xref: /illumos-gate/usr/src/cmd/krb5/ldap_util/kdb5_ldap_policy.c (revision bd211b8556ef6b18ebf137419bd5555d65271664)
1 #pragma ident	"%Z%%M%	%I%	%E% SMI"
2 
3 /*
4  * kadmin/ldap_util/kdb5_ldap_policy.c
5  */
6 
7 /* Copyright (c) 2004-2005, Novell, Inc.
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions are met:
12  *
13  *   * Redistributions of source code must retain the above copyright notice,
14  *       this list of conditions and the following disclaimer.
15  *   * Redistributions in binary form must reproduce the above copyright
16  *       notice, this list of conditions and the following disclaimer in the
17  *       documentation and/or other materials provided with the distribution.
18  *   * The copyright holder's name is not used to endorse or promote products
19  *       derived from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
22  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
25  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31  * POSSIBILITY OF SUCH DAMAGE.
32  */
33 
34 /*
35  * Create / Delete / Modify / View / List policy objects.
36  */
37 
38 #include <stdio.h>
39 #include <time.h>
40 #include <k5-int.h>
41 #include <kadm5/admin.h>
42 #include <libintl.h>
43 #include <locale.h>
44 #include "kdb5_ldap_util.h"
45 #include "kdb5_ldap_list.h"
46 #include "ldap_tkt_policy.h"
47 extern time_t get_date(char *); /* kadmin/cli/getdate.o */
48 
49 static void print_policy_params(krb5_ldap_policy_params *policyparams, int mask);
50 static char *strdur(time_t duration);
51 
52 extern char *yes;
53 extern kadm5_config_params global_params;
54 
55 static krb5_error_code init_ldap_realm (int argc, char *argv[]) {
56     /* This operation is being performed in the context of a realm. So,
57      * initialize the realm */
58     int mask = 0;
59     krb5_error_code retval = 0;
60     kdb5_dal_handle *dal_handle = NULL;
61     krb5_ldap_context *ldap_context=NULL;
62 
63     dal_handle = (kdb5_dal_handle *) util_context->db_context;
64     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
65     if (!ldap_context) {
66         retval = EINVAL;
67         goto cleanup;
68     }
69 
70     if (ldap_context->krbcontainer == NULL) {
71         retval = krb5_ldap_read_krbcontainer_params (util_context,
72                 &(ldap_context->krbcontainer));
73         if (retval != 0) {
74             com_err(argv[0], retval, gettext("while reading kerberos container information"));
75             goto cleanup;
76         }
77     }
78 
79     if (ldap_context->lrparams == NULL) {
80         retval = krb5_ldap_read_realm_params(util_context,
81                 global_params.realm,
82                 &(ldap_context->lrparams),
83                 &mask);
84 
85         if (retval != 0) {
86             goto cleanup;
87         }
88     }
89 cleanup:
90     return retval;
91 }
92 
93 /*
94  * This function will create a ticket policy object with the
95  * specified attributes.
96  */
97 void
98 kdb5_ldap_create_policy(argc, argv)
99     int argc;
100     char *argv[];
101 {
102     char *me = argv[0];
103     krb5_error_code retval = 0;
104     krb5_ldap_policy_params *policyparams = NULL;
105     krb5_boolean print_usage = FALSE;
106     krb5_boolean no_msg = FALSE;
107     int mask = 0;
108     time_t date = 0;
109     time_t now = 0;
110     int i = 0;
111 
112     /* Check for number of arguments */
113     if ((argc < 2) || (argc > 16)) {
114 	goto err_usage;
115     }
116 
117     /* Allocate memory for policy parameters structure */
118     policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params));
119     if (policyparams == NULL) {
120 	retval = ENOMEM;
121 	goto cleanup;
122     }
123 
124     /* Get current time */
125     time (&now);
126 
127     /* Parse all arguments */
128     for (i = 1; i < argc; i++) {
129 	if (!strcmp(argv[i], "-maxtktlife")) {
130 	    if (++i > argc - 1)
131 		goto err_usage;
132 
133 	    date = get_date(argv[i]);
134 	    if (date == (time_t)(-1)) {
135 		retval = EINVAL;
136 		com_err (me, retval, gettext("while providing time specification"));
137 		goto err_nomsg;
138 	    }
139 
140 	    policyparams->maxtktlife = date - now;
141 
142 	    mask |= LDAP_POLICY_MAXTKTLIFE;
143 	} else if (!strcmp(argv[i], "-maxrenewlife")) {
144 	    if (++i > argc - 1)
145 		goto err_usage;
146 
147 	    date = get_date(argv[i]);
148 	    if (date == (time_t)(-1)) {
149 		retval = EINVAL;
150 		com_err (me, retval, gettext("while providing time specification"));
151 		goto err_nomsg;
152 	    }
153 
154 	    policyparams->maxrenewlife = date - now;
155 
156 	    mask |= LDAP_POLICY_MAXRENEWLIFE;
157 	} else if (!strcmp((argv[i] + 1), "allow_postdated")) {
158 	    if (*(argv[i]) == '+')
159 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
160 	    else if (*(argv[i]) == '-')
161 		policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
162 	    else
163 		goto err_usage;
164 
165 	    mask |= LDAP_POLICY_TKTFLAGS;
166 	} else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
167 	    if (*(argv[i]) == '+')
168 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
169 	    else if (*(argv[i]) == '-')
170 		policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
171 	    else
172 		goto err_usage;
173 
174 	    mask |= LDAP_POLICY_TKTFLAGS;
175 	} else if (!strcmp((argv[i] + 1), "allow_renewable")) {
176 	    if (*(argv[i]) == '+')
177 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
178 	    else if (*(argv[i]) == '-')
179 		policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
180 	    else
181 		goto err_usage;
182 
183 	    mask |= LDAP_POLICY_TKTFLAGS;
184 	} else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
185 	    if (*(argv[i]) == '+')
186 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
187 	    else if (*(argv[i]) == '-')
188 		policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
189 	    else
190 		goto err_usage;
191 
192 	    mask |= LDAP_POLICY_TKTFLAGS;
193 	} else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
194 	    if (*(argv[i]) == '+')
195 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
196 	    else if (*(argv[i]) == '-')
197 		policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
198 	    else
199 		goto err_usage;
200 
201 	    mask |= LDAP_POLICY_TKTFLAGS;
202 	} else if (!strcmp((argv[i] + 1), "requires_preauth")) {
203 	    if (*(argv[i]) == '+')
204 		policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
205 	    else if (*(argv[i]) == '-')
206 		policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
207 	    else
208 		goto err_usage;
209 
210 	    mask |= LDAP_POLICY_TKTFLAGS;
211 	} else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
212 	    if (*(argv[i]) == '+')
213 		policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
214 	    else if (*(argv[i]) == '-')
215 		policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
216 	    else
217 		goto err_usage;
218 
219 	    mask |= LDAP_POLICY_TKTFLAGS;
220 	} else if (!strcmp((argv[i] + 1), "allow_svr")) {
221 	    if (*(argv[i]) == '+')
222 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
223 	    else if (*(argv[i]) == '-')
224 		policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
225 	    else
226 		goto err_usage;
227 
228 	    mask |= LDAP_POLICY_TKTFLAGS;
229 	} else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
230 	    if (*(argv[i]) == '+')
231 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
232 	    else if (*(argv[i]) == '-')
233 		policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
234 	    else
235 		goto err_usage;
236 
237 	    mask |= LDAP_POLICY_TKTFLAGS;
238 	} else if (!strcmp((argv[i] + 1), "allow_tix")) {
239 	    if (*(argv[i]) == '+')
240 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
241 	    else if (*(argv[i]) == '-')
242 		policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
243 	    else
244 		goto err_usage;
245 
246 	    mask |= LDAP_POLICY_TKTFLAGS;
247 	} else if (!strcmp((argv[i] + 1), "needchange")) {
248 	    if (*(argv[i]) == '+')
249 		policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
250 	    else if (*(argv[i]) == '-')
251 		policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
252 	    else
253 		goto err_usage;
254 
255 	    mask |= LDAP_POLICY_TKTFLAGS;
256 	} else if (!strcmp((argv[i] + 1), "password_changing_service")) {
257 	    if (*(argv[i]) == '+')
258 		policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
259 	    else if (*(argv[i]) == '-')
260 		policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
261 	    else
262 		goto err_usage;
263 
264 	    mask |= LDAP_POLICY_TKTFLAGS;
265 	} else { /* Any other argument must be policy DN */
266 	    /* First check if policy DN is already provided --
267 	       if so, there's a usage error */
268             if (policyparams->policy != NULL)
269 		goto err_usage;
270 
271 	    /* If not present already, fill up policy DN */
272             policyparams->policy = strdup(argv[i]);
273             if (policyparams->policy == NULL) {
274 		retval = ENOMEM;
275 		com_err(me, retval, gettext("while creating policy object"));
276 		goto err_nomsg;
277 	    }
278 	}
279     }
280 
281     /* policy DN is a mandatory argument. If not provided, print usage */
282     if (policyparams->policy == NULL)
283 	goto err_usage;
284 
285     if ((retval = init_ldap_realm (argc, argv))) {
286         com_err(me, retval, gettext("while reading realm information"));
287         goto err_nomsg;
288     }
289 
290     /* Create object with all attributes provided */
291     if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0)
292 	goto cleanup;
293 
294     goto cleanup;
295 
296 err_usage:
297     print_usage = TRUE;
298 
299 err_nomsg:
300     no_msg = TRUE;
301 
302 cleanup:
303     /* Clean-up structure */
304     krb5_ldap_free_policy (util_context, policyparams);
305 
306     if (print_usage)
307 	db_usage(CREATE_POLICY);
308 
309     if (retval) {
310 	if (!no_msg)
311 	    com_err(me, retval, gettext("while creating policy object"));
312 
313 	exit_status++;
314     }
315 
316     return;
317 }
318 
319 
320 /*
321  * This function will destroy the specified ticket policy
322  * object interactively, unless forced through an option.
323  */
324 void
325 kdb5_ldap_destroy_policy(argc, argv)
326     int argc;
327     char *argv[];
328 {
329     char *me = argv[0];
330     krb5_error_code retval = 0;
331     krb5_ldap_policy_params *policyparams = NULL;
332     krb5_boolean print_usage = FALSE;
333     krb5_boolean no_msg = FALSE;
334     char *policy = NULL;
335     unsigned int mask = 0;
336     int force = 0;
337     char buf[5] = {0};
338     int i = 0;
339 
340     if ((argc < 2) || (argc > 3)) {
341 	goto err_usage;
342     }
343 
344     for (i = 1; i < argc; i++) {
345 	if (strcmp(argv[i], "-force") == 0) {
346 	    force++;
347 	} else { /* Any other argument must be policy DN */
348 	    /* First check if policy DN is already provided --
349 	       if so, there's a usage error */
350             if (policy != NULL)
351 		goto err_usage;
352 
353 	    /* If not present already, fill up policy DN */
354             policy = strdup(argv[i]);
355             if (policy == NULL) {
356 		retval = ENOMEM;
357 		com_err(me, retval, gettext("while destroying policy object"));
358 		goto err_nomsg;
359 	    }
360 	}
361     }
362 
363     if (policy == NULL)
364 	goto err_usage;
365 
366     if (!force) {
367         printf(gettext("This will delete the policy object '%s', are you sure?\n"), policy);
368 	printf(gettext("(type 'yes' to confirm)? "));
369 
370 	if (fgets(buf, sizeof(buf), stdin) == NULL) {
371 	    retval = EINVAL;
372 	    goto cleanup;
373 	}
374 
375 	if (strcmp(buf, yes)) {
376 	    exit_status++;
377 	    goto cleanup;
378 	}
379     }
380 
381     if ((retval = init_ldap_realm (argc, argv)))
382         goto err_nomsg;
383 
384     if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask)))
385 	goto cleanup;
386 
387 
388     if ((retval = krb5_ldap_delete_policy(util_context, policy)))
389 	goto cleanup;
390 
391     printf(gettext("** policy object '%s' deleted.\n"), policy);
392     goto cleanup;
393 
394 
395 err_usage:
396     print_usage = TRUE;
397 
398 err_nomsg:
399     no_msg = TRUE;
400 
401 cleanup:
402     /* Clean-up structure */
403     krb5_ldap_free_policy (util_context, policyparams);
404 
405     if (policy) {
406 	free (policy);
407     }
408 
409     if (print_usage) {
410 	db_usage(DESTROY_POLICY);
411     }
412 
413     if (retval) {
414 	if (!no_msg)
415 	    com_err(me, retval, gettext("while destroying policy object"));
416 
417 	exit_status++;
418     }
419 
420     return;
421 }
422 
423 
424 /*
425  * This function will modify the attributes of a given ticket
426  * policy object.
427  */
428 void
429 kdb5_ldap_modify_policy(argc, argv)
430     int argc;
431     char *argv[];
432 {
433     char *me = argv[0];
434     krb5_error_code retval = 0;
435     krb5_ldap_policy_params *policyparams = NULL;
436     krb5_boolean print_usage = FALSE;
437     krb5_boolean no_msg = FALSE;
438     char *policy = NULL;
439     unsigned int in_mask = 0, out_mask = 0;
440     time_t date = 0;
441     time_t now = 0;
442     int i = 0;
443 
444     /* Check for number of arguments -- minimum is 3
445        since atleast one parameter should be given in
446        addition to 'modify_policy' and policy DN */
447     if ((argc < 3) || (argc > 16)) {
448 	goto err_usage;
449     }
450 
451     /* Parse all arguments, only to pick up policy DN (Pass 1) */
452     for (i = 1; i < argc; i++) {
453 	/* Skip arguments next to 'maxtktlife'
454 	   and 'maxrenewlife' arguments */
455 	if (!strcmp(argv[i], "-maxtktlife")) {
456 	    ++i;
457 	} else if (!strcmp(argv[i], "-maxrenewlife")) {
458 	    ++i;
459 	}
460 	/* Do nothing for ticket flag arguments */
461 	else if (!strcmp((argv[i] + 1), "allow_postdated") ||
462 		 !strcmp((argv[i] + 1), "allow_forwardable") ||
463 		 !strcmp((argv[i] + 1), "allow_renewable") ||
464 		 !strcmp((argv[i] + 1), "allow_proxiable") ||
465 		 !strcmp((argv[i] + 1), "allow_dup_skey") ||
466 		 !strcmp((argv[i] + 1), "requires_preauth") ||
467 		 !strcmp((argv[i] + 1), "requires_hwauth") ||
468 		 !strcmp((argv[i] + 1), "allow_svr") ||
469 		 !strcmp((argv[i] + 1), "allow_tgs_req") ||
470 		 !strcmp((argv[i] + 1), "allow_tix") ||
471 		 !strcmp((argv[i] + 1), "needchange") ||
472 		 !strcmp((argv[i] + 1), "password_changing_service")) {
473 	} else { /* Any other argument must be policy DN */
474 	    /* First check if policy DN is already provided --
475 	       if so, there's a usage error */
476             if (policy != NULL)
477 		goto err_usage;
478 
479 	    /* If not present already, fill up policy DN */
480             policy = strdup(argv[i]);
481             if (policy == NULL) {
482 		retval = ENOMEM;
483 		com_err(me, retval, gettext("while modifying policy object"));
484 		goto err_nomsg;
485 	    }
486 	}
487     }
488 
489     if (policy == NULL)
490 	goto err_usage;
491 
492     if ((retval = init_ldap_realm (argc, argv)))
493 	goto cleanup;
494 
495     retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask);
496     if (retval) {
497         com_err(me, retval, gettext("while reading information of policy '%s'"), policy);
498 	goto err_nomsg;
499     }
500 
501     /* Get current time */
502     time (&now);
503 
504     /* Parse all arguments, but skip policy DN (Pass 2) */
505     for (i = 1; i < argc; i++) {
506 	if (!strcmp(argv[i], "-maxtktlife")) {
507 	    if (++i > argc - 1)
508 		goto err_usage;
509 
510 	    date = get_date(argv[i]);
511 	    if (date == (time_t)(-1)) {
512 		retval = EINVAL;
513 		com_err (me, retval, gettext("while providing time specification"));
514 		goto err_nomsg;
515 	    }
516 
517 	    policyparams->maxtktlife = date - now;
518 
519 	    out_mask |= LDAP_POLICY_MAXTKTLIFE;
520 	} else if (!strcmp(argv[i], "-maxrenewlife")) {
521 	    if (++i > argc - 1)
522 		goto err_usage;
523 
524 	    date = get_date(argv[i]);
525 	    if (date == (time_t)(-1)) {
526 		retval = EINVAL;
527 		com_err (me, retval, gettext("while providing time specification"));
528 		goto err_nomsg;
529 	    }
530 
531 	    policyparams->maxrenewlife = date - now;
532 
533 	    out_mask |= LDAP_POLICY_MAXRENEWLIFE;
534 	} else if (!strcmp((argv[i] + 1), "allow_postdated")) {
535 	    if (*(argv[i]) == '+')
536 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
537 	    else if (*(argv[i]) == '-')
538 		policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
539 	    else
540 		goto err_usage;
541 
542 	    out_mask |= LDAP_POLICY_TKTFLAGS;
543 	} else if (!strcmp((argv[i] + 1), "allow_forwardable")) {
544 	    if (*(argv[i]) == '+')
545 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
546 	    else if (*(argv[i]) == '-')
547 		policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
548 	    else
549 		goto err_usage;
550 
551 	    out_mask |= LDAP_POLICY_TKTFLAGS;
552 	} else if (!strcmp((argv[i] + 1), "allow_renewable")) {
553 	    if (*(argv[i]) == '+')
554 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
555 	    else if (*(argv[i]) == '-')
556 		policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
557 	    else
558 		goto err_usage;
559 
560 	    out_mask |= LDAP_POLICY_TKTFLAGS;
561 	} else if (!strcmp((argv[i] + 1), "allow_proxiable")) {
562 	    if (*(argv[i]) == '+')
563 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
564 	    else if (*(argv[i]) == '-')
565 		policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
566 	    else
567 		goto err_usage;
568 
569 	    out_mask |= LDAP_POLICY_TKTFLAGS;
570 	} else if (!strcmp((argv[i] + 1), "allow_dup_skey")) {
571 	    if (*(argv[i]) == '+')
572 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
573 	    else if (*(argv[i]) == '-')
574 		policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
575 	    else
576 		goto err_usage;
577 
578 	    out_mask |= LDAP_POLICY_TKTFLAGS;
579 	} else if (!strcmp((argv[i] + 1), "requires_preauth")) {
580 	    if (*(argv[i]) == '+')
581 		policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
582 	    else if (*(argv[i]) == '-')
583 		policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
584 	    else
585 		goto err_usage;
586 
587 	    out_mask |= LDAP_POLICY_TKTFLAGS;
588 	} else if (!strcmp((argv[i] + 1), "requires_hwauth")) {
589 	    if (*(argv[i]) == '+')
590 		policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
591 	    else if (*(argv[i]) == '-')
592 		policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
593 	    else
594 		goto err_usage;
595 
596 	    out_mask |= LDAP_POLICY_TKTFLAGS;
597 	} else if (!strcmp((argv[i] + 1), "allow_svr")) {
598 	    if (*(argv[i]) == '+')
599 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
600 	    else if (*(argv[i]) == '-')
601 		policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
602 	    else
603 		goto err_usage;
604 
605 	    out_mask |= LDAP_POLICY_TKTFLAGS;
606 	} else if (!strcmp((argv[i] + 1), "allow_tgs_req")) {
607 	    if (*(argv[i]) == '+')
608 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
609 	    else if (*(argv[i]) == '-')
610 		policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
611 	    else
612 		goto err_usage;
613 
614 	    out_mask |= LDAP_POLICY_TKTFLAGS;
615 	} else if (!strcmp((argv[i] + 1), "allow_tix")) {
616 	    if (*(argv[i]) == '+')
617 		policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
618 	    else if (*(argv[i]) == '-')
619 		policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
620 	    else
621 		goto err_usage;
622 
623 	    out_mask |= LDAP_POLICY_TKTFLAGS;
624 	} else if (!strcmp((argv[i] + 1), "needchange")) {
625 	    if (*(argv[i]) == '+')
626 		policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
627 	    else if (*(argv[i]) == '-')
628 		policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
629 	    else
630 		goto err_usage;
631 
632 	    out_mask |= LDAP_POLICY_TKTFLAGS;
633 	} else if (!strcmp((argv[i] + 1), "password_changing_service")) {
634 	    if (*(argv[i]) == '+')
635 		policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
636 	    else if (*(argv[i]) == '-')
637 		policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
638 	    else
639 		goto err_usage;
640 
641 	    out_mask |= LDAP_POLICY_TKTFLAGS;
642 	} else {
643 	    /* Any other argument must be policy DN
644 	       -- skip it */
645 	}
646     }
647 
648     /* Modify attributes of object */
649     if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask)))
650 	goto cleanup;
651 
652     goto cleanup;
653 
654 err_usage:
655     print_usage = TRUE;
656 
657 err_nomsg:
658     no_msg = TRUE;
659 
660 cleanup:
661     /* Clean-up structure */
662     krb5_ldap_free_policy (util_context, policyparams);
663 
664     if (policy)
665         free (policy);
666 
667     if (print_usage)
668 	db_usage(MODIFY_POLICY);
669 
670     if (retval) {
671 	if (!no_msg)
672 	    com_err(me, retval, gettext("while modifying policy object"));
673 
674 	exit_status++;
675     }
676 
677     return;
678 }
679 
680 
681 /*
682  * This function will display information about the given policy object,
683  * fetching the information from the LDAP Server.
684  */
685 void
686 kdb5_ldap_view_policy(argc, argv)
687     int argc;
688     char *argv[];
689 {
690     char *me = argv[0];
691     krb5_ldap_policy_params *policyparams = NULL;
692     krb5_error_code retval = 0;
693     krb5_boolean print_usage = FALSE;
694     char *policy = NULL;
695     unsigned int mask = 0;
696 
697     if (argc != 2) {
698 	goto err_usage;
699     }
700 
701     policy = strdup(argv[1]);
702     if (policy == NULL) {
703 	com_err(me, ENOMEM, gettext("while viewing policy"));
704 	exit_status++;
705 	goto cleanup;
706     }
707 
708     if ((retval = init_ldap_realm (argc, argv)))
709         goto cleanup;
710 
711     if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) {
712 	com_err(me, retval, gettext("while viewing policy '%s'"), policy);
713 	exit_status++;
714 	goto cleanup;
715     }
716 
717     print_policy_params (policyparams, mask);
718 
719     goto cleanup;
720 
721 err_usage:
722     print_usage = TRUE;
723 
724 cleanup:
725     krb5_ldap_free_policy (util_context, policyparams);
726 
727     if (policy)
728 	free (policy);
729 
730     if (print_usage) {
731 	db_usage(VIEW_POLICY);
732     }
733 
734     return;
735 }
736 
737 
738 /*
739  * This function will print the policy object information to the
740  * standard output.
741  */
742 static void
743 print_policy_params(policyparams, mask)
744     krb5_ldap_policy_params *policyparams;
745     int mask;
746 {
747     /* Print the policy DN */
748     printf("%25s: %s\n", gettext("Ticket policy"), policyparams->policy);
749 
750     /* Print max. ticket life and max. renewable life, if present */
751     if (mask & LDAP_POLICY_MAXTKTLIFE)
752 	printf("%25s: %s\n", gettext("Maximum ticket life"), strdur(policyparams->maxtktlife));
753     if (mask & LDAP_POLICY_MAXRENEWLIFE)
754 	printf("%25s: %s\n", gettext("Maximum renewable life"), strdur(policyparams->maxrenewlife));
755 
756     /* Service flags are printed */
757     printf("%25s: ", gettext("Ticket flags"));
758     if (mask & LDAP_POLICY_TKTFLAGS) {
759 	int ticketflags = policyparams->tktflags;
760 
761 	if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
762 	    printf("%s ","DISALLOW_POSTDATED");
763 
764 	if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
765 	    printf("%s ","DISALLOW_FORWARDABLE");
766 
767 	if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
768 	    printf("%s ","DISALLOW_RENEWABLE");
769 
770 	if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
771 	    printf("%s ","DISALLOW_PROXIABLE");
772 
773 	if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
774 	    printf("%s ","DISALLOW_DUP_SKEY");
775 
776 	if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
777 	    printf("%s ","REQUIRES_PRE_AUTH");
778 
779 	if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
780 	    printf("%s ","REQUIRES_HW_AUTH");
781 
782 	if (ticketflags & KRB5_KDB_DISALLOW_SVR)
783 	    printf("%s ","DISALLOW_SVR");
784 
785 	if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
786 	    printf("%s ","DISALLOW_TGT_BASED");
787 
788 	if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
789 	    printf("%s ","DISALLOW_ALL_TIX");
790 
791 	if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
792 	    printf("%s ","REQUIRES_PWCHANGE");
793 
794 	if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
795 	    printf("%s ","PWCHANGE_SERVICE");
796     }
797     printf("\n");
798 
799     return;
800 }
801 
802 
803 /*
804  * This function will list the DNs of policy objects under a specific
805  * sub-tree (entire tree by default)
806  */
807 void kdb5_ldap_list_policies(argc, argv)
808     int argc;
809     char *argv[];
810 {
811     char *me = argv[0];
812     krb5_error_code retval = 0;
813     krb5_boolean print_usage = FALSE;
814     char *basedn = NULL;
815     char **list = NULL;
816     char **plist = NULL;
817 
818     /* Check for number of arguments */
819     if ((argc != 1) && (argc != 3)) {
820 	goto err_usage;
821     }
822 
823     if ((retval = init_ldap_realm (argc, argv)))
824 	goto cleanup;
825 
826     retval = krb5_ldap_list_policy(util_context, basedn, &list);
827     if ((retval != 0) || (list == NULL))
828 	goto cleanup;
829 
830     for (plist = list; *plist != NULL; plist++) {
831 	printf("%s\n", *plist);
832     }
833 
834     goto cleanup;
835 
836 err_usage:
837     print_usage = TRUE;
838 
839 cleanup:
840     if (list != NULL) {
841 	krb5_free_list_entries (list);
842 	free (list);
843     }
844 
845     if (basedn)
846 	free (basedn);
847 
848     if (print_usage) {
849 	db_usage(LIST_POLICY);
850     }
851 
852     if (retval) {
853 	com_err(me, retval, gettext("while listing policy objects"));
854 	exit_status++;
855     }
856 
857     return;
858 }
859 
860 
861 /* Reproduced from kadmin.c, instead of linking
862    the entire kadmin.o */
863 static char *strdur(duration)
864     time_t duration;
865 {
866     static char out[50];
867     int neg, days, hours, minutes, seconds;
868 
869     if (duration < 0) {
870 	duration *= -1;
871 	neg = 1;
872     } else
873 	neg = 0;
874     days = duration / (24 * 3600);
875     duration %= 24 * 3600;
876     hours = duration / 3600;
877     duration %= 3600;
878     minutes = duration / 60;
879     duration %= 60;
880     seconds = duration;
881     snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
882 	    days, days == 1 ? gettext("day") : gettext("days"),
883 	    hours, minutes, seconds);
884     return out;
885 }
886