xref: /titanic_41/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c (revision 54925bf60766fbb4f1f2d7c843721406a7b7a3fb)
1 #pragma ident	"%Z%%M%	%I%	%E% SMI"
2 
3 /*
4  * lib/kdb/kdb_ldap/ldap_krbcontainer.c
5  *
6  * Copyright (c) 2004-2005, Novell, Inc.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions are met:
11  *
12  *   * Redistributions of source code must retain the above copyright notice,
13  *       this list of conditions and the following disclaimer.
14  *   * Redistributions in binary form must reproduce the above copyright
15  *       notice, this list of conditions and the following disclaimer in the
16  *       documentation and/or other materials provided with the distribution.
17  *   * The copyright holder's name is not used to endorse or promote products
18  *       derived from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30  * POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "ldap_main.h"
34 #include "kdb_ldap.h"
35 #include "ldap_err.h"
36 #include <libintl.h>
37 
38 char    *policyrefattribute[] = {"krbTicketPolicyReference",NULL};
39 char    *krbcontainerrefattr[] = {"krbContainerReference", NULL};
40 
41 /*
42  *  Free the krb5_ldap_krbcontainer_params
43  */
44 
45 void
krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params * cparams)46 krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams)
47 {
48     if (cparams == NULL)
49 	return;
50 
51     if (cparams->policyreference)
52 	krb5_xfree(cparams->policyreference);
53 
54     if (cparams->parent)
55 	krb5_xfree(cparams->parent);
56 
57     if (cparams->DN)
58 	krb5_xfree(cparams->DN);
59 
60     krb5_xfree(cparams);
61 
62     return;
63 }
64 
65 /*
66  * Read the kerberos container. Kerberos container dn is read from the krb5.conf file.
67  * In case of eDirectory, if the dn is not present in the conf file, refer Security Container
68  * to fetch the dn information.
69  *
70  * Reading kerberos container includes reading the policyreference attribute and the policy
71  * object to read the attributes associated with it.
72  */
73 
74 krb5_error_code
krb5_ldap_read_krbcontainer_params(krb5_context context,krb5_ldap_krbcontainer_params ** cparamp)75 krb5_ldap_read_krbcontainer_params(krb5_context	context,
76 				   krb5_ldap_krbcontainer_params **cparamp)
77 
78 {
79     krb5_error_code                 st=0, tempst=0;
80     LDAP                            *ld=NULL;
81     LDAPMessage                     *result=NULL, *ent=NULL;
82     krb5_ldap_krbcontainer_params   *cparams=NULL;
83     kdb5_dal_handle                 *dal_handle=NULL;
84     krb5_ldap_context               *ldap_context=NULL;
85     krb5_ldap_server_handle         *ldap_server_handle=NULL;
86 
87     SETUP_CONTEXT();
88     GET_HANDLE();
89 
90     cparams =(krb5_ldap_krbcontainer_params *) malloc(sizeof(krb5_ldap_krbcontainer_params));
91     CHECK_NULL(cparams);
92     memset((char *) cparams, 0, sizeof(krb5_ldap_krbcontainer_params));
93 
94     /* read kerberos containter location from [dbmodules] section of krb5.conf file */
95     if (ldap_context->conf_section) {
96 	if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section,
97 				   "ldap_kerberos_container_dn", NULL,
98 				   &cparams->DN)) != 0) {
99 	    krb5_set_error_message(context, st, gettext("Error reading kerberos container location "
100 				   "from krb5.conf"));
101 	    goto cleanup;
102 	}
103     }
104 
105     /* read kerberos containter location from [dbdefaults] section of krb5.conf file */
106     if (cparams->DN == NULL) {
107 	if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
108 				   "ldap_kerberos_container_dn", NULL,
109 				   NULL, &cparams->DN)) != 0) {
110 	    krb5_set_error_message(context, st, gettext("Error reading kerberos container location "
111 				   "from krb5.conf"));
112 	    goto cleanup;
113 	}
114     }
115 
116 #ifndef HAVE_EDIRECTORY
117 /*
118  * In case eDirectory, we can fall back to security container if the kerberos container location
119  * is missing in the conf file. In openldap we will have to return an error.
120  */
121     if (cparams->DN == NULL) {
122 	st = KRB5_KDB_SERVER_INTERNAL_ERR;
123 	krb5_set_error_message(context, st, gettext("Kerberos container location not specified"));
124 	goto cleanup;
125     }
126 #endif
127 
128     if (cparams->DN != NULL) {
129 	/* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
130 	 * not read
131 	 */
132 	LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
133 	if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
134 	    st = set_ldap_error(context, st, OP_SEARCH);
135 	    goto cleanup;
136 	}
137 
138 	if (st == LDAP_NO_SUCH_OBJECT) {
139 	    st = KRB5_KDB_NOENTRY;
140 	    goto cleanup;
141 	}
142     }
143 
144 #ifdef HAVE_EDIRECTORY
145     /*
146      * If the kerberos location in the conf file is missing or invalid, fall back to the
147      * security container. If the kerberos location in the security container is also missing
148      * then fall back to the default value
149      */
150     if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) {
151 	/*
152 	 * kerberos container can be anywhere. locate it by reading the security
153 	 * container to find the location.
154 	 */
155 	LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr);
156 	if ((ent = ldap_first_entry(ld, result)) != NULL) {
157 	    if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
158 					 &(cparams->DN), NULL)) != 0)
159 		goto cleanup;
160 	    if (cparams->DN == NULL) {
161 		cparams->DN = strdup(KERBEROS_CONTAINER);
162 		CHECK_NULL(cparams->DN);
163 	    }
164 	}
165 	ldap_msgfree(result);
166 
167 	/* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
168 	 * Kerberos Container is not read
169 	 */
170 	LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute);
171     }
172 #endif
173 
174     if ((ent = ldap_first_entry(ld, result))) {
175 	if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference",
176 				     &(cparams->policyreference), NULL)) != 0)
177 	    goto cleanup;
178     }
179     ldap_msgfree(result);
180 
181     if (cparams->policyreference != NULL) {
182 	LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
183 	if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) {
184 	    st = set_ldap_error(context, st, OP_SEARCH);
185 	    goto cleanup;
186 	}
187 	st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */
188 
189 	ent=ldap_first_entry(ld, result);
190 	if (ent != NULL) {
191 	    krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life));
192 	    krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life));
193 	    krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags));
194 	}
195 	ldap_msgfree(result);
196     }
197     *cparamp=cparams;
198 
199 cleanup:
200     if (st != 0) {
201 	krb5_ldap_free_krbcontainer_params(cparams);
202 	*cparamp=NULL;
203     }
204     krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
205     return st;
206 }
207