2
* Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3
* Copyright (c) 2004, Andrew Bartlett.
4
* Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.
7
* Redistribution and use in source and binary forms, with or without
8
* modification, are permitted provided that the following conditions
11
* 1. Redistributions of source code must retain the above copyright
12
* notice, this list of conditions and the following disclaimer.
14
* 2. Redistributions in binary form must reproduce the above copyright
15
* notice, this list of conditions and the following disclaimer in the
16
* documentation and/or other materials provided with the distribution.
18
* 3. Neither the name of PADL Software nor the names of its contributors
19
* may be used to endorse or promote products derived from this software
20
* without specific prior written permission.
22
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
44
static krb5_error_code LDAP__connect(krb5_context context, HDB *);
45
static krb5_error_code LDAP_close(krb5_context context, HDB *);
47
static krb5_error_code
48
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
49
int flags, hdb_entry_ex * ent);
51
static const char *default_structural_object = "account";
52
static char *structural_object;
53
static krb5_boolean samba_forwardable;
63
#define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
64
#define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
65
#define HDBSETMSGID(db,msgid) \
66
do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
67
#define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
68
#define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
69
#define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
75
static char * krb5kdcentry_attrs[] = {
82
"krb5KeyVersionNumber",
102
static char *krb5principal_attrs[] = {
107
"krb5PrincipalRealm",
116
LDAP_no_size_limit(krb5_context context, LDAP *lp)
118
int ret, limit = LDAP_NO_LIMIT;
120
ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
121
if (ret != LDAP_SUCCESS) {
122
krb5_set_error_message(context, HDB_ERR_BADVERSION,
123
"ldap_set_option: %s",
124
ldap_err2string(ret));
125
return HDB_ERR_BADVERSION;
131
check_ldap(krb5_context context, HDB *db, int ret)
136
case LDAP_SERVER_DOWN:
137
LDAP_close(context, db);
144
static krb5_error_code
145
LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
150
if (*modlist == NULL) {
151
*modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
152
if (*modlist == NULL)
156
for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
157
if ((*modlist)[cMods]->mod_op == modop &&
158
strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
165
if ((*modlist)[cMods] == NULL) {
168
*modlist = (LDAPMod **)ber_memrealloc(*modlist,
169
(cMods + 2) * sizeof(LDAPMod *));
170
if (*modlist == NULL)
173
(*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
174
if ((*modlist)[cMods] == NULL)
177
mod = (*modlist)[cMods];
179
mod->mod_type = ber_strdup(attribute);
180
if (mod->mod_type == NULL) {
182
(*modlist)[cMods] = NULL;
186
if (modop & LDAP_MOD_BVALUES) {
187
mod->mod_bvalues = NULL;
189
mod->mod_values = NULL;
192
(*modlist)[cMods + 1] = NULL;
198
static krb5_error_code
199
LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
200
unsigned char *value, size_t len)
205
ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
212
bv = (*modlist)[cMods]->mod_bvalues;
214
for (i = 0; bv[i] != NULL; i++)
216
bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
218
bv = ber_memalloc(2 * sizeof(*bv));
222
(*modlist)[cMods]->mod_bvalues = bv;
224
bv[i] = ber_memalloc(sizeof(**bv));;
228
bv[i]->bv_val = (void *)value;
237
static krb5_error_code
238
LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
244
ret = LDAP__setmod(modlist, modop, attribute, &cMods);
251
bv = (*modlist)[cMods]->mod_values;
253
for (i = 0; bv[i] != NULL; i++)
255
bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
257
bv = ber_memalloc(2 * sizeof(*bv));
261
(*modlist)[cMods]->mod_values = bv;
263
bv[i] = ber_strdup(value);
273
static krb5_error_code
274
LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
275
const char *attribute, KerberosTime * time)
280
/* XXX not threadsafe */
282
strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
284
return LDAP_addmod(mods, modop, attribute, buf);
287
static krb5_error_code
288
LDAP_addmod_integer(krb5_context context,
289
LDAPMod *** mods, int modop,
290
const char *attribute, unsigned long l)
295
ret = asprintf(&buf, "%ld", l);
297
krb5_set_error_message(context, ENOMEM,
298
"asprintf: out of memory:");
301
ret = LDAP_addmod(mods, modop, attribute, buf);
306
static krb5_error_code
307
LDAP_get_string_value(HDB * db, LDAPMessage * entry,
308
const char *attribute, char **ptr)
310
struct berval **vals;
312
vals = ldap_get_values_len(HDB2LDAP(db), entry, attribute);
313
if (vals == NULL || vals[0] == NULL) {
315
return HDB_ERR_NOENTRY;
318
*ptr = malloc(vals[0]->bv_len + 1);
320
ldap_value_free_len(vals);
324
memcpy(*ptr, vals[0]->bv_val, vals[0]->bv_len);
325
(*ptr)[vals[0]->bv_len] = 0;
327
ldap_value_free_len(vals);
332
static krb5_error_code
333
LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
334
const char *attribute, int *ptr)
339
ret = LDAP_get_string_value(db, entry, attribute, &val);
347
static krb5_error_code
348
LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
349
const char *attribute, KerberosTime * kt)
357
ret = LDAP_get_string_value(db, entry, attribute, &gentime);
361
tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
364
return HDB_ERR_NOENTRY;
375
bervalstrcmp(struct berval *v, const char *str)
377
size_t len = strlen(str);
378
return (v->bv_len == len) && strncasecmp(str, (char *)v->bv_val, len) == 0;
382
static krb5_error_code
383
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
384
LDAPMessage * msg, LDAPMod *** pmods)
387
krb5_boolean is_new_entry;
389
LDAPMod **mods = NULL;
391
unsigned long oflags, nflags;
394
krb5_boolean is_samba_account = FALSE;
395
krb5_boolean is_account = FALSE;
396
krb5_boolean is_heimdal_entry = FALSE;
397
krb5_boolean is_heimdal_principal = FALSE;
399
struct berval **vals;
405
ret = LDAP_message2entry(context, db, msg, 0, &orig);
409
is_new_entry = FALSE;
411
vals = ldap_get_values_len(HDB2LDAP(db), msg, "objectClass");
413
int num_objectclasses = ldap_count_values_len(vals);
414
for (i=0; i < num_objectclasses; i++) {
415
if (bervalstrcmp(vals[i], "sambaSamAccount"))
416
is_samba_account = TRUE;
417
else if (bervalstrcmp(vals[i], structural_object))
419
else if (bervalstrcmp(vals[i], "krb5Principal"))
420
is_heimdal_principal = TRUE;
421
else if (bervalstrcmp(vals[i], "krb5KDCEntry"))
422
is_heimdal_entry = TRUE;
424
ldap_value_free_len(vals);
428
* If this is just a "account" entry and no other objectclass
429
* is hanging on this entry, it's really a new entry.
431
if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
432
is_heimdal_entry == FALSE) {
433
if (is_account == TRUE) {
436
ret = HDB_ERR_NOENTRY;
445
/* to make it perfectly obvious we're depending on
446
* orig being intiialized to zero */
447
memset(&orig, 0, sizeof(orig));
449
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
453
/* account is the structural object class */
454
if (is_account == FALSE) {
455
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
462
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
463
is_heimdal_principal = TRUE;
467
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
468
is_heimdal_entry = TRUE;
474
krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
477
if (is_heimdal_principal || is_heimdal_entry) {
479
ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
483
ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
484
"krb5PrincipalName", tmp);
492
if (is_account || is_samba_account) {
493
ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
496
ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
505
if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
506
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
507
"krb5KeyVersionNumber",
513
if (is_heimdal_entry && ent->entry.valid_start) {
514
if (orig.entry.valid_end == NULL
515
|| (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
516
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
518
ent->entry.valid_start);
524
if (ent->entry.valid_end) {
525
if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
526
if (is_heimdal_entry) {
527
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
529
ent->entry.valid_end);
533
if (is_samba_account) {
534
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
536
*(ent->entry.valid_end));
543
if (ent->entry.pw_end) {
544
if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
545
if (is_heimdal_entry) {
546
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
553
if (is_samba_account) {
554
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
555
"sambaPwdMustChange",
556
*(ent->entry.pw_end));
564
#if 0 /* we we have last_pw_change */
565
if (is_samba_account && ent->entry.last_pw_change) {
566
if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
567
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
569
*(ent->entry.last_pw_change));
576
if (is_heimdal_entry && ent->entry.max_life) {
577
if (orig.entry.max_life == NULL
578
|| (*(ent->entry.max_life) != *(orig.entry.max_life))) {
580
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
582
*(ent->entry.max_life));
588
if (is_heimdal_entry && ent->entry.max_renew) {
589
if (orig.entry.max_renew == NULL
590
|| (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
592
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
594
*(ent->entry.max_renew));
600
oflags = HDBFlags2int(orig.entry.flags);
601
nflags = HDBFlags2int(ent->entry.flags);
603
if (is_heimdal_entry && oflags != nflags) {
605
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
612
/* Remove keys if they exists, and then replace keys. */
613
if (!is_new_entry && orig.entry.keys.len > 0) {
614
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
616
ldap_value_free_len(vals);
618
ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
624
for (i = 0; i < ent->entry.keys.len; i++) {
627
&& ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
630
time_t now = time(NULL);
632
/* the key might have been 'sealed', but samba passwords
633
are clear in the directory */
634
ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
638
nt = ent->entry.keys.val[i].key.keyvalue.data;
639
/* store in ntPassword, not krb5key */
640
ret = hex_encode(nt, 16, &ntHexPassword);
643
krb5_set_error_message(context, ret, "hdb-ldap: failed to "
647
ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",
652
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
653
"sambaPwdLastSet", now);
657
/* have to kill the LM passwod if it exists */
658
vals = ldap_get_values_len(HDB2LDAP(db), msg, "sambaLMPassword");
660
ldap_value_free_len(vals);
661
ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
662
"sambaLMPassword", NULL);
667
} else if (is_heimdal_entry) {
669
size_t len, buf_size;
671
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
675
krb5_abortx(context, "internal error in ASN.1 encoder");
677
/* addmod_len _owns_ the key, doesn't need to copy it */
678
ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
684
if (ent->entry.etypes) {
685
int add_krb5EncryptionType = 0;
688
* Only add/modify krb5EncryptionType if it's a new heimdal
689
* entry or krb5EncryptionType already exists on the entry.
693
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
695
ldap_value_free_len(vals);
696
ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
700
add_krb5EncryptionType = 1;
702
} else if (is_heimdal_entry)
703
add_krb5EncryptionType = 1;
705
if (add_krb5EncryptionType) {
706
for (i = 0; i < ent->entry.etypes->len; i++) {
707
if (is_samba_account &&
708
ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
711
} else if (is_heimdal_entry) {
712
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
713
"krb5EncryptionType",
714
ent->entry.etypes->val[i]);
729
else if (mods != NULL) {
730
ldap_mods_free(mods, 1);
735
hdb_free_entry(context, &orig);
740
static krb5_error_code
741
LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
742
krb5_principal * principal)
746
const char *filter = "(objectClass=krb5Principal)";
747
LDAPMessage *res = NULL, *e;
750
ret = LDAP_no_size_limit(context, HDB2LDAP(db));
754
rc = ldap_search_ext_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
755
filter, krb5principal_attrs, 0,
758
if (check_ldap(context, db, rc)) {
759
ret = HDB_ERR_NOENTRY;
760
krb5_set_error_message(context, ret, "ldap_search_ext_s: "
761
"filter: %s error: %s",
762
filter, ldap_err2string(rc));
766
e = ldap_first_entry(HDB2LDAP(db), res);
768
ret = HDB_ERR_NOENTRY;
772
ret = LDAP_get_string_value(db, e, "krb5PrincipalName", &p);
774
ret = HDB_ERR_NOENTRY;
778
ret = krb5_parse_name(context, p, principal);
789
need_quote(unsigned char c)
800
const static char hexchar[] = "0123456789ABCDEF";
802
static krb5_error_code
803
escape_value(krb5_context context, const unsigned char *unquoted, char **quoted)
807
for (i = 0, len = 0; unquoted[i] != '\0'; i++, len++) {
808
if (need_quote((unsigned char)unquoted[i]))
812
*quoted = malloc(len + 1);
813
if (*quoted == NULL) {
814
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
818
for (i = 0; unquoted[0] ; unquoted++) {
819
if (need_quote((unsigned char *)unquoted[0])) {
820
(*quoted)[i++] = '\\';
821
(*quoted)[i++] = hexchar[(unquoted[0] >> 4) & 0xf];
822
(*quoted)[i++] = hexchar[(unquoted[0] ) & 0xf];
824
(*quoted)[i++] = (char)unquoted[0];
831
static krb5_error_code
832
LDAP__lookup_princ(krb5_context context,
834
const char *princname,
840
char *quote, *filter = NULL;
842
ret = LDAP__connect(context, db);
847
* Quote searches that contain filter language, this quote
848
* searches for *@REALM, which takes very long time.
851
ret = escape_value(context, princname, "e);
855
rc = asprintf(&filter,
856
"(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
862
krb5_set_error_message(context, ret, "malloc: out of memory");
866
ret = LDAP_no_size_limit(context, HDB2LDAP(db));
870
rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db),
871
LDAP_SCOPE_SUBTREE, filter,
872
krb5kdcentry_attrs, 0,
875
if (check_ldap(context, db, rc)) {
876
ret = HDB_ERR_NOENTRY;
877
krb5_set_error_message(context, ret, "ldap_search_ext_s: "
878
"filter: %s - error: %s",
879
filter, ldap_err2string(rc));
883
if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
889
ret = escape_value(context, userid, "e);
893
rc = asprintf(&filter,
894
"(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
895
structural_object, quote);
899
krb5_set_error_message(context, ret, "asprintf: out of memory");
903
ret = LDAP_no_size_limit(context, HDB2LDAP(db));
907
rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,
908
filter, krb5kdcentry_attrs, 0,
911
if (check_ldap(context, db, rc)) {
912
ret = HDB_ERR_NOENTRY;
913
krb5_set_error_message(context, ret,
914
"ldap_search_ext_s: filter: %s error: %s",
915
filter, ldap_err2string(rc));
929
static krb5_error_code
930
LDAP_principal2message(krb5_context context, HDB * db,
931
krb5_const_principal princ, LDAPMessage ** msg)
933
char *name, *name_short = NULL;
939
ret = krb5_unparse_name(context, princ, &name);
943
ret = krb5_get_default_realms(context, &r0);
948
for (r = r0; *r != NULL; r++) {
949
if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
950
ret = krb5_unparse_name_short(context, princ, &name_short);
952
krb5_free_host_realm(context, r0);
959
krb5_free_host_realm(context, r0);
961
ret = LDAP__lookup_princ(context, db, name, name_short, msg);
969
* Construct an hdb_entry from a directory entry.
971
static krb5_error_code
972
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
973
int flags, hdb_entry_ex * ent)
975
char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
976
char *samba_acct_flags = NULL;
977
struct berval **keys;
978
struct berval **vals;
979
int tmp, tmp_time, i, ret, have_arcfour = 0;
981
memset(ent, 0, sizeof(*ent));
982
ent->entry.flags = int2HDBFlags(0);
984
ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
986
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
990
ret = LDAP_get_string_value(db, msg, "uid",
993
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
997
krb5_set_error_message(context, HDB_ERR_NOENTRY,
998
"hdb-ldap: ldap entry missing"
1000
return HDB_ERR_NOENTRY;
1006
ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
1009
ent->entry.kvno = 0;
1011
ent->entry.kvno = integer;
1014
keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
1019
ent->entry.keys.len = ldap_count_values_len(keys);
1020
ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
1021
if (ent->entry.keys.val == NULL) {
1023
krb5_set_error_message(context, ret, "calloc: out of memory");
1026
for (i = 0; i < ent->entry.keys.len; i++) {
1027
decode_Key((unsigned char *) keys[i]->bv_val,
1028
(size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
1034
* This violates the ASN1 but it allows a principal to
1035
* be related to a general directory entry without creating
1036
* the keys. Hopefully it's OK.
1038
ent->entry.keys.len = 0;
1039
ent->entry.keys.val = NULL;
1041
ret = HDB_ERR_NOENTRY;
1046
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
1050
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1051
if (ent->entry.etypes == NULL) {
1053
krb5_set_error_message(context, ret,"malloc: out of memory");
1056
ent->entry.etypes->len = ldap_count_values_len(vals);
1057
ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));
1058
if (ent->entry.etypes->val == NULL) {
1060
krb5_set_error_message(context, ret, "malloc: out of memory");
1061
ent->entry.etypes->len = 0;
1064
for (i = 0; i < ent->entry.etypes->len; i++) {
1067
buf = malloc(vals[i]->bv_len + 1);
1070
krb5_set_error_message(context, ret, "malloc: out of memory");
1073
memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
1074
buf[vals[i]->bv_len] = '\0';
1075
ent->entry.etypes->val[i] = atoi(buf);
1078
ldap_value_free_len(vals);
1081
for (i = 0; i < ent->entry.keys.len; i++) {
1082
if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
1088
/* manually construct the NT (type 23) key */
1089
ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
1090
if (ret == 0 && have_arcfour == 0) {
1095
keys = realloc(ent->entry.keys.val,
1096
(ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));
1100
krb5_set_error_message(context, ret, "malloc: out of memory");
1103
ent->entry.keys.val = keys;
1104
memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
1105
ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
1106
ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
1108
krb5_set_error_message(context, ret, "malloc: out of memory");
1113
ret = hex_decode(ntPasswordIN,
1114
ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
1115
ent->entry.keys.len++;
1117
if (ent->entry.etypes == NULL) {
1118
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1119
if (ent->entry.etypes == NULL) {
1121
krb5_set_error_message(context, ret, "malloc: out of memory");
1124
ent->entry.etypes->val = NULL;
1125
ent->entry.etypes->len = 0;
1128
for (i = 0; i < ent->entry.etypes->len; i++)
1129
if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
1131
/* If there is no ARCFOUR enctype, add one */
1132
if (i == ent->entry.etypes->len) {
1133
etypes = realloc(ent->entry.etypes->val,
1134
(ent->entry.etypes->len + 1) *
1135
sizeof(ent->entry.etypes->val[0]));
1136
if (etypes == NULL) {
1138
krb5_set_error_message(context, ret, "malloc: out of memory");
1141
ent->entry.etypes->val = etypes;
1142
ent->entry.etypes->val[ent->entry.etypes->len] =
1143
ETYPE_ARCFOUR_HMAC_MD5;
1144
ent->entry.etypes->len++;
1148
ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
1149
&ent->entry.created_by.time);
1151
ent->entry.created_by.time = time(NULL);
1153
ent->entry.created_by.principal = NULL;
1155
if (flags & HDB_F_ADMIN_DATA) {
1156
ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
1158
LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal);
1162
ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by));
1163
if (ent->entry.modified_by == NULL) {
1165
krb5_set_error_message(context, ret, "malloc: out of memory");
1169
ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
1170
&ent->entry.modified_by->time);
1172
ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
1174
LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal);
1177
free(ent->entry.modified_by);
1178
ent->entry.modified_by = NULL;
1183
ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
1184
if (ent->entry.valid_start == NULL) {
1186
krb5_set_error_message(context, ret, "malloc: out of memory");
1189
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
1190
ent->entry.valid_start);
1193
free(ent->entry.valid_start);
1194
ent->entry.valid_start = NULL;
1197
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1198
if (ent->entry.valid_end == NULL) {
1200
krb5_set_error_message(context, ret, "malloc: out of memory");
1203
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
1204
ent->entry.valid_end);
1207
free(ent->entry.valid_end);
1208
ent->entry.valid_end = NULL;
1211
ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
1213
if (ent->entry.valid_end == NULL) {
1214
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1215
if (ent->entry.valid_end == NULL) {
1217
krb5_set_error_message(context, ret, "malloc: out of memory");
1221
*ent->entry.valid_end = tmp_time;
1224
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1225
if (ent->entry.pw_end == NULL) {
1227
krb5_set_error_message(context, ret, "malloc: out of memory");
1230
ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
1234
free(ent->entry.pw_end);
1235
ent->entry.pw_end = NULL;
1238
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1242
if (ent->entry.pw_end == NULL) {
1243
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1244
if (ent->entry.pw_end == NULL) {
1246
krb5_set_error_message(context, ret, "malloc: out of memory");
1251
delta = krb5_config_get_time_default(context, NULL,
1254
"password_lifetime",
1256
*ent->entry.pw_end = tmp_time + delta;
1259
ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
1261
if (ent->entry.pw_end == NULL) {
1262
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1263
if (ent->entry.pw_end == NULL) {
1265
krb5_set_error_message(context, ret, "malloc: out of memory");
1269
*ent->entry.pw_end = tmp_time;
1273
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1275
hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
1280
ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
1281
if (ent->entry.max_life == NULL) {
1283
krb5_set_error_message(context, ret, "malloc: out of memory");
1286
ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
1288
free(ent->entry.max_life);
1289
ent->entry.max_life = NULL;
1291
*ent->entry.max_life = max_life;
1297
ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
1298
if (ent->entry.max_renew == NULL) {
1300
krb5_set_error_message(context, ret, "malloc: out of memory");
1303
ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
1305
free(ent->entry.max_renew);
1306
ent->entry.max_renew = NULL;
1308
*ent->entry.max_renew = max_renew;
1311
ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
1315
ent->entry.flags = int2HDBFlags(tmp);
1317
/* Try and find Samba flags to put into the mix */
1318
ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
1320
/* parse the [UXW...] string:
1324
'H' Homedir required
1326
'U' User account (normal)
1327
'M' MNS logon user account - what is this ?
1328
'W' Workstation account
1331
'X' No Xpiry on password
1332
'I' Interdomain trust account
1337
int flags_len = strlen(samba_acct_flags);
1342
if (samba_acct_flags[0] != '['
1343
|| samba_acct_flags[flags_len - 1] != ']')
1346
/* Allow forwarding */
1347
if (samba_forwardable)
1348
ent->entry.flags.forwardable = TRUE;
1350
for (i=0; i < flags_len; i++) {
1351
switch (samba_acct_flags[i]) {
1357
/* how to handle no password in kerberos? */
1360
ent->entry.flags.invalid = TRUE;
1365
/* temp duplicate */
1366
ent->entry.flags.invalid = TRUE;
1369
ent->entry.flags.client = TRUE;
1375
ent->entry.flags.server = TRUE;
1376
ent->entry.flags.client = TRUE;
1379
ent->entry.flags.invalid = TRUE;
1382
if (ent->entry.pw_end) {
1383
free(ent->entry.pw_end);
1384
ent->entry.pw_end = NULL;
1388
ent->entry.flags.server = TRUE;
1389
ent->entry.flags.client = TRUE;
1394
free(samba_acct_flags);
1401
free(unparsed_name);
1404
hdb_free_entry(context, ent);
1409
static krb5_error_code
1410
LDAP_close(krb5_context context, HDB * db)
1413
ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
1414
((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
1420
static krb5_error_code
1421
LDAP_lock(krb5_context context, HDB * db, int operation)
1426
static krb5_error_code
1427
LDAP_unlock(krb5_context context, HDB * db)
1432
static krb5_error_code
1433
LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
1435
int msgid, rc, parserc;
1436
krb5_error_code ret;
1439
msgid = HDB2MSGID(db);
1441
return HDB_ERR_NOENTRY;
1444
rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
1446
case LDAP_RES_SEARCH_REFERENCE:
1450
case LDAP_RES_SEARCH_ENTRY:
1451
/* We have an entry. Parse it. */
1452
ret = LDAP_message2entry(context, db, e, flags, entry);
1455
case LDAP_RES_SEARCH_RESULT:
1456
/* We're probably at the end of the results. If not, abandon. */
1458
ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
1460
ret = HDB_ERR_NOENTRY;
1461
if (parserc != LDAP_SUCCESS
1462
&& parserc != LDAP_MORE_RESULTS_TO_RETURN) {
1463
krb5_set_error_message(context, ret, "ldap_parse_result: %s",
1464
ldap_err2string(parserc));
1465
ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1467
HDBSETMSGID(db, -1);
1469
case LDAP_SERVER_DOWN:
1471
LDAP_close(context, db);
1472
HDBSETMSGID(db, -1);
1476
/* Some unspecified error (timeout?). Abandon. */
1478
ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);
1479
ret = HDB_ERR_NOENTRY;
1480
HDBSETMSGID(db, -1);
1483
} while (rc == LDAP_RES_SEARCH_REFERENCE);
1486
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1487
ret = hdb_unseal_keys(context, db, &entry->entry);
1489
hdb_free_entry(context, entry);
1496
static krb5_error_code
1497
LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
1498
hdb_entry_ex *entry)
1500
krb5_error_code ret;
1503
ret = LDAP__connect(context, db);
1507
ret = LDAP_no_size_limit(context, HDB2LDAP(db));
1511
ret = ldap_search_ext(HDB2LDAP(db), HDB2BASE(db),
1513
"(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1514
krb5kdcentry_attrs, 0,
1515
NULL, NULL, NULL, 0, &msgid);
1517
return HDB_ERR_NOENTRY;
1519
HDBSETMSGID(db, msgid);
1521
return LDAP_seq(context, db, flags, entry);
1524
static krb5_error_code
1525
LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
1526
hdb_entry_ex * entry)
1528
return LDAP_seq(context, db, flags, entry);
1531
static krb5_error_code
1532
LDAP__connect(krb5_context context, HDB * db)
1534
int rc, version = LDAP_VERSION3;
1536
* Empty credentials to do a SASL bind with LDAP. Note that empty
1537
* different from NULL credentials. If you provide NULL
1538
* credentials instead of empty credentials you will get a SASL
1539
* bind in progress message.
1541
struct berval bv = { 0, "" };
1544
/* connection has been opened. ping server. */
1545
struct sockaddr_un addr;
1546
socklen_t len = sizeof(addr);
1549
if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
1550
getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
1551
/* the other end has died. reopen. */
1552
LDAP_close(context, db);
1556
if (HDB2LDAP(db) != NULL) /* server is UP */
1559
rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));
1560
if (rc != LDAP_SUCCESS) {
1561
krb5_set_error_message(context, HDB_ERR_NOENTRY, "ldap_initialize: %s",
1562
ldap_err2string(rc));
1563
return HDB_ERR_NOENTRY;
1566
rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
1567
(const void *)&version);
1568
if (rc != LDAP_SUCCESS) {
1569
krb5_set_error_message(context, HDB_ERR_BADVERSION,
1570
"ldap_set_option: %s", ldap_err2string(rc));
1571
LDAP_close(context, db);
1572
return HDB_ERR_BADVERSION;
1575
rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
1577
if (rc != LDAP_SUCCESS) {
1578
krb5_set_error_message(context, HDB_ERR_BADVERSION,
1579
"ldap_sasl_bind_s: %s", ldap_err2string(rc));
1580
LDAP_close(context, db);
1581
return HDB_ERR_BADVERSION;
1587
static krb5_error_code
1588
LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
1590
/* Not the right place for this. */
1591
#ifdef HAVE_SIGACTION
1592
struct sigaction sa;
1595
sa.sa_handler = SIG_IGN;
1596
sigemptyset(&sa.sa_mask);
1598
sigaction(SIGPIPE, &sa, NULL);
1600
signal(SIGPIPE, SIG_IGN);
1601
#endif /* HAVE_SIGACTION */
1603
return LDAP__connect(context, db);
1606
static krb5_error_code
1607
LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
1608
unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)
1610
LDAPMessage *msg, *e;
1611
krb5_error_code ret;
1613
ret = LDAP_principal2message(context, db, principal, &msg);
1617
e = ldap_first_entry(HDB2LDAP(db), msg);
1619
ret = HDB_ERR_NOENTRY;
1623
ret = LDAP_message2entry(context, db, e, flags, entry);
1625
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1626
ret = hdb_unseal_keys(context, db, &entry->entry);
1628
hdb_free_entry(context, entry);
1638
static krb5_error_code
1639
LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
1640
unsigned flags, hdb_entry_ex * entry)
1642
return LDAP_fetch_kvno(context, db, principal,
1643
flags & (~HDB_F_KVNO_SPECIFIED), 0, entry);
1646
static krb5_error_code
1647
LDAP_store(krb5_context context, HDB * db, unsigned flags,
1648
hdb_entry_ex * entry)
1650
LDAPMod **mods = NULL;
1651
krb5_error_code ret;
1654
LDAPMessage *msg = NULL, *e = NULL;
1655
char *dn = NULL, *name = NULL;
1657
ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
1659
e = ldap_first_entry(HDB2LDAP(db), msg);
1661
ret = krb5_unparse_name(context, entry->entry.principal, &name);
1667
ret = hdb_seal_keys(context, db, &entry->entry);
1671
/* turn new entry into LDAPMod array */
1672
ret = LDAP_entry2mods(context, db, entry, e, &mods);
1677
ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
1680
krb5_set_error_message(context, ret, "asprintf: out of memory");
1683
} else if (flags & HDB_F_REPLACE) {
1684
/* Entry exists, and we're allowed to replace it. */
1685
dn = ldap_get_dn(HDB2LDAP(db), e);
1687
/* Entry exists, but we're not allowed to replace it. Bail. */
1688
ret = HDB_ERR_EXISTS;
1692
/* write entry into directory */
1694
/* didn't exist before */
1695
rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1696
errfn = "ldap_add_ext_s";
1698
/* already existed, send deltas only */
1699
rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );
1700
errfn = "ldap_modify_ext_s";
1703
if (check_ldap(context, db, rc)) {
1704
char *ld_error = NULL;
1705
ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
1707
ret = HDB_ERR_CANT_LOCK_DB;
1708
krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",
1709
errfn, name, dn, ldap_err2string(rc), ld_error);
1720
ldap_mods_free(mods, 1);
1727
static krb5_error_code
1728
LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)
1730
krb5_error_code ret;
1731
LDAPMessage *msg, *e;
1733
int rc, limit = LDAP_NO_LIMIT;
1735
ret = LDAP_principal2message(context, db, principal, &msg);
1739
e = ldap_first_entry(HDB2LDAP(db), msg);
1741
ret = HDB_ERR_NOENTRY;
1745
dn = ldap_get_dn(HDB2LDAP(db), e);
1747
ret = HDB_ERR_NOENTRY;
1751
rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
1752
if (rc != LDAP_SUCCESS) {
1753
ret = HDB_ERR_BADVERSION;
1754
krb5_set_error_message(context, ret, "ldap_set_option: %s",
1755
ldap_err2string(rc));
1759
rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL );
1760
if (check_ldap(context, db, rc)) {
1761
ret = HDB_ERR_CANT_LOCK_DB;
1762
krb5_set_error_message(context, ret, "ldap_delete_ext_s: %s",
1763
ldap_err2string(rc));
1776
static krb5_error_code
1777
LDAP_destroy(krb5_context context, HDB * db)
1779
krb5_error_code ret;
1781
LDAP_close(context, db);
1783
ret = hdb_clear_master_key(context, db);
1787
free(HDB2CREATE(db));
1798
static krb5_error_code
1799
hdb_ldap_common(krb5_context context,
1801
const char *search_base,
1804
struct hdbldapdb *h;
1805
const char *create_base = NULL;
1807
if (search_base == NULL && search_base[0] == '\0') {
1808
krb5_set_error_message(context, ENOMEM, "ldap search base not configured");
1809
return ENOMEM; /* XXX */
1812
if (structural_object == NULL) {
1815
p = krb5_config_get_string(context, NULL, "kdc",
1816
"hdb-ldap-structural-object", NULL);
1818
p = default_structural_object;
1819
structural_object = strdup(p);
1820
if (structural_object == NULL) {
1821
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1827
krb5_config_get_bool_default(context, NULL, TRUE,
1828
"kdc", "hdb-samba-forwardable", NULL);
1830
*db = calloc(1, sizeof(**db));
1832
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1835
memset(*db, 0, sizeof(**db));
1837
h = calloc(1, sizeof(*h));
1841
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1847
if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {
1848
LDAP_destroy(context, *db);
1850
krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1854
h->h_url = strdup(url);
1855
h->h_base = strdup(search_base);
1856
if (h->h_url == NULL || h->h_base == NULL) {
1857
LDAP_destroy(context, *db);
1859
krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1863
create_base = krb5_config_get_string(context, NULL, "kdc",
1864
"hdb-ldap-create-base", NULL);
1865
if (create_base == NULL)
1866
create_base = h->h_base;
1868
h->h_createbase = strdup(create_base);
1869
if (h->h_createbase == NULL) {
1870
LDAP_destroy(context, *db);
1872
krb5_set_error_message(context, ENOMEM, "strdup: out of memory");
1876
(*db)->hdb_master_key_set = 0;
1877
(*db)->hdb_openp = 0;
1878
(*db)->hdb_capability_flags = 0;
1879
(*db)->hdb_open = LDAP_open;
1880
(*db)->hdb_close = LDAP_close;
1881
(*db)->hdb_fetch_kvno = LDAP_fetch_kvno;
1882
(*db)->hdb_store = LDAP_store;
1883
(*db)->hdb_remove = LDAP_remove;
1884
(*db)->hdb_firstkey = LDAP_firstkey;
1885
(*db)->hdb_nextkey = LDAP_nextkey;
1886
(*db)->hdb_lock = LDAP_lock;
1887
(*db)->hdb_unlock = LDAP_unlock;
1888
(*db)->hdb_rename = NULL;
1889
(*db)->hdb__get = NULL;
1890
(*db)->hdb__put = NULL;
1891
(*db)->hdb__del = NULL;
1892
(*db)->hdb_destroy = LDAP_destroy;
1898
hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
1900
return hdb_ldap_common(context, db, arg, "ldapi:///");
1904
hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)
1906
krb5_error_code ret;
1907
char *search_base, *p;
1909
asprintf(&p, "ldapi:%s", arg);
1912
krb5_set_error_message(context, ENOMEM, "out of memory");
1915
search_base = strchr(p + strlen("ldapi://"), ':');
1916
if (search_base == NULL) {
1918
krb5_set_error_message(context, HDB_ERR_BADVERSION,
1919
"search base missing");
1920
return HDB_ERR_BADVERSION;
1922
*search_base = '\0';
1925
ret = hdb_ldap_common(context, db, search_base, p);
1930
#ifdef OPENLDAP_MODULE
1932
struct hdb_so_method hdb_ldap_interface = {
1933
HDB_INTERFACE_VERSION,
1938
struct hdb_so_method hdb_ldapi_interface = {
1939
HDB_INTERFACE_VERSION,
1946
#endif /* OPENLDAP */