2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett.
4 * Copyright (c) 2003 - 2007, Kungliga Tekniska Högskolan.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 RCSID("$Id: hdb-ldap.c 22071 2007-11-14 20:04:50Z lha $");
46 static krb5_error_code LDAP__connect(krb5_context context, HDB *);
47 static krb5_error_code LDAP_close(krb5_context context, HDB *);
49 static krb5_error_code
50 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
53 static const char *default_structural_object = "account";
54 static char *structural_object;
55 static krb5_boolean samba_forwardable;
65 #define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
66 #define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
67 #define HDBSETMSGID(db,msgid) \
68 do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
69 #define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
70 #define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
71 #define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
77 static char * krb5kdcentry_attrs[] = {
84 "krb5KeyVersionNumber",
104 static char *krb5principal_attrs[] = {
109 "krb5PrincipalRealm",
118 LDAP_no_size_limit(krb5_context context, LDAP *lp)
120 int ret, limit = LDAP_NO_LIMIT;
122 ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
123 if (ret != LDAP_SUCCESS) {
124 krb5_set_error_string(context, "ldap_set_option: %s",
125 ldap_err2string(ret));
126 return HDB_ERR_BADVERSION;
132 check_ldap(krb5_context context, HDB *db, int ret)
137 case LDAP_SERVER_DOWN:
138 LDAP_close(context, db);
145 static krb5_error_code
146 LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
151 if (*modlist == NULL) {
152 *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
153 if (*modlist == NULL)
157 for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
158 if ((*modlist)[cMods]->mod_op == modop &&
159 strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {
166 if ((*modlist)[cMods] == NULL) {
169 *modlist = (LDAPMod **)ber_memrealloc(*modlist,
170 (cMods + 2) * sizeof(LDAPMod *));
171 if (*modlist == NULL)
174 (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
175 if ((*modlist)[cMods] == NULL)
178 mod = (*modlist)[cMods];
180 mod->mod_type = ber_strdup(attribute);
181 if (mod->mod_type == NULL) {
183 (*modlist)[cMods] = NULL;
187 if (modop & LDAP_MOD_BVALUES) {
188 mod->mod_bvalues = NULL;
190 mod->mod_values = NULL;
193 (*modlist)[cMods + 1] = NULL;
199 static krb5_error_code
200 LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
201 unsigned char *value, size_t len)
206 ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
213 bv = (*modlist)[cMods]->mod_bvalues;
215 for (i = 0; bv[i] != NULL; i++)
217 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
219 bv = ber_memalloc(2 * sizeof(*bv));
223 (*modlist)[cMods]->mod_bvalues = bv;
225 bv[i] = ber_memalloc(sizeof(*bv));;
229 bv[i]->bv_val = (void *)value;
238 static krb5_error_code
239 LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
245 ret = LDAP__setmod(modlist, modop, attribute, &cMods);
252 bv = (*modlist)[cMods]->mod_values;
254 for (i = 0; bv[i] != NULL; i++)
256 bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
258 bv = ber_memalloc(2 * sizeof(*bv));
262 (*modlist)[cMods]->mod_values = bv;
264 bv[i] = ber_strdup(value);
274 static krb5_error_code
275 LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
276 const char *attribute, KerberosTime * time)
281 /* XXX not threadsafe */
283 strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
285 return LDAP_addmod(mods, modop, attribute, buf);
288 static krb5_error_code
289 LDAP_addmod_integer(krb5_context context,
290 LDAPMod *** mods, int modop,
291 const char *attribute, unsigned long l)
296 ret = asprintf(&buf, "%ld", l);
298 krb5_set_error_string(context, "asprintf: out of memory:");
301 ret = LDAP_addmod(mods, modop, attribute, buf);
306 static krb5_error_code
307 LDAP_get_string_value(HDB * db, LDAPMessage * entry,
308 const char *attribute, char **ptr)
313 vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute);
316 return HDB_ERR_NOENTRY;
319 *ptr = strdup(vals[0]);
325 ldap_value_free(vals);
330 static krb5_error_code
331 LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
332 const char *attribute, int *ptr)
336 vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute);
338 return HDB_ERR_NOENTRY;
340 *ptr = atoi(vals[0]);
341 ldap_value_free(vals);
345 static krb5_error_code
346 LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
347 const char *attribute, KerberosTime * kt)
355 ret = LDAP_get_string_value(db, entry, attribute, &gentime);
359 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
362 return HDB_ERR_NOENTRY;
372 static krb5_error_code
373 LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
374 LDAPMessage * msg, LDAPMod *** pmods)
377 krb5_boolean is_new_entry;
379 LDAPMod **mods = NULL;
381 unsigned long oflags, nflags;
384 krb5_boolean is_samba_account = FALSE;
385 krb5_boolean is_account = FALSE;
386 krb5_boolean is_heimdal_entry = FALSE;
387 krb5_boolean is_heimdal_principal = FALSE;
395 ret = LDAP_message2entry(context, db, msg, &orig);
399 is_new_entry = FALSE;
401 values = ldap_get_values(HDB2LDAP(db), msg, "objectClass");
403 int num_objectclasses = ldap_count_values(values);
404 for (i=0; i < num_objectclasses; i++) {
405 if (strcasecmp(values[i], "sambaSamAccount") == 0) {
406 is_samba_account = TRUE;
407 } else if (strcasecmp(values[i], structural_object) == 0) {
409 } else if (strcasecmp(values[i], "krb5Principal") == 0) {
410 is_heimdal_principal = TRUE;
411 } else if (strcasecmp(values[i], "krb5KDCEntry") == 0) {
412 is_heimdal_entry = TRUE;
415 ldap_value_free(values);
419 * If this is just a "account" entry and no other objectclass
420 * is hanging on this entry, it's really a new entry.
422 if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
423 is_heimdal_entry == FALSE) {
424 if (is_account == TRUE) {
427 ret = HDB_ERR_NOENTRY;
436 /* to make it perfectly obvious we're depending on
437 * orig being intiialized to zero */
438 memset(&orig, 0, sizeof(orig));
440 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
444 /* account is the structural object class */
445 if (is_account == FALSE) {
446 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
453 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
454 is_heimdal_principal = TRUE;
458 ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
459 is_heimdal_entry = TRUE;
465 krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
468 if (is_heimdal_principal || is_heimdal_entry) {
470 ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
474 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
475 "krb5PrincipalName", tmp);
483 if (is_account || is_samba_account) {
484 ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
487 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
496 if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
497 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
498 "krb5KeyVersionNumber",
504 if (is_heimdal_entry && ent->entry.valid_start) {
505 if (orig.entry.valid_end == NULL
506 || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
507 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
509 ent->entry.valid_start);
515 if (ent->entry.valid_end) {
516 if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
517 if (is_heimdal_entry) {
518 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
520 ent->entry.valid_end);
524 if (is_samba_account) {
525 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
527 *(ent->entry.valid_end));
534 if (ent->entry.pw_end) {
535 if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
536 if (is_heimdal_entry) {
537 ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
544 if (is_samba_account) {
545 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
546 "sambaPwdMustChange",
547 *(ent->entry.pw_end));
555 #if 0 /* we we have last_pw_change */
556 if (is_samba_account && ent->entry.last_pw_change) {
557 if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
558 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
560 *(ent->entry.last_pw_change));
567 if (is_heimdal_entry && ent->entry.max_life) {
568 if (orig.entry.max_life == NULL
569 || (*(ent->entry.max_life) != *(orig.entry.max_life))) {
571 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
573 *(ent->entry.max_life));
579 if (is_heimdal_entry && ent->entry.max_renew) {
580 if (orig.entry.max_renew == NULL
581 || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
583 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
585 *(ent->entry.max_renew));
591 oflags = HDBFlags2int(orig.entry.flags);
592 nflags = HDBFlags2int(ent->entry.flags);
594 if (is_heimdal_entry && oflags != nflags) {
596 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
603 /* Remove keys if they exists, and then replace keys. */
604 if (!is_new_entry && orig.entry.keys.len > 0) {
605 values = ldap_get_values(HDB2LDAP(db), msg, "krb5Key");
607 ldap_value_free(values);
609 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
615 for (i = 0; i < ent->entry.keys.len; i++) {
618 && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
622 /* the key might have been 'sealed', but samba passwords
623 are clear in the directory */
624 ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
628 nt = ent->entry.keys.val[i].key.keyvalue.data;
629 /* store in ntPassword, not krb5key */
630 ret = hex_encode(nt, 16, &ntHexPassword);
632 krb5_set_error_string(context, "hdb-ldap: failed to "
637 ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",
643 /* have to kill the LM passwod if it exists */
644 values = ldap_get_values(HDB2LDAP(db), msg, "sambaLMPassword");
646 ldap_value_free(values);
647 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
648 "sambaLMPassword", NULL);
653 } else if (is_heimdal_entry) {
655 size_t len, buf_size;
657 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
661 krb5_abortx(context, "internal error in ASN.1 encoder");
663 /* addmod_len _owns_ the key, doesn't need to copy it */
664 ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
670 if (ent->entry.etypes) {
671 int add_krb5EncryptionType = 0;
674 * Only add/modify krb5EncryptionType if it's a new heimdal
675 * entry or krb5EncryptionType already exists on the entry.
679 values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
681 ldap_value_free(values);
682 ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
686 add_krb5EncryptionType = 1;
688 } else if (is_heimdal_entry)
689 add_krb5EncryptionType = 1;
691 if (add_krb5EncryptionType) {
692 for (i = 0; i < ent->entry.etypes->len; i++) {
693 if (is_samba_account &&
694 ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
697 } else if (is_heimdal_entry) {
698 ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
699 "krb5EncryptionType",
700 ent->entry.etypes->val[i]);
715 else if (mods != NULL) {
716 ldap_mods_free(mods, 1);
721 hdb_free_entry(context, &orig);
726 static krb5_error_code
727 LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
728 krb5_principal * principal)
732 const char *filter = "(objectClass=krb5Principal)";
734 LDAPMessage *res = NULL, *e;
736 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
740 rc = ldap_search_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
741 filter, krb5principal_attrs,
743 if (check_ldap(context, db, rc)) {
744 krb5_set_error_string(context, "ldap_search_s: filter: %s error: %s",
745 filter, ldap_err2string(rc));
746 ret = HDB_ERR_NOENTRY;
750 e = ldap_first_entry(HDB2LDAP(db), res);
752 ret = HDB_ERR_NOENTRY;
756 values = ldap_get_values(HDB2LDAP(db), e, "krb5PrincipalName");
757 if (values == NULL) {
758 ret = HDB_ERR_NOENTRY;
762 ret = krb5_parse_name(context, values[0], principal);
763 ldap_value_free(values);
772 static krb5_error_code
773 LDAP__lookup_princ(krb5_context context,
775 const char *princname,
783 ret = LDAP__connect(context, db);
787 rc = asprintf(&filter,
788 "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
791 krb5_set_error_string(context, "asprintf: out of memory");
796 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
800 rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE, filter,
801 krb5kdcentry_attrs, 0, msg);
802 if (check_ldap(context, db, rc)) {
803 krb5_set_error_string(context, "ldap_search_s: filter: %s - error: %s",
804 filter, ldap_err2string(rc));
805 ret = HDB_ERR_NOENTRY;
809 if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
815 rc = asprintf(&filter,
816 "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
817 structural_object, userid);
819 krb5_set_error_string(context, "asprintf: out of memory");
824 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
828 rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,
829 filter, krb5kdcentry_attrs, 0, msg);
830 if (check_ldap(context, db, rc)) {
831 krb5_set_error_string(context,
832 "ldap_search_s: filter: %s error: %s",
833 filter, ldap_err2string(rc));
834 ret = HDB_ERR_NOENTRY;
848 static krb5_error_code
849 LDAP_principal2message(krb5_context context, HDB * db,
850 krb5_const_principal princ, LDAPMessage ** msg)
852 char *name, *name_short = NULL;
858 ret = krb5_unparse_name(context, princ, &name);
862 ret = krb5_get_default_realms(context, &r0);
867 for (r = r0; *r != NULL; r++) {
868 if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
869 ret = krb5_unparse_name_short(context, princ, &name_short);
871 krb5_free_host_realm(context, r0);
878 krb5_free_host_realm(context, r0);
880 ret = LDAP__lookup_princ(context, db, name, name_short, msg);
888 * Construct an hdb_entry from a directory entry.
890 static krb5_error_code
891 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
894 char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
895 char *samba_acct_flags = NULL;
897 struct berval **keys;
899 int tmp_time, i, ret, have_arcfour = 0;
901 memset(ent, 0, sizeof(*ent));
902 ent->entry.flags = int2HDBFlags(0);
904 ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
906 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
910 ret = LDAP_get_string_value(db, msg, "uid",
913 ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
917 krb5_set_error_string(context, "hdb-ldap: ldap entry missing"
919 return HDB_ERR_NOENTRY;
925 ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
930 ent->entry.kvno = integer;
933 keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
938 ent->entry.keys.len = ldap_count_values_len(keys);
939 ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
940 if (ent->entry.keys.val == NULL) {
941 krb5_set_error_string(context, "calloc: out of memory");
945 for (i = 0; i < ent->entry.keys.len; i++) {
946 decode_Key((unsigned char *) keys[i]->bv_val,
947 (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
953 * This violates the ASN1 but it allows a principal to
954 * be related to a general directory entry without creating
955 * the keys. Hopefully it's OK.
957 ent->entry.keys.len = 0;
958 ent->entry.keys.val = NULL;
960 ret = HDB_ERR_NOENTRY;
965 values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
966 if (values != NULL) {
969 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
970 if (ent->entry.etypes == NULL) {
971 krb5_set_error_string(context, "malloc: out of memory");
975 ent->entry.etypes->len = ldap_count_values(values);
976 ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));
977 if (ent->entry.etypes->val == NULL) {
978 krb5_set_error_string(context, "malloc: out of memory");
982 for (i = 0; i < ent->entry.etypes->len; i++) {
983 ent->entry.etypes->val[i] = atoi(values[i]);
985 ldap_value_free(values);
988 for (i = 0; i < ent->entry.keys.len; i++) {
989 if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
995 /* manually construct the NT (type 23) key */
996 ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
997 if (ret == 0 && have_arcfour == 0) {
1002 keys = realloc(ent->entry.keys.val,
1003 (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));
1006 krb5_set_error_string(context, "malloc: out of memory");
1010 ent->entry.keys.val = keys;
1011 memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
1012 ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
1013 ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
1015 krb5_set_error_string(context, "malloc: out of memory");
1020 ret = hex_decode(ntPasswordIN,
1021 ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
1022 ent->entry.keys.len++;
1024 if (ent->entry.etypes == NULL) {
1025 ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
1026 if (ent->entry.etypes == NULL) {
1027 krb5_set_error_string(context, "malloc: out of memory");
1031 ent->entry.etypes->val = NULL;
1032 ent->entry.etypes->len = 0;
1035 for (i = 0; i < ent->entry.etypes->len; i++)
1036 if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
1038 /* If there is no ARCFOUR enctype, add one */
1039 if (i == ent->entry.etypes->len) {
1040 etypes = realloc(ent->entry.etypes->val,
1041 (ent->entry.etypes->len + 1) *
1042 sizeof(ent->entry.etypes->val[0]));
1043 if (etypes == NULL) {
1044 krb5_set_error_string(context, "malloc: out of memory");
1048 ent->entry.etypes->val = etypes;
1049 ent->entry.etypes->val[ent->entry.etypes->len] =
1050 ETYPE_ARCFOUR_HMAC_MD5;
1051 ent->entry.etypes->len++;
1055 ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
1056 &ent->entry.created_by.time);
1058 ent->entry.created_by.time = time(NULL);
1060 ent->entry.created_by.principal = NULL;
1062 ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
1064 if (LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal)
1066 ent->entry.created_by.principal = NULL;
1071 ent->entry.modified_by = (Event *) malloc(sizeof(Event));
1072 if (ent->entry.modified_by == NULL) {
1073 krb5_set_error_string(context, "malloc: out of memory");
1077 ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
1078 &ent->entry.modified_by->time);
1080 ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
1081 if (LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal))
1082 ent->entry.modified_by->principal = NULL;
1085 free(ent->entry.modified_by);
1086 ent->entry.modified_by = NULL;
1089 ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
1090 if (ent->entry.valid_start == NULL) {
1091 krb5_set_error_string(context, "malloc: out of memory");
1095 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
1096 ent->entry.valid_start);
1099 free(ent->entry.valid_start);
1100 ent->entry.valid_start = NULL;
1103 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1104 if (ent->entry.valid_end == NULL) {
1105 krb5_set_error_string(context, "malloc: out of memory");
1109 ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
1110 ent->entry.valid_end);
1113 free(ent->entry.valid_end);
1114 ent->entry.valid_end = NULL;
1117 ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
1119 if (ent->entry.valid_end == NULL) {
1120 ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
1121 if (ent->entry.valid_end == NULL) {
1122 krb5_set_error_string(context, "malloc: out of memory");
1127 *ent->entry.valid_end = tmp_time;
1130 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1131 if (ent->entry.pw_end == NULL) {
1132 krb5_set_error_string(context, "malloc: out of memory");
1136 ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
1140 free(ent->entry.pw_end);
1141 ent->entry.pw_end = NULL;
1144 ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
1146 if (ent->entry.pw_end == NULL) {
1147 ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
1148 if (ent->entry.pw_end == NULL) {
1149 krb5_set_error_string(context, "malloc: out of memory");
1154 *ent->entry.pw_end = tmp_time;
1158 ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
1160 hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
1165 ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
1166 if (ent->entry.max_life == NULL) {
1167 krb5_set_error_string(context, "malloc: out of memory");
1171 ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
1173 free(ent->entry.max_life);
1174 ent->entry.max_life = NULL;
1176 *ent->entry.max_life = max_life;
1182 ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
1183 if (ent->entry.max_renew == NULL) {
1184 krb5_set_error_string(context, "malloc: out of memory");
1188 ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
1190 free(ent->entry.max_renew);
1191 ent->entry.max_renew = NULL;
1193 *ent->entry.max_renew = max_renew;
1196 values = ldap_get_values(HDB2LDAP(db), msg, "krb5KDCFlags");
1197 if (values != NULL) {
1199 tmp = strtoul(values[0], (char **) NULL, 10);
1200 if (tmp == ULONG_MAX && errno == ERANGE) {
1201 krb5_set_error_string(context, "strtoul: could not convert flag");
1209 ent->entry.flags = int2HDBFlags(tmp);
1211 /* Try and find Samba flags to put into the mix */
1212 ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
1214 /* parse the [UXW...] string:
1218 'H' Homedir required
1220 'U' User account (normal)
1221 'M' MNS logon user account - what is this ?
1222 'W' Workstation account
1225 'X' No Xpiry on password
1226 'I' Interdomain trust account
1231 int flags_len = strlen(samba_acct_flags);
1236 if (samba_acct_flags[0] != '['
1237 || samba_acct_flags[flags_len - 1] != ']')
1240 /* Allow forwarding */
1241 if (samba_forwardable)
1242 ent->entry.flags.forwardable = TRUE;
1244 for (i=0; i < flags_len; i++) {
1245 switch (samba_acct_flags[i]) {
1251 /* how to handle no password in kerberos? */
1254 ent->entry.flags.invalid = TRUE;
1259 /* temp duplicate */
1260 ent->entry.flags.invalid = TRUE;
1263 ent->entry.flags.client = TRUE;
1269 ent->entry.flags.server = TRUE;
1270 ent->entry.flags.client = TRUE;
1273 ent->entry.flags.invalid = TRUE;
1276 if (ent->entry.pw_end) {
1277 free(ent->entry.pw_end);
1278 ent->entry.pw_end = NULL;
1282 ent->entry.flags.server = TRUE;
1283 ent->entry.flags.client = TRUE;
1288 free(samba_acct_flags);
1295 free(unparsed_name);
1298 hdb_free_entry(context, ent);
1303 static krb5_error_code
1304 LDAP_close(krb5_context context, HDB * db)
1307 ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
1308 ((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
1314 static krb5_error_code
1315 LDAP_lock(krb5_context context, HDB * db, int operation)
1320 static krb5_error_code
1321 LDAP_unlock(krb5_context context, HDB * db)
1326 static krb5_error_code
1327 LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
1329 int msgid, rc, parserc;
1330 krb5_error_code ret;
1333 msgid = HDB2MSGID(db);
1335 return HDB_ERR_NOENTRY;
1338 rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
1340 case LDAP_RES_SEARCH_REFERENCE:
1344 case LDAP_RES_SEARCH_ENTRY:
1345 /* We have an entry. Parse it. */
1346 ret = LDAP_message2entry(context, db, e, entry);
1349 case LDAP_RES_SEARCH_RESULT:
1350 /* We're probably at the end of the results. If not, abandon. */
1352 ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
1354 if (parserc != LDAP_SUCCESS
1355 && parserc != LDAP_MORE_RESULTS_TO_RETURN) {
1356 krb5_set_error_string(context, "ldap_parse_result: %s",
1357 ldap_err2string(parserc));
1358 ldap_abandon(HDB2LDAP(db), msgid);
1360 ret = HDB_ERR_NOENTRY;
1361 HDBSETMSGID(db, -1);
1363 case LDAP_SERVER_DOWN:
1365 LDAP_close(context, db);
1366 HDBSETMSGID(db, -1);
1370 /* Some unspecified error (timeout?). Abandon. */
1372 ldap_abandon(HDB2LDAP(db), msgid);
1373 ret = HDB_ERR_NOENTRY;
1374 HDBSETMSGID(db, -1);
1377 } while (rc == LDAP_RES_SEARCH_REFERENCE);
1380 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1381 ret = hdb_unseal_keys(context, db, &entry->entry);
1383 hdb_free_entry(context, entry);
1390 static krb5_error_code
1391 LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
1392 hdb_entry_ex *entry)
1394 krb5_error_code ret;
1397 ret = LDAP__connect(context, db);
1401 ret = LDAP_no_size_limit(context, HDB2LDAP(db));
1405 msgid = ldap_search(HDB2LDAP(db), HDB2BASE(db),
1407 "(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
1408 krb5kdcentry_attrs, 0);
1410 return HDB_ERR_NOENTRY;
1412 HDBSETMSGID(db, msgid);
1414 return LDAP_seq(context, db, flags, entry);
1417 static krb5_error_code
1418 LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
1419 hdb_entry_ex * entry)
1421 return LDAP_seq(context, db, flags, entry);
1424 static krb5_error_code
1425 LDAP__connect(krb5_context context, HDB * db)
1427 int rc, version = LDAP_VERSION3;
1429 * Empty credentials to do a SASL bind with LDAP. Note that empty
1430 * different from NULL credentials. If you provide NULL
1431 * credentials instead of empty credentials you will get a SASL
1432 * bind in progress message.
1434 struct berval bv = { 0, "" };
1437 /* connection has been opened. ping server. */
1438 struct sockaddr_un addr;
1439 socklen_t len = sizeof(addr);
1442 if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
1443 getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
1444 /* the other end has died. reopen. */
1445 LDAP_close(context, db);
1449 if (HDB2LDAP(db) != NULL) /* server is UP */
1452 rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));
1453 if (rc != LDAP_SUCCESS) {
1454 krb5_set_error_string(context, "ldap_initialize: %s",
1455 ldap_err2string(rc));
1456 return HDB_ERR_NOENTRY;
1459 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
1460 (const void *)&version);
1461 if (rc != LDAP_SUCCESS) {
1462 krb5_set_error_string(context, "ldap_set_option: %s",
1463 ldap_err2string(rc));
1464 LDAP_close(context, db);
1465 return HDB_ERR_BADVERSION;
1468 rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
1470 if (rc != LDAP_SUCCESS) {
1471 krb5_set_error_string(context, "ldap_sasl_bind_s: %s",
1472 ldap_err2string(rc));
1473 LDAP_close(context, db);
1474 return HDB_ERR_BADVERSION;
1480 static krb5_error_code
1481 LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
1483 /* Not the right place for this. */
1484 #ifdef HAVE_SIGACTION
1485 struct sigaction sa;
1488 sa.sa_handler = SIG_IGN;
1489 sigemptyset(&sa.sa_mask);
1491 sigaction(SIGPIPE, &sa, NULL);
1493 signal(SIGPIPE, SIG_IGN);
1494 #endif /* HAVE_SIGACTION */
1496 return LDAP__connect(context, db);
1499 static krb5_error_code
1500 LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
1501 unsigned flags, hdb_entry_ex * entry)
1503 LDAPMessage *msg, *e;
1504 krb5_error_code ret;
1506 ret = LDAP_principal2message(context, db, principal, &msg);
1510 e = ldap_first_entry(HDB2LDAP(db), msg);
1512 ret = HDB_ERR_NOENTRY;
1516 ret = LDAP_message2entry(context, db, e, entry);
1518 if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
1519 ret = hdb_unseal_keys(context, db, &entry->entry);
1521 hdb_free_entry(context, entry);
1531 static krb5_error_code
1532 LDAP_store(krb5_context context, HDB * db, unsigned flags,
1533 hdb_entry_ex * entry)
1535 LDAPMod **mods = NULL;
1536 krb5_error_code ret;
1539 LDAPMessage *msg = NULL, *e = NULL;
1540 char *dn = NULL, *name = NULL;
1542 ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
1544 e = ldap_first_entry(HDB2LDAP(db), msg);
1546 ret = krb5_unparse_name(context, entry->entry.principal, &name);
1552 ret = hdb_seal_keys(context, db, &entry->entry);
1556 /* turn new entry into LDAPMod array */
1557 ret = LDAP_entry2mods(context, db, entry, e, &mods);
1562 ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
1564 krb5_set_error_string(context, "asprintf: out of memory");
1568 } else if (flags & HDB_F_REPLACE) {
1569 /* Entry exists, and we're allowed to replace it. */
1570 dn = ldap_get_dn(HDB2LDAP(db), e);
1572 /* Entry exists, but we're not allowed to replace it. Bail. */
1573 ret = HDB_ERR_EXISTS;
1577 /* write entry into directory */
1579 /* didn't exist before */
1580 rc = ldap_add_s(HDB2LDAP(db), dn, mods);
1581 errfn = "ldap_add_s";
1583 /* already existed, send deltas only */
1584 rc = ldap_modify_s(HDB2LDAP(db), dn, mods);
1585 errfn = "ldap_modify_s";
1588 if (check_ldap(context, db, rc)) {
1589 char *ld_error = NULL;
1590 ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
1592 krb5_set_error_string(context, "%s: %s (DN=%s) %s: %s",
1593 errfn, name, dn, ldap_err2string(rc), ld_error);
1594 ret = HDB_ERR_CANT_LOCK_DB;
1605 ldap_mods_free(mods, 1);
1612 static krb5_error_code
1613 LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)
1615 krb5_error_code ret;
1616 LDAPMessage *msg, *e;
1618 int rc, limit = LDAP_NO_LIMIT;
1620 ret = LDAP_principal2message(context, db, principal, &msg);
1624 e = ldap_first_entry(HDB2LDAP(db), msg);
1626 ret = HDB_ERR_NOENTRY;
1630 dn = ldap_get_dn(HDB2LDAP(db), e);
1632 ret = HDB_ERR_NOENTRY;
1636 rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
1637 if (rc != LDAP_SUCCESS) {
1638 krb5_set_error_string(context, "ldap_set_option: %s",
1639 ldap_err2string(rc));
1640 ret = HDB_ERR_BADVERSION;
1644 rc = ldap_delete_s(HDB2LDAP(db), dn);
1645 if (check_ldap(context, db, rc)) {
1646 krb5_set_error_string(context, "ldap_delete_s: %s",
1647 ldap_err2string(rc));
1648 ret = HDB_ERR_CANT_LOCK_DB;
1661 static krb5_error_code
1662 LDAP_destroy(krb5_context context, HDB * db)
1664 krb5_error_code ret;
1666 LDAP_close(context, db);
1668 ret = hdb_clear_master_key(context, db);
1672 free(HDB2CREATE(db));
1684 hdb_ldap_common(krb5_context context,
1686 const char *search_base,
1689 struct hdbldapdb *h;
1690 const char *create_base = NULL;
1692 if (search_base == NULL && search_base[0] == '\0') {
1693 krb5_set_error_string(context, "ldap search base not configured");
1694 return ENOMEM; /* XXX */
1697 if (structural_object == NULL) {
1700 p = krb5_config_get_string(context, NULL, "kdc",
1701 "hdb-ldap-structural-object", NULL);
1703 p = default_structural_object;
1704 structural_object = strdup(p);
1705 if (structural_object == NULL) {
1706 krb5_set_error_string(context, "malloc: out of memory");
1712 krb5_config_get_bool_default(context, NULL, TRUE,
1713 "kdc", "hdb-samba-forwardable", NULL);
1715 *db = calloc(1, sizeof(**db));
1717 krb5_set_error_string(context, "malloc: out of memory");
1720 memset(*db, 0, sizeof(**db));
1722 h = calloc(1, sizeof(*h));
1724 krb5_set_error_string(context, "malloc: out of memory");
1732 if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {
1733 LDAP_destroy(context, *db);
1734 krb5_set_error_string(context, "strdup: out of memory");
1739 h->h_url = strdup(url);
1740 h->h_base = strdup(search_base);
1741 if (h->h_url == NULL || h->h_base == NULL) {
1742 LDAP_destroy(context, *db);
1743 krb5_set_error_string(context, "strdup: out of memory");
1748 create_base = krb5_config_get_string(context, NULL, "kdc",
1749 "hdb-ldap-create-base", NULL);
1750 if (create_base == NULL)
1751 create_base = h->h_base;
1753 h->h_createbase = strdup(create_base);
1754 if (h->h_createbase == NULL) {
1755 LDAP_destroy(context, *db);
1756 krb5_set_error_string(context, "strdup: out of memory");
1761 (*db)->hdb_master_key_set = 0;
1762 (*db)->hdb_openp = 0;
1763 (*db)->hdb_open = LDAP_open;
1764 (*db)->hdb_close = LDAP_close;
1765 (*db)->hdb_fetch = LDAP_fetch;
1766 (*db)->hdb_store = LDAP_store;
1767 (*db)->hdb_remove = LDAP_remove;
1768 (*db)->hdb_firstkey = LDAP_firstkey;
1769 (*db)->hdb_nextkey = LDAP_nextkey;
1770 (*db)->hdb_lock = LDAP_lock;
1771 (*db)->hdb_unlock = LDAP_unlock;
1772 (*db)->hdb_rename = NULL;
1773 (*db)->hdb__get = NULL;
1774 (*db)->hdb__put = NULL;
1775 (*db)->hdb__del = NULL;
1776 (*db)->hdb_destroy = LDAP_destroy;
1782 hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
1784 return hdb_ldap_common(context, db, arg, "ldapi:///");
1788 hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)
1790 krb5_error_code ret;
1791 char *search_base, *p;
1793 asprintf(&p, "ldapi:%s", arg);
1795 krb5_set_error_string(context, "out of memory");
1799 search_base = strchr(p + strlen("ldapi://"), ':');
1800 if (search_base == NULL) {
1801 krb5_set_error_string(context, "search base missing");
1803 return HDB_ERR_BADVERSION;
1805 *search_base = '\0';
1808 ret = hdb_ldap_common(context, db, search_base, p);
1813 #ifdef OPENLDAP_MODULE
1815 struct hdb_so_method hdb_ldap_interface = {
1816 HDB_INTERFACE_VERSION,
1821 struct hdb_so_method hdb_ldapi_interface = {
1822 HDB_INTERFACE_VERSION,
1829 #endif /* OPENLDAP */