1
2 /*
3 * kadmin/ldap_util/kdb5_ldap_policy.c
4 */
5
6 /*
7 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
8 * Use is subject to license terms.
9 */
10
11 /* Copyright (c) 2004-2005, Novell, Inc.
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions are met:
16 *
17 * * Redistributions of source code must retain the above copyright notice,
18 * this list of conditions and the following disclaimer.
19 * * Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 * * The copyright holder's name is not used to endorse or promote products
23 * derived from this software without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
26 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
29 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
31 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
32 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
33 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
34 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
36 */
37
38 /*
39 * Create / Delete / Modify / View / List policy objects.
40 */
41
42 #include <stdio.h>
43 #include <time.h>
44 #include <k5-int.h>
45 #include <kadm5/admin.h>
46 #include <libintl.h>
47 #include <locale.h>
48 #include "kdb5_ldap_util.h"
49 #include "kdb5_ldap_list.h"
50 #include "ldap_tkt_policy.h"
51 extern time_t get_date(char *); /* kadmin/cli/getdate.o */
52
53 static void print_policy_params(krb5_ldap_policy_params *policyparams, int mask);
54 static char *strdur(time_t duration);
55
56 extern char *yes;
57 extern kadm5_config_params global_params;
58
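/*
 * Make sure the LDAP realm context behind util_context is populated: the
 * kerberos container parameters and the realm parameters for
 * global_params.realm are read on first use and cached in the context.
 * argc/argv are accepted for uniformity with the callers but not read.
 *
 * Returns 0 on success or an error code.  A NULL DAL or LDAP context is
 * reported as EINVAL instead of being dereferenced.  Only the container
 * read failure is reported here; callers print the other errors.
 */
static krb5_error_code
init_ldap_realm(int argc, char *argv[])
{
    int mask = 0;
    krb5_error_code retval = 0;
    kdb5_dal_handle *dal_handle;
    krb5_ldap_context *ldap_context;

    (void)argc;
    (void)argv;

    dal_handle = (kdb5_dal_handle *)util_context->db_context;
    if (dal_handle == NULL)
        return EINVAL;
    ldap_context = (krb5_ldap_context *)dal_handle->db_context;
    if (ldap_context == NULL)
        return EINVAL;

    if (ldap_context->krbcontainer == NULL) {
        retval = krb5_ldap_read_krbcontainer_params(util_context,
                                                    &ldap_context->krbcontainer);
        if (retval != 0) {
            /* Solaris Kerberos */
            com_err(progname, retval,
                    gettext("while reading kerberos container information"));
            return retval;
        }
    }

    if (ldap_context->lrparams == NULL) {
        /* mask receives which realm attributes were present; unused here. */
        retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
                                             &ldap_context->lrparams, &mask);
    }

    return retval;
}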
97
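/*
 * One "+name"/"-name" ticket-flag option shared by create_policy and
 * modify_policy.  For the allow_* options the stored bit is a
 * KRB5_KDB_DISALLOW_* bit, so "+" clears it and "-" sets it; for the
 * requires_*, needchange and password_changing_service options "+" sets
 * the bit and "-" clears it.  set_on_plus records which way round each
 * option works.
 */
struct tktflag_opt {
    const char *name;         /* option name without its leading sign */
    int flag;                 /* KRB5_KDB_* bit the option controls */
    krb5_boolean set_on_plus; /* TRUE: "+" sets the bit; FALSE: "+" clears it */
};

static const struct tktflag_opt tktflag_opts[] = {
    { "allow_postdated",           KRB5_KDB_DISALLOW_POSTDATED,   FALSE },
    { "allow_forwardable",         KRB5_KDB_DISALLOW_FORWARDABLE, FALSE },
    { "allow_renewable",           KRB5_KDB_DISALLOW_RENEWABLE,   FALSE },
    { "allow_proxiable",           KRB5_KDB_DISALLOW_PROXIABLE,   FALSE },
    { "allow_dup_skey",            KRB5_KDB_DISALLOW_DUP_SKEY,    FALSE },
    { "requires_preauth",          KRB5_KDB_REQUIRES_PRE_AUTH,    TRUE },
    { "requires_hwauth",           KRB5_KDB_REQUIRES_HW_AUTH,     TRUE },
    { "allow_svr",                 KRB5_KDB_DISALLOW_SVR,         FALSE },
    { "allow_tgs_req",             KRB5_KDB_DISALLOW_TGT_BASED,   FALSE },
    { "allow_tix",                 KRB5_KDB_DISALLOW_ALL_TIX,     FALSE },
    { "needchange",                KRB5_KDB_REQUIRES_PWCHANGE,    TRUE },
    { "password_changing_service", KRB5_KDB_PWCHANGE_SERVICE,     TRUE },
};

/*
 * Return the ticket-flag option whose name follows the first character of
 * arg, or NULL when arg is not one.  The sign character itself is not
 * validated here.  An empty argument is never an option: comparing
 * arg + 1 for "" would read past the string's terminator.
 */
static const struct tktflag_opt *
find_tktflag_opt(const char *arg)
{
    size_t i;

    if (arg[0] == '\0')
        return NULL;
    for (i = 0; i < sizeof(tktflag_opts) / sizeof(tktflag_opts[0]); i++) {
        if (strcmp(arg + 1, tktflag_opts[i].name) == 0)
            return &tktflag_opts[i];
    }
    return NULL;
}

/*
 * Apply opt with sign ('+' or '-', already validated by the caller) to the
 * ticket-flags word tktflags and return the updated word.
 */
static int
apply_tktflag_opt(const struct tktflag_opt *opt, char sign, int tktflags)
{
    krb5_boolean set = (sign == '+') ? opt->set_on_plus : !opt->set_on_plus;

    if (set)
        return tktflags | opt->flag;
    return tktflags & (int)(~opt->flag);
}

/* Outcome of parse_policy_option() for a single argument. */
enum policy_arg_result {
    POLICY_ARG_OK,        /* option consumed; policyparams and *mask updated */
    POLICY_ARG_POLICY_DN, /* not an option: the caller treats it as the DN */
    POLICY_ARG_USAGE,     /* malformed option: bad sign or missing value */
    POLICY_ARG_BAD_DATE   /* get_date() rejected a time spec; already reported */
};

/*
 * Parse the option at argv[*idx] into policyparams, advancing *idx past
 * the value consumed by -maxtktlife / -maxrenewlife.  get_date() returns
 * an absolute time, so the stored lifetime is date - now.  Only the
 * bad-time-spec error is reported here (via com_err); the caller prints
 * usage and every other message.
 */
static enum policy_arg_result
parse_policy_option(int argc, char *argv[], int *idx, time_t now,
                    krb5_ldap_policy_params *policyparams, unsigned int *mask)
{
    char *arg = argv[*idx];
    const struct tktflag_opt *opt;
    krb5_boolean is_tktlife = (strcmp(arg, "-maxtktlife") == 0);
    krb5_boolean is_renewlife = (strcmp(arg, "-maxrenewlife") == 0);

    if (is_tktlife || is_renewlife) {
        time_t date;

        if (++*idx > argc - 1)
            return POLICY_ARG_USAGE;

        date = get_date(argv[*idx]);
        if (date == (time_t)(-1)) {
            com_err(progname, EINVAL,
                    gettext("while providing time specification"));
            return POLICY_ARG_BAD_DATE;
        }

        if (is_tktlife) {
            policyparams->maxtktlife = date - now;
            *mask |= LDAP_POLICY_MAXTKTLIFE;
        } else {
            policyparams->maxrenewlife = date - now;
            *mask |= LDAP_POLICY_MAXRENEWLIFE;
        }
        return POLICY_ARG_OK;
    }

    opt = find_tktflag_opt(arg);
    if (opt == NULL)
        return POLICY_ARG_POLICY_DN;
    if (arg[0] != '+' && arg[0] != '-')
        return POLICY_ARG_USAGE;

    policyparams->tktflags = apply_tktflag_opt(opt, arg[0],
                                               policyparams->tktflags);
    *mask |= LDAP_POLICY_TKTFLAGS;
    return POLICY_ARG_OK;
}

/*
 * Create a ticket policy object from the command line: a mandatory policy
 * DN plus any of -maxtktlife <spec>, -maxrenewlife <spec> and the
 * +/- ticket-flag options in tktflag_opts.  argv[0] is the sub-command
 * name and is not parsed.  Failures are reported through com_err and
 * counted in exit_status; a usage error prints the command's usage.
 */
void
kdb5_ldap_create_policy(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    unsigned int mask = 0;
    time_t now = 0;
    int i;

    if (argc < 2 || argc > 16)
        goto err_usage;

    policyparams = calloc(1, sizeof(*policyparams));
    if (policyparams == NULL) {
        retval = ENOMEM;
        goto cleanup;
    }

    /* Reference time for the -maxtktlife / -maxrenewlife arguments. */
    time(&now);

    for (i = 1; i < argc; i++) {
        switch (parse_policy_option(argc, argv, &i, now, policyparams, &mask)) {
        case POLICY_ARG_OK:
            break;
        case POLICY_ARG_USAGE:
            goto err_usage;
        case POLICY_ARG_BAD_DATE:
            retval = EINVAL;
            goto err_nomsg;
        case POLICY_ARG_POLICY_DN:
            /* Only one policy DN may be given. */
            if (policyparams->policy != NULL)
                goto err_usage;
            policyparams->policy = strdup(argv[i]);
            if (policyparams->policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, gettext("while creating policy object"));
                goto err_nomsg;
            }
            break;
        default:
            goto err_usage;
        }
    }

    /* The policy DN is mandatory. */
    if (policyparams->policy == NULL)
        goto err_usage;

    retval = init_ldap_realm(argc, argv);
    if (retval) {
        com_err(me, retval, gettext("while reading realm information"));
        goto err_nomsg;
    }

    /* Create the object with every attribute flagged in mask. */
    retval = krb5_ldap_create_policy(util_context, policyparams, mask);
    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    krb5_ldap_free_policy(util_context, policyparams);

    if (print_usage)
        db_usage(CREATE_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, gettext("while creating policy object"));
        exit_status++;
    }
}


/*
 * Delete the ticket policy object named by the policy DN argument.  Unless
 * -force is given the user is asked to confirm; the reply is compared
 * byte-for-byte with the extern string `yes'.  The policy is read back
 * before the delete (presumably so that a missing object is reported by
 * the read rather than by the delete).  Failures are reported through
 * com_err and counted in exit_status; declining the confirmation only
 * bumps exit_status.
 */
void
kdb5_ldap_destroy_policy(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    char *policy = NULL;
    unsigned int mask = 0;
    int force = 0;
    char buf[5] = {0}; /* at most four reply characters plus the terminator */
    int i;

    if (argc < 2 || argc > 3)
        goto err_usage;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-force") == 0) {
            force++;
            continue;
        }

        /* Anything else is the policy DN, and only one may be given. */
        if (policy != NULL)
            goto err_usage;
        policy = strdup(argv[i]);
        if (policy == NULL) {
            retval = ENOMEM;
            com_err(me, retval, gettext("while destroying policy object"));
            goto err_nomsg;
        }
    }

    if (policy == NULL)
        goto err_usage;

    if (!force) {
        printf(gettext("This will delete the policy object '%s', are you sure?\n"), policy);
        printf(gettext("(type 'yes' to confirm)? "));

        if (fgets(buf, sizeof(buf), stdin) == NULL) {
            retval = EINVAL;
            goto cleanup;
        }

        if (strcmp(buf, yes) != 0) {
            /* Declined: nothing is deleted, but the command did not run. */
            exit_status++;
            goto cleanup;
        }
    }

    retval = init_ldap_realm(argc, argv);
    if (retval) {
        com_err(me, retval, gettext("while reading realm information"));
        goto err_nomsg;
    }

    retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask);
    if (retval)
        goto cleanup;

    retval = krb5_ldap_delete_policy(util_context, policy);
    if (retval)
        goto cleanup;

    printf(gettext("** policy object '%s' deleted.\n"), policy);
    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy);

    if (print_usage)
        db_usage(DESTROY_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, gettext("while destroying policy object"));
        exit_status++;
    }
}


/*
 * Modify the attributes of an existing ticket policy object.  The
 * arguments are the policy DN plus at least one of the options accepted by
 * create_policy.  The policy is read from the server first and the
 * options are then applied on top of it, so ticket-flag bits not named on
 * the command line keep their stored value.  Failures are reported through
 * com_err and counted in exit_status.
 */
void
kdb5_ldap_modify_policy(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_ldap_policy_params *policyparams = NULL;
    krb5_boolean print_usage = FALSE;
    krb5_boolean no_msg = FALSE;
    char *policy = NULL;
    unsigned int in_mask = 0, out_mask = 0;
    time_t now = 0;
    int i;

    /* Minimum is 3: at least one option in addition to 'modify_policy'
     * and the policy DN. */
    if (argc < 3 || argc > 16)
        goto err_usage;

    /* Pass 1: find the policy DN.  Options are skipped, together with the
     * value that follows -maxtktlife / -maxrenewlife. */
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-maxtktlife") == 0 ||
            strcmp(argv[i], "-maxrenewlife") == 0) {
            i++;
        } else if (find_tktflag_opt(argv[i]) != NULL) {
            /* Ticket-flag option: applied in pass 2. */
        } else {
            /* Only one policy DN may be given. */
            if (policy != NULL)
                goto err_usage;
            policy = strdup(argv[i]);
            if (policy == NULL) {
                retval = ENOMEM;
                com_err(me, retval, gettext("while modifying policy object"));
                goto err_nomsg;
            }
        }
    }

    if (policy == NULL)
        goto err_usage;

    retval = init_ldap_realm(argc, argv);
    if (retval)
        goto cleanup;

    retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask);
    if (retval) {
        com_err(me, retval, gettext("while reading information of policy '%s'"), policy);
        goto err_nomsg;
    }

    /* Reference time for the -maxtktlife / -maxrenewlife arguments. */
    time(&now);

    /* Pass 2: apply the options to the policy read from the server. */
    for (i = 1; i < argc; i++) {
        switch (parse_policy_option(argc, argv, &i, now, policyparams, &out_mask)) {
        case POLICY_ARG_OK:
        case POLICY_ARG_POLICY_DN: /* the DN was handled in pass 1 */
            break;
        case POLICY_ARG_USAGE:
            goto err_usage;
        case POLICY_ARG_BAD_DATE:
            retval = EINVAL;
            goto err_nomsg;
        default:
            goto err_usage;
        }
    }

    /* Only the attributes flagged in out_mask are written back. */
    retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask);
    goto cleanup;

err_usage:
    print_usage = TRUE;

err_nomsg:
    no_msg = TRUE;

cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy);

    if (print_usage)
        db_usage(MODIFY_POLICY);

    if (retval) {
        if (!no_msg)
            com_err(me, retval, gettext("while modifying policy object"));
        exit_status++;
    }
}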
690
691
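/*
 * Display the policy object named by argv[1], as read from the LDAP
 * server.  Every failure is reported through com_err and counted in
 * exit_status, including an init_ldap_realm() failure, which otherwise
 * would leave retval set without any message or status change.
 */
void
kdb5_ldap_view_policy(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_ldap_policy_params *policyparams = NULL;
    krb5_error_code retval = 0;
    krb5_boolean print_usage = FALSE;
    char *policy = NULL;
    unsigned int mask = 0;

    if (argc != 2) {
        print_usage = TRUE;
        goto cleanup;
    }

    policy = strdup(argv[1]);
    if (policy == NULL) {
        retval = ENOMEM;
        com_err(me, retval, gettext("while viewing policy"));
        goto cleanup;
    }

    retval = init_ldap_realm(argc, argv);
    if (retval) {
        com_err(me, retval, gettext("while reading realm information"));
        goto cleanup;
    }

    retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask);
    if (retval) {
        com_err(me, retval, gettext("while viewing policy '%s'"), policy);
        goto cleanup;
    }

    print_policy_params(policyparams, mask);

cleanup:
    krb5_ldap_free_policy(util_context, policyparams);
    free(policy);

    if (print_usage)
        db_usage(VIEW_POLICY);

    /* Each failure path above prints its own message; only the status
     * is recorded here. */
    if (retval)
        exit_status++;
}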
749
750
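/* Printable name of each ticket-flag bit, in the order they are listed. */
static const struct {
    int flag;
    const char *name;
} tktflag_names[] = {
    { KRB5_KDB_DISALLOW_POSTDATED,   "DISALLOW_POSTDATED" },
    { KRB5_KDB_DISALLOW_FORWARDABLE, "DISALLOW_FORWARDABLE" },
    { KRB5_KDB_DISALLOW_RENEWABLE,   "DISALLOW_RENEWABLE" },
    { KRB5_KDB_DISALLOW_PROXIABLE,   "DISALLOW_PROXIABLE" },
    { KRB5_KDB_DISALLOW_DUP_SKEY,    "DISALLOW_DUP_SKEY" },
    { KRB5_KDB_REQUIRES_PRE_AUTH,    "REQUIRES_PRE_AUTH" },
    { KRB5_KDB_REQUIRES_HW_AUTH,     "REQUIRES_HW_AUTH" },
    { KRB5_KDB_DISALLOW_SVR,         "DISALLOW_SVR" },
    { KRB5_KDB_DISALLOW_TGT_BASED,   "DISALLOW_TGT_BASED" },
    { KRB5_KDB_DISALLOW_ALL_TIX,     "DISALLOW_ALL_TIX" },
    { KRB5_KDB_REQUIRES_PWCHANGE,    "REQUIRES_PWCHANGE" },
    { KRB5_KDB_PWCHANGE_SERVICE,     "PWCHANGE_SERVICE" },
};

/*
 * Print policyparams to standard output: the policy DN, then the maximum
 * ticket / renewable life and the ticket flags whose LDAP_POLICY_* bit is
 * set in mask.  The "Ticket flags" line is always printed, empty when the
 * flags are not present.  strdur() returns a static buffer, so each
 * lifetime is printed before the next call.
 */
static void
print_policy_params(krb5_ldap_policy_params *policyparams, int mask)
{
    size_t i;

    printf("%25s: %s\n", gettext("Ticket policy"), policyparams->policy);

    if (mask & LDAP_POLICY_MAXTKTLIFE)
        printf("%25s: %s\n", gettext("Maximum ticket life"),
               strdur(policyparams->maxtktlife));
    if (mask & LDAP_POLICY_MAXRENEWLIFE)
        printf("%25s: %s\n", gettext("Maximum renewable life"),
               strdur(policyparams->maxrenewlife));

    printf("%25s: ", gettext("Ticket flags"));
    if (mask & LDAP_POLICY_TKTFLAGS) {
        int ticketflags = policyparams->tktflags;

        for (i = 0; i < sizeof(tktflag_names) / sizeof(tktflag_names[0]); i++) {
            if (ticketflags & tktflag_names[i].flag)
                printf("%s ", tktflag_names[i].name);
        }
    }
    printf("\n");
}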
814
815
/*
 * Print the DN of every policy object, one per line.  The command accepts
 * either no arguments or exactly two; the base DN handed to the search is
 * always NULL here (the entire tree), so the two-argument form is accepted
 * but its values are never read.
 * NOTE(review): the two extra arguments are presumably meant to select a
 * base DN -- confirm against the usage text for LIST_POLICY.
 * Failures are reported through com_err and counted in exit_status.
 */
void
kdb5_ldap_list_policies(int argc, char *argv[])
{
    /* Solaris Kerberos */
    char *me = progname;

    krb5_error_code retval = 0;
    krb5_boolean print_usage = FALSE;
    char *basedn = NULL;
    char **list = NULL;
    char **entry;

    if (argc != 1 && argc != 3) {
        print_usage = TRUE;
        goto cleanup;
    }

    retval = init_ldap_realm(argc, argv);
    if (retval != 0)
        goto cleanup;

    retval = krb5_ldap_list_policy(util_context, basedn, &list);
    if (retval == 0 && list != NULL) {
        for (entry = list; *entry != NULL; entry++)
            printf("%s\n", *entry);
    }

cleanup:
    if (list != NULL) {
        krb5_free_list_entries(list);
        free(list);
    }
    free(basedn);

    if (print_usage)
        db_usage(LIST_POLICY);

    if (retval) {
        com_err(me, retval, gettext("while listing policy objects"));
        exit_status++;
    }
}
874
875
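/*
 * Reproduced from kadmin.c, instead of linking the entire kadmin.o.
 *
 * Format duration (seconds) as "[-]D day(s) HH:MM:SS".  The magnitude is
 * computed in unsigned 64-bit arithmetic so that negating the most
 * negative time_t cannot overflow, and the day count is not narrowed to
 * an int.  Returns a pointer to a static buffer that every call
 * overwrites, so the caller must consume the result before calling again
 * (not reentrant).
 */
static char *
strdur(time_t duration)
{
    static char out[50];
    unsigned long long secs;
    unsigned long long days;
    unsigned int hours, minutes, seconds;
    const char *sign = "";

    if (duration < 0) {
        sign = "-";
        /* Well-defined modular negation: -x for any negative x. */
        secs = 0ULL - (unsigned long long)duration;
    } else {
        secs = (unsigned long long)duration;
    }

    days = secs / (24 * 3600);
    secs %= 24 * 3600;
    hours = (unsigned int)(secs / 3600);
    secs %= 3600;
    minutes = (unsigned int)(secs / 60);
    seconds = (unsigned int)(secs % 60);

    snprintf(out, sizeof(out), "%s%llu %s %02u:%02u:%02u", sign, days,
             days == 1 ? gettext("day") : gettext("days"),
             hours, minutes, seconds);
    return out;
}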
901