2
* lib/kdb/kdb_ldap/ldap_tkt_policy.c
4
* Copyright (c) 2004-2005, Novell, Inc.
7
* Redistribution and use in source and binary forms, with or without
8
* modification, are permitted provided that the following conditions are met:
10
* * Redistributions of source code must retain the above copyright notice,
11
* this list of conditions and the following disclaimer.
12
* * Redistributions in binary form must reproduce the above copyright
13
* notice, this list of conditions and the following disclaimer in the
14
* documentation and/or other materials provided with the distribution.
15
* * The copyright holder's name is not used to endorse or promote products
16
* derived from this software without specific prior written permission.
18
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
22
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28
* POSSIBILITY OF SUCH DAMAGE.
31
#include "ldap_main.h"
33
#include "ldap_tkt_policy.h"
36
/* Ticket policy object management */
39
* create the Ticket policy object in Directory.
42
krb5_ldap_create_policy(context, policy, mask)
44
krb5_ldap_policy_params *policy;
49
char *strval[3]={NULL}, *policy_dn = NULL;
51
kdb5_dal_handle *dal_handle=NULL;
52
krb5_ldap_context *ldap_context=NULL;
53
krb5_ldap_server_handle *ldap_server_handle=NULL;
55
/* validate the input parameters */
56
if (policy == NULL || policy->policy == NULL) {
58
krb5_set_error_message (context, st, "Ticket Policy Name missing");
65
if ((st = krb5_ldap_name_to_policydn (context, policy->policy, &policy_dn)) != 0)
68
memset(strval, 0, sizeof(strval));
69
strval[0] = policy->policy;
70
if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
73
memset(strval, 0, sizeof(strval));
74
strval[0] = "krbTicketPolicy";
75
strval[1] = "krbTicketPolicyaux";
76
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
79
if (mask & LDAP_POLICY_MAXTKTLIFE) {
80
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_ADD,
81
policy->maxtktlife)) != 0)
85
if (mask & LDAP_POLICY_MAXRENEWLIFE) {
86
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_ADD,
87
policy->maxrenewlife)) != 0)
91
if (mask & LDAP_POLICY_TKTFLAGS) {
92
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_ADD,
93
policy->tktflags)) != 0)
97
/* ldap add operation */
98
if ((st=ldap_add_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
99
st = set_ldap_error (context, st, OP_ADD);
104
if (policy_dn != NULL)
107
ldap_mods_free(mods, 1);
108
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
114
* modify the Ticket policy object in Directory.
118
krb5_ldap_modify_policy(context, policy, mask)
119
krb5_context context;
120
krb5_ldap_policy_params *policy;
124
krb5_error_code st=0;
126
char *attrvalues[]={"krbTicketPolicy", "krbTicketPolicyAux", NULL}, *strval[2]={NULL};
127
char *policy_dn = NULL;
129
kdb5_dal_handle *dal_handle=NULL;
130
krb5_ldap_context *ldap_context=NULL;
131
krb5_ldap_server_handle *ldap_server_handle=NULL;
133
/* validate the input parameters */
134
if (policy == NULL || policy->policy==NULL) {
136
krb5_set_error_message (context, st, "Ticket Policy Name missing");
143
if ((st = krb5_ldap_name_to_policydn (context, policy->policy, &policy_dn)) != 0)
146
/* the policydn object should be of the krbTicketPolicy object class */
147
st = checkattributevalue(ld, policy_dn, "objectClass", attrvalues, &objectmask);
148
CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: ");
150
if ((objectmask & 0x02) == 0) { /* add krbticketpolicyaux to the object class list */
151
memset(strval, 0, sizeof(strval));
152
strval[0] = "krbTicketPolicyAux";
153
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
157
if (mask & LDAP_POLICY_MAXTKTLIFE) {
158
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE,
159
policy->maxtktlife)) != 0)
163
if (mask & LDAP_POLICY_MAXRENEWLIFE) {
164
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
165
policy->maxrenewlife)) != 0)
169
if (mask & LDAP_POLICY_TKTFLAGS) {
170
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
171
policy->tktflags)) != 0)
175
if ((st=ldap_modify_ext_s(ld, policy_dn, mods, NULL, NULL)) != LDAP_SUCCESS) {
176
st = set_ldap_error (context, st, OP_MOD);
181
if (policy_dn != NULL)
184
ldap_mods_free(mods, 1);
185
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
191
* Read the policy object from the Directory and populate the krb5_ldap_policy_params
196
krb5_ldap_read_policy(context, policyname, policy, omask)
197
krb5_context context;
199
krb5_ldap_policy_params **policy;
202
krb5_error_code st=0, tempst=0;
205
LDAPMessage *result=NULL,*ent=NULL;
206
char *attributes[] = { "krbMaxTicketLife", "krbMaxRenewableAge", "krbTicketFlags", NULL};
207
char *attrvalues[] = { "krbTicketPolicy", NULL}, *policy_dn = NULL;
208
krb5_ldap_policy_params *lpolicy=NULL;
209
kdb5_dal_handle *dal_handle=NULL;
210
krb5_ldap_context *ldap_context=NULL;
211
krb5_ldap_server_handle *ldap_server_handle=NULL;
213
/* validate the input parameters */
214
if (policyname == NULL || policy == NULL) {
216
krb5_set_error_message(context, st, "Ticket Policy Object information missing");
223
if ((st = krb5_ldap_name_to_policydn (context, policyname, &policy_dn)) != 0)
226
/* the policydn object should be of the krbTicketPolicy object class */
227
st = checkattributevalue(ld, policy_dn, "objectClass", attrvalues, &objectmask);
228
CHECK_CLASS_VALIDITY(st, objectmask, "ticket policy object: ");
230
/* Initialize ticket policy structure */
231
lpolicy =(krb5_ldap_policy_params *) malloc(sizeof(krb5_ldap_policy_params));
233
memset(lpolicy, 0, sizeof(krb5_ldap_policy_params));
235
if ((lpolicy->policy = strdup (policyname)) == NULL) {
240
lpolicy->tl_data = calloc (1, sizeof(*lpolicy->tl_data));
241
CHECK_NULL(lpolicy->tl_data);
242
lpolicy->tl_data->tl_data_type = KDB_TL_USER_INFO;
244
LDAP_SEARCH(policy_dn, LDAP_SCOPE_BASE, "(objectclass=krbTicketPolicy)", attributes);
248
ent=ldap_first_entry(ld, result);
250
if (krb5_ldap_get_value(ld, ent, "krbmaxticketlife", (int *) &(lpolicy->maxtktlife)) == 0)
251
*omask |= LDAP_POLICY_MAXTKTLIFE;
253
if (krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", (int *) &(lpolicy->maxrenewlife)) == 0)
254
*omask |= LDAP_POLICY_MAXRENEWLIFE;
256
if (krb5_ldap_get_value(ld, ent, "krbticketflags", (int *) &(lpolicy->tktflags)) == 0)
257
*omask |= LDAP_POLICY_TKTFLAGS;
259
ldap_msgfree(result);
261
lpolicy->mask = *omask;
262
store_tl_data(lpolicy->tl_data, KDB_TL_MASK, omask);
267
krb5_ldap_free_policy(context, lpolicy);
270
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
276
* Function to delete ticket policy object from the directory. Before
277
* calling this function krb5_ldap_read_policy should be called to
278
* check the existence of the object. This serves one major purpose,
279
* i.e., if the object to be is anything other than the ticket policy
280
* object then the krb5_ldap_read_policy returns an error and thus is
281
* not accidently deleted in this function.
283
* NOTE: Other kerberos objects (user/realm object) might be having
284
* references to the policy object to be deleted. This situation is
285
* not handled here, instead is taken care of at all the places where
286
* the deleted policy object is read, to ignore a return status of
287
* LDAP_NO_SUCH_OBJECT and continue.
291
krb5_ldap_delete_policy(context, policyname)
292
krb5_context context;
296
char *policy_dn = NULL;
297
krb5_error_code st = 0;
299
kdb5_dal_handle *dal_handle=NULL;
300
krb5_ldap_context *ldap_context=NULL;
301
krb5_ldap_server_handle *ldap_server_handle=NULL;
303
if (policyname == NULL) {
305
prepend_err_str (context,"Ticket Policy Object DN missing",st,st);
313
if ((st = krb5_ldap_name_to_policydn (context, policyname, &policy_dn)) != 0)
316
/* Checking for policy count for 0 and will not permit delete if
317
* it is greater than 0. */
319
if ((st = krb5_ldap_get_reference_count (context, policy_dn,
320
"krbTicketPolicyReference", &refcount, ld)) != 0)
324
if ((st=ldap_delete_ext_s(ld, policy_dn, NULL, NULL)) != 0) {
325
prepend_err_str (context,ldap_err2string(st),st,st);
331
prepend_err_str (context,"Delete Failed: One or more Principals associated with the Ticket Policy",st,st);
336
if (policy_dn != NULL)
338
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
344
* list policy objects from Directory
348
krb5_ldap_list_policy(context, containerdn, policy)
349
krb5_context context;
355
char *policycontainerdn = containerdn;
356
kdb5_dal_handle *dal_handle=NULL;
357
krb5_ldap_context *ldap_context=NULL;
358
krb5_error_code st=0;
361
if (policycontainerdn == NULL) {
362
policycontainerdn = ldap_context->lrparams->realmdn;
365
if ((st = krb5_ldap_list(context, &list, "krbTicketPolicy", policycontainerdn)) != 0)
368
for (i = 0; list[i] != NULL; i++);
372
*policy = (char **) calloc ((unsigned) count + 1, sizeof(char *));
373
if (*policy == NULL) {
378
for (i = 0, j = 0; list[i] != NULL; i++, j++) {
380
ret = krb5_ldap_policydn_to_name (context, list[i], &(*policy)[i]);
390
* Function to free the ticket policy object structure.
391
* Note: this function assumes that memory of the policy structure is dynamically allocated and hence the whole
392
* structure is freed up. Care should be taken not to call this function on a static structure
396
krb5_ldap_free_policy(context, policy)
397
krb5_context context;
398
krb5_ldap_policy_params *policy;
401
krb5_error_code st=0;
407
free (policy->policy);
409
if (policy->tl_data) {
410
if (policy->tl_data->tl_data_contents)
411
free (policy->tl_data->tl_data_contents);
412
free (policy->tl_data);
420
* This function is general object listing routine. It is currently
421
* used for ticket policy object listing.
425
krb5_ldap_list(context, list, objectclass, containerdn)
426
krb5_context context;
431
char *filter=NULL, *dn=NULL;
432
krb5_error_code st=0, tempst=0;
433
int i=0, count=0, filterlen=0;
435
LDAPMessage *result=NULL,*ent=NULL;
436
kdb5_dal_handle *dal_handle=NULL;
437
krb5_ldap_context *ldap_context=NULL;
438
krb5_ldap_server_handle *ldap_server_handle=NULL;
443
/* check if the containerdn exists */
445
if ((st=checkattributevalue(ld, containerdn, NULL, NULL, NULL)) != 0) {
446
prepend_err_str (context, "Error reading container object: ", st, st);
451
/* set the filter for the search operation */
452
filterlen = strlen("(objectclass=") + strlen(objectclass) + 1 + 1;
453
filter = malloc ((unsigned) filterlen);
454
if (filter == NULL) {
458
snprintf(filter, (unsigned) filterlen,"(objectclass=%s)",objectclass);
460
LDAP_SEARCH(containerdn, LDAP_SCOPE_SUBTREE, filter, NULL);
462
count = ldap_count_entries(ld, result);
464
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st);
465
st = set_ldap_error(context, st, OP_SEARCH);
468
*list = (char **) calloc ((unsigned) count+1, sizeof(char *));
474
for (ent=ldap_first_entry(ld, result), count=0; ent != NULL; ent=ldap_next_entry(ld, ent), ++count) {
475
if ((dn=ldap_get_dn(ld, ent)) == NULL)
477
if (((*list)[count] = strdup(dn)) == NULL) {
484
ldap_msgfree(result);
490
/* some error, free up all the memory */
493
for (i=0; (*list)[i]; ++i)
499
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);