diff options
Diffstat (limited to 'crypto/heimdal/lib/hdb/hdb-ldap.c')
-rw-r--r-- | crypto/heimdal/lib/hdb/hdb-ldap.c | 1677 |
1 files changed, 1091 insertions, 586 deletions
diff --git a/crypto/heimdal/lib/hdb/hdb-ldap.c b/crypto/heimdal/lib/hdb/hdb-ldap.c index aed29b3..c9f3d37 100644 --- a/crypto/heimdal/lib/hdb/hdb-ldap.c +++ b/crypto/heimdal/lib/hdb/hdb-ldap.c @@ -1,5 +1,7 @@ /* - * Copyright (c) 1999-2001, PADL Software Pty Ltd. + * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd. + * Copyright (c) 2004, Andrew Bartlett. + * Copyright (c) 2003 - 2007, Kungliga Tekniska Högskolan. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -32,47 +34,124 @@ #include "hdb_locl.h" -RCSID("$Id: hdb-ldap.c,v 1.10.4.1 2003/09/18 20:49:09 lha Exp $"); +RCSID("$Id: hdb-ldap.c 22071 2007-11-14 20:04:50Z lha $"); #ifdef OPENLDAP #include <lber.h> #include <ldap.h> -#include <ctype.h> #include <sys/un.h> +#include <hex.h> -static krb5_error_code LDAP__connect(krb5_context context, HDB * db); +static krb5_error_code LDAP__connect(krb5_context context, HDB *); +static krb5_error_code LDAP_close(krb5_context context, HDB *); static krb5_error_code LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, - hdb_entry * ent); - -static char *krb5kdcentry_attrs[] = - { "krb5PrincipalName", "cn", "krb5PrincipalRealm", - "krb5KeyVersionNumber", "krb5Key", - "krb5ValidStart", "krb5ValidEnd", "krb5PasswordEnd", - "krb5MaxLife", "krb5MaxRenew", "krb5KDCFlags", "krb5EncryptionType", - "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp", + hdb_entry_ex * ent); + +static const char *default_structural_object = "account"; +static char *structural_object; +static krb5_boolean samba_forwardable; + +struct hdbldapdb { + LDAP *h_lp; + int h_msgid; + char *h_base; + char *h_url; + char *h_createbase; +}; + +#define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp) +#define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid) +#define HDBSETMSGID(db,msgid) \ + do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0) +#define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base) +#define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url) +#define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase) + +/* + * + */ + +static char * krb5kdcentry_attrs[] = { + "cn", + "createTimestamp", + "creatorsName", + "krb5EncryptionType", + "krb5KDCFlags", + "krb5Key", + "krb5KeyVersionNumber", + "krb5MaxLife", + "krb5MaxRenew", + "krb5PasswordEnd", + "krb5PrincipalName", + "krb5PrincipalRealm", + "krb5ValidEnd", + "krb5ValidStart", + "modifiersName", + "modifyTimestamp", + "objectClass", + "sambaAcctFlags", + "sambaKickoffTime", + "sambaNTPassword", + "sambaPwdLastSet", + "sambaPwdMustChange", + "uid", NULL }; -static char *krb5principal_attrs[] = - { "krb5PrincipalName", "cn", "krb5PrincipalRealm", - "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp", +static char *krb5principal_attrs[] = { + "cn", + "createTimestamp", + "creatorsName", + "krb5PrincipalName", + "krb5PrincipalRealm", + "modifiersName", + "modifyTimestamp", + "objectClass", + "uid", NULL }; +static int +LDAP_no_size_limit(krb5_context context, LDAP *lp) +{ + int ret, limit = LDAP_NO_LIMIT; + + ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit); + if (ret != LDAP_SUCCESS) { + krb5_set_error_string(context, "ldap_set_option: %s", + ldap_err2string(ret)); + return HDB_ERR_BADVERSION; + } + return 0; +} + +static int +check_ldap(krb5_context context, HDB *db, int ret) +{ + switch (ret) { + case LDAP_SUCCESS: + return 0; + case LDAP_SERVER_DOWN: + LDAP_close(context, db); + return 1; + default: + return 1; + } +} + static krb5_error_code LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute, - int *pIndex) + int *pIndex) { int cMods; if (*modlist == NULL) { *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *)); - if (*modlist == NULL) { + if (*modlist == NULL) return ENOMEM; - } } for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) { @@ -89,13 +168,12 @@ LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute, *modlist = (LDAPMod **)ber_memrealloc(*modlist, (cMods + 2) * sizeof(LDAPMod *)); - if (*modlist == NULL) { + if (*modlist == NULL) return ENOMEM; - } + (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod)); - if ((*modlist)[cMods] == NULL) { + if ((*modlist)[cMods] == NULL) return ENOMEM; - } mod = (*modlist)[cMods]; mod->mod_op = modop; @@ -122,39 +200,36 @@ static krb5_error_code LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute, unsigned char *value, size_t len) { - int cMods, cValues = 0; krb5_error_code ret; + int cMods, i = 0; ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods); - if (ret != 0) { + if (ret) return ret; - } if (value != NULL) { - struct berval *bValue; - struct berval ***pbValues = &((*modlist)[cMods]->mod_bvalues); + struct berval **bv; - if (*pbValues != NULL) { - for (cValues = 0; (*pbValues)[cValues] != NULL; cValues++) + bv = (*modlist)[cMods]->mod_bvalues; + if (bv != NULL) { + for (i = 0; bv[i] != NULL; i++) ; - *pbValues = (struct berval **)ber_memrealloc(*pbValues, (cValues + 2) - * sizeof(struct berval *)); - } else { - *pbValues = (struct berval **)ber_memalloc(2 * sizeof(struct berval *)); - } - if (*pbValues == NULL) { + bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv)); + } else + bv = ber_memalloc(2 * sizeof(*bv)); + if (bv == NULL) return ENOMEM; - } - (*pbValues)[cValues] = (struct berval *)ber_memalloc(sizeof(struct berval));; - if ((*pbValues)[cValues] == NULL) { + + (*modlist)[cMods]->mod_bvalues = bv; + + bv[i] = ber_memalloc(sizeof(*bv));; + if (bv[i] == NULL) return ENOMEM; - } - bValue = (*pbValues)[cValues]; - bValue->bv_val = value; - bValue->bv_len = len; + bv[i]->bv_val = (void *)value; + bv[i]->bv_len = len; - (*pbValues)[cValues + 1] = NULL; + bv[i + 1] = NULL; } return 0; @@ -164,32 +239,33 @@ static krb5_error_code LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute, const char *value) { - int cMods, cValues = 0; + int cMods, i = 0; krb5_error_code ret; ret = LDAP__setmod(modlist, modop, attribute, &cMods); - if (ret != 0) { + if (ret) return ret; - } if (value != NULL) { - char ***pValues = &((*modlist)[cMods]->mod_values); + char **bv; - if (*pValues != NULL) { - for (cValues = 0; (*pValues)[cValues] != NULL; cValues++) + bv = (*modlist)[cMods]->mod_values; + if (bv != NULL) { + for (i = 0; bv[i] != NULL; i++) ; - *pValues = (char **)ber_memrealloc(*pValues, (cValues + 2) * sizeof(char *)); - } else { - *pValues = (char **)ber_memalloc(2 * sizeof(char *)); - } - if (*pValues == NULL) { + bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv)); + } else + bv = ber_memalloc(2 * sizeof(*bv)); + if (bv == NULL) return ENOMEM; - } - (*pValues)[cValues] = ber_strdup(value); - if ((*pValues)[cValues] == NULL) { + + (*modlist)[cMods]->mod_values = bv; + + bv[i] = ber_strdup(value); + if (bv[i] == NULL) return ENOMEM; - } - (*pValues)[cValues + 1] = NULL; + + bv[i + 1] = NULL; } return 0; @@ -210,22 +286,41 @@ LDAP_addmod_generalized_time(LDAPMod *** mods, int modop, } static krb5_error_code +LDAP_addmod_integer(krb5_context context, + LDAPMod *** mods, int modop, + const char *attribute, unsigned long l) +{ + krb5_error_code ret; + char *buf; + + ret = asprintf(&buf, "%ld", l); + if (ret < 0) { + krb5_set_error_string(context, "asprintf: out of memory:"); + return ret; + } + ret = LDAP_addmod(mods, modop, attribute, buf); + free (buf); + return ret; +} + +static krb5_error_code LDAP_get_string_value(HDB * db, LDAPMessage * entry, const char *attribute, char **ptr) { char **vals; int ret; - vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute); + vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute); if (vals == NULL) { + *ptr = NULL; return HDB_ERR_NOENTRY; } + *ptr = strdup(vals[0]); - if (*ptr == NULL) { + if (*ptr == NULL) ret = ENOMEM; - } else { + else ret = 0; - } ldap_value_free(vals); @@ -238,10 +333,10 @@ LDAP_get_integer_value(HDB * db, LDAPMessage * entry, { char **vals; - vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute); - if (vals == NULL) { + vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute); + if (vals == NULL) return HDB_ERR_NOENTRY; - } + *ptr = atoi(vals[0]); ldap_value_free(vals); return 0; @@ -258,9 +353,8 @@ LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry, *kt = 0; ret = LDAP_get_string_value(db, entry, attribute, &gentime); - if (ret != 0) { + if (ret) return ret; - } tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm); if (tmp == NULL) { @@ -276,218 +370,337 @@ LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry, } static krb5_error_code -LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent, +LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, LDAPMessage * msg, LDAPMod *** pmods) { krb5_error_code ret; krb5_boolean is_new_entry; - int rc, i; char *tmp = NULL; LDAPMod **mods = NULL; - hdb_entry orig; + hdb_entry_ex orig; unsigned long oflags, nflags; + int i; + + krb5_boolean is_samba_account = FALSE; + krb5_boolean is_account = FALSE; + krb5_boolean is_heimdal_entry = FALSE; + krb5_boolean is_heimdal_principal = FALSE; + + char **values; + + *pmods = NULL; if (msg != NULL) { + ret = LDAP_message2entry(context, db, msg, &orig); - if (ret != 0) { + if (ret) goto out; - } + is_new_entry = FALSE; - } else { + + values = ldap_get_values(HDB2LDAP(db), msg, "objectClass"); + if (values) { + int num_objectclasses = ldap_count_values(values); + for (i=0; i < num_objectclasses; i++) { + if (strcasecmp(values[i], "sambaSamAccount") == 0) { + is_samba_account = TRUE; + } else if (strcasecmp(values[i], structural_object) == 0) { + is_account = TRUE; + } else if (strcasecmp(values[i], "krb5Principal") == 0) { + is_heimdal_principal = TRUE; + } else if (strcasecmp(values[i], "krb5KDCEntry") == 0) { + is_heimdal_entry = TRUE; + } + } + ldap_value_free(values); + } + + /* + * If this is just a "account" entry and no other objectclass + * is hanging on this entry, it's really a new entry. + */ + if (is_samba_account == FALSE && is_heimdal_principal == FALSE && + is_heimdal_entry == FALSE) { + if (is_account == TRUE) { + is_new_entry = TRUE; + } else { + ret = HDB_ERR_NOENTRY; + goto out; + } + } + } else + is_new_entry = TRUE; + + if (is_new_entry) { + /* to make it perfectly obvious we're depending on * orig being intiialized to zero */ memset(&orig, 0, sizeof(orig)); - is_new_entry = TRUE; - } - if (is_new_entry) { ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top"); - if (ret != 0) { - goto out; - } - /* person is the structural object class */ - ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "person"); - if (ret != 0) { + if (ret) goto out; + + /* account is the structural object class */ + if (is_account == FALSE) { + ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", + structural_object); + is_account = TRUE; + if (ret) + goto out; } - ret = - LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", - "krb5Principal"); - if (ret != 0) { + + ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal"); + is_heimdal_principal = TRUE; + if (ret) goto out; - } - ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", - "krb5KDCEntry"); - if (ret != 0) { + + ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry"); + is_heimdal_entry = TRUE; + if (ret) goto out; - } } - if (is_new_entry || - krb5_principal_compare(context, ent->principal, orig.principal) == - FALSE) { - ret = krb5_unparse_name(context, ent->principal, &tmp); - if (ret != 0) { - goto out; + if (is_new_entry || + krb5_principal_compare(context, ent->entry.principal, orig.entry.principal) + == FALSE) + { + if (is_heimdal_principal || is_heimdal_entry) { + + ret = krb5_unparse_name(context, ent->entry.principal, &tmp); + if (ret) + goto out; + + ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, + "krb5PrincipalName", tmp); + if (ret) { + free(tmp); + goto out; + } + free(tmp); } - ret = - LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5PrincipalName", tmp); - if (ret != 0) { + + if (is_account || is_samba_account) { + ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp); + if (ret) + goto out; + ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp); + if (ret) { + free(tmp); + goto out; + } free(tmp); - goto out; } - free(tmp); } - if (ent->kvno != orig.kvno) { - rc = asprintf(&tmp, "%d", ent->kvno); - if (rc < 0) { - krb5_set_error_string(context, "asprintf: out of memory"); - ret = ENOMEM; - goto out; - } - ret = - LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KeyVersionNumber", - tmp); - free(tmp); - if (ret != 0) { + if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) { + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, + "krb5KeyVersionNumber", + ent->entry.kvno); + if (ret) goto out; - } } - if (ent->valid_start) { - if (orig.valid_end == NULL - || (*(ent->valid_start) != *(orig.valid_start))) { - ret = - LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, - "krb5ValidStart", - ent->valid_start); - if (ret != 0) { + if (is_heimdal_entry && ent->entry.valid_start) { + if (orig.entry.valid_end == NULL + || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) { + ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, + "krb5ValidStart", + ent->entry.valid_start); + if (ret) goto out; - } } } - if (ent->valid_end) { - if (orig.valid_end == NULL - || (*(ent->valid_end) != *(orig.valid_end))) { - ret = - LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, - "krb5ValidEnd", - ent->valid_end); - if (ret != 0) { - goto out; + if (ent->entry.valid_end) { + if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) { + if (is_heimdal_entry) { + ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, + "krb5ValidEnd", + ent->entry.valid_end); + if (ret) + goto out; + } + if (is_samba_account) { + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, + "sambaKickoffTime", + *(ent->entry.valid_end)); + if (ret) + goto out; } - } + } } - if (ent->pw_end) { - if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) { - ret = - LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, - "krb5PasswordEnd", - ent->pw_end); - if (ret != 0) { - goto out; + if (ent->entry.pw_end) { + if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) { + if (is_heimdal_entry) { + ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, + "krb5PasswordEnd", + ent->entry.pw_end); + if (ret) + goto out; } - } - } - if (ent->max_life) { - if (orig.max_life == NULL - || (*(ent->max_life) != *(orig.max_life))) { - rc = asprintf(&tmp, "%d", *(ent->max_life)); - if (rc < 0) { - krb5_set_error_string(context, "asprintf: out of memory"); - ret = ENOMEM; - goto out; - } - ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxLife", tmp); - free(tmp); - if (ret != 0) { - goto out; + if (is_samba_account) { + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, + "sambaPwdMustChange", + *(ent->entry.pw_end)); + if (ret) + goto out; } } } - if (ent->max_renew) { - if (orig.max_renew == NULL - || (*(ent->max_renew) != *(orig.max_renew))) { - rc = asprintf(&tmp, "%d", *(ent->max_renew)); - if (rc < 0) { - krb5_set_error_string(context, "asprintf: out of memory"); - ret = ENOMEM; - goto out; - } - ret = - LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxRenew", tmp); - free(tmp); - if (ret != 0) { + +#if 0 /* we we have last_pw_change */ + if (is_samba_account && ent->entry.last_pw_change) { + if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) { + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, + "sambaPwdLastSet", + *(ent->entry.last_pw_change)); + if (ret) goto out; - } } } +#endif - oflags = HDBFlags2int(orig.flags); - nflags = HDBFlags2int(ent->flags); + if (is_heimdal_entry && ent->entry.max_life) { + if (orig.entry.max_life == NULL + || (*(ent->entry.max_life) != *(orig.entry.max_life))) { - if (oflags != nflags) { - rc = asprintf(&tmp, "%lu", nflags); - if (rc < 0) { - krb5_set_error_string(context, "asprintf: out of memory"); - ret = ENOMEM; - goto out; - } - ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KDCFlags", tmp); - free(tmp); - if (ret != 0) { - goto out; + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, + "krb5MaxLife", + *(ent->entry.max_life)); + if (ret) + goto out; } } - if (is_new_entry == FALSE && orig.keys.len > 0) { - /* for the moment, clobber and replace keys. */ - ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL); - if (ret != 0) { - goto out; + if (is_heimdal_entry && ent->entry.max_renew) { + if (orig.entry.max_renew == NULL + || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) { + + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, + "krb5MaxRenew", + *(ent->entry.max_renew)); + if (ret) + goto out; } } - for (i = 0; i < ent->keys.len; i++) { - unsigned char *buf; - size_t len; + oflags = HDBFlags2int(orig.entry.flags); + nflags = HDBFlags2int(ent->entry.flags); - ASN1_MALLOC_ENCODE(Key, buf, len, &ent->keys.val[i], &len, ret); - if (ret != 0) - goto out; + if (is_heimdal_entry && oflags != nflags) { - /* addmod_len _owns_ the key, doesn't need to copy it */ - ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len); - if (ret != 0) { + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, + "krb5KDCFlags", + nflags); + if (ret) goto out; - } } - if (ent->etypes) { - /* clobber and replace encryption types. */ - if (is_new_entry == FALSE) { - ret = - LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType", - NULL); + /* Remove keys if they exists, and then replace keys. */ + if (!is_new_entry && orig.entry.keys.len > 0) { + values = ldap_get_values(HDB2LDAP(db), msg, "krb5Key"); + if (values) { + ldap_value_free(values); + + ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL); + if (ret) + goto out; } - for (i = 0; i < ent->etypes->len; i++) { - rc = asprintf(&tmp, "%d", ent->etypes->val[i]); - if (rc < 0) { - krb5_set_error_string(context, "asprintf: out of memory"); + } + + for (i = 0; i < ent->entry.keys.len; i++) { + + if (is_samba_account + && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { + char *ntHexPassword; + char *nt; + + /* the key might have been 'sealed', but samba passwords + are clear in the directory */ + ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]); + if (ret) + goto out; + + nt = ent->entry.keys.val[i].key.keyvalue.data; + /* store in ntPassword, not krb5key */ + ret = hex_encode(nt, 16, &ntHexPassword); + if (ret < 0) { + krb5_set_error_string(context, "hdb-ldap: failed to " + "hex encode key"); ret = ENOMEM; goto out; } - free(tmp); - ret = - LDAP_addmod(&mods, LDAP_MOD_ADD, "krb5EncryptionType", - tmp); - if (ret != 0) { + ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword", + ntHexPassword); + free(ntHexPassword); + if (ret) goto out; + + /* have to kill the LM passwod if it exists */ + values = ldap_get_values(HDB2LDAP(db), msg, "sambaLMPassword"); + if (values) { + ldap_value_free(values); + ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, + "sambaLMPassword", NULL); + if (ret) + goto out; + } + + } else if (is_heimdal_entry) { + unsigned char *buf; + size_t len, buf_size; + + ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret); + if (ret) + goto out; + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + /* addmod_len _owns_ the key, doesn't need to copy it */ + ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len); + if (ret) + goto out; + } + } + + if (ent->entry.etypes) { + int add_krb5EncryptionType = 0; + + /* + * Only add/modify krb5EncryptionType if it's a new heimdal + * entry or krb5EncryptionType already exists on the entry. + */ + + if (!is_new_entry) { + values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType"); + if (values) { + ldap_value_free(values); + ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType", + NULL); + if (ret) + goto out; + add_krb5EncryptionType = 1; + } + } else if (is_heimdal_entry) + add_krb5EncryptionType = 1; + + if (add_krb5EncryptionType) { + for (i = 0; i < ent->entry.etypes->len; i++) { + if (is_samba_account && + ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) + { + ; + } else if (is_heimdal_entry) { + ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD, + "krb5EncryptionType", + ent->entry.etypes->val[i]); + if (ret) + goto out; + } } } } @@ -495,18 +708,17 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent, /* for clarity */ ret = 0; - out: + out: - if (ret == 0) { + if (ret == 0) *pmods = mods; - } else if (mods != NULL) { + else if (mods != NULL) { ldap_mods_free(mods, 1); *pmods = NULL; } - if (msg != NULL) { + if (msg) hdb_free_entry(context, &orig); - } return ret; } @@ -516,33 +728,32 @@ LDAP_dn2principal(krb5_context context, HDB * db, const char *dn, krb5_principal * principal) { krb5_error_code ret; - int rc, limit = 1; + int rc; + const char *filter = "(objectClass=krb5Principal)"; char **values; LDAPMessage *res = NULL, *e; - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); - ret = HDB_ERR_BADVERSION; + ret = LDAP_no_size_limit(context, HDB2LDAP(db)); + if (ret) goto out; - } - rc = ldap_search_s((LDAP *) db->db, dn, LDAP_SCOPE_BASE, - "(objectclass=krb5Principal)", krb5principal_attrs, + rc = ldap_search_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE, + filter, krb5principal_attrs, 0, &res); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_search_s: %s", ldap_err2string(rc)); + if (check_ldap(context, db, rc)) { + krb5_set_error_string(context, "ldap_search_s: filter: %s error: %s", + filter, ldap_err2string(rc)); ret = HDB_ERR_NOENTRY; goto out; } - e = ldap_first_entry((LDAP *) db->db, res); + e = ldap_first_entry(HDB2LDAP(db), res); if (e == NULL) { ret = HDB_ERR_NOENTRY; goto out; } - values = ldap_get_values((LDAP *) db->db, e, "krb5PrincipalName"); + values = ldap_get_values(HDB2LDAP(db), e, "krb5PrincipalName"); if (values == NULL) { ret = HDB_ERR_NOENTRY; goto out; @@ -552,70 +763,123 @@ LDAP_dn2principal(krb5_context context, HDB * db, const char *dn, ldap_value_free(values); out: - if (res != NULL) { + if (res) ldap_msgfree(res); - } + return ret; } static krb5_error_code -LDAP__lookup_princ(krb5_context context, HDB * db, const char *princname, - LDAPMessage ** msg) +LDAP__lookup_princ(krb5_context context, + HDB *db, + const char *princname, + const char *userid, + LDAPMessage **msg) { krb5_error_code ret; - int rc, limit = 1; + int rc; char *filter = NULL; - (void) LDAP__connect(context, db); + ret = LDAP__connect(context, db); + if (ret) + return ret; - rc = - asprintf(&filter, - "(&(objectclass=krb5KDCEntry)(krb5PrincipalName=%s))", - princname); + rc = asprintf(&filter, + "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))", + princname); if (rc < 0) { krb5_set_error_string(context, "asprintf: out of memory"); ret = ENOMEM; goto out; } - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); - ret = HDB_ERR_BADVERSION; + ret = LDAP_no_size_limit(context, HDB2LDAP(db)); + if (ret) goto out; - } - rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_ONELEVEL, filter, + rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE, filter, krb5kdcentry_attrs, 0, msg); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_search_s: %s", ldap_err2string(rc)); + if (check_ldap(context, db, rc)) { + krb5_set_error_string(context, "ldap_search_s: filter: %s - error: %s", + filter, ldap_err2string(rc)); ret = HDB_ERR_NOENTRY; goto out; } + if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) { + free(filter); + filter = NULL; + ldap_msgfree(*msg); + *msg = NULL; + + rc = asprintf(&filter, + "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))", + structural_object, userid); + if (rc < 0) { + krb5_set_error_string(context, "asprintf: out of memory"); + ret = ENOMEM; + goto out; + } + + ret = LDAP_no_size_limit(context, HDB2LDAP(db)); + if (ret) + goto out; + + rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE, + filter, krb5kdcentry_attrs, 0, msg); + if (check_ldap(context, db, rc)) { + krb5_set_error_string(context, + "ldap_search_s: filter: %s error: %s", + filter, ldap_err2string(rc)); + ret = HDB_ERR_NOENTRY; + goto out; + } + } + ret = 0; out: - if (filter != NULL) { + if (filter) free(filter); - } + return ret; } static krb5_error_code LDAP_principal2message(krb5_context context, HDB * db, - krb5_principal princ, LDAPMessage ** msg) + krb5_const_principal princ, LDAPMessage ** msg) { - char *princname = NULL; + char *name, *name_short = NULL; krb5_error_code ret; + krb5_realm *r, *r0; - ret = krb5_unparse_name(context, princ, &princname); - if (ret != 0) { + *msg = NULL; + + ret = krb5_unparse_name(context, princ, &name); + if (ret) + return ret; + + ret = krb5_get_default_realms(context, &r0); + if(ret) { + free(name); return ret; } + for (r = r0; *r != NULL; r++) { + if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) { + ret = krb5_unparse_name_short(context, princ, &name_short); + if (ret) { + krb5_free_host_realm(context, r0); + free(name); + return ret; + } + break; + } + } + krb5_free_host_realm(context, r0); - ret = LDAP__lookup_princ(context, db, princname, msg); - free(princname); + ret = LDAP__lookup_princ(context, db, name, name_short, msg); + free(name); + free(name_short); return ret; } @@ -625,51 +889,62 @@ LDAP_principal2message(krb5_context context, HDB * db, */ static krb5_error_code LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, - hdb_entry * ent) + hdb_entry_ex * ent) { - char *unparsed_name = NULL, *dn = NULL; - int ret; + char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL; + char *samba_acct_flags = NULL; unsigned long tmp; struct berval **keys; char **values; + int tmp_time, i, ret, have_arcfour = 0; memset(ent, 0, sizeof(*ent)); - ent->flags = int2HDBFlags(0); + ent->entry.flags = int2HDBFlags(0); - ret = - LDAP_get_string_value(db, msg, "krb5PrincipalName", - &unparsed_name); - if (ret != 0) { - return ret; - } - - ret = krb5_parse_name(context, unparsed_name, &ent->principal); - if (ret != 0) { - goto out; + ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name); + if (ret == 0) { + ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal); + if (ret) + goto out; + } else { + ret = LDAP_get_string_value(db, msg, "uid", + &unparsed_name); + if (ret == 0) { + ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal); + if (ret) + goto out; + } else { + krb5_set_error_string(context, "hdb-ldap: ldap entry missing" + "principal name"); + return HDB_ERR_NOENTRY; + } } - ret = - LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber", - &ent->kvno); - if (ret != 0) { - ent->kvno = 0; + { + int integer; + ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber", + &integer); + if (ret) + ent->entry.kvno = 0; + else + ent->entry.kvno = integer; } - keys = ldap_get_values_len((LDAP *) db->db, msg, "krb5Key"); + keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key"); if (keys != NULL) { int i; size_t l; - ent->keys.len = ldap_count_values_len(keys); - ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key)); - if (ent->keys.val == NULL) { + ent->entry.keys.len = ldap_count_values_len(keys); + ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key)); + if (ent->entry.keys.val == NULL) { krb5_set_error_string(context, "calloc: out of memory"); ret = ENOMEM; goto out; } - for (i = 0; i < ent->keys.len; i++) { + for (i = 0; i < ent->entry.keys.len; i++) { decode_Key((unsigned char *) keys[i]->bv_val, - (size_t) keys[i]->bv_len, &ent->keys.val[i], &l); + (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l); } ber_bvecfree(keys); } else { @@ -679,124 +954,248 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, * be related to a general directory entry without creating * the keys. Hopefully it's OK. */ - ent->keys.len = 0; - ent->keys.val = NULL; + ent->entry.keys.len = 0; + ent->entry.keys.val = NULL; #else ret = HDB_ERR_NOENTRY; goto out; #endif } - ret = - LDAP_get_generalized_time_value(db, msg, "createTimestamp", - &ent->created_by.time); - if (ret != 0) { - ent->created_by.time = time(NULL); + values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType"); + if (values != NULL) { + int i; + + ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes))); + if (ent->entry.etypes == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + ent->entry.etypes->len = ldap_count_values(values); + ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int)); + if (ent->entry.etypes->val == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + for (i = 0; i < ent->entry.etypes->len; i++) { + ent->entry.etypes->val[i] = atoi(values[i]); + } + ldap_value_free(values); } - ent->created_by.principal = NULL; + for (i = 0; i < ent->entry.keys.len; i++) { + if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { + have_arcfour = 1; + break; + } + } + + /* manually construct the NT (type 23) key */ + ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN); + if (ret == 0 && have_arcfour == 0) { + unsigned *etypes; + Key *keys; + int i; + + keys = realloc(ent->entry.keys.val, + (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0])); + if (keys == NULL) { + free(ntPasswordIN); + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + ent->entry.keys.val = keys; + memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key)); + ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5; + ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16); + if (ret) { + krb5_set_error_string(context, "malloc: out of memory"); + free(ntPasswordIN); + ret = ENOMEM; + goto out; + } + ret = hex_decode(ntPasswordIN, + ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16); + ent->entry.keys.len++; + + if (ent->entry.etypes == NULL) { + ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes))); + if (ent->entry.etypes == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + ent->entry.etypes->val = NULL; + ent->entry.etypes->len = 0; + } + + for (i = 0; i < ent->entry.etypes->len; i++) + if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5) + break; + /* If there is no ARCFOUR enctype, add one */ + if (i == ent->entry.etypes->len) { + etypes = realloc(ent->entry.etypes->val, + (ent->entry.etypes->len + 1) * + sizeof(ent->entry.etypes->val[0])); + if (etypes == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + ent->entry.etypes->val = etypes; + ent->entry.etypes->val[ent->entry.etypes->len] = + ETYPE_ARCFOUR_HMAC_MD5; + ent->entry.etypes->len++; + } + } + + ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp", + &ent->entry.created_by.time); + if (ret) + ent->entry.created_by.time = time(NULL); + + ent->entry.created_by.principal = NULL; ret = LDAP_get_string_value(db, msg, "creatorsName", &dn); if (ret == 0) { - if (LDAP_dn2principal(context, db, dn, &ent->created_by.principal) + if (LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal) != 0) { - ent->created_by.principal = NULL; + ent->entry.created_by.principal = NULL; } free(dn); } - ent->modified_by = (Event *) malloc(sizeof(Event)); - if (ent->modified_by == NULL) { + ent->entry.modified_by = (Event *) malloc(sizeof(Event)); + if (ent->entry.modified_by == NULL) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto out; } - ret = - LDAP_get_generalized_time_value(db, msg, "modifyTimestamp", - &ent->modified_by->time); + ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp", + &ent->entry.modified_by->time); if (ret == 0) { ret = LDAP_get_string_value(db, msg, "modifiersName", &dn); - if (LDAP_dn2principal - (context, db, dn, &ent->modified_by->principal) != 0) { - ent->modified_by->principal = NULL; - } + if (LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal)) + ent->entry.modified_by->principal = NULL; free(dn); } else { - free(ent->modified_by); - ent->modified_by = NULL; + free(ent->entry.modified_by); + ent->entry.modified_by = NULL; } - if ((ent->valid_start = (KerberosTime *) malloc(sizeof(KerberosTime))) - == NULL) { + ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start)); + if (ent->entry.valid_start == NULL) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto out; } - ret = - LDAP_get_generalized_time_value(db, msg, "krb5ValidStart", - ent->valid_start); - if (ret != 0) { + ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart", + ent->entry.valid_start); + if (ret) { /* OPTIONAL */ - free(ent->valid_start); - ent->valid_start = NULL; + free(ent->entry.valid_start); + ent->entry.valid_start = NULL; } - - if ((ent->valid_end = (KerberosTime *) malloc(sizeof(KerberosTime))) == - NULL) { + + ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end)); + if (ent->entry.valid_end == NULL) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto out; } - ret = - LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd", - ent->valid_end); - if (ret != 0) { + ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd", + ent->entry.valid_end); + if (ret) { /* OPTIONAL */ - free(ent->valid_end); - ent->valid_end = NULL; + free(ent->entry.valid_end); + ent->entry.valid_end = NULL; } - if ((ent->pw_end = (KerberosTime *) malloc(sizeof(KerberosTime))) == - NULL) { + ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time); + if (ret == 0) { + if (ent->entry.valid_end == NULL) { + ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end)); + if (ent->entry.valid_end == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + } + *ent->entry.valid_end = tmp_time; + } + + ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); + if (ent->entry.pw_end == NULL) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto out; } - ret = - LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd", - ent->pw_end); - if (ret != 0) { + ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd", + ent->entry.pw_end); + if (ret) { /* OPTIONAL */ - free(ent->pw_end); - ent->pw_end = NULL; + free(ent->entry.pw_end); + ent->entry.pw_end = NULL; } - ent->max_life = (int *) malloc(sizeof(int)); - if (ent->max_life == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", ent->max_life); - if (ret != 0) { - free(ent->max_life); - ent->max_life = NULL; + ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time); + if (ret == 0) { + if (ent->entry.pw_end == NULL) { + ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); + if (ent->entry.pw_end == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + } + *ent->entry.pw_end = tmp_time; } - ent->max_renew = (int *) malloc(sizeof(int)); - if (ent->max_renew == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; + /* OPTIONAL */ + ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time); + if (ret == 0) + hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time); + + { + int max_life; + + ent->entry.max_life = malloc(sizeof(*ent->entry.max_life)); + if (ent->entry.max_life == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life); + if (ret) { + free(ent->entry.max_life); + ent->entry.max_life = NULL; + } else + *ent->entry.max_life = max_life; } - ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", ent->max_renew); - if (ret != 0) { - free(ent->max_renew); - ent->max_renew = NULL; + + { + int max_renew; + + ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew)); + if (ent->entry.max_renew == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew); + if (ret) { + free(ent->entry.max_renew); + ent->entry.max_renew = NULL; + } else + *ent->entry.max_renew = max_renew; } - values = ldap_get_values((LDAP *) db->db, msg, "krb5KDCFlags"); + values = ldap_get_values(HDB2LDAP(db), msg, "krb5KDCFlags"); if (values != NULL) { + errno = 0; tmp = strtoul(values[0], (char **) NULL, 10); if (tmp == ULONG_MAX && errno == ERANGE) { krb5_set_error_string(context, "strtoul: could not convert flag"); @@ -806,46 +1205,109 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, } else { tmp = 0; } - ent->flags = int2HDBFlags(tmp); - values = ldap_get_values((LDAP *) db->db, msg, "krb5EncryptionType"); - if (values != NULL) { - int i; + ent->entry.flags = int2HDBFlags(tmp); - ent->etypes = malloc(sizeof(*(ent->etypes))); - if (ent->etypes == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; - goto out; - } - ent->etypes->len = ldap_count_values(values); - ent->etypes->val = calloc(ent->etypes->len, sizeof(int)); - for (i = 0; i < ent->etypes->len; i++) { - ent->etypes->val[i] = atoi(values[i]); + /* Try and find Samba flags to put into the mix */ + ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags); + if (ret == 0) { + /* parse the [UXW...] string: + + 'N' No password + 'D' Disabled + 'H' Homedir required + 'T' Temp account. + 'U' User account (normal) + 'M' MNS logon user account - what is this ? + 'W' Workstation account + 'S' Server account + 'L' Locked account + 'X' No Xpiry on password + 'I' Interdomain trust account + + */ + + int i; + int flags_len = strlen(samba_acct_flags); + + if (flags_len < 2) + goto out2; + + if (samba_acct_flags[0] != '[' + || samba_acct_flags[flags_len - 1] != ']') + goto out2; + + /* Allow forwarding */ + if (samba_forwardable) + ent->entry.flags.forwardable = TRUE; + + for (i=0; i < flags_len; i++) { + switch (samba_acct_flags[i]) { + case ' ': + case '[': + case ']': + break; + case 'N': + /* how to handle no password in kerberos? */ + break; + case 'D': + ent->entry.flags.invalid = TRUE; + break; + case 'H': + break; + case 'T': + /* temp duplicate */ + ent->entry.flags.invalid = TRUE; + break; + case 'U': + ent->entry.flags.client = TRUE; + break; + case 'M': + break; + case 'W': + case 'S': + ent->entry.flags.server = TRUE; + ent->entry.flags.client = TRUE; + break; + case 'L': + ent->entry.flags.invalid = TRUE; + break; + case 'X': + if (ent->entry.pw_end) { + free(ent->entry.pw_end); + ent->entry.pw_end = NULL; + } + break; + case 'I': + ent->entry.flags.server = TRUE; + ent->entry.flags.client = TRUE; + break; + } } - ldap_value_free(values); + out2: + free(samba_acct_flags); } ret = 0; - out: - if (unparsed_name != NULL) { +out: + if (unparsed_name) free(unparsed_name); - } - if (ret != 0) { - /* I don't think this frees ent itself. */ + if (ret) hdb_free_entry(context, ent); - } return ret; } -static krb5_error_code LDAP_close(krb5_context context, HDB * db) +static krb5_error_code +LDAP_close(krb5_context context, HDB * db) { - ldap_unbind_ext((LDAP *) db->db, NULL, NULL); - db->db = NULL; - + if (HDB2LDAP(db)) { + ldap_unbind_ext(HDB2LDAP(db), NULL, NULL); + ((struct hdbldapdb *)db->hdb_db)->h_lp = NULL; + } + return 0; } @@ -855,26 +1317,30 @@ LDAP_lock(krb5_context context, HDB * db, int operation) return 0; } -static krb5_error_code LDAP_unlock(krb5_context context, HDB * db) +static krb5_error_code +LDAP_unlock(krb5_context context, HDB * db) { return 0; } static krb5_error_code -LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry) +LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry) { int msgid, rc, parserc; krb5_error_code ret; LDAPMessage *e; - msgid = db->openp; /* BOGUS OVERLOADING */ - if (msgid < 0) { + msgid = HDB2MSGID(db); + if (msgid < 0) return HDB_ERR_NOENTRY; - } do { - rc = ldap_result((LDAP *) db->db, msgid, LDAP_MSG_ONE, NULL, &e); + rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e); switch (rc) { + case LDAP_RES_SEARCH_REFERENCE: + ldap_msgfree(e); + ret = 0; + break; case LDAP_RES_SEARCH_ENTRY: /* We have an entry. Parse it. */ ret = LDAP_message2entry(context, db, e, entry); @@ -883,33 +1349,38 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry) case LDAP_RES_SEARCH_RESULT: /* We're probably at the end of the results. If not, abandon. */ parserc = - ldap_parse_result((LDAP *) db->db, e, NULL, NULL, NULL, + ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL, NULL, NULL, 1); if (parserc != LDAP_SUCCESS && parserc != LDAP_MORE_RESULTS_TO_RETURN) { - krb5_set_error_string(context, "ldap_parse_result: %s", ldap_err2string(parserc)); - ldap_abandon((LDAP *) db->db, msgid); + krb5_set_error_string(context, "ldap_parse_result: %s", + ldap_err2string(parserc)); + ldap_abandon(HDB2LDAP(db), msgid); } ret = HDB_ERR_NOENTRY; - db->openp = -1; + HDBSETMSGID(db, -1); + break; + case LDAP_SERVER_DOWN: + ldap_msgfree(e); + LDAP_close(context, db); + HDBSETMSGID(db, -1); + ret = ENETDOWN; break; - case 0: - case -1: default: /* Some unspecified error (timeout?). Abandon. */ ldap_msgfree(e); - ldap_abandon((LDAP *) db->db, msgid); + ldap_abandon(HDB2LDAP(db), msgid); ret = HDB_ERR_NOENTRY; - db->openp = -1; + HDBSETMSGID(db, -1); break; } } while (rc == LDAP_RES_SEARCH_REFERENCE); if (ret == 0) { - if (db->master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys(context, db, entry); + if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { + ret = hdb_unseal_keys(context, db, &entry->entry); if (ret) - hdb_free_entry(context,entry); + hdb_free_entry(context, entry); } } @@ -917,45 +1388,41 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry) } static krb5_error_code -LDAP_firstkey(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) +LDAP_firstkey(krb5_context context, HDB *db, unsigned flags, + hdb_entry_ex *entry) { - int msgid, limit = LDAP_NO_LIMIT, rc; + krb5_error_code ret; + int msgid; - (void) LDAP__connect(context, db); + ret = LDAP__connect(context, db); + if (ret) + return ret; - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit); - if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); - return HDB_ERR_BADVERSION; - } + ret = LDAP_no_size_limit(context, HDB2LDAP(db)); + if (ret) + return ret; - msgid = ldap_search((LDAP *) db->db, db->name, - LDAP_SCOPE_ONELEVEL, "(objectclass=krb5KDCEntry)", + msgid = ldap_search(HDB2LDAP(db), HDB2BASE(db), + LDAP_SCOPE_SUBTREE, + "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))", krb5kdcentry_attrs, 0); - if (msgid < 0) { + if (msgid < 0) return HDB_ERR_NOENTRY; - } - db->openp = msgid; + HDBSETMSGID(db, msgid); return LDAP_seq(context, db, flags, entry); } static krb5_error_code LDAP_nextkey(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) + hdb_entry_ex * entry) { return LDAP_seq(context, db, flags, entry); } static krb5_error_code -LDAP_rename(krb5_context context, HDB * db, const char *new_name) -{ - return HDB_ERR_DB_INUSE; -} - -static krb5_error_code LDAP__connect(krb5_context context, HDB * db) +LDAP__connect(krb5_context context, HDB * db) { int rc, version = LDAP_VERSION3; /* @@ -966,43 +1433,44 @@ static krb5_error_code LDAP__connect(krb5_context context, HDB * db) */ struct berval bv = { 0, "" }; - if (db->db != NULL) { + if (HDB2LDAP(db)) { /* connection has been opened. ping server. */ struct sockaddr_un addr; - socklen_t len; + socklen_t len = sizeof(addr); int sd; - if (ldap_get_option((LDAP *) db->db, LDAP_OPT_DESC, &sd) == 0 && + if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 && getpeername(sd, (struct sockaddr *) &addr, &len) < 0) { /* the other end has died. reopen. */ LDAP_close(context, db); } } - if (db->db != NULL) { - /* server is UP */ + if (HDB2LDAP(db) != NULL) /* server is UP */ return 0; - } - rc = ldap_initialize((LDAP **) & db->db, "ldapi:///"); + rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db)); if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_initialize: %s", ldap_err2string(rc)); + krb5_set_error_string(context, "ldap_initialize: %s", + ldap_err2string(rc)); return HDB_ERR_NOENTRY; } - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_PROTOCOL_VERSION, (const void *)&version); + rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION, + (const void *)&version); if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); - ldap_unbind_ext((LDAP *) db->db, NULL, NULL); - db->db = NULL; + krb5_set_error_string(context, "ldap_set_option: %s", + ldap_err2string(rc)); + LDAP_close(context, db); return HDB_ERR_BADVERSION; } - rc = ldap_sasl_bind_s((LDAP *) db->db, NULL, "EXTERNAL", &bv, NULL, NULL, NULL); + rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv, + NULL, NULL, NULL); if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_sasl_bind_s: %s", ldap_err2string(rc)); - ldap_unbind_ext((LDAP *) db->db, NULL, NULL); - db->db = NULL; + krb5_set_error_string(context, "ldap_sasl_bind_s: %s", + ldap_err2string(rc)); + LDAP_close(context, db); return HDB_ERR_BADVERSION; } @@ -1029,18 +1497,17 @@ LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode) } static krb5_error_code -LDAP_fetch(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) +LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal, + unsigned flags, hdb_entry_ex * entry) { LDAPMessage *msg, *e; krb5_error_code ret; - ret = LDAP_principal2message(context, db, entry->principal, &msg); - if (ret != 0) { + ret = LDAP_principal2message(context, db, principal, &msg); + if (ret) return ret; - } - e = ldap_first_entry((LDAP *) db->db, msg); + e = ldap_first_entry(HDB2LDAP(db), msg); if (e == NULL) { ret = HDB_ERR_NOENTRY; goto out; @@ -1048,10 +1515,10 @@ LDAP_fetch(krb5_context context, HDB * db, unsigned flags, ret = LDAP_message2entry(context, db, e, entry); if (ret == 0) { - if (db->master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys(context, db, entry); + if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { + ret = hdb_unseal_keys(context, db, &entry->entry); if (ret) - hdb_free_entry(context,entry); + hdb_free_entry(context, entry); } } @@ -1063,7 +1530,7 @@ LDAP_fetch(krb5_context context, HDB * db, unsigned flags, static krb5_error_code LDAP_store(krb5_context context, HDB * db, unsigned flags, - hdb_entry * entry) + hdb_entry_ex * entry) { LDAPMod **mods = NULL; krb5_error_code ret; @@ -1072,60 +1539,27 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags, LDAPMessage *msg = NULL, *e = NULL; char *dn = NULL, *name = NULL; - ret = krb5_unparse_name(context, entry->principal, &name); - if (ret != 0) { - goto out; - } + ret = LDAP_principal2message(context, db, entry->entry.principal, &msg); + if (ret == 0) + e = ldap_first_entry(HDB2LDAP(db), msg); - ret = LDAP__lookup_princ(context, db, name, &msg); - if (ret == 0) { - e = ldap_first_entry((LDAP *) db->db, msg); + ret = krb5_unparse_name(context, entry->entry.principal, &name); + if (ret) { + free(name); + return ret; } - ret = hdb_seal_keys(context, db, entry); - if (ret != 0) { + ret = hdb_seal_keys(context, db, &entry->entry); + if (ret) goto out; - } /* turn new entry into LDAPMod array */ ret = LDAP_entry2mods(context, db, entry, e, &mods); - if (ret != 0) { + if (ret) goto out; - } if (e == NULL) { - /* Doesn't exist yet. */ - char *p; - - e = NULL; - - /* normalize the naming attribute */ - for (p = name; *p != '\0'; p++) { - *p = (char) tolower((int) *p); - } - - /* - * We could do getpwnam() on the local component of - * the principal to find cn/sn but that's probably - * bad thing to do from inside a KDC. Better leave - * it to management tools. - */ - ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "cn", name); - if (ret < 0) { - goto out; - } - - ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "sn", name); - if (ret < 0) { - goto out; - } - - if (db->name != NULL) { - ret = asprintf(&dn, "cn=%s,%s", name, db->name); - } else { - /* A bit bogus, but we don't have a search base */ - ret = asprintf(&dn, "cn=%s", name); - } + ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db)); if (ret < 0) { krb5_set_error_string(context, "asprintf: out of memory"); ret = ENOMEM; @@ -1133,7 +1567,7 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags, } } else if (flags & HDB_F_REPLACE) { /* Entry exists, and we're allowed to replace it. */ - dn = ldap_get_dn((LDAP *) db->db, e); + dn = ldap_get_dn(HDB2LDAP(db), e); } else { /* Entry exists, but we're not allowed to replace it. Bail. */ ret = HDB_ERR_EXISTS; @@ -1143,182 +1577,253 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags, /* write entry into directory */ if (e == NULL) { /* didn't exist before */ - rc = ldap_add_s((LDAP *) db->db, dn, mods); + rc = ldap_add_s(HDB2LDAP(db), dn, mods); errfn = "ldap_add_s"; } else { /* already existed, send deltas only */ - rc = ldap_modify_s((LDAP *) db->db, dn, mods); + rc = ldap_modify_s(HDB2LDAP(db), dn, mods); errfn = "ldap_modify_s"; } - if (rc == LDAP_SUCCESS) { - ret = 0; - } else { - krb5_set_error_string(context, "%s: %s (dn=%s) %s", - errfn, name, dn, ldap_err2string(rc)); + if (check_ldap(context, db, rc)) { + char *ld_error = NULL; + ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING, + &ld_error); + krb5_set_error_string(context, "%s: %s (DN=%s) %s: %s", + errfn, name, dn, ldap_err2string(rc), ld_error); ret = HDB_ERR_CANT_LOCK_DB; - } + } else + ret = 0; out: /* free stuff */ - if (dn != NULL) { + if (dn) free(dn); - } - - if (msg != NULL) { + if (msg) ldap_msgfree(msg); - } - - if (mods != NULL) { + if (mods) ldap_mods_free(mods, 1); - } - - if (name != NULL) { + if (name) free(name); - } return ret; } static krb5_error_code -LDAP_remove(krb5_context context, HDB * db, hdb_entry * entry) +LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal) { krb5_error_code ret; LDAPMessage *msg, *e; char *dn = NULL; int rc, limit = LDAP_NO_LIMIT; - ret = LDAP_principal2message(context, db, entry->principal, &msg); - if (ret != 0) { + ret = LDAP_principal2message(context, db, principal, &msg); + if (ret) goto out; - } - e = ldap_first_entry((LDAP *) db->db, msg); + e = ldap_first_entry(HDB2LDAP(db), msg); if (e == NULL) { ret = HDB_ERR_NOENTRY; goto out; } - dn = ldap_get_dn((LDAP *) db->db, e); + dn = ldap_get_dn(HDB2LDAP(db), e); if (dn == NULL) { ret = HDB_ERR_NOENTRY; goto out; } - rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit); + rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit); if (rc != LDAP_SUCCESS) { - krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc)); + krb5_set_error_string(context, "ldap_set_option: %s", + ldap_err2string(rc)); ret = HDB_ERR_BADVERSION; goto out; } - rc = ldap_delete_s((LDAP *) db->db, dn); - if (rc == LDAP_SUCCESS) { - ret = 0; - } else { - krb5_set_error_string(context, "ldap_delete_s: %s", ldap_err2string(rc)); + rc = ldap_delete_s(HDB2LDAP(db), dn); + if (check_ldap(context, db, rc)) { + krb5_set_error_string(context, "ldap_delete_s: %s", + ldap_err2string(rc)); ret = HDB_ERR_CANT_LOCK_DB; - } + } else + ret = 0; out: - if (dn != NULL) { + if (dn != NULL) free(dn); - } - - if (msg != NULL) { + if (msg != NULL) ldap_msgfree(msg); - } return ret; } static krb5_error_code -LDAP__get(krb5_context context, HDB * db, krb5_data key, krb5_data * reply) -{ - fprintf(stderr, "LDAP__get not implemented\n"); - abort(); - return 0; -} - -static krb5_error_code -LDAP__put(krb5_context context, HDB * db, int replace, - krb5_data key, krb5_data value) -{ - fprintf(stderr, "LDAP__put not implemented\n"); - abort(); - return 0; -} - -static krb5_error_code -LDAP__del(krb5_context context, HDB * db, krb5_data key) -{ - fprintf(stderr, "LDAP__del not implemented\n"); - abort(); - return 0; -} - -static krb5_error_code LDAP_destroy(krb5_context context, HDB * db) +LDAP_destroy(krb5_context context, HDB * db) { krb5_error_code ret; + LDAP_close(context, db); + ret = hdb_clear_master_key(context, db); - if (db->name != NULL) { - free(db->name); - } + if (HDB2BASE(db)) + free(HDB2BASE(db)); + if (HDB2CREATE(db)) + free(HDB2CREATE(db)); + if (HDB2URL(db)) + free(HDB2URL(db)); + if (db->hdb_name) + free(db->hdb_name); + free(db->hdb_db); free(db); return ret; } krb5_error_code -hdb_ldap_create(krb5_context context, HDB ** db, const char *arg) +hdb_ldap_common(krb5_context context, + HDB ** db, + const char *search_base, + const char *url) { - *db = malloc(sizeof(**db)); + struct hdbldapdb *h; + const char *create_base = NULL; + + if (search_base == NULL && search_base[0] == '\0') { + krb5_set_error_string(context, "ldap search base not configured"); + return ENOMEM; /* XXX */ + } + + if (structural_object == NULL) { + const char *p; + + p = krb5_config_get_string(context, NULL, "kdc", + "hdb-ldap-structural-object", NULL); + if (p == NULL) + p = default_structural_object; + structural_object = strdup(p); + if (structural_object == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + } + + samba_forwardable = + krb5_config_get_bool_default(context, NULL, TRUE, + "kdc", "hdb-samba-forwardable", NULL); + + *db = calloc(1, sizeof(**db)); if (*db == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } + memset(*db, 0, sizeof(**db)); - (*db)->db = NULL; + h = calloc(1, sizeof(*h)); + if (h == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free(*db); + *db = NULL; + return ENOMEM; + } + (*db)->hdb_db = h; - if (arg == NULL || arg[0] == '\0') { - /* - * if no argument specified in the configuration file - * then use NULL, which tells OpenLDAP to look in - * the ldap.conf file. This doesn't work for - * writing entries because we don't know where to - * put new principals. - */ - (*db)->name = NULL; - } else { - (*db)->name = strdup(arg); - if ((*db)->name == NULL) { - krb5_set_error_string(context, "strdup: out of memory"); - free(*db); - *db = NULL; - return ENOMEM; - } + /* XXX */ + if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) { + LDAP_destroy(context, *db); + krb5_set_error_string(context, "strdup: out of memory"); + *db = NULL; + return ENOMEM; + } + + h->h_url = strdup(url); + h->h_base = strdup(search_base); + if (h->h_url == NULL || h->h_base == NULL) { + LDAP_destroy(context, *db); + krb5_set_error_string(context, "strdup: out of memory"); + *db = NULL; + return ENOMEM; } - (*db)->master_key_set = 0; - (*db)->openp = 0; - (*db)->open = LDAP_open; - (*db)->close = LDAP_close; - (*db)->fetch = LDAP_fetch; - (*db)->store = LDAP_store; - (*db)->remove = LDAP_remove; - (*db)->firstkey = LDAP_firstkey; - (*db)->nextkey = LDAP_nextkey; - (*db)->lock = LDAP_lock; - (*db)->unlock = LDAP_unlock; - (*db)->rename = LDAP_rename; - /* can we ditch these? */ - (*db)->_get = LDAP__get; - (*db)->_put = LDAP__put; - (*db)->_del = LDAP__del; - (*db)->destroy = LDAP_destroy; + create_base = krb5_config_get_string(context, NULL, "kdc", + "hdb-ldap-create-base", NULL); + if (create_base == NULL) + create_base = h->h_base; + + h->h_createbase = strdup(create_base); + if (h->h_createbase == NULL) { + LDAP_destroy(context, *db); + krb5_set_error_string(context, "strdup: out of memory"); + *db = NULL; + return ENOMEM; + } + + (*db)->hdb_master_key_set = 0; + (*db)->hdb_openp = 0; + (*db)->hdb_open = LDAP_open; + (*db)->hdb_close = LDAP_close; + (*db)->hdb_fetch = LDAP_fetch; + (*db)->hdb_store = LDAP_store; + (*db)->hdb_remove = LDAP_remove; + (*db)->hdb_firstkey = LDAP_firstkey; + (*db)->hdb_nextkey = LDAP_nextkey; + (*db)->hdb_lock = LDAP_lock; + (*db)->hdb_unlock = LDAP_unlock; + (*db)->hdb_rename = NULL; + (*db)->hdb__get = NULL; + (*db)->hdb__put = NULL; + (*db)->hdb__del = NULL; + (*db)->hdb_destroy = LDAP_destroy; return 0; } +krb5_error_code +hdb_ldap_create(krb5_context context, HDB ** db, const char *arg) +{ + return hdb_ldap_common(context, db, arg, "ldapi:///"); +} + +krb5_error_code +hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg) +{ + krb5_error_code ret; + char *search_base, *p; + + asprintf(&p, "ldapi:%s", arg); + if (p == NULL) { + krb5_set_error_string(context, "out of memory"); + *db = NULL; + return ENOMEM; + } + search_base = strchr(p + strlen("ldapi://"), ':'); + if (search_base == NULL) { + krb5_set_error_string(context, "search base missing"); + *db = NULL; + return HDB_ERR_BADVERSION; + } + *search_base = '\0'; + search_base++; + + ret = hdb_ldap_common(context, db, search_base, p); + free(p); + return ret; +} + +#ifdef OPENLDAP_MODULE + +struct hdb_so_method hdb_ldap_interface = { + HDB_INTERFACE_VERSION, + "ldap", + hdb_ldap_create +}; + +struct hdb_so_method hdb_ldapi_interface = { + HDB_INTERFACE_VERSION, + "ldapi", + hdb_ldapi_create +}; + +#endif + #endif /* OPENLDAP */ |