1 #pragma ident "%Z%%M% %I% %E% SMI"
2
3 /*
4 * lib/kdb/kdb_ldap/ldap_service_rights.c
5 *
6 * Copyright (c) 2004-2005, Novell, Inc.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions are met:
11 *
12 * * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 * * Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * * The copyright holder's name is not used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "ldap_main.h"
34 #include "ldap_services.h"
35 #include "ldap_err.h"
36
37 /* NOTE: add appropriate rights for krbpasswordexpiration attribute */
38
39 #ifdef HAVE_EDIRECTORY
40
41 static char *kdcrights_subtree[][2] = {
42 {"1#subtree#","#[Entry Rights]"},
43 {"2#subtree#","#CN"},
44 {"6#subtree#","#ObjectClass"},
45 {"2#subtree#","#krbTicketPolicyReference"},
46 {"2#subtree#","#krbUPEnabled"},
47 {"2#subtree#","#krbHostServer"},
48 {"2#subtree#","#krbServiceFlags"},
49 {"2#subtree#","#krbRealmReferences"},
50 {"2#subtree#","#krbTicketFlags"},
51 {"2#subtree#","#krbMaxTicketLife"},
52 {"2#subtree#","#krbMaxRenewableAge"},
53 {"2#subtree#","#krbPrincipalName"},
54 {"6#subtree#","#krbPrincipalKey"},
55 {"2#subtree#","#krbPrincipalExpiration"},
56 {"2#subtree#","#krbPwdPolicyReference"},
57 {"2#subtree#","#krbMaxPwdLife"},
58 {"6#subtree#","#ModifiersName"},
59 {"2#subtree#","#PasswordExpirationTime"},
60 {"2#subtree#","#PasswordExpirationInterval"},
61 {"2#subtree#","#PasswordMinimumLength"},
62 {"2#subtree#","#PasswordAllowChange"},
63 {"2#subtree#","#LoginDisabled"},
64 {"6#subtree#","#LastLoginTime"},
65 {"2#subtree#","#LoginExpirationTime"},
66 {"6#subtree#","#LoginIntruderAttempts"},
67 {"2#subtree#","#IntruderAttemptResetInterval"},
68 {"2#subtree#","#LoginIntruderLimit"},
69 {"6#subtree#","#LoginIntruderResetTime"},
70 {"2#subtree#","#DetectIntruder"},
71 {"2#subtree#","#LockoutAfterDetection"},
72 {"6#subtree#","#LockedByIntruder"},
73 {"2#subtree#","#krbPrincipalReferences"},
74 { "", "" }
75 };
76
77 static char *adminrights_subtree[][2]={
78 {"15#subtree#","#[Entry Rights]"},
79 {"6#subtree#","#CN"},
80 {"6#subtree#","#ObjectClass"},
81 {"6#subtree#","#krbTicketPolicyReference"},
82 {"6#subtree#","#krbUPEnabled"},
83 {"2#subtree#","#krbHostServer"},
84 {"2#subtree#","#krbServiceFlags"},
85 {"2#subtree#","#krbRealmReferences"},
86 {"6#subtree#","#krbTicketFlags"},
87 {"6#subtree#","#krbMaxTicketLife"},
88 {"6#subtree#","#krbMaxRenewableAge"},
89 {"6#subtree#","#krbPrincipalName"},
90 {"6#subtree#","#krbPrincipalKey"},
91 {"6#subtree#","#krbPrincipalExpiration"},
92 {"6#subtree#","#ModifiersName"},
93 {"6#subtree#","#PasswordExpirationTime"},
94 {"2#subtree#","#PasswordExpirationInterval"},
95 {"6#subtree#","#PasswordMinimumLength"},
96 {"6#subtree#","#PasswordAllowChange"},
97 {"6#subtree#","#LoginDisabled"},
98 {"2#subtree#","#LastLoginTime"},
99 {"2#subtree#","#LoginExpirationTime"},
100 {"2#subtree#","#LoginIntruderAttempts"},
101 {"6#subtree#","#IntruderAttemptResetInterval"},
102 {"6#subtree#","#LoginIntruderLimit"},
103 {"6#subtree#","#LoginIntruderResetTime"},
104 {"6#subtree#","#DetectIntruder"},
105 {"6#subtree#","#LockoutAfterDetection"},
106 {"2#subtree#","#LockedByIntruder"},
107 {"2#subtree#","#krbPrincipalReferences"},
108 {"6#subtree#","#Surname"},
109 {"4#subtree#","#passwordManagement"},
110 {"6#subtree#","#krbPwdHistoryLength"},
111 {"6#subtree#","#krbMinPwdLife"},
112 {"6#subtree#","#krbMaxPwdLife"},
113 {"6#subtree#","#krbPwdMinDiffChars"},
114 {"6#subtree#","#krbPwdMinLength"},
115 {"6#subtree#","#krbPwdPolicyReference"},
116 { "","" }
117 };
118
119 static char *pwdrights_subtree[][2] = {
120 {"1#subtree#","#[Entry Rights]"},
121 {"2#subtree#","#CN"},
122 {"2#subtree#","#ObjectClass"},
123 {"2#subtree#","#krbTicketPolicyReference"},
124 {"2#subtree#","#krbUPEnabled"},
125 {"2#subtree#","#krbHostServer"},
126 {"2#subtree#","#krbServiceFlags"},
127 {"2#subtree#","#krbRealmReferences"},
128 {"6#subtree#","#krbTicketFlags"},
129 {"2#subtree#","#krbMaxTicketLife"},
130 {"2#subtree#","#krbMaxRenewableAge"},
131 {"2#subtree#","#krbPrincipalName"},
132 {"6#subtree#","#krbPrincipalKey"},
133 {"2#subtree#","#krbPrincipalExpiration"},
134 {"4#subtree#","#passwordManagement"},
135 {"6#subtree#","#ModifiersName"},
136 {"2#subtree#","#krbPwdHistoryLength"},
137 {"2#subtree#","#krbMinPwdLife"},
138 {"2#subtree#","#krbMaxPwdLife"},
139 {"2#subtree#","#krbPwdMinDiffChars"},
140 {"2#subtree#","#krbPwdMinLength"},
141 {"2#subtree#","#krbPwdPolicyReference"},
142 { "", "" }
143 };
144
145 static char *kdcrights_realmcontainer[][2]={
146 {"1#subtree#","#[Entry Rights]"},
147 {"2#subtree#","#CN"},
148 {"6#subtree#","#ObjectClass"},
149 {"2#subtree#","#krbTicketPolicyReference"},
150 {"2#subtree#","#krbMKey"},
151 {"2#subtree#","#krbUPEnabled"},
152 {"2#subtree#","#krbSubTrees"},
153 {"2#subtree#","#krbPrincContainerRef"},
154 {"2#subtree#","#krbSearchScope"},
155 {"2#subtree#","#krbLdapServers"},
156 {"2#subtree#","#krbSupportedEncSaltTypes"},
157 {"2#subtree#","#krbDefaultEncSaltTypes"},
158 {"2#subtree#","#krbKdcServers"},
159 {"2#subtree#","#krbPwdServers"},
160 {"2#subtree#","#krbTicketFlags"},
161 {"2#subtree#","#krbMaxTicketLife"},
162 {"2#subtree#","#krbMaxRenewableAge"},
163 {"2#subtree#","#krbPrincipalName"},
164 {"6#subtree#","#krbPrincipalKey"},
165 {"2#subtree#","#krbPrincipalExpiration"},
166 {"2#subtree#","#krbPwdPolicyReference"},
167 {"2#subtree#","#krbMaxPwdLife"},
168 {"6#subtree#","#ModifiersName"},
169 {"2#subtree#","#PasswordExpirationTime"},
170 {"2#subtree#","#PasswordExpirationInterval"},
171 {"2#subtree#","#PasswordMinimumLength"},
172 {"2#subtree#","#PasswordAllowChange"},
173 {"2#subtree#","#LoginDisabled"},
174 {"6#subtree#","#LastLoginTime"},
175 {"2#subtree#","#LoginExpirationTime"},
176 {"6#subtree#","#LoginIntruderAttempts"},
177 {"2#subtree#","#IntruderAttemptResetInterval"},
178 {"2#subtree#","#LoginIntruderLimit"},
179 {"6#subtree#","#LoginIntruderResetTime"},
180 {"2#subtree#","#DetectIntruder"},
181 {"2#subtree#","#LockoutAfterDetection"},
182 {"6#subtree#","#LockedByIntruder"},
183 { "", "" }
184 };
185
186
187 static char *adminrights_realmcontainer[][2]={
188 {"15#subtree#","#[Entry Rights]"},
189 {"6#subtree#","#CN"},
190 {"6#subtree#","#ObjectClass"},
191 {"6#subtree#","#krbTicketPolicyReference"},
192 {"2#subtree#","#krbMKey"},
193 {"6#subtree#","#krbUPEnabled"},
194 {"2#subtree#","#krbSubTrees"},
195 {"2#subtree#","#krbPrincContainerRef"},
196 {"2#subtree#","#krbSearchScope"},
197 {"2#subtree#","#krbLdapServers"},
198 {"2#subtree#","#krbSupportedEncSaltTypes"},
199 {"2#subtree#","#krbDefaultEncSaltTypes"},
200 {"2#subtree#","#krbKdcServers"},
201 {"2#subtree#","#krbPwdServers"},
202 {"6#subtree#","#krbTicketFlags"},
203 {"6#subtree#","#krbMaxTicketLife"},
204 {"6#subtree#","#krbMaxRenewableAge"},
205 {"6#subtree#","#krbPrincipalName"},
206 {"6#subtree#","#krbPrincipalKey"},
207 {"6#subtree#","#krbPrincipalExpiration"},
208 {"6#subtree#","#ModifiersName"},
209 {"6#subtree#","#PasswordExpirationTime"},
210 {"2#subtree#","#PasswordExpirationInterval"},
211 {"6#subtree#","#PasswordMinimumLength"},
212 {"6#subtree#","#PasswordAllowChange"},
213 {"6#subtree#","#LoginDisabled"},
214 {"2#subtree#","#LastLoginTime"},
215 {"2#subtree#","#LoginExpirationTime"},
216 {"2#subtree#","#LoginIntruderAttempts"},
217 {"6#subtree#","#IntruderAttemptResetInterval"},
218 {"6#subtree#","#LoginIntruderLimit"},
219 {"6#subtree#","#LoginIntruderResetTime"},
220 {"6#subtree#","#DetectIntruder"},
221 {"6#subtree#","#LockoutAfterDetection"},
222 {"2#subtree#","#LockedByIntruder"},
223 {"6#subtree#","#Surname"},
224 {"6#subtree#","#krbPwdHistoryLength"},
225 {"6#subtree#","#krbMinPwdLife"},
226 {"6#subtree#","#krbMaxPwdLife"},
227 {"6#subtree#","#krbPwdMinDiffChars"},
228 {"6#subtree#","#krbPwdMinLength"},
229 {"6#subtree#","#krbPwdPolicyReference"},
230 { "","" }
231 };
232
233
234 static char *pwdrights_realmcontainer[][2]={
235 {"1#subtree#","#[Entry Rights]"},
236 {"2#subtree#","#CN"},
237 {"2#subtree#","#ObjectClass"},
238 {"2#subtree#","#krbTicketPolicyReference"},
239 {"2#subtree#","#krbMKey"},
240 {"2#subtree#","#krbUPEnabled"},
241 {"2#subtree#","#krbSubTrees"},
242 {"2#subtree#","#krbPrincContainerRef"},
243 {"2#subtree#","#krbSearchScope"},
244 {"2#subtree#","#krbLdapServers"},
245 {"2#subtree#","#krbSupportedEncSaltTypes"},
246 {"2#subtree#","#krbDefaultEncSaltTypes"},
247 {"2#subtree#","#krbKdcServers"},
248 {"2#subtree#","#krbPwdServers"},
249 {"6#subtree#","#krbTicketFlags"},
250 {"2#subtree#","#krbMaxTicketLife"},
251 {"2#subtree#","#krbMaxRenewableAge"},
252 {"2#subtree#","#krbPrincipalName"},
253 {"6#subtree#","#krbPrincipalKey"},
254 {"2#subtree#","#krbPrincipalExpiration"},
255 {"6#subtree#","#ModifiersName"},
256 {"2#subtree#","#krbPwdHistoryLength"},
257 {"2#subtree#","#krbMinPwdLife"},
258 {"2#subtree#","#krbMaxPwdLife"},
259 {"2#subtree#","#krbPwdMinDiffChars"},
260 {"2#subtree#","#krbPwdMinLength"},
261 {"2#subtree#","#krbPwdPolicyReference"},
262 { "", "" }
263 };
264
265 static char *security_container[][2] = {
266 {"1#subtree#","#[Entry Rights]"},
267 {"2#subtree#","#krbContainerReference"},
268 { "", "" }
269 };
270
271 static char *kerberos_container[][2] = {
272 {"1#subtree#","#[Entry Rights]"},
273 {"2#subtree#","#krbTicketPolicyReference"},
274 { "", "" }
275 };
276
277
278 /*
279 * This will set the rights for the Kerberos service objects.
280 * The function will read the subtree attribute from the specified
281 * realm name and will the appropriate rights on both the realm
282 * container and the subtree. The kerberos context passed should
283 * have a valid ldap handle, with appropriate rights to write acl
284 * attributes.
285 *
286 * krb5_context - IN The Kerberos context with valid ldap handle
287 *
288 */
289
290 krb5_error_code
krb5_ldap_add_service_rights(context,servicetype,serviceobjdn,realmname,subtreeparam,mask)291 krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
292 krb5_context context;
293 int servicetype;
294 char *serviceobjdn;
295 char *realmname;
296 char **subtreeparam;
297 int mask;
298 {
299
300 int st=0,i=0;
301 char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
302 LDAP *ld;
303 LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass;
304 LDAPMod *realmarr[3]={NULL}, *subtreearr[3]={NULL}, *seccontarr[3]={NULL}, *krbcontarr[3]={NULL};
305 char *realmdn=NULL, **subtree=NULL;
306 kdb5_dal_handle *dal_handle=NULL;
307 krb5_ldap_context *ldap_context=NULL;
308 krb5_ldap_server_handle *ldap_server_handle=NULL;
309 int subtreecount=0;
310
311 SETUP_CONTEXT();
312 GET_HANDLE();
313
314 if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
315 || (ldap_context->krbcontainer->DN == NULL)) {
316 st=-1;
317 goto cleanup;
318 }
319
320 subtreecount=ldap_context->lrparams->subtreecount;
321 subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
322 if(subtree == NULL) {
323 st = ENOMEM;
324 goto cleanup;
325 }
326
327 /* If the subtree is null, set the value to root */
328 if(subtreeparam == NULL) {
329 subtree[0] = strdup("");
330 if(subtree[0] == NULL) {
331 st = ENOMEM;
332 goto cleanup;
333 }
334 }
335 else {
336 for (i=0; subtree[i] != NULL && i<subtreecount; i++) {
337 subtree[i] = strdup(subtreeparam[i]);
338 if(subtree[i] == NULL) {
339 st = ENOMEM;
340 goto cleanup;
341 }
342 }
343 }
344
345 /* Set the rights for the service object on the security container */
346 seccontclass.mod_op = LDAP_MOD_ADD;
347 seccontclass.mod_type = "ACL";
348
349 for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
350
351 seccontacls[0] = (char *)malloc(strlen(security_container[i][0]) +
352 strlen(serviceobjdn) +
353 strlen(security_container[i][1]) + 1);
354 if (seccontacls[0] == NULL) {
355 st = ENOMEM;
356 goto cleanup;
357 }
358
359 sprintf(seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
360 security_container[i][1]);
361 seccontclass.mod_values = seccontacls;
362
363 seccontarr[0] = &seccontclass;
364
365 st = ldap_modify_ext_s(ld,
366 SECURITY_CONTAINER,
367 seccontarr,
368 NULL,
369 NULL);
370 if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
371 free(seccontacls[0]);
372 st = set_ldap_error (context, st, OP_MOD);
373 goto cleanup;
374 }
375 free(seccontacls[0]);
376 }
377
378
379 /* Set the rights for the service object on the kerberos container */
380 krbcontclass.mod_op = LDAP_MOD_ADD;
381 krbcontclass.mod_type = "ACL";
382
383 for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
384 krbcontacls[0] = (char *)malloc(strlen(kerberos_container[i][0]) + strlen(serviceobjdn)
385 + strlen(kerberos_container[i][1]) + 1);
386 if (krbcontacls[0] == NULL) {
387 st = ENOMEM;
388 goto cleanup;
389 }
390 sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
391 kerberos_container[i][1]);
392 krbcontclass.mod_values = krbcontacls;
393
394 krbcontarr[0] = &krbcontclass;
395
396 st = ldap_modify_ext_s(ld,
397 ldap_context->krbcontainer->DN,
398 krbcontarr,
399 NULL,
400 NULL);
401 if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
402 free(krbcontacls[0]);
403 st = set_ldap_error (context, st, OP_MOD);
404 goto cleanup;
405 }
406 free(krbcontacls[0]);
407 }
408
409 /* Set the rights for the realm */
410 if (mask & LDAP_REALM_RIGHTS) {
411
412 /* Construct the realm dn from realm name */
413 realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
414 strlen(ldap_context->krbcontainer->DN) + 2);
415 if (realmdn == NULL) {
416 st = ENOMEM;
417 goto cleanup;
418 }
419 sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
420
421 realmclass.mod_op = LDAP_MOD_ADD;
422 realmclass.mod_type = "ACL";
423
424 if (servicetype == LDAP_KDC_SERVICE) {
425 for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
426 realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0])
427 + strlen(serviceobjdn) +
428 strlen(kdcrights_realmcontainer[i][1]) + 1);
429 if (realmacls[0] == NULL) {
430 st = ENOMEM;
431 goto cleanup;
432 }
433 sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
434 kdcrights_realmcontainer[i][1]);
435 realmclass.mod_values = realmacls;
436
437 realmarr[0] = &realmclass;
438
439 st = ldap_modify_ext_s(ld,
440 realmdn,
441 realmarr,
442 NULL,
443 NULL);
444 if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
445 free(realmacls[0]);
446 st = set_ldap_error (context, st, OP_MOD);
447 goto cleanup;
448 }
449 free(realmacls[0]);
450 }
451 } else if (servicetype == LDAP_ADMIN_SERVICE) {
452 for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
453 realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
454 strlen(serviceobjdn) +
455 strlen(adminrights_realmcontainer[i][1]) + 1);
456 if (realmacls[0] == NULL) {
457 st = ENOMEM;
458 goto cleanup;
459 }
460 sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
461 adminrights_realmcontainer[i][1]);
462 realmclass.mod_values = realmacls;
463
464 realmarr[0] = &realmclass;
465
466 st = ldap_modify_ext_s(ld,
467 realmdn,
468 realmarr,
469 NULL,
470 NULL);
471 if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
472 free(realmacls[0]);
473 st = set_ldap_error (context, st, OP_MOD);
474 goto cleanup;
475 }
476 free(realmacls[0]);
477 }
478 } else if (servicetype == LDAP_PASSWD_SERVICE) {
479 for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
480 realmacls[0] = (char *) malloc(strlen(pwdrights_realmcontainer[i][0]) +
481 strlen(serviceobjdn) +
482 strlen(pwdrights_realmcontainer[i][1]) + 1);
483 if (realmacls[0] == NULL) {
484 st = ENOMEM;
485 goto cleanup;
486 }
487 sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
488 pwdrights_realmcontainer[i][1]);
489 realmclass.mod_values = realmacls;
490
491 realmarr[0] = &realmclass;
492
493
494 st = ldap_modify_ext_s(ld,
495 realmdn,
496 realmarr,
497 NULL,
498 NULL);
499 if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
500 free(realmacls[0]);
501 st = set_ldap_error (context, st, OP_MOD);
502 goto cleanup;
503 }
504 free(realmacls[0]);
505 }
506 }
507 } /* Realm rights settings ends here */
508
509
510 /* Subtree rights to be set */
511 if (mask & LDAP_SUBTREE_RIGHTS) {
512 /* Populate the acl data to be added to the subtree */
513 subtreeclass.mod_op = LDAP_MOD_ADD;
514 subtreeclass.mod_type = "ACL";
515
516 if (servicetype == LDAP_KDC_SERVICE) {
517 for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
518 subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) +
519 strlen(serviceobjdn) +
520 strlen(kdcrights_subtree[i][1]) + 1);
521 if (subtreeacls[0] == NULL) {
522 st = ENOMEM;
523 goto cleanup;
524 }
525 sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
526 kdcrights_subtree[i][1]);
527 subtreeclass.mod_values = subtreeacls;
528
529 subtreearr[0] = &subtreeclass;
530
531 /* set rights to a list of subtrees */
532 for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
533 st = ldap_modify_ext_s(ld,
534 subtree[i],
535 subtreearr,
536 NULL,
537 NULL);
538 if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
539 free(subtreeacls[0]);
540 st = set_ldap_error (context, st, OP_MOD);
541 goto cleanup;
542 }
543 }
544 free(subtreeacls[0]);
545 }
546 } else if (servicetype == LDAP_ADMIN_SERVICE) {
547 for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
548 subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
549 + strlen(serviceobjdn)
550 + strlen(adminrights_subtree[i][1]) + 1);
551 if (subtreeacls[0] == NULL) {
552 st = ENOMEM;
553 goto cleanup;
554 }
555 sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
556 adminrights_subtree[i][1]);
557 subtreeclass.mod_values = subtreeacls;
558
559 subtreearr[0] = &subtreeclass;
560
561 /* set rights to a list of subtrees */
562 for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
563 st = ldap_modify_ext_s(ld,
564 subtree[i],
565 subtreearr,
566 NULL,
567 NULL);
568 if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
569 free(subtreeacls[0]);
570 st = set_ldap_error (context, st, OP_MOD);
571 goto cleanup;
572 }
573 }
574 free(subtreeacls[0]);
575 }
576 } else if (servicetype == LDAP_PASSWD_SERVICE) {
577 for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
578 subtreeacls[0] = (char *)malloc(strlen(pwdrights_subtree[i][0])
579 + strlen(serviceobjdn)
580 + strlen(pwdrights_subtree[i][1]) + 1);
581 if (subtreeacls[0] == NULL) {
582 st = ENOMEM;
583 goto cleanup;
584 }
585 sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
586 pwdrights_subtree[i][1]);
587 subtreeclass.mod_values = subtreeacls;
588
589 subtreearr[0] = &subtreeclass;
590
591 /* set rights to a list of subtrees */
592 for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
593 st = ldap_modify_ext_s(ld,
594 subtree[i],
595 subtreearr,
596 NULL,
597 NULL);
598 if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
599 free(subtreeacls[0]);
600 st = set_ldap_error (context, st, OP_MOD);
601 goto cleanup;
602 }
603 }
604 free(subtreeacls[0]);
605 }
606 }
607 } /* Subtree rights settings ends here */
608 st = 0;
609
610 cleanup:
611
612 if (realmdn)
613 free(realmdn);
614
615 if (subtree)
616 free(subtree);
617
618 krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
619 return st;
620 }
621
622
623 /*
624 This will set the rights for the Kerberos service objects.
625 The function will read the subtree attribute from the specified
626 realm name and will the appropriate rights on both the realm
627 container and the subtree. The kerberos context passed should
628 have a valid ldap handle, with appropriate rights to write acl
629 attributes.
630
631 krb5_context - IN The Kerberos context with valid ldap handle
632
633 */
634
635 krb5_error_code
krb5_ldap_delete_service_rights(context,servicetype,serviceobjdn,realmname,subtreeparam,mask)636 krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
637 krb5_context context;
638 int servicetype;
639 char *serviceobjdn;
640 char *realmname;
641 char **subtreeparam;
642 int mask;
643 {
644
645 int st=0,i=0;
646 char *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
647 LDAP *ld;
648 LDAPMod realmclass, subtreeclass;
649 LDAPMod *realmarr[3] = { NULL }, *subtreearr[3] = { NULL };
650 char *realmdn=NULL;
651 char **subtree=NULL;
652 kdb5_dal_handle *dal_handle=NULL;
653 krb5_ldap_context *ldap_context=NULL;
654 krb5_ldap_server_handle *ldap_server_handle=NULL;
655 int subtreecount = 0;
656
657 SETUP_CONTEXT();
658 GET_HANDLE();
659
660 if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
661 || (ldap_context->krbcontainer->DN == NULL)) {
662 st = -1;
663 goto cleanup;
664 }
665
666 subtreecount = 1;
667 while(subtreeparam[subtreecount])
668 subtreecount++;
669 subtree = (char **) malloc(sizeof(char *) * subtreecount + 1);
670 if(subtree == NULL) {
671 st = ENOMEM;
672 goto cleanup;
673 }
674
675 /* If the subtree is null, set the value to root */
676 if(subtreeparam == NULL) {
677 subtree[0] = strdup("");
678 if(subtree[0] == NULL) {
679 st = ENOMEM;
680 goto cleanup;
681 }
682 }
683 else {
684 for(i=0; subtreeparam[i]!=NULL && i<subtreecount; i++)
685 subtree[i] = strdup(subtreeparam[i]);
686 if(subtree[i] == NULL) {
687 st = ENOMEM;
688 goto cleanup;
689 }
690 }
691
692
693 /* Set the rights for the realm */
694 if (mask & LDAP_REALM_RIGHTS) {
695
696 /* Construct the realm dn from realm name */
697 realmdn = (char *) malloc(strlen("cn=") + strlen(realmname) +
698 strlen(ldap_context->krbcontainer->DN) + 2);
699 if (realmdn == NULL) {
700 st = ENOMEM;
701 goto cleanup;
702 }
703 sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
704
705 realmclass.mod_op=LDAP_MOD_DELETE;
706 realmclass.mod_type="ACL";
707
708 if (servicetype == LDAP_KDC_SERVICE) {
709 for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
710 realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0])
711 + strlen(serviceobjdn) +
712 strlen(kdcrights_realmcontainer[i][1]) + 1);
713 if (realmacls[0] == NULL) {
714 st = ENOMEM;
715 goto cleanup;
716 }
717 sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
718 kdcrights_realmcontainer[i][1]);
719 realmclass.mod_values= realmacls;
720
721 realmarr[0]=&realmclass;
722
723 st = ldap_modify_ext_s(ld,
724 realmdn,
725 realmarr,
726 NULL,
727 NULL);
728 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
729 free(realmacls[0]);
730 st = set_ldap_error (context, st, OP_MOD);
731 goto cleanup;
732 }
733 free(realmacls[0]);
734 }
735 } else if (servicetype == LDAP_ADMIN_SERVICE) {
736 for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
737 realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
738 strlen(serviceobjdn) +
739 strlen(adminrights_realmcontainer[i][1]) + 1);
740 if (realmacls[0] == NULL) {
741 st = ENOMEM;
742 goto cleanup;
743 }
744 sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
745 adminrights_realmcontainer[i][1]);
746 realmclass.mod_values= realmacls;
747
748 realmarr[0]=&realmclass;
749
750 st = ldap_modify_ext_s(ld,
751 realmdn,
752 realmarr,
753 NULL,
754 NULL);
755 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
756 free(realmacls[0]);
757 st = set_ldap_error (context, st, OP_MOD);
758 goto cleanup;
759 }
760 free(realmacls[0]);
761 }
762 } else if (servicetype == LDAP_PASSWD_SERVICE) {
763 for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
764 realmacls[0]=(char *)malloc(strlen(pwdrights_realmcontainer[i][0])
765 + strlen(serviceobjdn)
766 + strlen(pwdrights_realmcontainer[i][1]) + 1);
767 if (realmacls[0] == NULL) {
768 st = ENOMEM;
769 goto cleanup;
770 }
771 sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
772 pwdrights_realmcontainer[i][1]);
773 realmclass.mod_values= realmacls;
774
775 realmarr[0]=&realmclass;
776
777 st = ldap_modify_ext_s(ld,
778 realmdn,
779 realmarr,
780 NULL,
781 NULL);
782 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
783 free(realmacls[0]);
784 st = set_ldap_error (context, st, OP_MOD);
785 goto cleanup;
786 }
787 free(realmacls[0]);
788 }
789 }
790
791 } /* Realm rights setting ends here */
792
793
794 /* Set the rights for the subtree */
795 if (mask & LDAP_SUBTREE_RIGHTS) {
796
797 /* Populate the acl data to be added to the subtree */
798 subtreeclass.mod_op=LDAP_MOD_DELETE;
799 subtreeclass.mod_type="ACL";
800
801 if (servicetype == LDAP_KDC_SERVICE) {
802 for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
803 subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0])
804 + strlen(serviceobjdn)
805 + strlen(kdcrights_subtree[i][1]) + 1);
806 if (subtreeacls[0] == NULL) {
807 st = ENOMEM;
808 goto cleanup;
809 }
810 sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
811 kdcrights_subtree[i][1]);
812 subtreeclass.mod_values= subtreeacls;
813
814 subtreearr[0]=&subtreeclass;
815
816 for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
817 st = ldap_modify_ext_s(ld,
818 subtree[i],
819 subtreearr,
820 NULL,
821 NULL);
822 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
823 free(subtreeacls[0]);
824 st = set_ldap_error (context, st, OP_MOD);
825 goto cleanup;
826 }
827 }
828 free(subtreeacls[0]);
829 }
830 } else if (servicetype == LDAP_ADMIN_SERVICE) {
831 for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
832 subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
833 + strlen(serviceobjdn)
834 + strlen(adminrights_subtree[i][1]) + 1);
835 if (subtreeacls[0] == NULL) {
836 st = ENOMEM;
837 goto cleanup;
838 }
839 sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
840 adminrights_subtree[i][1]);
841 subtreeclass.mod_values= subtreeacls;
842
843 subtreearr[0]=&subtreeclass;
844
845 for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
846 st = ldap_modify_ext_s(ld,
847 subtree[i],
848 subtreearr,
849 NULL,
850 NULL);
851 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
852 free(subtreeacls[0]);
853 st = set_ldap_error (context, st, OP_MOD);
854 goto cleanup;
855 }
856 }
857 free(subtreeacls[0]);
858 }
859 } else if (servicetype == LDAP_PASSWD_SERVICE) {
860 for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
861 subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0])
862 + strlen(serviceobjdn)
863 + strlen(pwdrights_subtree[i][1]) + 1);
864 if (subtreeacls[0] == NULL) {
865 st = ENOMEM;
866 goto cleanup;
867 }
868 sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
869 pwdrights_subtree[i][1]);
870 subtreeclass.mod_values= subtreeacls;
871
872 subtreearr[0]=&subtreeclass;
873
874 for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
875 st = ldap_modify_ext_s(ld,
876 subtree[i],
877 subtreearr,
878 NULL,
879 NULL);
880 if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
881 free(subtreeacls[0]);
882 st = set_ldap_error (context, st, OP_MOD);
883 goto cleanup;
884 }
885 }
886 free(subtreeacls[0]);
887 }
888 }
889 } /* Subtree rights setting ends here */
890
891 st = 0;
892
893 cleanup:
894
895 if (realmdn)
896 free(realmdn);
897
898 if (subtree)
899 free(subtree);
900
901 krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
902 return st;
903 }
904
905 #endif
906