
1082 if (ent
->entry
.etypes
== NULL
) {
1084 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1087 ent
->entry
.etypes
->val
= NULL
;
1088 ent
->entry
.etypes
->len
= 0;
1091 for (i
= 0; i
< ent
->entry
.etypes
->len
; i
++)
1092 if (ent
->entry
.etypes
->val
[i
] == ETYPE_ARCFOUR_HMAC_MD5
)
1094 /* If there is no ARCFOUR enctype, add one */
1095 if (i
== ent
->entry
.etypes
->len
) {
1096 etypes
= realloc(ent
->entry
.etypes
->val
,
1097 (ent
->entry
.etypes
->len
+ 1) *
1098 sizeof(ent
->entry
.etypes
->val
[0]));
1099 if (etypes
== NULL
) {
1101 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1104 ent
->entry
.etypes
->val
= etypes
;
1105 ent
->entry
.etypes
->val
[ent
->entry
.etypes
->len
] =
1106 ETYPE_ARCFOUR_HMAC_MD5
;
1107 ent
->entry
.etypes
->len
++;
1111 ret
= LDAP_get_generalized_time_value(db
, msg
, "createTimestamp",
1112 &ent
->entry
.created_by
.time
);
1114 ent
->entry
.created_by
.time
= time(NULL
);
1116 ent
->entry
.created_by
.principal
= NULL
;
1118 ret
= LDAP_get_string_value(db
, msg
, "creatorsName", &dn
);
1120 if (LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.created_by
.principal
)
1122 ent
->entry
.created_by
.principal
= NULL
;
1127 ent
->entry
.modified_by
= (Event
*) malloc(sizeof(Event
));
1128 if (ent
->entry
.modified_by
== NULL
) {
1130 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1133 ret
= LDAP_get_generalized_time_value(db
, msg
, "modifyTimestamp",
1134 &ent
->entry
.modified_by
->time
);
1136 ret
= LDAP_get_string_value(db
, msg
, "modifiersName", &dn
);
1137 if (LDAP_dn2principal(context
, db
, dn
, &ent
->entry
.modified_by
->principal
))
1138 ent
->entry
.modified_by
->principal
= NULL
;
1141 free(ent
->entry
.modified_by
);
1142 ent
->entry
.modified_by
= NULL
;
1145 ent
->entry
.valid_start
= malloc(sizeof(*ent
->entry
.valid_start
));
1146 if (ent
->entry
.valid_start
== NULL
) {
1148 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1151 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidStart",
1152 ent
->entry
.valid_start
);
1155 free(ent
->entry
.valid_start
);
1156 ent
->entry
.valid_start
= NULL
;
1159 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1160 if (ent
->entry
.valid_end
== NULL
) {
1162 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1165 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5ValidEnd",
1166 ent
->entry
.valid_end
);
1169 free(ent
->entry
.valid_end
);
1170 ent
->entry
.valid_end
= NULL
;
1173 ret
= LDAP_get_integer_value(db
, msg
, "sambaKickoffTime", &tmp_time
);
1175 if (ent
->entry
.valid_end
== NULL
) {
1176 ent
->entry
.valid_end
= malloc(sizeof(*ent
->entry
.valid_end
));
1177 if (ent
->entry
.valid_end
== NULL
) {
1179 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1183 *ent
->entry
.valid_end
= tmp_time
;
1186 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1187 if (ent
->entry
.pw_end
== NULL
) {
1189 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1192 ret
= LDAP_get_generalized_time_value(db
, msg
, "krb5PasswordEnd",
1196 free(ent
->entry
.pw_end
);
1197 ent
->entry
.pw_end
= NULL
;
1200 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1204 if (ent
->entry
.pw_end
== NULL
) {
1205 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1206 if (ent
->entry
.pw_end
== NULL
) {
1208 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1213 delta
= krb5_config_get_time_default(context
, NULL
,
1216 "password_lifetime",
1218 *ent
->entry
.pw_end
= tmp_time
+ delta
;
1221 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdMustChange", &tmp_time
);
1223 if (ent
->entry
.pw_end
== NULL
) {
1224 ent
->entry
.pw_end
= malloc(sizeof(*ent
->entry
.pw_end
));
1225 if (ent
->entry
.pw_end
== NULL
) {
1227 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1231 *ent
->entry
.pw_end
= tmp_time
;
1235 ret
= LDAP_get_integer_value(db
, msg
, "sambaPwdLastSet", &tmp_time
);
1237 hdb_entry_set_pw_change_time(context
, &ent
->entry
, tmp_time
);
1242 ent
->entry
.max_life
= malloc(sizeof(*ent
->entry
.max_life
));
1243 if (ent
->entry
.max_life
== NULL
) {
1245 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1248 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxLife", &max_life
);
1250 free(ent
->entry
.max_life
);
1251 ent
->entry
.max_life
= NULL
;
1253 *ent
->entry
.max_life
= max_life
;
1259 ent
->entry
.max_renew
= malloc(sizeof(*ent
->entry
.max_renew
));
1260 if (ent
->entry
.max_renew
== NULL
) {
1262 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1265 ret
= LDAP_get_integer_value(db
, msg
, "krb5MaxRenew", &max_renew
);
1267 free(ent
->entry
.max_renew
);
1268 ent
->entry
.max_renew
= NULL
;
1270 *ent
->entry
.max_renew
= max_renew
;
1273 ret
= LDAP_get_integer_value(db
, msg
, "krb5KDCFlags", &tmp
);
1277 ent
->entry
.flags
= int2HDBFlags(tmp
);
1279 /* Try and find Samba flags to put into the mix */
1280 ret
= LDAP_get_string_value(db
, msg
, "sambaAcctFlags", &samba_acct_flags
);
1282 /* parse the [UXW...] string:
1286 'H' Homedir required
1288 'U' User account (normal)
1289 'M' MNS logon user account - what is this ?
1290 'W' Workstation account
1293 'X' No Xpiry on password
1294 'I' Interdomain trust account
1299 int flags_len
= strlen(samba_acct_flags
);
1304 if (samba_acct_flags
[0] != '['
1305 || samba_acct_flags
[flags_len
- 1] != ']')
1308 /* Allow forwarding */
1309 if (samba_forwardable
)
1310 ent
->entry
.flags
.forwardable
= TRUE
;
1312 for (i
=0; i
< flags_len
; i
++) {
1313 switch (samba_acct_flags
[i
]) {
1319 /* how to handle no password in kerberos? */
1322 ent
->entry
.flags
.invalid
= TRUE
;
1327 /* temp duplicate */
1328 ent
->entry
.flags
.invalid
= TRUE
;
1331 ent
->entry
.flags
.client
= TRUE
;
1337 ent
->entry
.flags
.server
= TRUE
;
1338 ent
->entry
.flags
.client
= TRUE
;
1341 ent
->entry
.flags
.invalid
= TRUE
;
1344 if (ent
->entry
.pw_end
) {
1345 free(ent
->entry
.pw_end
);
1346 ent
->entry
.pw_end
= NULL
;
1350 ent
->entry
.flags
.server
= TRUE
;
1351 ent
->entry
.flags
.client
= TRUE
;
1356 free(samba_acct_flags
);
1363 free(unparsed_name
);
1366 hdb_free_entry(context
, ent
);
1371 static krb5_error_code
1372 LDAP_close(krb5_context context
, HDB
* db
)
1375 ldap_unbind_ext(HDB2LDAP(db
), NULL
, NULL
);
1376 ((struct hdbldapdb
*)db
->hdb_db
)->h_lp
= NULL
;
1382 static krb5_error_code
1383 LDAP_lock(krb5_context context
, HDB
* db
, int operation
)
1388 static krb5_error_code
1389 LDAP_unlock(krb5_context context
, HDB
* db
)
1394 static krb5_error_code
1395 LDAP_seq(krb5_context context
, HDB
* db
, unsigned flags
, hdb_entry_ex
* entry
)
1397 int msgid
, rc
, parserc
;
1398 krb5_error_code ret
;
1401 msgid
= HDB2MSGID(db
);
1403 return HDB_ERR_NOENTRY
;
1406 rc
= ldap_result(HDB2LDAP(db
), msgid
, LDAP_MSG_ONE
, NULL
, &e
);
1408 case LDAP_RES_SEARCH_REFERENCE
:
1412 case LDAP_RES_SEARCH_ENTRY
:
1413 /* We have an entry. Parse it. */
1414 ret
= LDAP_message2entry(context
, db
, e
, entry
);
1417 case LDAP_RES_SEARCH_RESULT
:
1418 /* We're probably at the end of the results. If not, abandon. */
1420 ldap_parse_result(HDB2LDAP(db
), e
, NULL
, NULL
, NULL
,
1422 ret
= HDB_ERR_NOENTRY
;
1423 if (parserc
!= LDAP_SUCCESS
1424 && parserc
!= LDAP_MORE_RESULTS_TO_RETURN
) {
1425 krb5_set_error_message(context
, ret
, "ldap_parse_result: %s",
1426 ldap_err2string(parserc
));
1427 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1429 HDBSETMSGID(db
, -1);
1431 case LDAP_SERVER_DOWN
:
1433 LDAP_close(context
, db
);
1434 HDBSETMSGID(db
, -1);
1438 /* Some unspecified error (timeout?). Abandon. */
1440 ldap_abandon_ext(HDB2LDAP(db
), msgid
, NULL
, NULL
);
1441 ret
= HDB_ERR_NOENTRY
;
1442 HDBSETMSGID(db
, -1);
1445 } while (rc
== LDAP_RES_SEARCH_REFERENCE
);
1448 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1449 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1451 hdb_free_entry(context
, entry
);
1458 static krb5_error_code
1459 LDAP_firstkey(krb5_context context
, HDB
*db
, unsigned flags
,
1460 hdb_entry_ex
*entry
)
1462 krb5_error_code ret
;
1465 ret
= LDAP__connect(context
, db
);
1469 ret
= LDAP_no_size_limit(context
, HDB2LDAP(db
));
1473 ret
= ldap_search_ext(HDB2LDAP(db
), HDB2BASE(db
),
1475 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1476 krb5kdcentry_attrs
, 0,
1477 NULL
, NULL
, NULL
, 0, &msgid
);
1479 return HDB_ERR_NOENTRY
;
1481 HDBSETMSGID(db
, msgid
);
1483 return LDAP_seq(context
, db
, flags
, entry
);
1486 static krb5_error_code
1487 LDAP_nextkey(krb5_context context
, HDB
* db
, unsigned flags
,
1488 hdb_entry_ex
* entry
)
1490 return LDAP_seq(context
, db
, flags
, entry
);
1493 static krb5_error_code
1494 LDAP__connect(krb5_context context
, HDB
* db
)
1496 int rc
, version
= LDAP_VERSION3
;
1498 * Empty credentials to do a SASL bind with LDAP. Note that empty
1499 * different from NULL credentials. If you provide NULL
1500 * credentials instead of empty credentials you will get a SASL
1501 * bind in progress message.
1503 struct berval bv
= { 0, "" };
1506 /* connection has been opened. ping server. */
1507 struct sockaddr_un addr
;
1508 socklen_t len
= sizeof(addr
);
1511 if (ldap_get_option(HDB2LDAP(db
), LDAP_OPT_DESC
, &sd
) == 0 &&
1512 getpeername(sd
, (struct sockaddr
*) &addr
, &len
) < 0) {
1513 /* the other end has died. reopen. */
1514 LDAP_close(context
, db
);
1518 if (HDB2LDAP(db
) != NULL
) /* server is UP */
1521 rc
= ldap_initialize(&((struct hdbldapdb
*)db
->hdb_db
)->h_lp
, HDB2URL(db
));
1522 if (rc
!= LDAP_SUCCESS
) {
1523 krb5_set_error_message(context
, HDB_ERR_NOENTRY
, "ldap_initialize: %s",
1524 ldap_err2string(rc
));
1525 return HDB_ERR_NOENTRY
;
1528 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_PROTOCOL_VERSION
,
1529 (const void *)&version
);
1530 if (rc
!= LDAP_SUCCESS
) {
1531 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1532 "ldap_set_option: %s", ldap_err2string(rc
));
1533 LDAP_close(context
, db
);
1534 return HDB_ERR_BADVERSION
;
1537 rc
= ldap_sasl_bind_s(HDB2LDAP(db
), NULL
, "EXTERNAL", &bv
,
1539 if (rc
!= LDAP_SUCCESS
) {
1540 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1541 "ldap_sasl_bind_s: %s", ldap_err2string(rc
));
1542 LDAP_close(context
, db
);
1543 return HDB_ERR_BADVERSION
;
1549 static krb5_error_code
1550 LDAP_open(krb5_context context
, HDB
* db
, int flags
, mode_t mode
)
1552 /* Not the right place for this. */
1553 #ifdef HAVE_SIGACTION
1554 struct sigaction sa
;
1557 sa
.sa_handler
= SIG_IGN
;
1558 sigemptyset(&sa
.sa_mask
);
1560 sigaction(SIGPIPE
, &sa
, NULL
);
1562 signal(SIGPIPE
, SIG_IGN
);
1563 #endif /* HAVE_SIGACTION */
1565 return LDAP__connect(context
, db
);
1568 static krb5_error_code
1569 LDAP_fetch(krb5_context context
, HDB
* db
, krb5_const_principal principal
,
1570 unsigned flags
, hdb_entry_ex
* entry
)
1572 LDAPMessage
*msg
, *e
;
1573 krb5_error_code ret
;
1575 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1579 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1581 ret
= HDB_ERR_NOENTRY
;
1585 ret
= LDAP_message2entry(context
, db
, e
, entry
);
1587 if (db
->hdb_master_key_set
&& (flags
& HDB_F_DECRYPT
)) {
1588 ret
= hdb_unseal_keys(context
, db
, &entry
->entry
);
1590 hdb_free_entry(context
, entry
);
1600 static krb5_error_code
1601 LDAP_store(krb5_context context
, HDB
* db
, unsigned flags
,
1602 hdb_entry_ex
* entry
)
1604 LDAPMod
**mods
= NULL
;
1605 krb5_error_code ret
;
1608 LDAPMessage
*msg
= NULL
, *e
= NULL
;
1609 char *dn
= NULL
, *name
= NULL
;
1611 ret
= LDAP_principal2message(context
, db
, entry
->entry
.principal
, &msg
);
1613 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1615 ret
= krb5_unparse_name(context
, entry
->entry
.principal
, &name
);
1621 ret
= hdb_seal_keys(context
, db
, &entry
->entry
);
1625 /* turn new entry into LDAPMod array */
1626 ret
= LDAP_entry2mods(context
, db
, entry
, e
, &mods
);
1631 ret
= asprintf(&dn
, "krb5PrincipalName=%s,%s", name
, HDB2CREATE(db
));
1634 krb5_set_error_message(context
, ret
, "asprintf: out of memory");
1637 } else if (flags
& HDB_F_REPLACE
) {
1638 /* Entry exists, and we're allowed to replace it. */
1639 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1641 /* Entry exists, but we're not allowed to replace it. Bail. */
1642 ret
= HDB_ERR_EXISTS
;
1646 /* write entry into directory */
1648 /* didn't exist before */
1649 rc
= ldap_add_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1650 errfn
= "ldap_add_ext_s";
1652 /* already existed, send deltas only */
1653 rc
= ldap_modify_ext_s(HDB2LDAP(db
), dn
, mods
, NULL
, NULL
);
1654 errfn
= "ldap_modify_ext_s";
1657 if (check_ldap(context
, db
, rc
)) {
1658 char *ld_error
= NULL
;
1659 ldap_get_option(HDB2LDAP(db
), LDAP_OPT_ERROR_STRING
,
1661 ret
= HDB_ERR_CANT_LOCK_DB
;
1662 krb5_set_error_message(context
, ret
, "%s: %s (DN=%s) %s: %s",
1663 errfn
, name
, dn
, ldap_err2string(rc
), ld_error
);
1674 ldap_mods_free(mods
, 1);
1681 static krb5_error_code
1682 LDAP_remove(krb5_context context
, HDB
*db
, krb5_const_principal principal
)
1684 krb5_error_code ret
;
1685 LDAPMessage
*msg
, *e
;
1687 int rc
, limit
= LDAP_NO_LIMIT
;
1689 ret
= LDAP_principal2message(context
, db
, principal
, &msg
);
1693 e
= ldap_first_entry(HDB2LDAP(db
), msg
);
1695 ret
= HDB_ERR_NOENTRY
;
1699 dn
= ldap_get_dn(HDB2LDAP(db
), e
);
1701 ret
= HDB_ERR_NOENTRY
;
1705 rc
= ldap_set_option(HDB2LDAP(db
), LDAP_OPT_SIZELIMIT
, (const void *)&limit
);
1706 if (rc
!= LDAP_SUCCESS
) {
1707 ret
= HDB_ERR_BADVERSION
;
1708 krb5_set_error_message(context
, ret
, "ldap_set_option: %s",
1709 ldap_err2string(rc
));
1713 rc
= ldap_delete_ext_s(HDB2LDAP(db
), dn
, NULL
, NULL
);
1714 if (check_ldap(context
, db
, rc
)) {
1715 ret
= HDB_ERR_CANT_LOCK_DB
;
1716 krb5_set_error_message(context
, ret
, "ldap_delete_ext_s: %s",
1717 ldap_err2string(rc
));
1730 static krb5_error_code
1731 LDAP_destroy(krb5_context context
, HDB
* db
)
1733 krb5_error_code ret
;
1735 LDAP_close(context
, db
);
1737 ret
= hdb_clear_master_key(context
, db
);
1741 free(HDB2CREATE(db
));
1752 static krb5_error_code
1753 hdb_ldap_common(krb5_context context
,
1755 const char *search_base
,
1758 struct hdbldapdb
*h
;
1759 const char *create_base
= NULL
;
1761 if (search_base
== NULL
&& search_base
[0] == '\0') {
1762 krb5_set_error_message(context
, ENOMEM
, "ldap search base not configured");
1763 return ENOMEM
; /* XXX */
1766 if (structural_object
== NULL
) {
1769 p
= krb5_config_get_string(context
, NULL
, "kdc",
1770 "hdb-ldap-structural-object", NULL
);
1772 p
= default_structural_object
;
1773 structural_object
= strdup(p
);
1774 if (structural_object
== NULL
) {
1775 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1781 krb5_config_get_bool_default(context
, NULL
, TRUE
,
1782 "kdc", "hdb-samba-forwardable", NULL
);
1784 *db
= calloc(1, sizeof(**db
));
1786 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1789 memset(*db
, 0, sizeof(**db
));
1791 h
= calloc(1, sizeof(*h
));
1795 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1801 if (asprintf(&(*db
)->hdb_name
, "ldap:%s", search_base
) == -1) {
1802 LDAP_destroy(context
, *db
);
1804 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1808 h
->h_url
= strdup(url
);
1809 h
->h_base
= strdup(search_base
);
1810 if (h
->h_url
== NULL
|| h
->h_base
== NULL
) {
1811 LDAP_destroy(context
, *db
);
1813 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1817 create_base
= krb5_config_get_string(context
, NULL
, "kdc",
1818 "hdb-ldap-create-base", NULL
);
1819 if (create_base
== NULL
)
1820 create_base
= h
->h_base
;
1822 h
->h_createbase
= strdup(create_base
);
1823 if (h
->h_createbase
== NULL
) {
1824 LDAP_destroy(context
, *db
);
1826 krb5_set_error_message(context
, ENOMEM
, "strdup: out of memory");
1830 (*db
)->hdb_master_key_set
= 0;
1831 (*db
)->hdb_openp
= 0;
1832 (*db
)->hdb_capability_flags
= 0;
1833 (*db
)->hdb_open
= LDAP_open
;
1834 (*db
)->hdb_close
= LDAP_close
;
1835 (*db
)->hdb_fetch
= LDAP_fetch
;
1836 (*db
)->hdb_store
= LDAP_store
;
1837 (*db
)->hdb_remove
= LDAP_remove
;
1838 (*db
)->hdb_firstkey
= LDAP_firstkey
;
1839 (*db
)->hdb_nextkey
= LDAP_nextkey
;
1840 (*db
)->hdb_lock
= LDAP_lock
;
1841 (*db
)->hdb_unlock
= LDAP_unlock
;
1842 (*db
)->hdb_rename
= NULL
;
1843 (*db
)->hdb__get
= NULL
;
1844 (*db
)->hdb__put
= NULL
;
1845 (*db
)->hdb__del
= NULL
;
1846 (*db
)->hdb_destroy
= LDAP_destroy
;
1852 hdb_ldap_create(krb5_context context
, HDB
** db
, const char *arg
)
1854 return hdb_ldap_common(context
, db
, arg
, "ldapi:///");
1858 hdb_ldapi_create(krb5_context context
, HDB
** db
, const char *arg
)
1860 krb5_error_code ret
;
1861 char *search_base
, *p
;
1863 asprintf(&p
, "ldapi:%s", arg
);
1866 krb5_set_error_message(context
, ENOMEM
, "out of memory");
1869 search_base
= strchr(p
+ strlen("ldapi://"), ':');
1870 if (search_base
== NULL
) {
1872 krb5_set_error_message(context
, HDB_ERR_BADVERSION
,
1873 "search base missing");
1874 return HDB_ERR_BADVERSION
;
1876 *search_base
= '\0';
1879 ret
= hdb_ldap_common(context
, db
, search_base
, p
);
1884 #ifdef OPENLDAP_MODULE
1886 struct hdb_so_method hdb_ldap_interface
= {
1887 HDB_INTERFACE_VERSION
,
1892 struct hdb_so_method hdb_ldapi_interface
= {
1893 HDB_INTERFACE_VERSION
,
1900 #endif /* OPENLDAP */