search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / cmd / krb5 / ldap_util / kdb5_ldap_realm.c
blobcc263a1b84c51d9d4479c84e5c3477b4e40651df
1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * kadmin/ldap_util/kdb5_ldap_realm.c
8 *
9 * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology.
10 * All Rights Reserved.
11 *
12 * Export of this software from the United States of America may
13 * require a specific license from the United States Government.
14 * It is the responsibility of any person or organization contemplating
15 * export to obtain such a license before exporting.
16 *
17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18 * distribute this software and its documentation for any purpose and
19 * without fee is hereby granted, provided that the above copyright
20 * notice appear in all copies and that both that copyright notice and
21 * this permission notice appear in supporting documentation, and that
22 * the name of M.I.T. not be used in advertising or publicity pertaining
23 * to distribution of the software without specific, written prior
24 * permission. Furthermore if you modify this software you must label
25 * your software as modified software and not distribute it in such a
26 * fashion that it might be confused with the original M.I.T. software.
27 * M.I.T. makes no representations about the suitability of
28 * this software for any purpose. It is provided "as is" without express
29 * or implied warranty.
30 */
31
32 /*
33 * Copyright (C) 1998 by the FundsXpress, INC.
34 *
35 * All rights reserved.
36 *
37 * Export of this software from the United States of America may require
38 * a specific license from the United States Government. It is the
39 * responsibility of any person or organization contemplating export to
40 * obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of FundsXpress. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. FundsXpress makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 *
53 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
54 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
55 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
56 */
57
58 /* Copyright (c) 2004-2005, Novell, Inc.
59 * All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions are met:
63 *
64 * * Redistributions of source code must retain the above copyright notice,
65 * this list of conditions and the following disclaimer.
66 * * Redistributions in binary form must reproduce the above copyright
67 * notice, this list of conditions and the following disclaimer in the
68 * documentation and/or other materials provided with the distribution.
69 * * The copyright holder's name is not used to endorse or promote products
70 * derived from this software without specific prior written permission.
71 *
72 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
73 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
74 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
75 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
76 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
77 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
78 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
79 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
80 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
81 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
82 * POSSIBILITY OF SUCH DAMAGE.
83 */
84
85 /*
86 * Create / Modify / Destroy / View / List realm(s)
87 */
88
89 /* Needed for getting the definition of KRB5_TL_DB_ARGS */
90 #define SECURID
91
92 #include <stdio.h>
93 #include <k5-int.h>
94 #include <kadm5/admin.h>
95 #include <libintl.h>
96 #include <locale.h>
97 #include "kdb5_ldap_util.h"
98 #include "kdb5_ldap_list.h"
99 #include <ldap_principal.h>
100 #include <ldap_krbcontainer.h>
101 extern time_t get_date(char *); /* kadmin/cli/getdate.o */
102
103 char *yes = "yes\n"; /* \n to compare against result of fgets */
104 krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
105
106 struct realm_info rblock = {
107 KRB5_KDB_MAX_LIFE,
108 KRB5_KDB_MAX_RLIFE,
109 KRB5_KDB_EXPIRATION,
110 KRB5_KDB_DEF_FLAGS,
111 (krb5_keyblock *) NULL,
112 1,
113 &def_kslist
114 };
115
116 krb5_data tgt_princ_entries[] = {
117 {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
118 {0, 0, 0} };
119
120 krb5_data db_creator_entries[] = {
121 {0, sizeof("db_creation")-1, "db_creation"} };
122
123
124 static krb5_principal_data db_create_princ = {
125 0, /* magic number */
126 {0, 0, 0}, /* krb5_data realm */
127 db_creator_entries, /* krb5_data *data */
128 1, /* int length */
129 KRB5_NT_SRV_INST /* int type */
130 };
131
132 extern char *mkey_password;
133 extern char *progname;
134 extern kadm5_config_params global_params;
135
136 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask);
137 static int kdb_ldap_create_principal (krb5_context context, krb5_principal
138 princ, enum ap_op op, struct realm_info *pblock);
139
140
141 static char *strdur(time_t duration);
142 static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
143 static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ);
144 static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data);
145
146 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
147 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
148
149 static int get_ticket_policy(rparams,i,argv,argc)
150 krb5_ldap_realm_params *rparams;
151 int *i;
152 char *argv[];
153 int argc;
154 {
155 time_t date;
156 time_t now;
157 int mask = 0;
158 krb5_error_code retval = 0;
159 krb5_boolean no_msg = FALSE;
160
161 krb5_boolean print_usage = FALSE;
162 /* Solaris Kerberos */
163 char *me = progname;
164
165 time(&now);
166 if (!strcmp(argv[*i], "-maxtktlife")) {
167 if (++(*i) > argc-1)
168 goto err_usage;
169 date = get_date(argv[*i]);
170 if (date == (time_t)(-1)) {
171 retval = EINVAL;
172 com_err (me, retval, gettext("while providing time specification"));
173 goto err_nomsg;
174 }
175 rparams->max_life = date-now;
176 mask |= LDAP_REALM_MAXTICKETLIFE;
177 }
178
179
180 else if (!strcmp(argv[*i], "-maxrenewlife")) {
181 if (++(*i) > argc-1)
182 goto err_usage;
183
184 date = get_date(argv[*i]);
185 if (date == (time_t)(-1)) {
186 retval = EINVAL;
187 com_err (me, retval, gettext("while providing time specification"));
188 goto err_nomsg;
189 }
190 rparams->max_renewable_life = date-now;
191 mask |= LDAP_REALM_MAXRENEWLIFE;
192 } else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
193 if (*(argv[*i]) == '+')
194 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
195 else if (*(argv[*i]) == '-')
196 rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
197 else
198 goto err_usage;
199
200 mask |= LDAP_REALM_KRBTICKETFLAGS;
201 } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
202 if (*(argv[*i]) == '+')
203 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
204
205 else if (*(argv[*i]) == '-')
206 rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
207 else
208 goto err_usage;
209
210 mask |= LDAP_REALM_KRBTICKETFLAGS;
211 } else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
212 if (*(argv[*i]) == '+')
213 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
214 else if (*(argv[*i]) == '-')
215 rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
216 else
217 goto err_usage;
218
219 mask |= LDAP_REALM_KRBTICKETFLAGS;
220 } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
221 if (*(argv[*i]) == '+')
222 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
223 else if (*(argv[*i]) == '-')
224 rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
225 else
226 goto err_usage;
227
228 mask |= LDAP_REALM_KRBTICKETFLAGS;
229 } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
230 if (*(argv[*i]) == '+')
231 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
232 else if (*(argv[*i]) == '-')
233 rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
234 else
235 goto err_usage;
236
237 mask |= LDAP_REALM_KRBTICKETFLAGS;
238 }
239
240 else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
241 if (*(argv[*i]) == '+')
242 rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
243 else if (*(argv[*i]) == '-')
244 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
245 else
246 goto err_usage;
247
248 mask |= LDAP_REALM_KRBTICKETFLAGS;
249 } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
250 if (*(argv[*i]) == '+')
251 rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
252 else if (*(argv[*i]) == '-')
253 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
254 else
255 goto err_usage;
256
257 mask |= LDAP_REALM_KRBTICKETFLAGS;
258 } else if (!strcmp((argv[*i] + 1), "allow_svr")) {
259 if (*(argv[*i]) == '+')
260 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
261 else if (*(argv[*i]) == '-')
262 rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
263 else
264 goto err_usage;
265
266 mask |= LDAP_REALM_KRBTICKETFLAGS;
267 } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
268 if (*(argv[*i]) == '+')
269 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
270 else if (*(argv[*i]) == '-')
271 rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
272 else
273 goto err_usage;
274
275 mask |= LDAP_REALM_KRBTICKETFLAGS;
276 } else if (!strcmp((argv[*i] + 1), "allow_tix")) {
277 if (*(argv[*i]) == '+')
278 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
279 else if (*(argv[*i]) == '-')
280 rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
281 else
282 goto err_usage;
283
284 mask |= LDAP_REALM_KRBTICKETFLAGS;
285 } else if (!strcmp((argv[*i] + 1), "needchange")) {
286 if (*(argv[*i]) == '+')
287 rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
288 else if (*(argv[*i]) == '-')
289 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
290 else
291 goto err_usage;
292
293 mask |= LDAP_REALM_KRBTICKETFLAGS;
294 } else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
295 if (*(argv[*i]) == '+')
296 rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
297 else if (*(argv[*i]) == '-')
298 rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
299 else
300 goto err_usage;
301
302 mask |=LDAP_REALM_KRBTICKETFLAGS;
303 }
304 err_usage:
305 print_usage = TRUE;
306
307 err_nomsg:
308 no_msg = TRUE;
309
310 return mask;
311 }
312
313 /*
314 * This function will create a realm on the LDAP Server, with
315 * the specified attributes.
316 */
317 void kdb5_ldap_create(argc, argv)
318 int argc;
319 char *argv[];
320 {
321 krb5_error_code retval = 0;
322 krb5_keyblock master_keyblock;
323 krb5_ldap_realm_params *rparams = NULL;
324 krb5_principal master_princ = NULL;
325 kdb5_dal_handle *dal_handle = NULL;
326 krb5_ldap_context *ldap_context=NULL;
327 krb5_boolean realm_obj_created = FALSE;
328 krb5_boolean create_complete = FALSE;
329 krb5_boolean print_usage = FALSE;
330 krb5_boolean no_msg = FALSE;
331 char *oldcontainerref=NULL;
332 char pw_str[1024];
333 int do_stash = 0;
334 int i = 0;
335 int mask = 0, ret_mask = 0;
336 char **list = NULL;
337 #ifdef HAVE_EDIRECTORY
338 int rightsmask = 0;
339 #endif
340
341 memset(&master_keyblock, 0, sizeof(master_keyblock));
342
343 rparams = (krb5_ldap_realm_params *)malloc(
344 sizeof(krb5_ldap_realm_params));
345 if (rparams == NULL) {
346 retval = ENOMEM;
347 goto cleanup;
348 }
349 memset(rparams, 0, sizeof(krb5_ldap_realm_params));
350
351 /* Parse the arguments */
352 for (i = 1; i < argc; i++) {
353 if (!strcmp(argv[i], "-subtrees")) {
354 if (++i > argc-1)
355 goto err_usage;
356
357 if(strncmp(argv[i], "", strlen(argv[i]))!=0) {
358 list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
359 if (list == NULL) {
360 retval = ENOMEM;
361 goto cleanup;
362 }
363 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
364 free(list);
365 list = NULL;
366 goto cleanup;
367 }
368
369 rparams->subtreecount=0;
370 while(list[rparams->subtreecount]!=NULL)
371 (rparams->subtreecount)++;
372 rparams->subtree = list;
373 } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
374 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
375 /* Solaris Kerberos */
376 com_err(progname, EINVAL,
377 gettext("for subtree while creating realm '%s'"),
378 global_params.realm);
379 goto err_nomsg;
380 }
381 rparams->subtree[rparams->subtreecount] = NULL;
382 mask |= LDAP_REALM_SUBTREE;
383 } else if (!strcmp(argv[i], "-containerref")) {
384 if (++i > argc-1)
385 goto err_usage;
386 if(strncmp(argv[i], "", strlen(argv[i]))==0) {
387 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
388 /* Solaris Kerberos */
389 com_err(progname, EINVAL,
390 gettext("for container reference while creating realm '%s'"),
391 global_params.realm);
392 goto err_nomsg;
393 }
394 rparams->containerref = strdup(argv[i]);
395 if (rparams->containerref == NULL) {
396 retval = ENOMEM;
397 goto cleanup;
398 }
399 mask |= LDAP_REALM_CONTREF;
400 } else if (!strcmp(argv[i], "-sscope")) {
401 if (++i > argc-1)
402 goto err_usage;
403 /* Possible values for search scope are
404 * one (or 1) and sub (or 2)
405 */
406 if (!strcasecmp(argv[i], "one")) {
407 rparams->search_scope = 1;
408 } else if (!strcasecmp(argv[i], "sub")) {
409 rparams->search_scope = 2;
410 } else {
411 rparams->search_scope = atoi(argv[i]);
412 if ((rparams->search_scope != 1) &&
413 (rparams->search_scope != 2)) {
414 /* Solaris Kerberos */
415 com_err(progname, EINVAL,
416 gettext("invalid search scope while creating realm '%s'"),
417 global_params.realm);
418 goto err_nomsg;
419 }
420 }
421 mask |= LDAP_REALM_SEARCHSCOPE;
422 }
423 #ifdef HAVE_EDIRECTORY
424 else if (!strcmp(argv[i], "-kdcdn")) {
425 if (++i > argc-1)
426 goto err_usage;
427 rparams->kdcservers = (char **)malloc(
428 sizeof(char *) * MAX_LIST_ENTRIES);
429 if (rparams->kdcservers == NULL) {
430 retval = ENOMEM;
431 goto cleanup;
432 }
433 memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
434 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
435 rparams->kdcservers))) {
436 goto cleanup;
437 }
438 mask |= LDAP_REALM_KDCSERVERS;
439 } else if (!strcmp(argv[i], "-admindn")) {
440 if (++i > argc-1)
441 goto err_usage;
442 rparams->adminservers = (char **)malloc(
443 sizeof(char *) * MAX_LIST_ENTRIES);
444 if (rparams->adminservers == NULL) {
445 retval = ENOMEM;
446 goto cleanup;
447 }
448 memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
449 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
450 rparams->adminservers))) {
451 goto cleanup;
452 }
453 mask |= LDAP_REALM_ADMINSERVERS;
454 } else if (!strcmp(argv[i], "-pwddn")) {
455 if (++i > argc-1)
456 goto err_usage;
457 rparams->passwdservers = (char **)malloc(
458 sizeof(char *) * MAX_LIST_ENTRIES);
459 if (rparams->passwdservers == NULL) {
460 retval = ENOMEM;
461 goto cleanup;
462 }
463 memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
464 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
465 rparams->passwdservers))) {
466 goto cleanup;
467 }
468 mask |= LDAP_REALM_PASSWDSERVERS;
469 }
470 #endif
471 else if (!strcmp(argv[i], "-s")) {
472 do_stash = 1;
473 } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
474 mask|=ret_mask;
475 }
476
477 else {
478 printf(gettext("'%s' is an invalid option\n"), argv[i]);
479 goto err_usage;
480 }
481 }
482
483 /* If the default enctype/salttype is not provided, use the
484 * default values and also add to the list of supported
485 * enctypes/salttype
486 */
487
488 rblock.max_life = global_params.max_life;
489 rblock.max_rlife = global_params.max_rlife;
490 rblock.expiration = global_params.expiration;
491 rblock.flags = global_params.flags;
492 rblock.nkslist = global_params.num_keysalts;
493 rblock.kslist = global_params.keysalts;
494
495 krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm);
496 krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm));
497
498 printf(gettext("Initializing database for realm '%s'\n"), global_params.realm);
499
500 if (!mkey_password) {
501 unsigned int pw_size;
502 printf(gettext("You will be prompted for the database Master Password.\n"));
503 printf(gettext("It is important that you NOT FORGET this password.\n"));
504 fflush(stdout);
505
506 pw_size = sizeof (pw_str);
507 memset(pw_str, 0, pw_size);
508
509 retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
510 pw_str, &pw_size);
511 if (retval) {
512 /* Solaris Kerberos */
513 com_err(progname, retval, gettext("while reading master key from keyboard"));
514 goto err_nomsg;
515 }
516 mkey_password = pw_str;
517 }
518
519 rparams->mkey.enctype = global_params.enctype;
520 /* We are sure that 'mkey_password' is a regular string ... */
521 rparams->mkey.length = strlen(mkey_password) + 1;
522 rparams->mkey.contents = (krb5_octet *)strdup(mkey_password);
523 if (rparams->mkey.contents == NULL) {
524 retval = ENOMEM;
525 goto cleanup;
526 }
527
528 rparams->realm_name = strdup(global_params.realm);
529 if (rparams->realm_name == NULL) {
530 retval = ENOMEM;
531 /* Solaris Kerberos */
532 com_err(progname, ENOMEM, gettext("while creating realm '%s'"),
533 global_params.realm);
534 goto err_nomsg;
535 }
536
537 dal_handle = (kdb5_dal_handle *) util_context->db_context;
538 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
539 if (!ldap_context) {
540 retval = EINVAL;
541 goto cleanup;
542 }
543
544 /* read the kerberos container */
545 if ((retval=krb5_ldap_read_krbcontainer_params (util_context,
546 &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
547 /* Prompt the user for entering the DN of Kerberos container */
548 char krb_location[MAX_KRB_CONTAINER_LEN];
549 krb5_ldap_krbcontainer_params kparams;
550 int krb_location_len = 0;
551 memset(&kparams, 0, sizeof(kparams));
552
553 /* Read the kerberos container location from configuration file */
554 if (ldap_context->conf_section) {
555 if ((retval=profile_get_string(util_context->profile,
556 KDB_MODULE_SECTION, ldap_context->conf_section,
557 "ldap_kerberos_container_dn", NULL,
558 &kparams.DN)) != 0) {
559 goto cleanup;
560 }
561 }
562 if (kparams.DN == NULL) {
563 if ((retval=profile_get_string(util_context->profile,
564 KDB_MODULE_DEF_SECTION,
565 "ldap_kerberos_container_dn", NULL,
566 NULL, &kparams.DN)) != 0) {
567 goto cleanup;
568 }
569 }
570
571 printf(gettext("\nKerberos container is missing. Creating now...\n"));
572 if (kparams.DN == NULL) {
573 #ifdef HAVE_EDIRECTORY
574 printf(gettext("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "));
575 #else
576 printf(gettext("Enter DN of Kerberos container: "));
577 #endif
578 if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
579 /* Remove the newline character at the end */
580 krb_location_len = strlen(krb_location);
581 if ((krb_location[krb_location_len - 1] == '\n') ||
582 (krb_location[krb_location_len - 1] == '\r')) {
583 krb_location[krb_location_len - 1] = '\0';
584 krb_location_len--;
585 }
586 /* If the user has not given any input, take the default location */
587 else if (krb_location[0] == '\0')
588 kparams.DN = NULL;
589 else
590 kparams.DN = krb_location;
591 } else
592 kparams.DN = NULL;
593 }
594
595 /* create the kerberos container */
596 retval = krb5_ldap_create_krbcontainer(util_context,
597 ((kparams.DN != NULL) ? &kparams : NULL));
598 if (retval)
599 goto cleanup;
600
601 retval = krb5_ldap_read_krbcontainer_params(util_context,
602 &(ldap_context->krbcontainer));
603 if (retval) {
604 /* Solaris Kerberos */
605 com_err(progname, retval, gettext("while reading kerberos container information"));
606 goto cleanup;
607 }
608 } else if (retval) {
609 /* Solaris Kerberos */
610 com_err(progname, retval, gettext("while reading kerberos container information"));
611 goto cleanup;
612 }
613
614 if ((retval = krb5_ldap_create_realm(util_context,
615 /* global_params.realm, */ rparams, mask))) {
616 goto cleanup;
617 }
618
619 /* We just created the Realm container. Here starts our transaction tracking */
620 realm_obj_created = TRUE;
621
622 if ((retval = krb5_ldap_read_realm_params(util_context,
623 global_params.realm,
624 &(ldap_context->lrparams),
625 &mask))) {
626 /* Solaris Kerberos */
627 com_err(progname, retval, gettext("while reading information of realm '%s'"),
628 global_params.realm);
629 goto err_nomsg;
630 }
631 ldap_context->lrparams->realm_name = strdup(global_params.realm);
632 if (ldap_context->lrparams->realm_name == NULL) {
633 retval = ENOMEM;
634 goto cleanup;
635 }
636
637 /* assemble & parse the master key name */
638 if ((retval = krb5_db_setup_mkey_name(util_context,
639 global_params.mkey_name,
640 global_params.realm,
641 0, &master_princ))) {
642 /* Solaris Kerberos */
643 com_err(progname, retval, gettext("while setting up master key name"));
644 goto err_nomsg;
645 }
646
647 /* Obtain master key from master password */
648 {
649 krb5_data master_salt, pwd;
650
651 pwd.data = mkey_password;
652 pwd.length = strlen(mkey_password);
653 retval = krb5_principal2salt(util_context, master_princ, &master_salt);
654 if (retval) {
655 /* Solaris Kerberos */
656 com_err(progname, retval, gettext("while calculating master key salt"));
657 goto err_nomsg;
658 }
659
660 retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
661 &pwd, &master_salt, &master_keyblock);
662
663 free(master_salt.data);
664
665 if (retval) {
666 /* Solaris Kerberos */
667 com_err(progname, retval, gettext("while transforming master key from password"));
668 goto err_nomsg;
669 }
670
671 }
672
673 rblock.key = &master_keyblock;
674 ldap_context->lrparams->mkey = master_keyblock;
675 ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc
676 (master_keyblock.length);
677 if (ldap_context->lrparams->mkey.contents == NULL) {
678 retval = ENOMEM;
679 goto cleanup;
680 }
681 memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents,
682 master_keyblock.length);
683
684 /* Create special principals inside the realm subtree */
685 {
686 char princ_name[MAX_PRINC_SIZE];
687 krb5_principal_data tgt_princ = {
688 0, /* magic number */
689 {0, 0, 0}, /* krb5_data realm */
690 tgt_princ_entries, /* krb5_data *data */
691 2, /* int length */
692 KRB5_NT_SRV_INST /* int type */
693 };
694 krb5_principal p, temp_p=NULL;
695
696 krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
697 krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
698 krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
699 krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
700 /* The container reference value is set to NULL, to avoid service principals
701 * getting created within the container reference at realm creation */
702 if (ldap_context->lrparams->containerref != NULL) {
703 oldcontainerref = ldap_context->lrparams->containerref;
704 ldap_context->lrparams->containerref = NULL;
705 }
706
707 /* Create 'K/M' ... */
708 rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
709 if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
710 /* Solaris Kerberos */
711 com_err(progname, retval, gettext("while adding entries to the database"));
712 goto err_nomsg;
713 }
714
715 /* Create 'krbtgt' ... */
716 rblock.flags = 0; /* reset the flags */
717 if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
718 /* Solaris Kerberos */
719 com_err(progname, retval, gettext("while adding entries to the database"));
720 goto err_nomsg;
721 }
722 /*
723 * Solaris Kerberos:
724 * The kadmin/admin principal is unused on Solaris. This principal is used
725 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
726 * be used with host-based principals.
727 *
728 */
729 #if 0 /* ************ Begin IFDEF'ed OUT ***************************** */
730 /* Create 'kadmin/admin' ... */
731 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm);
732 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
733 /* Solaris Kerberos */
734 com_err(progname, retval, gettext("while adding entries to the database"));
735 goto err_nomsg;
736 }
737 rblock.max_life = ADMIN_LIFETIME;
738 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
739 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
740 krb5_free_principal(util_context, p);
741 /* Solaris Kerberos */
742 com_err(progname, retval, gettext("while adding entries to the database"));
743 goto err_nomsg;
744 }
745 krb5_free_principal(util_context, p);
746 #endif /* ************** END IFDEF'ed OUT ***************************** */
747
748 /* Create 'kadmin/changepw' ... */
749 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm);
750 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
751 /* Solaris Kerberos */
752 com_err(progname, retval, gettext("while adding entries to the database"));
753 goto err_nomsg;
754 }
755 rblock.max_life = CHANGEPW_LIFETIME;
756 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
757 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
758 krb5_free_principal(util_context, p);
759 /* Solaris Kerberos */
760 com_err(progname, retval, gettext("while adding entries to the database"));
761 goto err_nomsg;
762 }
763 krb5_free_principal(util_context, p);
764
765 /* Create 'kadmin/history' ... */
766 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm);
767 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
768 /* Solaris Kerberos */
769 com_err(progname, retval, gettext("while adding entries to the database"));
770 goto err_nomsg;
771 }
772 rblock.max_life = global_params.max_life;
773 rblock.flags = 0;
774 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
775 krb5_free_principal(util_context, p);
776 /* Solaris Kerberos */
777 com_err(progname, retval, gettext("while adding entries to the database"));
778 goto err_nomsg;
779 }
780 krb5_free_principal(util_context, p);
781
782 /* Create 'kadmin/<hostname>' ... */
783 if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_ADMIN_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
784 /* Solaris Kerberos */
785 com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
786 goto err_nomsg;
787 }
788
789 if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
790 /* Solaris Kerberos */
791 com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
792 goto err_nomsg;
793 }
794
795 /* change the realm portion to the default realm */
796 free(temp_p->realm.data);
797 temp_p->realm.length = strlen(util_context->default_realm);
798 temp_p->realm.data = strdup(util_context->default_realm);
799 if (temp_p->realm.data == NULL) {
800 /* Solaris Kerberos */
801 com_err(progname, ENOMEM, gettext("while adding entries to the database"));
802 goto err_nomsg;
803 }
804
805 rblock.max_life = ADMIN_LIFETIME;
806 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
807 if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
808 krb5_free_principal(util_context, p);
809 /* Solaris Kerberos */
810 com_err(progname, retval, gettext("while adding entries to the database"));
811 goto err_nomsg;
812 }
813 krb5_free_principal(util_context, temp_p);
814 krb5_free_principal(util_context, p);
815
816 /* Solaris Kerberos: Create 'changepw/<hostname>' ... */
817 if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_CHANGEPW_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
818 /* Solaris Kerberos */
819 com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
820 goto err_nomsg;
821 }
822
823 if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
824 /* Solaris Kerberos */
825 com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
826 goto err_nomsg;
827 }
828
829 /* change the realm portion to the default realm */
830 free(temp_p->realm.data);
831 temp_p->realm.length = strlen(util_context->default_realm);
832 temp_p->realm.data = strdup(util_context->default_realm);
833 if (temp_p->realm.data == NULL) {
834 /* Solaris Kerberos */
835 com_err(progname, ENOMEM, gettext("while adding entries to the database"));
836 goto err_nomsg;
837 }
838
839 rblock.max_life = ADMIN_LIFETIME;
840 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
841 if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
842 krb5_free_principal(util_context, p);
843 /* Solaris Kerberos */
844 com_err(progname, retval, gettext("while adding entries to the database"));
845 goto err_nomsg;
846 }
847 krb5_free_principal(util_context, temp_p);
848 krb5_free_principal(util_context, p);
849
850 if (oldcontainerref != NULL) {
851 ldap_context->lrparams->containerref = oldcontainerref;
852 oldcontainerref=NULL;
853 }
854 }
855
856 #ifdef HAVE_EDIRECTORY
857 if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
858 (mask & LDAP_REALM_PASSWDSERVERS)) {
859
860 printf(gettext("Changing rights for the service object. Please wait ... "));
861 fflush(stdout);
862
863 rightsmask =0;
864 rightsmask |= LDAP_REALM_RIGHTS;
865 rightsmask |= LDAP_SUBTREE_RIGHTS;
866 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
867 for (i=0; (rparams->kdcservers[i] != NULL); i++) {
868 if ((retval=krb5_ldap_add_service_rights(util_context,
869 LDAP_KDC_SERVICE, rparams->kdcservers[i],
870 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
871 printf(gettext("failed\n"));
872 /* Solaris Kerberos */
873 com_err(progname, retval, gettext("while assigning rights to '%s'"),
874 rparams->realm_name);
875 goto err_nomsg;
876 }
877 }
878 }
879
880 rightsmask = 0;
881 rightsmask |= LDAP_REALM_RIGHTS;
882 rightsmask |= LDAP_SUBTREE_RIGHTS;
883 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
884 for (i=0; (rparams->adminservers[i] != NULL); i++) {
885 if ((retval=krb5_ldap_add_service_rights(util_context,
886 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
887 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
888 printf(gettext("failed\n"));
889 /* Solaris Kerberos */
890 com_err(progname, retval, gettext("while assigning rights to '%s'"),
891 rparams->realm_name);
892 goto err_nomsg;
893 }
894 }
895 }
896
897 rightsmask = 0;
898 rightsmask |= LDAP_REALM_RIGHTS;
899 rightsmask |= LDAP_SUBTREE_RIGHTS;
900 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
901 for (i=0; (rparams->passwdservers[i] != NULL); i++) {
902 if ((retval=krb5_ldap_add_service_rights(util_context,
903 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
904 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
905 printf(gettext("failed\n"));
906 /* Solaris Kerberos */
907 com_err(progname, retval, gettext("while assigning rights to '%s'"),
908 rparams->realm_name);
909 goto err_nomsg;
910 }
911 }
912 }
913
914 printf(gettext("done\n"));
915 }
916 #endif
917 /* The Realm creation is completed. Here is the end of transaction */
918 create_complete = TRUE;
919
920 /* Stash the master key only if '-s' option is specified */
921 if (do_stash || global_params.mask & KADM5_CONFIG_STASH_FILE) {
922 retval = krb5_def_store_mkey(util_context,
923 global_params.stash_file,
924 master_princ,
925 &master_keyblock, NULL);
926 if (retval) {
927 /* Solaris Kerberos */
928 com_err(progname, errno, gettext("while storing key"));
929 printf(gettext("Warning: couldn't stash master key.\n"));
930 }
931 }
932
933 goto cleanup;
934
935
936 err_usage:
937 print_usage = TRUE;
938
939 err_nomsg:
940 no_msg = TRUE;
941
942 cleanup:
943 /* If the Realm creation is not complete, do the roll-back here */
944 if ((realm_obj_created) && (!create_complete))
945 krb5_ldap_delete_realm(util_context, global_params.realm);
946
947 if (rparams)
948 krb5_ldap_free_realm_params(rparams);
949
950 memset (pw_str, 0, sizeof (pw_str));
951
952 if (print_usage)
953 db_usage(CREATE_REALM);
954
955 if (retval) {
956 if (!no_msg) {
957 /* Solaris Kerberos */
958 com_err(progname, retval, gettext("while creating realm '%s'"),
959 global_params.realm);
960 }
961 exit_status++;
962 }
963
964 return;
965 }
966
967
968 /*
969 * This function will modify the attributes of a given realm object
970 */
971 void kdb5_ldap_modify(argc, argv)
972 int argc;
973 char *argv[];
974 {
975 krb5_error_code retval = 0;
976 krb5_ldap_realm_params *rparams = NULL;
977 krb5_boolean print_usage = FALSE;
978 krb5_boolean no_msg = FALSE;
979 kdb5_dal_handle *dal_handle = NULL;
980 krb5_ldap_context *ldap_context=NULL;
981 int i = 0;
982 int mask = 0, rmask = 0, ret_mask = 0;
983 char **slist = {NULL};
984 #ifdef HAVE_EDIRECTORY
985 int j = 0;
986 char *list[MAX_LIST_ENTRIES];
987 int existing_entries = 0, list_entries = 0;
988 int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
989 char **tempstr = NULL;
990 char **oldkdcdns = NULL;
991 char **oldadmindns = NULL;
992 char **oldpwddns = NULL;
993 char **newkdcdns = NULL;
994 char **newsubtrees = NULL;
995 char **newadmindns = NULL;
996 char **newpwddns = NULL;
997 char **oldsubtrees = {NULL};
998 int rightsmask = 0;
999 int subtree_changed = 0;
1000 #endif
1001
1002 dal_handle = (kdb5_dal_handle *) util_context->db_context;
1003 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1004 if (!(ldap_context)) {
1005 retval = EINVAL;
1006 goto cleanup;
1007 }
1008
1009 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1010 &(ldap_context->krbcontainer)))) {
1011 /* Solaris Kerberos */
1012 com_err(progname, retval, gettext("while reading Kerberos container information"));
1013 goto err_nomsg;
1014 }
1015
1016 retval = krb5_ldap_read_realm_params(util_context,
1017 global_params.realm, &rparams, &rmask);
1018 if (retval)
1019 goto cleanup;
1020 /* Parse the arguments */
1021 for (i = 1; i < argc; i++) {
1022 int k = 0;
1023 if (!strcmp(argv[i], "-subtrees")) {
1024 if (++i > argc-1)
1025 goto err_usage;
1026
1027 if (rmask & LDAP_REALM_SUBTREE) {
1028 if (rparams->subtree) {
1029 #ifdef HAVE_EDIRECTORY
1030 oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *));
1031 if (oldsubtrees == NULL) {
1032 retval = ENOMEM;
1033 goto cleanup;
1034 }
1035 for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
1036 oldsubtrees[k] = strdup(rparams->subtree[k]);
1037 if( oldsubtrees[k] == NULL ) {
1038 retval = ENOMEM;
1039 goto cleanup;
1040 }
1041 }
1042 #endif
1043 for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
1044 free(rparams->subtree[k]);
1045 rparams->subtreecount=0;
1046 }
1047 }
1048 if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) {
1049 slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
1050 if (slist == NULL) {
1051 retval = ENOMEM;
1052 goto cleanup;
1053 }
1054 if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
1055 free(slist);
1056 slist = NULL;
1057 goto cleanup;
1058 }
1059
1060 rparams->subtreecount=0;
1061 while(slist[rparams->subtreecount]!=NULL)
1062 (rparams->subtreecount)++;
1063 rparams->subtree = slist;
1064 } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1065 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
1066 /* Solaris Kerberos */
1067 com_err(progname, EINVAL,
1068 gettext("for subtree while modifying realm '%s'"),
1069 global_params.realm);
1070 goto err_nomsg;
1071 }
1072 rparams->subtree[rparams->subtreecount] = NULL;
1073 mask |= LDAP_REALM_SUBTREE;
1074 } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
1075 if (++i > argc-1)
1076 goto err_usage;
1077 if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1078 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
1079 /* Solaris Kerberos */
1080 com_err(progname, EINVAL,
1081 gettext("for container reference while modifying realm '%s'"),
1082 global_params.realm);
1083 goto err_nomsg;
1084 }
1085 rparams->containerref = strdup(argv[i]);
1086 if (rparams->containerref == NULL) {
1087 retval = ENOMEM;
1088 goto cleanup;
1089 }
1090 mask |= LDAP_REALM_CONTREF;
1091 } else if (!strcmp(argv[i], "-sscope")) {
1092 if (++i > argc-1)
1093 goto err_usage;
1094 /* Possible values for search scope are
1095 * one (or 1) and sub (or 2)
1096 */
1097 if (strcasecmp(argv[i], "one") == 0) {
1098 rparams->search_scope = 1;
1099 } else if (strcasecmp(argv[i], "sub") == 0) {
1100 rparams->search_scope = 2;
1101 } else {
1102 rparams->search_scope = atoi(argv[i]);
1103 if ((rparams->search_scope != 1) &&
1104 (rparams->search_scope != 2)) {
1105 retval = EINVAL;
1106 /* Solaris Kerberos */
1107 com_err(progname, retval,
1108 gettext("specified for search scope while modifying information of realm '%s'"),
1109 global_params.realm);
1110 goto err_nomsg;
1111 }
1112 }
1113 mask |= LDAP_REALM_SEARCHSCOPE;
1114 }
1115 #ifdef HAVE_EDIRECTORY
1116 else if (!strcmp(argv[i], "-kdcdn")) {
1117 if (++i > argc-1)
1118 goto err_usage;
1119
1120 if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1121 if (!oldkdcdns) {
1122 /* Store the old kdc dns list for removing rights */
1123 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1124 if (oldkdcdns == NULL) {
1125 retval = ENOMEM;
1126 goto cleanup;
1127 }
1128
1129 for (j=0; rparams->kdcservers[j] != NULL; j++) {
1130 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1131 if (oldkdcdns[j] == NULL) {
1132 retval = ENOMEM;
1133 goto cleanup;
1134 }
1135 }
1136 oldkdcdns[j] = NULL;
1137 }
1138
1139 krb5_free_list_entries(rparams->kdcservers);
1140 free(rparams->kdcservers);
1141 }
1142
1143 rparams->kdcservers = (char **)malloc(
1144 sizeof(char *) * MAX_LIST_ENTRIES);
1145 if (rparams->kdcservers == NULL) {
1146 retval = ENOMEM;
1147 goto cleanup;
1148 }
1149 memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1150 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1151 rparams->kdcservers))) {
1152 goto cleanup;
1153 }
1154 mask |= LDAP_REALM_KDCSERVERS;
1155 /* Going to replace the existing value by this new value. Hence
1156 * setting flag indicating that add or clear options will be ignored
1157 */
1158 newkdcdn = 1;
1159 } else if (!strcmp(argv[i], "-clearkdcdn")) {
1160 if (++i > argc-1)
1161 goto err_usage;
1162 if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1163 if (!oldkdcdns) {
1164 /* Store the old kdc dns list for removing rights */
1165 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1166 if (oldkdcdns == NULL) {
1167 retval = ENOMEM;
1168 goto cleanup;
1169 }
1170
1171 for (j=0; rparams->kdcservers[j] != NULL; j++) {
1172 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1173 if (oldkdcdns[j] == NULL) {
1174 retval = ENOMEM;
1175 goto cleanup;
1176 }
1177 }
1178 oldkdcdns[j] = NULL;
1179 }
1180
1181 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1182 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1183 goto cleanup;
1184 }
1185 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1186 LIST_MODE_DELETE);
1187 mask |= LDAP_REALM_KDCSERVERS;
1188 krb5_free_list_entries(list);
1189 }
1190 } else if (!strcmp(argv[i], "-addkdcdn")) {
1191 if (++i > argc-1)
1192 goto err_usage;
1193 if (!newkdcdn) {
1194 if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
1195 /* Store the old kdc dns list for removing rights */
1196 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1197 if (oldkdcdns == NULL) {
1198 retval = ENOMEM;
1199 goto cleanup;
1200 }
1201
1202 for (j = 0; rparams->kdcservers[j] != NULL; j++) {
1203 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1204 if (oldkdcdns[j] == NULL) {
1205 retval = ENOMEM;
1206 goto cleanup;
1207 }
1208 }
1209 oldkdcdns[j] = NULL;
1210 }
1211
1212 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1213 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1214 goto cleanup;
1215 }
1216 existing_entries = list_count_str_array(rparams->kdcservers);
1217 list_entries = list_count_str_array(list);
1218 if (rmask & LDAP_REALM_KDCSERVERS) {
1219 tempstr = reallocarray(rparams->kdcservers,
1220 existing_entries + list_entries + 1, sizeof (char *));
1221 if (tempstr == NULL) {
1222 retval = ENOMEM;
1223 goto cleanup;
1224 }
1225 rparams->kdcservers = tempstr;
1226 } else {
1227 rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1228 if (rparams->kdcservers == NULL) {
1229 retval = ENOMEM;
1230 goto cleanup;
1231 }
1232 memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
1233 }
1234 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1235 LIST_MODE_ADD);
1236 mask |= LDAP_REALM_KDCSERVERS;
1237 }
1238 } else if (!strcmp(argv[i], "-admindn")) {
1239 if (++i > argc-1)
1240 goto err_usage;
1241
1242 if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1243 if (!oldadmindns) {
1244 /* Store the old admin dns list for removing rights */
1245 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1246 if (oldadmindns == NULL) {
1247 retval = ENOMEM;
1248 goto cleanup;
1249 }
1250
1251 for (j=0; rparams->adminservers[j] != NULL; j++) {
1252 oldadmindns[j] = strdup(rparams->adminservers[j]);
1253 if (oldadmindns[j] == NULL) {
1254 retval = ENOMEM;
1255 goto cleanup;
1256 }
1257 }
1258 oldadmindns[j] = NULL;
1259 }
1260
1261 krb5_free_list_entries(rparams->adminservers);
1262 free(rparams->adminservers);
1263 }
1264
1265 rparams->adminservers = (char **)malloc(
1266 sizeof(char *) * MAX_LIST_ENTRIES);
1267 if (rparams->adminservers == NULL) {
1268 retval = ENOMEM;
1269 goto cleanup;
1270 }
1271 memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1272 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1273 rparams->adminservers))) {
1274 goto cleanup;
1275 }
1276 mask |= LDAP_REALM_ADMINSERVERS;
1277 /* Going to replace the existing value by this new value. Hence
1278 * setting flag indicating that add or clear options will be ignored
1279 */
1280 newadmindn = 1;
1281 } else if (!strcmp(argv[i], "-clearadmindn")) {
1282 if (++i > argc-1)
1283 goto err_usage;
1284
1285 if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1286 if (!oldadmindns) {
1287 /* Store the old admin dns list for removing rights */
1288 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1289 if (oldadmindns == NULL) {
1290 retval = ENOMEM;
1291 goto cleanup;
1292 }
1293
1294 for (j=0; rparams->adminservers[j] != NULL; j++) {
1295 oldadmindns[j] = strdup(rparams->adminservers[j]);
1296 if (oldadmindns[j] == NULL) {
1297 retval = ENOMEM;
1298 goto cleanup;
1299 }
1300 }
1301 oldadmindns[j] = NULL;
1302 }
1303
1304 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1305 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1306 goto cleanup;
1307 }
1308 list_modify_str_array(&rparams->adminservers, (const char **)list,
1309 LIST_MODE_DELETE);
1310 mask |= LDAP_REALM_ADMINSERVERS;
1311 krb5_free_list_entries(list);
1312 }
1313 } else if (!strcmp(argv[i], "-addadmindn")) {
1314 if (++i > argc-1)
1315 goto err_usage;
1316 if (!newadmindn) {
1317 if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
1318 /* Store the old admin dns list for removing rights */
1319 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1320 if (oldadmindns == NULL) {
1321 retval = ENOMEM;
1322 goto cleanup;
1323 }
1324
1325 for (j=0; rparams->adminservers[j] != NULL; j++) {
1326 oldadmindns[j] = strdup(rparams->adminservers[j]);
1327 if (oldadmindns[j] == NULL) {
1328 retval = ENOMEM;
1329 goto cleanup;
1330 }
1331 }
1332 oldadmindns[j] = NULL;
1333 }
1334
1335 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1336 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1337 goto cleanup;
1338 }
1339 existing_entries = list_count_str_array(rparams->adminservers);
1340 list_entries = list_count_str_array(list);
1341 if (rmask & LDAP_REALM_ADMINSERVERS) {
1342 tempstr = (char **)reallocarray(rparams->adminservers,
1343 (existing_entries + list_entries + 1),
1344 sizeof(char *));
1345 if (tempstr == NULL) {
1346 retval = ENOMEM;
1347 goto cleanup;
1348 }
1349 rparams->adminservers = tempstr;
1350 } else {
1351 rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1352 if (rparams->adminservers == NULL) {
1353 retval = ENOMEM;
1354 goto cleanup;
1355 }
1356 memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
1357 }
1358 list_modify_str_array(&rparams->adminservers, (const char **)list,
1359 LIST_MODE_ADD);
1360 mask |= LDAP_REALM_ADMINSERVERS;
1361 }
1362 } else if (!strcmp(argv[i], "-pwddn")) {
1363 if (++i > argc-1)
1364 goto err_usage;
1365
1366 if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1367 if (!oldpwddns) {
1368 /* Store the old pwd dns list for removing rights */
1369 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1370 if (oldpwddns == NULL) {
1371 retval = ENOMEM;
1372 goto cleanup;
1373 }
1374
1375 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1376 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1377 if (oldpwddns[j] == NULL) {
1378 retval = ENOMEM;
1379 goto cleanup;
1380 }
1381 }
1382 oldpwddns[j] = NULL;
1383 }
1384
1385 krb5_free_list_entries(rparams->passwdservers);
1386 free(rparams->passwdservers);
1387 }
1388
1389 rparams->passwdservers = (char **)malloc(
1390 sizeof(char *) * MAX_LIST_ENTRIES);
1391 if (rparams->passwdservers == NULL) {
1392 retval = ENOMEM;
1393 goto cleanup;
1394 }
1395 memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1396 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1397 rparams->passwdservers))) {
1398 goto cleanup;
1399 }
1400 mask |= LDAP_REALM_PASSWDSERVERS;
1401 /* Going to replace the existing value by this new value. Hence
1402 * setting flag indicating that add or clear options will be ignored
1403 */
1404 newpwddn = 1;
1405 } else if (!strcmp(argv[i], "-clearpwddn")) {
1406 if (++i > argc-1)
1407 goto err_usage;
1408
1409 if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1410 if (!oldpwddns) {
1411 /* Store the old pwd dns list for removing rights */
1412 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1413 if (oldpwddns == NULL) {
1414 retval = ENOMEM;
1415 goto cleanup;
1416 }
1417
1418 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1419 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1420 if (oldpwddns[j] == NULL) {
1421 retval = ENOMEM;
1422 goto cleanup;
1423 }
1424 }
1425 oldpwddns[j] = NULL;
1426 }
1427
1428 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1429 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1430 goto cleanup;
1431 }
1432 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1433 LIST_MODE_DELETE);
1434 mask |= LDAP_REALM_PASSWDSERVERS;
1435 krb5_free_list_entries(list);
1436 }
1437 } else if (!strcmp(argv[i], "-addpwddn")) {
1438 if (++i > argc-1)
1439 goto err_usage;
1440 if (!newpwddn) {
1441 if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
1442 /* Store the old pwd dns list for removing rights */
1443 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1444 if (oldpwddns == NULL) {
1445 retval = ENOMEM;
1446 goto cleanup;
1447 }
1448
1449 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1450 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1451 if (oldpwddns[j] == NULL) {
1452 retval = ENOMEM;
1453 goto cleanup;
1454 }
1455 }
1456 oldpwddns[j] = NULL;
1457 }
1458
1459 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1460 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1461 goto cleanup;
1462 }
1463 existing_entries = list_count_str_array(rparams->passwdservers);
1464 list_entries = list_count_str_array(list);
1465 if (rmask & LDAP_REALM_PASSWDSERVERS) {
1466 tempstr = (char **)reallocarray(rparams->passwdservers,
1467 (existing_entries + list_entries + 1),
1468 sizeof(char *));
1469 if (tempstr == NULL) {
1470 retval = ENOMEM;
1471 goto cleanup;
1472 }
1473 rparams->passwdservers = tempstr;
1474 } else {
1475 rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1476 if (rparams->passwdservers == NULL) {
1477 retval = ENOMEM;
1478 goto cleanup;
1479 }
1480 memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
1481 }
1482 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1483 LIST_MODE_ADD);
1484 mask |= LDAP_REALM_PASSWDSERVERS;
1485 }
1486 }
1487 #endif
1488 else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
1489 mask|=ret_mask;
1490 } else {
1491 printf(gettext("'%s' is an invalid option\n"), argv[i]);
1492 goto err_usage;
1493 }
1494 }
1495
1496 if ((retval = krb5_ldap_modify_realm(util_context,
1497 /* global_params.realm, */ rparams, mask))) {
1498 goto cleanup;
1499 }
1500
1501 #ifdef HAVE_EDIRECTORY
1502 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) ||
1503 (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1504
1505 printf(gettext("Changing rights for the service object. Please wait ... "));
1506 fflush(stdout);
1507
1508 if (!(mask & LDAP_REALM_SUBTREE)) {
1509 if (rparams->subtree != NULL) {
1510 for(i=0; rparams->subtree[i]!=NULL;i++) {
1511 oldsubtrees[i] = strdup(rparams->subtree[i]);
1512 if( oldsubtrees[i] == NULL ) {
1513 retval = ENOMEM;
1514 goto cleanup;
1515 }
1516 }
1517 }
1518 }
1519
1520 if ((mask & LDAP_REALM_SUBTREE)) {
1521 int check_subtree = 1;
1522
1523 newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*));
1524
1525 if (newsubtrees == NULL) {
1526 retval = ENOMEM;
1527 goto cleanup;
1528 }
1529
1530 if ( (rparams != NULL) && (rparams->subtree != NULL) ) {
1531 for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) {
1532 newsubtrees[j] = strdup(rparams->subtree[j]);
1533 if (newsubtrees[j] == NULL) {
1534 retval = ENOMEM;
1535 goto cleanup;
1536 }
1537 }
1538 newsubtrees[j] = NULL;
1539 }
1540 for(j=0;oldsubtrees[j]!=NULL;j++) {
1541 check_subtree = 1;
1542 for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) ||
1543 (!oldsubtrees[j] && rparams->subtree[i])); i++) {
1544 if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) {
1545 check_subtree = 0;
1546 continue;
1547 }
1548 }
1549 if (check_subtree != 0) {
1550 subtree_changed=1;
1551 break;
1552 }
1553 }
1554 /* this will return list of the disjoint members */
1555 disjoint_members( oldsubtrees, newsubtrees);
1556 }
1557
1558 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) {
1559
1560 newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1561 if (newkdcdns == NULL) {
1562 retval = ENOMEM;
1563 goto cleanup;
1564 }
1565
1566 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1567 for (j=0; rparams->kdcservers[j]!= NULL; j++) {
1568 newkdcdns[j] = strdup(rparams->kdcservers[j]);
1569 if (newkdcdns[j] == NULL) {
1570 retval = ENOMEM;
1571 goto cleanup;
1572 }
1573 }
1574 newkdcdns[j] = NULL;
1575 }
1576
1577 if (!subtree_changed) {
1578 disjoint_members(oldkdcdns, newkdcdns);
1579 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1580 if (!(mask & LDAP_REALM_KDCSERVERS)) {
1581
1582 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1583 if (oldkdcdns == NULL) {
1584 retval = ENOMEM;
1585 goto cleanup;
1586 }
1587
1588 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1589 for (j=0; rparams->kdcservers[j]!= NULL; j++) {
1590 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1591 if (oldkdcdns[j] == NULL) {
1592 retval = ENOMEM;
1593 goto cleanup;
1594 }
1595 }
1596 oldkdcdns[j] = NULL;
1597 }
1598 }
1599 }
1600
1601 rightsmask =0;
1602 rightsmask |= LDAP_REALM_RIGHTS;
1603 rightsmask |= LDAP_SUBTREE_RIGHTS;
1604 /* Remove the rights on the old subtrees */
1605 if (oldkdcdns) {
1606 for (i=0; (oldkdcdns[i] != NULL); i++) {
1607 if ((retval=krb5_ldap_delete_service_rights(util_context,
1608 LDAP_KDC_SERVICE, oldkdcdns[i],
1609 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1610 printf(gettext("failed\n"));
1611 /* Solaris Kerberos */
1612 com_err(progname, retval, gettext("while assigning rights '%s'"),
1613 rparams->realm_name);
1614 goto err_nomsg;
1615 }
1616 }
1617 }
1618
1619 rightsmask =0;
1620 rightsmask |= LDAP_REALM_RIGHTS;
1621 rightsmask |= LDAP_SUBTREE_RIGHTS;
1622 if (newkdcdns) {
1623 for (i=0; (newkdcdns[i] != NULL); i++) {
1624
1625 if ((retval=krb5_ldap_add_service_rights(util_context,
1626 LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name,
1627 rparams->subtree, rightsmask)) != 0) {
1628 printf(gettext("failed\n"));
1629 /* Solaris Kerberos */
1630 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1631 rparams->realm_name);
1632 goto err_nomsg;
1633 }
1634 }
1635 }
1636 }
1637
1638 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) {
1639
1640 newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1641 if (newadmindns == NULL) {
1642 retval = ENOMEM;
1643 goto cleanup;
1644 }
1645
1646 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1647 for (j=0; rparams->adminservers[j]!= NULL; j++) {
1648 newadmindns[j] = strdup(rparams->adminservers[j]);
1649 if (newadmindns[j] == NULL) {
1650 retval = ENOMEM;
1651 goto cleanup;
1652 }
1653 }
1654 newadmindns[j] = NULL;
1655 }
1656
1657 if (!subtree_changed) {
1658 disjoint_members(oldadmindns, newadmindns);
1659 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1660 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1661
1662 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1663 if (oldadmindns == NULL) {
1664 retval = ENOMEM;
1665 goto cleanup;
1666 }
1667
1668 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1669 for (j=0; rparams->adminservers[j]!= NULL; j++) {
1670 oldadmindns[j] = strdup(rparams->adminservers[j]);
1671 if (oldadmindns[j] == NULL) {
1672 retval = ENOMEM;
1673 goto cleanup;
1674 }
1675 }
1676 oldadmindns[j] = NULL;
1677 }
1678 }
1679 }
1680
1681 rightsmask = 0;
1682 rightsmask |= LDAP_REALM_RIGHTS;
1683 rightsmask |= LDAP_SUBTREE_RIGHTS;
1684 /* Remove the rights on the old subtrees */
1685 if (oldadmindns) {
1686 for (i=0; (oldadmindns[i] != NULL); i++) {
1687
1688 if ((retval=krb5_ldap_delete_service_rights(util_context,
1689 LDAP_ADMIN_SERVICE, oldadmindns[i],
1690 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1691 printf(gettext("failed\n"));
1692 /* Solaris Kerberos */
1693 com_err(progname, retval, gettext("while assigning rights '%s'"),
1694 rparams->realm_name);
1695 goto err_nomsg;
1696 }
1697 }
1698 }
1699
1700 rightsmask = 0;
1701 rightsmask |= LDAP_REALM_RIGHTS;
1702 rightsmask |= LDAP_SUBTREE_RIGHTS;
1703 /* Add rights on the new subtree for all the kdc dns */
1704 if (newadmindns) {
1705 for (i=0; (newadmindns[i] != NULL); i++) {
1706
1707 if ((retval=krb5_ldap_add_service_rights(util_context,
1708 LDAP_ADMIN_SERVICE, newadmindns[i],
1709 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
1710 printf(gettext("failed\n"));
1711 /* Solaris Kerberos */
1712 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1713 rparams->realm_name);
1714 goto err_nomsg;
1715 }
1716 }
1717 }
1718 }
1719
1720
1721 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1722
1723 newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1724 if (newpwddns == NULL) {
1725 retval = ENOMEM;
1726 goto cleanup;
1727 }
1728
1729 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1730 for (j=0; rparams->passwdservers[j]!= NULL; j++) {
1731 newpwddns[j] = strdup(rparams->passwdservers[j]);
1732 if (newpwddns[j] == NULL) {
1733 retval = ENOMEM;
1734 goto cleanup;
1735 }
1736 }
1737 newpwddns[j] = NULL;
1738 }
1739
1740 if (!subtree_changed) {
1741 disjoint_members(oldpwddns, newpwddns);
1742 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1743 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1744
1745 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1746 if (oldpwddns == NULL) {
1747 retval = ENOMEM;
1748 goto cleanup;
1749 }
1750
1751 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1752 for (j=0; rparams->passwdservers[j]!= NULL; j++) {
1753 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1754 if (oldpwddns[j] == NULL) {
1755 retval = ENOMEM;
1756 goto cleanup;
1757 }
1758 }
1759 oldpwddns[j] = NULL;
1760 }
1761 }
1762 }
1763
1764 rightsmask =0;
1765 rightsmask |= LDAP_REALM_RIGHTS;
1766 rightsmask |= LDAP_SUBTREE_RIGHTS;
1767 /* Remove the rights on the old subtrees */
1768 if (oldpwddns) {
1769 for (i=0; (oldpwddns[i] != NULL); i++) {
1770 if ((retval = krb5_ldap_delete_service_rights(util_context,
1771 LDAP_PASSWD_SERVICE, oldpwddns[i],
1772 rparams->realm_name, oldsubtrees, rightsmask))) {
1773 printf(gettext("failed\n"));
1774 /* Solaris Kerberos */
1775 com_err(progname, retval, gettext("while assigning rights '%s'"),
1776 rparams->realm_name);
1777 goto err_nomsg;
1778 }
1779 }
1780 }
1781
1782 rightsmask =0;
1783 rightsmask |= LDAP_REALM_RIGHTS;
1784 rightsmask |= LDAP_SUBTREE_RIGHTS;
1785 /* Add rights on the new subtree for all the kdc dns */
1786 if (newpwddns) {
1787 for (i=0; (newpwddns[i] != NULL); i++) {
1788 if ((retval = krb5_ldap_add_service_rights(util_context,
1789 LDAP_PASSWD_SERVICE, newpwddns[i],
1790 rparams->realm_name, rparams->subtree, rightsmask))) {
1791 printf(gettext("failed\n"));
1792 /* Solaris Kerberos */
1793 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1794 rparams->realm_name);
1795 goto err_nomsg;
1796 }
1797 }
1798 }
1799 }
1800
1801 printf(gettext("done\n"));
1802 }
1803 #endif
1804
1805 goto cleanup;
1806
1807 err_usage:
1808 print_usage = TRUE;
1809
1810 err_nomsg:
1811 no_msg = TRUE;
1812
1813 cleanup:
1814 krb5_ldap_free_realm_params(rparams);
1815
1816
1817 #ifdef HAVE_EDIRECTORY
1818 if (oldkdcdns) {
1819 for (i=0; oldkdcdns[i] != NULL; i++)
1820 free(oldkdcdns[i]);
1821 free(oldkdcdns);
1822 }
1823 if (oldpwddns) {
1824 for (i=0; oldpwddns[i] != NULL; i++)
1825 free(oldpwddns[i]);
1826 free(oldpwddns);
1827 }
1828 if (oldadmindns) {
1829 for (i=0; oldadmindns[i] != NULL; i++)
1830 free(oldadmindns[i]);
1831 free(oldadmindns);
1832 }
1833 if (newkdcdns) {
1834 for (i=0; newkdcdns[i] != NULL; i++)
1835 free(newkdcdns[i]);
1836 free(newkdcdns);
1837 }
1838 if (newpwddns) {
1839 for (i=0; newpwddns[i] != NULL; i++)
1840 free(newpwddns[i]);
1841 free(newpwddns);
1842 }
1843 if (newadmindns) {
1844 for (i=0; newadmindns[i] != NULL; i++)
1845 free(newadmindns[i]);
1846 free(newadmindns);
1847 }
1848 if (oldsubtrees) {
1849 for (i=0;oldsubtrees[i]!=NULL; i++)
1850 free(oldsubtrees[i]);
1851 free(oldsubtrees);
1852 }
1853 if (newsubtrees) {
1854 for (i=0;newsubtrees[i]!=NULL; i++)
1855 free(newsubtrees[i]);
1856 free(oldsubtrees);
1857 }
1858 #endif
1859 if (print_usage) {
1860 db_usage(MODIFY_REALM);
1861 }
1862
1863 if (retval) {
1864 if (!no_msg) {
1865 /* Solaris Kerberos */
1866 com_err(progname, retval, gettext("while modifying information of realm '%s'"),
1867 global_params.realm);
1868 }
1869 exit_status++;
1870 }
1871
1872 return;
1873 }
1874
1875
1876
1877 /*
1878 * This function displays the attributes of a Realm
1879 */
1880 void kdb5_ldap_view(argc, argv)
1881 int argc;
1882 char *argv[];
1883 {
1884 krb5_ldap_realm_params *rparams = NULL;
1885 krb5_error_code retval = 0;
1886 kdb5_dal_handle *dal_handle=NULL;
1887 krb5_ldap_context *ldap_context=NULL;
1888 int mask = 0;
1889
1890 dal_handle = (kdb5_dal_handle *) util_context->db_context;
1891 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1892 if (!(ldap_context)) {
1893 retval = EINVAL;
1894 /* Solaris Kerberos */
1895 com_err(progname, retval, gettext("while initializing database"));
1896 exit_status++;
1897 return;
1898 }
1899
1900 /* Read the kerberos container information */
1901 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1902 &(ldap_context->krbcontainer))) != 0) {
1903 /* Solaris Kerberos */
1904 com_err(progname, retval, gettext("while reading kerberos container information"));
1905 exit_status++;
1906 return;
1907 }
1908
1909 if ((retval = krb5_ldap_read_realm_params(util_context,
1910 global_params.realm, &rparams, &mask)) || (!rparams)) {
1911 /* Solaris Kerberos */
1912 com_err(progname, retval, gettext("while reading information of realm '%s'"),
1913 global_params.realm);
1914 exit_status++;
1915 return;
1916 }
1917 print_realm_params(rparams, mask);
1918 krb5_ldap_free_realm_params(rparams);
1919
1920 return;
1921 }
1922
1923 static char *strdur(duration)
1924 time_t duration;
1925 {
1926 static char out[50];
1927 int neg, days, hours, minutes, seconds;
1928
1929 if (duration < 0) {
1930 duration *= -1;
1931 neg = 1;
1932 } else
1933 neg = 0;
1934 days = duration / (24 * 3600);
1935 duration %= 24 * 3600;
1936 hours = duration / 3600;
1937 duration %= 3600;
1938 minutes = duration / 60;
1939 duration %= 60;
1940 seconds = duration;
1941 snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
1942 days, days == 1 ? gettext("day") : gettext("days"),
1943 hours, minutes, seconds);
1944 return out;
1945 }
1946
1947 /*
1948 * This function prints the attributes of a given realm to the
1949 * standard output.
1950 */
1951 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
1952 {
1953 char **slist = NULL;
1954 int num_entry_printed = 0, i = 0;
1955
1956 /* Print the Realm Attributes on the standard output */
1957 printf("%25s: %-50s\n", gettext("Realm Name"), global_params.realm);
1958 if (mask & LDAP_REALM_SUBTREE) {
1959 for (i=0; rparams->subtree[i]!=NULL; i++)
1960 printf("%25s: %-50s\n", gettext("Subtree"), rparams->subtree[i]);
1961 }
1962 if (mask & LDAP_REALM_CONTREF)
1963 printf("%25s: %-50s\n", gettext("Principal Container Reference"), rparams->containerref);
1964 if (mask & LDAP_REALM_SEARCHSCOPE) {
1965 if ((rparams->search_scope != 1) &&
1966 (rparams->search_scope != 2)) {
1967 printf("%25s: %-50s\n", gettext("SearchScope"), gettext("Invalid !"));
1968 } else {
1969 printf("%25s: %-50s\n", gettext("SearchScope"),
1970 (rparams->search_scope == 1) ? gettext("ONE") : gettext("SUB"));
1971 }
1972 }
1973 if (mask & LDAP_REALM_KDCSERVERS) {
1974 printf("%25s:", gettext("KDC Services"));
1975 if (rparams->kdcservers != NULL) {
1976 num_entry_printed = 0;
1977 for (slist = rparams->kdcservers; *slist != NULL; slist++) {
1978 if (num_entry_printed)
1979 printf(" %25s %-50s\n", " ", *slist);
1980 else
1981 printf(" %-50s\n", *slist);
1982 num_entry_printed++;
1983 }
1984 }
1985 if (num_entry_printed == 0)
1986 printf("\n");
1987 }
1988 if (mask & LDAP_REALM_ADMINSERVERS) {
1989 printf("%25s:", gettext("Admin Services"));
1990 if (rparams->adminservers != NULL) {
1991 num_entry_printed = 0;
1992 for (slist = rparams->adminservers; *slist != NULL; slist++) {
1993 if (num_entry_printed)
1994 printf(" %25s %-50s\n", " ", *slist);
1995 else
1996 printf(" %-50s\n", *slist);
1997 num_entry_printed++;
1998 }
1999 }
2000 if (num_entry_printed == 0)
2001 printf("\n");
2002 }
2003 if (mask & LDAP_REALM_PASSWDSERVERS) {
2004 printf("%25s:", gettext("Passwd Services"));
2005 if (rparams->passwdservers != NULL) {
2006 num_entry_printed = 0;
2007 for (slist = rparams->passwdservers; *slist != NULL; slist++) {
2008 if (num_entry_printed)
2009 printf(" %25s %-50s\n", " ", *slist);
2010 else
2011 printf(" %-50s\n", *slist);
2012 num_entry_printed++;
2013 }
2014 }
2015 if (num_entry_printed == 0)
2016 printf("\n");
2017 }
2018 if (mask & LDAP_REALM_MAXTICKETLIFE) {
2019 printf("%25s:", gettext("Maximum Ticket Life"));
2020 printf(" %s \n", strdur(rparams->max_life));
2021 }
2022
2023 if (mask & LDAP_REALM_MAXRENEWLIFE) {
2024 printf("%25s:", gettext("Maximum Renewable Life"));
2025 printf(" %s \n", strdur(rparams->max_renewable_life));
2026 }
2027
2028 if (mask & LDAP_REALM_KRBTICKETFLAGS) {
2029 int ticketflags = rparams->tktflags;
2030
2031 printf("%25s: ", gettext("Ticket flags"));
2032 if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
2033 printf("%s ","DISALLOW_POSTDATED");
2034
2035 if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
2036 printf("%s ","DISALLOW_FORWARDABLE");
2037
2038 if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
2039 printf("%s ","DISALLOW_RENEWABLE");
2040
2041 if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
2042 printf("%s ","DISALLOW_PROXIABLE");
2043
2044 if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
2045 printf("%s ","DISALLOW_DUP_SKEY");
2046
2047 if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
2048 printf("%s ","REQUIRES_PRE_AUTH");
2049
2050 if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
2051 printf("%s ","REQUIRES_HW_AUTH");
2052
2053 if (ticketflags & KRB5_KDB_DISALLOW_SVR)
2054 printf("%s ","DISALLOW_SVR");
2055
2056 if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
2057 printf("%s ","DISALLOW_TGT_BASED");
2058
2059 if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
2060 printf("%s ","DISALLOW_ALL_TIX");
2061
2062 if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
2063 printf("%s ","REQUIRES_PWCHANGE");
2064
2065 if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
2066 printf("%s ","PWCHANGE_SERVICE");
2067
2068 printf("\n");
2069 }
2070
2071
2072 return;
2073 }
2074
2075
2076
2077 /*
2078 * This function lists the Realm(s) present under the Kerberos container
2079 * on the LDAP Server.
2080 */
2081 void kdb5_ldap_list(argc, argv)
2082 int argc;
2083 char *argv[];
2084 {
2085 char **list = NULL;
2086 char **plist = NULL;
2087 krb5_error_code retval = 0;
2088 kdb5_dal_handle *dal_handle=NULL;
2089 krb5_ldap_context *ldap_context=NULL;
2090
2091 dal_handle = (kdb5_dal_handle *)util_context->db_context;
2092 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2093 if (!(ldap_context)) {
2094 retval = EINVAL;
2095 exit_status++;
2096 return;
2097 }
2098
2099 /* Read the kerberos container information */
2100 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2101 &(ldap_context->krbcontainer))) != 0) {
2102 /* Solaris Kerberos */
2103 com_err(progname, retval, gettext("while reading kerberos container information"));
2104 exit_status++;
2105 return;
2106 }
2107
2108 retval = krb5_ldap_list_realm(util_context, &list);
2109 if (retval != 0) {
2110 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2111 ldap_context->krbcontainer = NULL;
2112 /* Solaris Kerberos */
2113 com_err (progname, retval, gettext("while listing realms"));
2114 exit_status++;
2115 return;
2116 }
2117 /* This is to handle the case of realm not present */
2118 if (list == NULL) {
2119 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2120 ldap_context->krbcontainer = NULL;
2121 return;
2122 }
2123
2124 for (plist = list; *plist != NULL; plist++) {
2125 printf("%s\n", *plist);
2126 }
2127 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2128 ldap_context->krbcontainer = NULL;
2129 krb5_free_list_entries(list);
2130 free(list);
2131
2132 return;
2133 }
2134
2135 /*
2136 * Duplicating the following two functions here because
2137 * 'krb5_dbe_update_tl_data' uses backend specific memory allocation. The catch
2138 * here is that the backend is not initialized - kdb5_ldap_util doesn't go
2139 * through DAL.
2140 * 1. krb5_dbe_update_tl_data
2141 * 2. krb5_dbe_update_mod_princ_data
2142 */
2143
2144 /* Start duplicate code ... */
2145
2146 static krb5_error_code
2147 krb5_dbe_update_tl_data_new(context, entry, new_tl_data)
2148 krb5_context context;
2149 krb5_db_entry *entry;
2150 krb5_tl_data *new_tl_data;
2151 {
2152 krb5_tl_data *tl_data = NULL;
2153 krb5_octet *tmp;
2154
2155 /* copy the new data first, so we can fail cleanly if malloc()
2156 * fails */
2157 /*
2158 if ((tmp =
2159 (krb5_octet *) krb5_db_alloc(context, NULL,
2160 new_tl_data->tl_data_length)) == NULL)
2161 */
2162 if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL)
2163 return (ENOMEM);
2164
2165 /* Find an existing entry of the specified type and point at
2166 * it, or NULL if not found */
2167
2168 if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */
2169 for (tl_data = entry->tl_data; tl_data;
2170 tl_data = tl_data->tl_data_next)
2171 if (tl_data->tl_data_type == new_tl_data->tl_data_type)
2172 break;
2173 }
2174
2175 /* if necessary, chain a new record in the beginning and point at it */
2176
2177 if (!tl_data) {
2178 /*
2179 if ((tl_data =
2180 (krb5_tl_data *) krb5_db_alloc(context, NULL,
2181 sizeof(krb5_tl_data)))
2182 == NULL) {
2183 */
2184 if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) {
2185 free(tmp);
2186 return (ENOMEM);
2187 }
2188 memset(tl_data, 0, sizeof(krb5_tl_data));
2189 tl_data->tl_data_next = entry->tl_data;
2190 entry->tl_data = tl_data;
2191 entry->n_tl_data++;
2192 }
2193
2194 /* fill in the record */
2195
2196 if (tl_data->tl_data_contents)
2197 krb5_db_free(context, tl_data->tl_data_contents);
2198
2199 tl_data->tl_data_type = new_tl_data->tl_data_type;
2200 tl_data->tl_data_length = new_tl_data->tl_data_length;
2201 tl_data->tl_data_contents = tmp;
2202 memcpy(tmp, new_tl_data->tl_data_contents, tl_data->tl_data_length);
2203
2204 return (0);
2205 }
2206
2207 static krb5_error_code
2208 krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ)
2209 krb5_context context;
2210 krb5_db_entry * entry;
2211 krb5_timestamp mod_date;
2212 krb5_const_principal mod_princ;
2213 {
2214 krb5_tl_data tl_data;
2215
2216 krb5_error_code retval = 0;
2217 krb5_octet * nextloc = 0;
2218 char * unparse_mod_princ = 0;
2219 unsigned int unparse_mod_princ_size;
2220
2221 if ((retval = krb5_unparse_name(context, mod_princ,
2222 &unparse_mod_princ)))
2223 return(retval);
2224
2225 unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
2226
2227 if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
2228 == NULL) {
2229 free(unparse_mod_princ);
2230 return(ENOMEM);
2231 }
2232
2233 tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
2234 tl_data.tl_data_length = unparse_mod_princ_size + 4;
2235 tl_data.tl_data_contents = nextloc;
2236
2237 /* Mod Date */
2238 krb5_kdb_encode_int32(mod_date, nextloc);
2239
2240 /* Mod Princ */
2241 memcpy(nextloc+4, unparse_mod_princ, unparse_mod_princ_size);
2242
2243 retval = krb5_dbe_update_tl_data_new(context, entry, &tl_data);
2244
2245 free(unparse_mod_princ);
2246 free(nextloc);
2247
2248 return(retval);
2249 }
2250
2251 static krb5_error_code
2252 kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
2253 krb5_key_salt_tuple *ksent;
2254 krb5_pointer ptr;
2255 {
2256 krb5_context context;
2257 krb5_error_code kret;
2258 struct iterate_args *iargs;
2259 krb5_keyblock key;
2260 krb5_int32 ind;
2261 krb5_data pwd;
2262 krb5_db_entry *entry;
2263
2264 iargs = (struct iterate_args *) ptr;
2265 kret = 0;
2266
2267 context = iargs->ctx;
2268 entry = iargs->dbentp;
2269
2270 /*
2271 * Convert the master key password into a key for this particular
2272 * encryption system.
2273 */
2274 pwd.data = mkey_password;
2275 pwd.length = strlen(mkey_password);
2276 kret = krb5_c_random_seed(context, &pwd);
2277 if (kret)
2278 return kret;
2279
2280 /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
2281 if ((entry->key_data =
2282 (krb5_key_data *) realloc(entry->key_data,
2283 (sizeof(krb5_key_data) *
2284 (entry->n_key_data + 1)))) == NULL)
2285 return (ENOMEM);
2286
2287 memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
2288 ind = entry->n_key_data++;
2289
2290 if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype,
2291 &key))) {
2292 kret = krb5_dbekd_encrypt_key_data(context,
2293 iargs->rblock->key,
2294 &key,
2295 NULL,
2296 1,
2297 &entry->key_data[ind]);
2298 krb5_free_keyblock_contents(context, &key);
2299 }
2300 /*}*/
2301
2302 return(kret);
2303 }
2304 /* End duplicate code */
2305
2306 /*
2307 * This function creates service principals when
2308 * creating the realm object.
2309 */
2310 static int
2311 kdb_ldap_create_principal (context, princ, op, pblock)
2312 krb5_context context;
2313 krb5_principal princ;
2314 enum ap_op op;
2315 struct realm_info *pblock;
2316 {
2317 int retval=0, currlen=0, princtype = 2 /* Service Principal */;
2318 unsigned char *curr=NULL;
2319 krb5_tl_data *tl_data=NULL;
2320 krb5_db_entry entry;
2321 int nentry=1;
2322 long mask = 0;
2323 krb5_keyblock key;
2324 int kvno = 0;
2325 kdb5_dal_handle *dal_handle = NULL;
2326 krb5_ldap_context *ldap_context=NULL;
2327 struct iterate_args iargs;
2328 krb5_data *pdata;
2329
2330 if ((pblock == NULL) || (context == NULL)) {
2331 retval = EINVAL;
2332 goto cleanup;
2333 }
2334 dal_handle = (kdb5_dal_handle *) context->db_context;
2335 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2336 if (!(ldap_context)) {
2337 retval = EINVAL;
2338 goto cleanup;
2339 }
2340
2341 memset(&entry, 0, sizeof(entry));
2342
2343 tl_data = malloc(sizeof(*tl_data));
2344 if (tl_data == NULL) {
2345 retval = ENOMEM;
2346 goto cleanup;
2347 }
2348 memset(tl_data, 0, sizeof(*tl_data));
2349 tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4;
2350 tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */
2351 curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length);
2352 if (tl_data->tl_data_contents == NULL) {
2353 retval = ENOMEM;
2354 goto cleanup;
2355 }
2356
2357 memset(curr, 1, 1); /* Passing the mask as principal type */
2358 curr += 1;
2359 currlen = 2;
2360 STORE16_INT(curr, currlen);
2361 curr += currlen;
2362 STORE16_INT(curr, princtype);
2363 curr += currlen;
2364
2365 mask |= KADM5_PRINCIPAL;
2366 mask |= KADM5_ATTRIBUTES ;
2367 mask |= KADM5_MAX_LIFE ;
2368 mask |= KADM5_MAX_RLIFE ;
2369 mask |= KADM5_PRINC_EXPIRE_TIME ;
2370 mask |= KADM5_KEY_DATA;
2371
2372 entry.tl_data = tl_data;
2373 entry.n_tl_data += 1;
2374 /* Set the creator's name */
2375 {
2376 krb5_timestamp now;
2377 if ((retval = krb5_timeofday(context, &now)))
2378 goto cleanup;
2379 if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
2380 now, &db_create_princ)))
2381 goto cleanup;
2382 }
2383 entry.attributes = pblock->flags;
2384 entry.max_life = pblock->max_life;
2385 entry.max_renewable_life = pblock->max_rlife;
2386 entry.expiration = pblock->expiration;
2387 entry.mask = mask;
2388 if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
2389 goto cleanup;
2390
2391
2392 switch (op) {
2393 case TGT_KEY:
2394 if ((pdata = krb5_princ_component(context, princ, 1)) &&
2395 pdata->length == strlen("history") &&
2396 !memcmp(pdata->data, "history", strlen("history"))) {
2397
2398 /* Allocate memory for storing the key */
2399 if ((entry.key_data = (krb5_key_data *) malloc(
2400 sizeof(krb5_key_data))) == NULL) {
2401 retval = ENOMEM;
2402 goto cleanup;
2403 }
2404
2405 memset(entry.key_data, 0, sizeof(krb5_key_data));
2406 entry.n_key_data++;
2407
2408 retval = krb5_c_make_random_key(context, global_params.enctype, &key);
2409 if (retval) {
2410 goto cleanup;
2411 }
2412 kvno = 1; /* New key is getting set */
2413 retval = krb5_dbekd_encrypt_key_data(context,
2414 &ldap_context->lrparams->mkey,
2415 &key, NULL, kvno,
2416 &entry.key_data[entry.n_key_data - 1]);
2417 krb5_free_keyblock_contents(context, &key);
2418 if (retval) {
2419 goto cleanup;
2420 }
2421 } else {
2422 /*retval = krb5_c_make_random_key(context, 16, &key) ;*/
2423 iargs.ctx = context;
2424 iargs.rblock = pblock;
2425 iargs.dbentp = &entry;
2426
2427 /*
2428 * create a set of random keys by iterating through the key/salt
2429 * list, ignoring salt types.
2430 */
2431 if ((retval = krb5_keysalt_iterate(pblock->kslist,
2432 pblock->nkslist,
2433 1,
2434 kdb_ldap_tgt_keysalt_iterate,
2435 (krb5_pointer) &iargs)))
2436 return retval;
2437 }
2438 break;
2439
2440 case MASTER_KEY:
2441 /* Allocate memory for storing the key */
2442 if ((entry.key_data = (krb5_key_data *) malloc(
2443 sizeof(krb5_key_data))) == NULL) {
2444 retval = ENOMEM;
2445 goto cleanup;
2446 }
2447
2448 memset(entry.key_data, 0, sizeof(krb5_key_data));
2449 entry.n_key_data++;
2450 kvno = 1; /* New key is getting set */
2451 retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
2452 &ldap_context->lrparams->mkey,
2453 NULL, kvno,
2454 &entry.key_data[entry.n_key_data - 1]);
2455 if (retval) {
2456 goto cleanup;
2457 }
2458 break;
2459
2460 case NULL_KEY:
2461 default:
2462 break;
2463 } /* end of switch */
2464
2465 retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
2466 if (retval) {
2467 com_err(NULL, retval, gettext("while adding entries to database"));
2468 goto cleanup;
2469 }
2470
2471 cleanup:
2472 krb5_dbe_free_contents(context, &entry);
2473 return retval;
2474 }
2475
2476
2477 /*
2478 * This function destroys the realm object and the associated principals
2479 */
2480 void
2481 kdb5_ldap_destroy(argc, argv)
2482 int argc;
2483 char *argv[];
2484 {
2485 extern char *optarg;
2486 extern int optind;
2487 int optchar = 0;
2488 char buf[5] = {0};
2489 krb5_error_code retval = 0;
2490 int force = 0;
2491 int mask = 0;
2492 kdb5_dal_handle *dal_handle = NULL;
2493 krb5_ldap_context *ldap_context = NULL;
2494 #ifdef HAVE_EDIRECTORY
2495 int i = 0, rightsmask = 0;
2496 krb5_ldap_realm_params *rparams = NULL;
2497 #endif
2498 /* Solaris Kerberos: to remove stash file */
2499 char *stash_file = NULL;
2500 struct stat stb;
2501
2502 optind = 1;
2503 while ((optchar = getopt(argc, argv, "f")) != -1) {
2504 switch (optchar) {
2505 case 'f':
2506 force++;
2507 break;
2508 case '?':
2509 default:
2510 db_usage(DESTROY_REALM);
2511 return;
2512 /*NOTREACHED*/
2513 }
2514 }
2515
2516 if (!force) {
2517 printf(gettext("Deleting KDC database of '%s', are you sure?\n"), global_params.realm);
2518 printf(gettext("(type 'yes' to confirm)? "));
2519 if (fgets(buf, sizeof(buf), stdin) == NULL) {
2520 exit_status++;
2521 return;
2522 }
2523 if (strcmp(buf, yes)) {
2524 exit_status++;
2525 return;
2526 }
2527 printf(gettext("OK, deleting database of '%s'...\n"), global_params.realm);
2528 }
2529
2530 dal_handle = (kdb5_dal_handle *)util_context->db_context;
2531 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2532 if (!(ldap_context)) {
2533 /* Solaris Kerberos */
2534 com_err(progname, EINVAL, gettext("while initializing database"));
2535 exit_status++;
2536 return;
2537 }
2538
2539 /* Read the kerberos container from the LDAP Server */
2540 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2541 &(ldap_context->krbcontainer))) != 0) {
2542 /* Solaris Kerberos */
2543 com_err(progname, retval, gettext("while reading kerberos container information"));
2544 exit_status++;
2545 return;
2546 }
2547
2548 /* Read the Realm information from the LDAP Server */
2549 if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
2550 &(ldap_context->lrparams), &mask)) != 0) {
2551 /* Solaris Kerberos */
2552 com_err(progname, retval, gettext("while reading realm information"));
2553 exit_status++;
2554 return;
2555 }
2556
2557 #ifdef HAVE_EDIRECTORY
2558 if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
2559 (mask & LDAP_REALM_PASSWDSERVERS)) {
2560
2561 printf(gettext("Changing rights for the service object. Please wait ... "));
2562 fflush(stdout);
2563
2564 rparams = ldap_context->lrparams;
2565 rightsmask = 0;
2566 rightsmask |= LDAP_REALM_RIGHTS;
2567 rightsmask |= LDAP_SUBTREE_RIGHTS;
2568 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
2569 for (i=0; (rparams->kdcservers[i] != NULL); i++) {
2570 if ((retval = krb5_ldap_delete_service_rights(util_context,
2571 LDAP_KDC_SERVICE, rparams->kdcservers[i],
2572 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2573 printf(gettext("failed\n"));
2574 /* Solaris Kerberos */
2575 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2576 rparams->realm_name);
2577 return;
2578 }
2579 }
2580 }
2581 rightsmask = 0;
2582 rightsmask |= LDAP_REALM_RIGHTS;
2583 rightsmask |= LDAP_SUBTREE_RIGHTS;
2584 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
2585 for (i=0; (rparams->adminservers[i] != NULL); i++) {
2586 if ((retval = krb5_ldap_delete_service_rights(util_context,
2587 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
2588 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2589 printf(gettext("failed\n"));
2590 /* Solaris Kerberos */
2591 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2592 rparams->realm_name);
2593 return;
2594 }
2595 }
2596 }
2597 rightsmask = 0;
2598 rightsmask |= LDAP_REALM_RIGHTS;
2599 rightsmask |= LDAP_SUBTREE_RIGHTS;
2600 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
2601 for (i=0; (rparams->passwdservers[i] != NULL); i++) {
2602 if ((retval = krb5_ldap_delete_service_rights(util_context,
2603 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
2604 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2605 printf(gettext("failed\n"));
2606 /* Solaris Kerberos */
2607 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2608 rparams->realm_name);
2609 return;
2610 }
2611 }
2612 }
2613 printf(gettext("done\n"));
2614 }
2615 #endif
2616 /* Delete the realm container and all the associated principals */
2617 retval = krb5_ldap_delete_realm(util_context, global_params.realm);
2618 if (retval) {
2619 /* Solaris Kerberos */
2620 com_err(progname, retval, gettext("deleting database of '%s'"), global_params.realm);
2621 exit_status++;
2622 return;
2623 }
2624
2625 /*
2626 * Solaris Kerberos: check for a stash file and delete it if necessary
2627 * This behavior exists in the Solaris version of kdb5_util destroy.
2628 */
2629 if (global_params.stash_file == NULL) {
2630 char stashbuf[MAXPATHLEN+1];
2631 int realm_len = strlen(global_params.realm);
2632
2633 (void) strlcpy(stashbuf, DEFAULT_KEYFILE_STUB, sizeof (stashbuf));
2634
2635 if (realm_len <= (MAXPATHLEN-strlen(stashbuf))) {
2636 (void) strncat(stashbuf, global_params.realm,
2637 (MAXPATHLEN-strlen(stashbuf)));
2638 } else {
2639 /* Solaris Kerberos */
2640 com_err(progname, EINVAL,
2641 gettext("can not determine stash file name for '%s'"),
2642 global_params.realm);
2643 exit_status++;
2644 return;
2645 }
2646 stash_file = stashbuf;
2647 } else {
2648 stash_file = global_params.stash_file;
2649 }
2650 /* Make sure stash_file is a regular file before unlinking */
2651 if (stat(stash_file, &stb) == 0) {
2652 if ((stb.st_mode & S_IFMT) == S_IFREG) {
2653 (void)unlink(stash_file);
2654 } else {
2655 /* Solaris Kerberos */
2656 com_err(progname, EINVAL,
2657 gettext("stash file '%s' not a regular file, can not delete"),
2658 stash_file);
2659 exit_status++;
2660 return;
2661 }
2662 } else if (errno != ENOENT) {
2663 /*
2664 * If the error is something other than the file doesn't exist set an
2665 * error.
2666 */
2667 /* Solaris Kerberos */
2668 com_err(progname, EINVAL,
2669 gettext("could not stat stash file '%s', could not delete"),
2670 stash_file);
2671 exit_status++;
2672 return;
2673 }
2674
2675 printf(gettext("** Database of '%s' destroyed.\n"), global_params.realm);
2676
2677 return;
2678 }
unleashed repo fork