1 #pragma ident "%Z%%M% %I% %E% SMI"
2
3 /*
4 * lib/kdb/kdb_ldap/ldap_krbcontainer.c
5 *
6 * Copyright (c) 2004-2005, Novell, Inc.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions are met:
11 *
12 * * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 * * Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * * The copyright holder's name is not used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "ldap_main.h"
34 #include "kdb_ldap.h"
35 #include "ldap_err.h"
36 #include <libintl.h>
37
38 char *policyrefattribute[] = {"krbTicketPolicyReference",NULL};
39 char *krbcontainerrefattr[] = {"krbContainerReference", NULL};
40
41 /*
42 * Free the krb5_ldap_krbcontainer_params
43 */
44
45 void
krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params * cparams)46 krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams)
47 {
48 if (cparams == NULL)
49 return;
50
51 if (cparams->policyreference)
52 krb5_xfree(cparams->policyreference);
53
54 if (cparams->parent)
55 krb5_xfree(cparams->parent);
56
57 if (cparams->DN)
58 krb5_xfree(cparams->DN);
59
60 krb5_xfree(cparams);
61
62 return;
63 }
64
65 /*
66 * Read the kerberos container. Kerberos container dn is read from the krb5.conf file.
67 * In case of eDirectory, if the dn is not present in the conf file, refer Security Container
68 * to fetch the dn information.
69 *
70 * Reading kerberos container includes reading the policyreference attribute and the policy
71 * object to read the attributes associated with it.
72 */
73
74 krb5_error_code
krb5_ldap_read_krbcontainer_params(krb5_context context,krb5_ldap_krbcontainer_params ** cparamp)75 krb5_ldap_read_krbcontainer_params(krb5_context context,
76 krb5_ldap_krbcontainer_params **cparamp)
77
78 {
79 krb5_error_code st=0, tempst=0;
80 LDAP *ld=NULL;
81 LDAPMessage *result=NULL, *ent=NULL;
82 krb5_ldap_krbcontainer_params *cparams=NULL;
83 kdb5_dal_handle *dal_handle=NULL;
84 krb5_ldap_context *ldap_context=NULL;
85 krb5_ldap_server_handle *ldap_server_handle=NULL;
86
87 SETUP_CONTEXT();
88 GET_HANDLE();
89
90 cparams =(krb5_ldap_krbcontainer_params *) malloc(sizeof(krb5_ldap_krbcontainer_params));
91 CHECK_NULL(cparams);
92 memset((char *) cparams, 0, sizeof(krb5_ldap_krbcontainer_params));
93
94 /* read kerberos containter location from [dbmodules] section of krb5.conf file */
95 if (ldap_context->conf_section) {
96 if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section,
97 "ldap_kerberos_container_dn", NULL,
98 &cparams->DN)) != 0) {
99 krb5_set_error_message(context, st, gettext("Error reading kerberos container location "
100 "from krb5.conf"));
101 goto cleanup;
102 }
103 }
104
105 /* read kerberos containter location from [dbdefaults] section of krb5.conf file */
106 if (cparams->DN == NULL) {
107 if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
108 "ldap_kerberos_container_dn", NULL,
109 NULL, &cparams->DN)) != 0) {
110 krb5_set_error_message(context, st, gettext("Error reading kerberos container location "
111 "from krb5.conf"));
112 goto cleanup;
113 }
114 }
115
116 #ifndef HAVE_EDIRECTORY
117 /*
118 * In case eDirectory, we can fall back to security container if the kerberos container location
119 * is missing in the conf file. In openldap we will have to return an error.
120 */
121 if (cparams->DN == NULL) {
122 st = KRB5_KDB_SERVER_INTERNAL_ERR;
123 krb5_set_error_message(context, st, gettext("Kerberos container location not specified"));
124 goto cleanup;
125 }
126 #endif
127
128 if (cparams->DN != NULL) {
129 /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
130 * not read
131 */
132 LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
133 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
134 st = set_ldap_error(context, st, OP_SEARCH);
135 goto cleanup;
136 }
137
138 if (st == LDAP_NO_SUCH_OBJECT) {
139 st = KRB5_KDB_NOENTRY;
140 goto cleanup;
141 }
142 }
143
144 #ifdef HAVE_EDIRECTORY
145 /*
146 * If the kerberos location in the conf file is missing or invalid, fall back to the
147 * security container. If the kerberos location in the security container is also missing
148 * then fall back to the default value
149 */
150 if ((cparams->DN == NULL) || (st == LDAP_NO_SUCH_OBJECT)) {
151 /*
152 * kerberos container can be anywhere. locate it by reading the security
153 * container to find the location.
154 */
155 LDAP_SEARCH(SECURITY_CONTAINER, LDAP_SCOPE_BASE, NULL, krbcontainerrefattr);
156 if ((ent = ldap_first_entry(ld, result)) != NULL) {
157 if ((st=krb5_ldap_get_string(ld, ent, "krbcontainerreference",
158 &(cparams->DN), NULL)) != 0)
159 goto cleanup;
160 if (cparams->DN == NULL) {
161 cparams->DN = strdup(KERBEROS_CONTAINER);
162 CHECK_NULL(cparams->DN);
163 }
164 }
165 ldap_msgfree(result);
166
167 /* NOTE: krbmaxtktlife, krbmaxrenewableage ... attributes present on
168 * Kerberos Container is not read
169 */
170 LDAP_SEARCH(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute);
171 }
172 #endif
173
174 if ((ent = ldap_first_entry(ld, result))) {
175 if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference",
176 &(cparams->policyreference), NULL)) != 0)
177 goto cleanup;
178 }
179 ldap_msgfree(result);
180
181 if (cparams->policyreference != NULL) {
182 LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
183 if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) {
184 st = set_ldap_error(context, st, OP_SEARCH);
185 goto cleanup;
186 }
187 st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */
188
189 ent=ldap_first_entry(ld, result);
190 if (ent != NULL) {
191 krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life));
192 krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life));
193 krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags));
194 }
195 ldap_msgfree(result);
196 }
197 *cparamp=cparams;
198
199 cleanup:
200 if (st != 0) {
201 krb5_ldap_free_krbcontainer_params(cparams);
202 *cparamp=NULL;
203 }
204 krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
205 return st;
206 }
207