1 #pragma ident "%Z%%M% %I% %E% SMI" 2 3 /* 4 * lib/kdb/kdb_ldap/ldap_krbcontainer.c 5 * 6 * Copyright (c) 2004-2005, Novell, Inc. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions are met: 11 * 12 * * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * * Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * * The copyright holder's name is not used to endorse or promote products 18 * derived from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "ldap_main.h" 34 #include "kdb_ldap.h" 35 #include "ldap_err.h" 36 #include <libintl.h> 37 38 char *policyrefattribute[] = {"krbTicketPolicyReference",NULL}; 39 char *krbcontainerrefattr[] = {"krbContainerReference", NULL}; 40 41 /* 42 * Free the krb5_ldap_krbcontainer_params 43 */ 44 45 void 46 krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams) 47 { 48 if (cparams == NULL) 49 return; 50 51 if (cparams->policyreference) 52 krb5_xfree(cparams->policyreference); 53 54 if (cparams->parent) 55 krb5_xfree(cparams->parent); 56 57 if (cparams->DN) 58 krb5_xfree(cparams->DN); 59 60 krb5_xfree(cparams); 61 62 return; 63 } 64 65 /* 66 * Read the kerberos container. Kerberos container dn is read from the krb5.conf file. 67 * In case of eDirectory, if the dn is not present in the conf file, refer Security Container 68 * to fetch the dn information. 69 * 70 * Reading kerberos container includes reading the policyreference attribute and the policy 71 * object to read the attributes associated with it. 72 */ 73 74 krb5_error_code 75 krb5_ldap_read_krbcontainer_params(krb5_context context, 76 krb5_ldap_krbcontainer_params **cparamp) 77 78 { 79 krb5_error_code st=0, tempst=0; 80 LDAP *ld=NULL; 81 LDAPMessage *result=NULL, *ent=NULL; 82 krb5_ldap_krbcontainer_params *cparams=NULL; 83 kdb5_dal_handle *dal_handle=NULL; 84 krb5_ldap_context *ldap_context=NULL; 85 krb5_ldap_server_handle *ldap_server_handle=NULL; 86 87 SETUP_CONTEXT(); 88 GET_HANDLE(); 89 90 cparams =(krb5_ldap_krbcontainer_params *) malloc(sizeof(krb5_ldap_krbcontainer_params)); 91 CHECK_NULL(cparams); 92 memset((char *) cparams, 0, sizeof(krb5_ldap_krbcontainer_params)); 93 94 /* read kerberos containter location from [dbmodules] section of krb5.conf file */ 95 if (ldap_context->conf_section) { 96 if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section, 97 "ldap_kerberos_container_dn", NULL, 98 &cparams->DN)) != 0) { 99 krb5_set_error_message(context, st, gettext("Error reading kerberos container location " 100 "from krb5.conf")); 101 goto cleanup; 102 } 103 } 104 105 /* read kerberos containter location from [dbdefaults] section of krb5.conf file */ 106 if (cparams->DN == NULL) { 107 if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION, 108 "ldap_kerberos_container_dn", NULL, 109 NULL, &cparams->DN)) != 0) { 110 krb5_set_error_message(context, st, gettext("Error reading kerberos container location " 111 "from krb5.conf")); 112 goto cleanup; 113 } 114 } 115 116 #ifndef HAVE_EDIRECTORY 117 /* 118 * In case eDirectory, we can fall back to security container if the kerberos container location 119 * is missing in the conf file. In openldap we will have to return an error. 120 */ 121 if (cparams->DN == NULL) { 122 st = KRB5_KDB_SERVER_INTERNAL_ERR; 123 krb5_set_error_message(context, st, gettext("Kerberos container location not specified")); 124 goto cleanup; 125 } 126 #endif 127 128 if (cparams->DN != NULL) { 129 /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is 130 * not read 131 */ 132 LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS); 133 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) { 134 st = set_ldap_error(context, st, OP_SEARCH); 135 goto cleanup; 136 } 137 138 if (st == LDAP_NO_SUCH_OBJECT) { 139 st = KRB5_KDB_NOENTRY; 140 goto cleanup; 141 } 142 } 143 144 #ifdef HAVE_EDIRECTORY 145 /* 146 * If the kerberos location in the conf file is missing or invalid, fall back to the 147 * security container. If the kerberos location in the security container is also missing 148 * then fall back to the default value 149 */ 150 if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) { 151 /* 152 * kerberos container can be anywhere. locate it by reading the security 153 * container to find the location. 154 */ 155 LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr); 156 if ((ent = ldap_first_entry(ld, result)) != NULL) { 157 if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference", 158 &(cparams->DN), NULL)) != 0) 159 goto cleanup; 160 if (cparams->DN == NULL) { 161 cparams->DN = strdup(KERBEROS_CONTAINER); 162 CHECK_NULL(cparams->DN); 163 } 164 } 165 ldap_msgfree(result); 166 167 /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on 168 * Kerberos Container is not read 169 */ 170 LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute); 171 } 172 #endif 173 174 if ((ent = ldap_first_entry(ld, result))) { 175 if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference", 176 &(cparams->policyreference), NULL)) != 0) 177 goto cleanup; 178 } 179 ldap_msgfree(result); 180 181 if (cparams->policyreference != NULL) { 182 LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS); 183 if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) { 184 st = set_ldap_error(context, st, OP_SEARCH); 185 goto cleanup; 186 } 187 st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */ 188 189 ent=ldap_first_entry(ld, result); 190 if (ent != NULL) { 191 krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life)); 192 krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life)); 193 krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags)); 194 } 195 ldap_msgfree(result); 196 } 197 *cparamp=cparams; 198 199 cleanup: 200 if (st != 0) { 201 krb5_ldap_free_krbcontainer_params(cparams); 202 *cparamp=NULL; 203 } 204 krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); 205 return st; 206 } 207