xref: /illumos-gate/usr/src/cmd/krb5/ldap_util/kdb5_ldap_realm.c (revision b31b5de1357c915fe7dab4d9646d9d84f9fe69bc)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * kadmin/ldap_util/kdb5_ldap_realm.c
8  *
9  * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology.
10  * All Rights Reserved.
11  *
12  * Export of this software from the United States of America may
13  *   require a specific license from the United States Government.
14  *   It is the responsibility of any person or organization contemplating
15  *   export to obtain such a license before exporting.
16  *
17  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18  * distribute this software and its documentation for any purpose and
19  * without fee is hereby granted, provided that the above copyright
20  * notice appear in all copies and that both that copyright notice and
21  * this permission notice appear in supporting documentation, and that
22  * the name of M.I.T. not be used in advertising or publicity pertaining
23  * to distribution of the software without specific, written prior
24  * permission.  Furthermore if you modify this software you must label
25  * your software as modified software and not distribute it in such a
26  * fashion that it might be confused with the original M.I.T. software.
27  * M.I.T. makes no representations about the suitability of
28  * this software for any purpose.  It is provided "as is" without express
29  * or implied warranty.
30  */
31 
32 /*
33  * Copyright (C) 1998 by the FundsXpress, INC.
34  *
35  * All rights reserved.
36  *
37  * Export of this software from the United States of America may require
38  * a specific license from the United States Government.  It is the
39  * responsibility of any person or organization contemplating export to
40  * obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of FundsXpress. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  FundsXpress makes no representations about the suitability of
50  * this software for any purpose.  It is provided "as is" without express
51  * or implied warranty.
52  *
53  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
54  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
55  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
56  */
57 
58 /* Copyright (c) 2004-2005, Novell, Inc.
59  * All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions are met:
63  *
64  *   * Redistributions of source code must retain the above copyright notice,
65  *       this list of conditions and the following disclaimer.
66  *   * Redistributions in binary form must reproduce the above copyright
67  *       notice, this list of conditions and the following disclaimer in the
68  *       documentation and/or other materials provided with the distribution.
69  *   * The copyright holder's name is not used to endorse or promote products
70  *       derived from this software without specific prior written permission.
71  *
72  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
73  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
74  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
75  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
76  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
77  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
78  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
79  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
80  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
81  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
82  * POSSIBILITY OF SUCH DAMAGE.
83  */
84 
85 /*
86  * Create / Modify / Destroy / View / List realm(s)
87  */
88 
89 /* Needed for getting the definition of KRB5_TL_DB_ARGS */
90 #define SECURID
91 
92 #include <stdio.h>
93 #include <k5-int.h>
94 #include <kadm5/admin.h>
95 #include <libintl.h>
96 #include <locale.h>
97 #include "kdb5_ldap_util.h"
98 #include "kdb5_ldap_list.h"
99 #include <ldap_principal.h>
100 #include <ldap_krbcontainer.h>
101 extern time_t get_date(char *); /* kadmin/cli/getdate.o */
102 
103 char *yes = "yes\n"; /* \n to compare against result of fgets */
104 krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
105 
106 struct realm_info rblock = {
107     KRB5_KDB_MAX_LIFE,
108     KRB5_KDB_MAX_RLIFE,
109     KRB5_KDB_EXPIRATION,
110     KRB5_KDB_DEF_FLAGS,
111     (krb5_keyblock *) NULL,
112     1,
113     &def_kslist
114 };
115 
116 krb5_data tgt_princ_entries[] = {
117     {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
118     {0, 0, 0} };
119 
120 krb5_data db_creator_entries[] = {
121     {0, sizeof("db_creation")-1, "db_creation"} };
122 
123 
124 static krb5_principal_data db_create_princ = {
125     0,					/* magic number */
126     {0, 0, 0},				/* krb5_data realm */
127     db_creator_entries,			/* krb5_data *data */
128     1,					/* int length */
129     KRB5_NT_SRV_INST			/* int type */
130 };
131 
132 extern char *mkey_password;
133 extern char *progname;
134 extern kadm5_config_params global_params;
135 
136 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask);
137 static int kdb_ldap_create_principal (krb5_context context, krb5_principal
138 				      princ, enum ap_op op, struct realm_info *pblock);
139 
140 
141 static char *strdur(time_t duration);
142 static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
143 static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ);
144 static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data);
145 
146 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
147 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
148 
149 static int get_ticket_policy(rparams,i,argv,argc)
150     krb5_ldap_realm_params *rparams;
151     int *i;
152     char *argv[];
153     int argc;
154 {
155     time_t date;
156     time_t now;
157     int mask = 0;
158     krb5_error_code retval = 0;
159     krb5_boolean no_msg = FALSE;
160 
161     krb5_boolean print_usage = FALSE;
162     /* Solaris Kerberos */
163     char *me = progname;
164 
165     time(&now);
166     if (!strcmp(argv[*i], "-maxtktlife")) {
167 	if (++(*i) > argc-1)
168 	    goto err_usage;
169 	date = get_date(argv[*i]);
170 	if (date == (time_t)(-1)) {
171 	    retval = EINVAL;
172 	    com_err (me, retval, gettext("while providing time specification"));
173 	    goto err_nomsg;
174 	}
175 	rparams->max_life = date-now;
176 	mask |= LDAP_REALM_MAXTICKETLIFE;
177     }
178 
179 
180     else if (!strcmp(argv[*i], "-maxrenewlife")) {
181 	if (++(*i) > argc-1)
182 	    goto err_usage;
183 
184 	date = get_date(argv[*i]);
185 	if (date == (time_t)(-1)) {
186 	    retval = EINVAL;
187 	    com_err (me, retval, gettext("while providing time specification"));
188 	    goto err_nomsg;
189 	}
190 	rparams->max_renewable_life = date-now;
191 	mask |= LDAP_REALM_MAXRENEWLIFE;
192     } else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
193 	if (*(argv[*i]) == '+')
194 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
195 	else if (*(argv[*i]) == '-')
196 	    rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
197 	else
198 	    goto err_usage;
199 
200 	mask |= LDAP_REALM_KRBTICKETFLAGS;
201     } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
202 	if (*(argv[*i]) == '+')
203 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
204 
205 	else if (*(argv[*i]) == '-')
206 	    rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
207 	else
208 	    goto err_usage;
209 
210 	mask |= LDAP_REALM_KRBTICKETFLAGS;
211     } else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
212 	if (*(argv[*i]) == '+')
213 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
214 	else if (*(argv[*i]) == '-')
215 	    rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
216 	else
217 	    goto err_usage;
218 
219 	mask |= LDAP_REALM_KRBTICKETFLAGS;
220     } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
221 	if (*(argv[*i]) == '+')
222 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
223 	else if (*(argv[*i]) == '-')
224 	    rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
225 	else
226 	    goto err_usage;
227 
228 	mask |= LDAP_REALM_KRBTICKETFLAGS;
229     } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
230 	if (*(argv[*i]) == '+')
231 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
232 	else if (*(argv[*i]) == '-')
233 	    rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
234 	else
235 	    goto err_usage;
236 
237 	mask |= LDAP_REALM_KRBTICKETFLAGS;
238     }
239 
240     else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
241 	if (*(argv[*i]) == '+')
242 	    rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
243 	else if (*(argv[*i]) == '-')
244 	    rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
245 	else
246 	    goto err_usage;
247 
248 	mask |= LDAP_REALM_KRBTICKETFLAGS;
249     } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
250 	if (*(argv[*i]) == '+')
251 	    rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
252 	else if (*(argv[*i]) == '-')
253 	    rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
254 	else
255 	    goto err_usage;
256 
257 	mask |= LDAP_REALM_KRBTICKETFLAGS;
258     } else if (!strcmp((argv[*i] + 1), "allow_svr")) {
259 	if (*(argv[*i]) == '+')
260 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
261 	else if (*(argv[*i]) == '-')
262 	    rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
263 	else
264 	    goto err_usage;
265 
266 	mask |= LDAP_REALM_KRBTICKETFLAGS;
267     } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
268 	if (*(argv[*i]) == '+')
269 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
270 	else if (*(argv[*i]) == '-')
271 	    rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
272 	else
273 	    goto err_usage;
274 
275 	mask |= LDAP_REALM_KRBTICKETFLAGS;
276     } else if (!strcmp((argv[*i] + 1), "allow_tix")) {
277 	if (*(argv[*i]) == '+')
278 	    rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
279 	else if (*(argv[*i]) == '-')
280 	    rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
281 	else
282 	    goto err_usage;
283 
284 	mask |= LDAP_REALM_KRBTICKETFLAGS;
285     } else if (!strcmp((argv[*i] + 1), "needchange")) {
286 	if (*(argv[*i]) == '+')
287 	    rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
288 	else if (*(argv[*i]) == '-')
289 	    rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
290 	else
291 	    goto err_usage;
292 
293 	mask |= LDAP_REALM_KRBTICKETFLAGS;
294     } else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
295 	if (*(argv[*i]) == '+')
296 	    rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
297 	else if (*(argv[*i]) == '-')
298 	    rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
299 	else
300 	    goto err_usage;
301 
302 	mask |=LDAP_REALM_KRBTICKETFLAGS;
303     }
304 err_usage:
305     print_usage = TRUE;
306 
307 err_nomsg:
308     no_msg = TRUE;
309 
310     return mask;
311 }
312 
313 /*
314  * This function will create a realm on the LDAP Server, with
315  * the specified attributes.
316  */
317 void kdb5_ldap_create(argc, argv)
318     int argc;
319     char *argv[];
320 {
321     krb5_error_code retval = 0;
322     krb5_keyblock master_keyblock;
323     krb5_ldap_realm_params *rparams = NULL;
324     krb5_principal master_princ = NULL;
325     kdb5_dal_handle *dal_handle = NULL;
326     krb5_ldap_context *ldap_context=NULL;
327     krb5_boolean realm_obj_created = FALSE;
328     krb5_boolean create_complete = FALSE;
329     krb5_boolean print_usage = FALSE;
330     krb5_boolean no_msg = FALSE;
331     char *oldcontainerref=NULL;
332     char pw_str[1024];
333     int do_stash = 0;
334     int i = 0;
335     int mask = 0, ret_mask = 0;
336     char **list = NULL;
337 #ifdef HAVE_EDIRECTORY
338     int rightsmask = 0;
339 #endif
340 
341     memset(&master_keyblock, 0, sizeof(master_keyblock));
342 
343     rparams = (krb5_ldap_realm_params *)malloc(
344 	sizeof(krb5_ldap_realm_params));
345     if (rparams == NULL) {
346 	retval = ENOMEM;
347 	goto cleanup;
348     }
349     memset(rparams, 0, sizeof(krb5_ldap_realm_params));
350 
351     /* Parse the arguments */
352     for (i = 1; i < argc; i++) {
353 	if (!strcmp(argv[i], "-subtrees")) {
354 	    if (++i > argc-1)
355 		goto err_usage;
356 
357 	    if(strncmp(argv[i], "", strlen(argv[i]))!=0) {
358 		list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
359 		if (list == NULL) {
360 		    retval = ENOMEM;
361 		    goto cleanup;
362 		}
363 		if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
364 		    free(list);
365 		    list = NULL;
366 		    goto cleanup;
367 		}
368 
369 		rparams->subtreecount=0;
370 		while(list[rparams->subtreecount]!=NULL)
371 		    (rparams->subtreecount)++;
372 		rparams->subtree = list;
373 	    } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
374 		 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
375 		 /* Solaris Kerberos */
376 		 com_err(progname, EINVAL,
377 			  gettext("for subtree while creating realm '%s'"),
378 			   global_params.realm);
379 		 goto err_nomsg;
380 	    }
381 	    rparams->subtree[rparams->subtreecount] = NULL;
382 	    mask |= LDAP_REALM_SUBTREE;
383 	} else if (!strcmp(argv[i], "-containerref")) {
384 	    if (++i > argc-1)
385 		goto err_usage;
386 	    if(strncmp(argv[i], "", strlen(argv[i]))==0) {
387 		 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
388 		 /* Solaris Kerberos */
389 		 com_err(progname, EINVAL,
390 			  gettext("for container reference while creating realm '%s'"),
391 			   global_params.realm);
392 		 goto err_nomsg;
393 	    }
394 	    rparams->containerref = strdup(argv[i]);
395 	    if (rparams->containerref == NULL) {
396 		retval = ENOMEM;
397 		goto cleanup;
398 	    }
399 	    mask |= LDAP_REALM_CONTREF;
400 	} else if (!strcmp(argv[i], "-sscope")) {
401 	    if (++i > argc-1)
402 		goto err_usage;
403 	    /* Possible values for search scope are
404 	     * one (or 1) and sub (or 2)
405 	     */
406 	    if (!strcasecmp(argv[i], "one")) {
407 		rparams->search_scope = 1;
408 	    } else if (!strcasecmp(argv[i], "sub")) {
409 		rparams->search_scope = 2;
410 	    } else {
411 		rparams->search_scope = atoi(argv[i]);
412 		if ((rparams->search_scope != 1) &&
413 		    (rparams->search_scope != 2)) {
414 		    /* Solaris Kerberos */
415 		    com_err(progname, EINVAL,
416 			    gettext("invalid search scope while creating realm '%s'"),
417 			    global_params.realm);
418 		    goto err_nomsg;
419 		}
420 	    }
421 	    mask |= LDAP_REALM_SEARCHSCOPE;
422 	}
423 #ifdef HAVE_EDIRECTORY
424 	else if (!strcmp(argv[i], "-kdcdn")) {
425 	    if (++i > argc-1)
426 		goto err_usage;
427 	    rparams->kdcservers = (char **)malloc(
428 		sizeof(char *) * MAX_LIST_ENTRIES);
429 	    if (rparams->kdcservers == NULL) {
430 		retval = ENOMEM;
431 		goto cleanup;
432 	    }
433 	    memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
434 	    if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
435 					  rparams->kdcservers))) {
436 		goto cleanup;
437 	    }
438 	    mask |= LDAP_REALM_KDCSERVERS;
439 	} else if (!strcmp(argv[i], "-admindn")) {
440 	    if (++i > argc-1)
441 		goto err_usage;
442 	    rparams->adminservers = (char **)malloc(
443 		sizeof(char *) * MAX_LIST_ENTRIES);
444 	    if (rparams->adminservers == NULL) {
445 		retval = ENOMEM;
446 		goto cleanup;
447 	    }
448 	    memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
449 	    if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
450 					  rparams->adminservers))) {
451 		goto cleanup;
452 	    }
453 	    mask |= LDAP_REALM_ADMINSERVERS;
454 	} else if (!strcmp(argv[i], "-pwddn")) {
455 	    if (++i > argc-1)
456 		goto err_usage;
457 	    rparams->passwdservers = (char **)malloc(
458 		sizeof(char *) * MAX_LIST_ENTRIES);
459 	    if (rparams->passwdservers == NULL) {
460 		retval = ENOMEM;
461 		goto cleanup;
462 	    }
463 	    memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
464 	    if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
465 					  rparams->passwdservers))) {
466 		goto cleanup;
467 	    }
468 	    mask |= LDAP_REALM_PASSWDSERVERS;
469 	}
470 #endif
471 	else if (!strcmp(argv[i], "-s")) {
472 	    do_stash = 1;
473 	} else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
474 	    mask|=ret_mask;
475 	}
476 
477 	else {
478 	    printf(gettext("'%s' is an invalid option\n"), argv[i]);
479 	    goto err_usage;
480 	}
481     }
482 
483     /* If the default enctype/salttype is not provided, use the
484      * default values and also add to the list of supported
485      * enctypes/salttype
486      */
487 
488     rblock.max_life = global_params.max_life;
489     rblock.max_rlife = global_params.max_rlife;
490     rblock.expiration = global_params.expiration;
491     rblock.flags = global_params.flags;
492     rblock.nkslist = global_params.num_keysalts;
493     rblock.kslist = global_params.keysalts;
494 
495     krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm);
496     krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm));
497 
498     printf(gettext("Initializing database for realm '%s'\n"), global_params.realm);
499 
500     if (!mkey_password) {
501 	unsigned int pw_size;
502 	printf(gettext("You will be prompted for the database Master Password.\n"));
503 	printf(gettext("It is important that you NOT FORGET this password.\n"));
504 	fflush(stdout);
505 
506 	pw_size = sizeof (pw_str);
507 	memset(pw_str, 0, pw_size);
508 
509 	retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
510 				    pw_str, &pw_size);
511 	if (retval) {
512 	    /* Solaris Kerberos */
513 	    com_err(progname, retval, gettext("while reading master key from keyboard"));
514 	    goto err_nomsg;
515 	}
516 	mkey_password = pw_str;
517     }
518 
519     rparams->mkey.enctype = global_params.enctype;
520     /* We are sure that 'mkey_password' is a regular string ... */
521     rparams->mkey.length = strlen(mkey_password) + 1;
522     rparams->mkey.contents = (krb5_octet *)strdup(mkey_password);
523     if (rparams->mkey.contents == NULL) {
524 	retval = ENOMEM;
525 	goto cleanup;
526     }
527 
528     rparams->realm_name = strdup(global_params.realm);
529     if (rparams->realm_name == NULL) {
530 	retval = ENOMEM;
531 	/* Solaris Kerberos */
532 	com_err(progname, ENOMEM, gettext("while creating realm '%s'"),
533 		global_params.realm);
534 	goto err_nomsg;
535     }
536 
537     dal_handle = (kdb5_dal_handle *) util_context->db_context;
538     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
539     if (!ldap_context) {
540 	retval = EINVAL;
541 	goto cleanup;
542     }
543 
544     /* read the kerberos container */
545     if ((retval=krb5_ldap_read_krbcontainer_params (util_context,
546 						    &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
547 	/* Prompt the user for entering the DN of Kerberos container */
548 	char krb_location[MAX_KRB_CONTAINER_LEN];
549 	krb5_ldap_krbcontainer_params kparams;
550 	int krb_location_len = 0;
551 	memset(&kparams, 0, sizeof(kparams));
552 
553 	/* Read the kerberos container location from configuration file */
554 	if (ldap_context->conf_section) {
555 	    if ((retval=profile_get_string(util_context->profile,
556 					   KDB_MODULE_SECTION, ldap_context->conf_section,
557 					   "ldap_kerberos_container_dn", NULL,
558 					   &kparams.DN)) != 0) {
559 		goto cleanup;
560 	    }
561 	}
562 	if (kparams.DN == NULL) {
563 	    if ((retval=profile_get_string(util_context->profile,
564 					   KDB_MODULE_DEF_SECTION,
565 					   "ldap_kerberos_container_dn", NULL,
566 					   NULL, &kparams.DN)) != 0) {
567 		goto cleanup;
568 	    }
569 	}
570 
571 	printf(gettext("\nKerberos container is missing. Creating now...\n"));
572 	if (kparams.DN == NULL) {
573 #ifdef HAVE_EDIRECTORY
574 	    printf(gettext("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "));
575 #else
576 	    printf(gettext("Enter DN of Kerberos container: "));
577 #endif
578 	    if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
579 		/* Remove the newline character at the end */
580 		krb_location_len = strlen(krb_location);
581 		if ((krb_location[krb_location_len - 1] == '\n') ||
582 		    (krb_location[krb_location_len - 1] == '\r')) {
583 		    krb_location[krb_location_len - 1] = '\0';
584 		    krb_location_len--;
585 		}
586 		/* If the user has not given any input, take the default location */
587 		else if (krb_location[0] == '\0')
588 		    kparams.DN = NULL;
589 		else
590 		    kparams.DN = krb_location;
591 	    } else
592 		kparams.DN = NULL;
593 	}
594 
595 	/* create the kerberos container */
596 	retval = krb5_ldap_create_krbcontainer(util_context,
597 					       ((kparams.DN != NULL) ? &kparams : NULL));
598 	if (retval)
599 	    goto cleanup;
600 
601 	retval = krb5_ldap_read_krbcontainer_params(util_context,
602 						    &(ldap_context->krbcontainer));
603 	if (retval) {
604 	    /* Solaris Kerberos */
605 	    com_err(progname, retval, gettext("while reading kerberos container information"));
606 	    goto cleanup;
607 	}
608     } else if (retval) {
609 	/* Solaris Kerberos */
610 	com_err(progname, retval, gettext("while reading kerberos container information"));
611 	goto cleanup;
612     }
613 
614     if ((retval = krb5_ldap_create_realm(util_context,
615 					 /* global_params.realm, */ rparams, mask))) {
616 	goto cleanup;
617     }
618 
619     /* We just created the Realm container. Here starts our transaction tracking */
620     realm_obj_created = TRUE;
621 
622     if ((retval = krb5_ldap_read_realm_params(util_context,
623 					      global_params.realm,
624 					      &(ldap_context->lrparams),
625 					      &mask))) {
626 	/* Solaris Kerberos */
627 	com_err(progname, retval, gettext("while reading information of realm '%s'"),
628 		global_params.realm);
629 	goto err_nomsg;
630     }
631     ldap_context->lrparams->realm_name = strdup(global_params.realm);
632     if (ldap_context->lrparams->realm_name == NULL) {
633 	retval = ENOMEM;
634 	goto cleanup;
635     }
636 
637     /* assemble & parse the master key name */
638     if ((retval = krb5_db_setup_mkey_name(util_context,
639 					  global_params.mkey_name,
640 					  global_params.realm,
641 					  0, &master_princ))) {
642 	/* Solaris Kerberos */
643 	com_err(progname, retval, gettext("while setting up master key name"));
644 	goto err_nomsg;
645     }
646 
647     /* Obtain master key from master password */
648     {
649 	krb5_data master_salt, pwd;
650 
651 	pwd.data = mkey_password;
652 	pwd.length = strlen(mkey_password);
653 	retval = krb5_principal2salt(util_context, master_princ, &master_salt);
654 	if (retval) {
655 	    /* Solaris Kerberos */
656 	    com_err(progname, retval, gettext("while calculating master key salt"));
657 	    goto err_nomsg;
658 	}
659 
660 	retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
661 				      &pwd, &master_salt, &master_keyblock);
662 
663 	if (master_salt.data)
664 	    free(master_salt.data);
665 
666 	if (retval) {
667 	    /* Solaris Kerberos */
668 	    com_err(progname, retval, gettext("while transforming master key from password"));
669 	    goto err_nomsg;
670 	}
671 
672     }
673 
674     rblock.key = &master_keyblock;
675     ldap_context->lrparams->mkey = master_keyblock;
676     ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc
677 	(master_keyblock.length);
678     if (ldap_context->lrparams->mkey.contents == NULL) {
679 	retval = ENOMEM;
680 	goto cleanup;
681     }
682     memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents,
683 	    master_keyblock.length);
684 
685     /* Create special principals inside the realm subtree */
686     {
687 	char princ_name[MAX_PRINC_SIZE];
688 	krb5_principal_data tgt_princ = {
689 	    0,					/* magic number */
690 	    {0, 0, 0},				/* krb5_data realm */
691 	    tgt_princ_entries,			/* krb5_data *data */
692 	    2,					/* int length */
693 	    KRB5_NT_SRV_INST			/* int type */
694 	};
695 	krb5_principal p, temp_p=NULL;
696 
697 	krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
698 	krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
699 	krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
700 	krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
701 	/* The container reference value is set to NULL, to avoid service principals
702 	 * getting created within the container reference at realm creation */
703 	if (ldap_context->lrparams->containerref != NULL) {
704 	    oldcontainerref = ldap_context->lrparams->containerref;
705 	    ldap_context->lrparams->containerref = NULL;
706 	}
707 
708 	/* Create 'K/M' ... */
709 	rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
710 	if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
711 	    /* Solaris Kerberos */
712 	    com_err(progname, retval, gettext("while adding entries to the database"));
713 	    goto err_nomsg;
714 	}
715 
716 	/* Create 'krbtgt' ... */
717 	rblock.flags = 0; /* reset the flags */
718 	if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
719 	    /* Solaris Kerberos */
720 	    com_err(progname, retval, gettext("while adding entries to the database"));
721 	    goto err_nomsg;
722 	}
723 	/*
724 	 * Solaris Kerberos:
725 	 * The kadmin/admin principal is unused on Solaris. This principal is used
726 	 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
727 	 * be used with host-based principals.
728 	 *
729 	 */
730 #if 0 /* ************ Begin IFDEF'ed OUT ***************************** */
731 	/* Create 'kadmin/admin' ... */
732 	snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm);
733 	if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
734 	    /* Solaris Kerberos */
735 	    com_err(progname, retval, gettext("while adding entries to the database"));
736 	    goto err_nomsg;
737 	}
738 	rblock.max_life = ADMIN_LIFETIME;
739 	rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
740 	if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
741 	    krb5_free_principal(util_context, p);
742 	    /* Solaris Kerberos */
743 	    com_err(progname, retval, gettext("while adding entries to the database"));
744 	    goto err_nomsg;
745 	}
746 	krb5_free_principal(util_context, p);
747 #endif /* ************** END IFDEF'ed OUT ***************************** */
748 
749 	/* Create 'kadmin/changepw' ... */
750 	snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm);
751 	if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
752 	    /* Solaris Kerberos */
753 	    com_err(progname, retval, gettext("while adding entries to the database"));
754 	    goto err_nomsg;
755 	}
756 	rblock.max_life = CHANGEPW_LIFETIME;
757 	rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
758 	if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
759 	    krb5_free_principal(util_context, p);
760 	    /* Solaris Kerberos */
761 	    com_err(progname, retval, gettext("while adding entries to the database"));
762 	    goto err_nomsg;
763 	}
764 	krb5_free_principal(util_context, p);
765 
766 	/* Create 'kadmin/history' ... */
767 	snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm);
768 	if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
769 	    /* Solaris Kerberos */
770 	    com_err(progname, retval, gettext("while adding entries to the database"));
771 	    goto err_nomsg;
772 	}
773 	rblock.max_life = global_params.max_life;
774 	rblock.flags = 0;
775 	if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
776 	    krb5_free_principal(util_context, p);
777 	    /* Solaris Kerberos */
778 	    com_err(progname, retval, gettext("while adding entries to the database"));
779 	    goto err_nomsg;
780 	}
781 	krb5_free_principal(util_context, p);
782 
783 	/* Create 'kadmin/<hostname>' ... */
784 	if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_ADMIN_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
785 	    /* Solaris Kerberos */
786 	    com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
787 	    goto err_nomsg;
788 	}
789 
790 	if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
791 	    /* Solaris Kerberos */
792 	    com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
793 	    goto err_nomsg;
794 	}
795 
796 	/* change the realm portion to the default realm */
797 	free(temp_p->realm.data);
798 	temp_p->realm.length = strlen(util_context->default_realm);
799 	temp_p->realm.data = strdup(util_context->default_realm);
800 	if (temp_p->realm.data == NULL) {
801 	    /* Solaris Kerberos */
802 	    com_err(progname, ENOMEM, gettext("while adding entries to the database"));
803 	    goto err_nomsg;
804 	}
805 
806 	rblock.max_life = ADMIN_LIFETIME;
807 	rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
808 	if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
809 	    krb5_free_principal(util_context, p);
810 	    /* Solaris Kerberos */
811 	    com_err(progname, retval, gettext("while adding entries to the database"));
812 	    goto err_nomsg;
813 	}
814 	krb5_free_principal(util_context, temp_p);
815 	krb5_free_principal(util_context, p);
816 
817 	/* Solaris Kerberos: Create 'changepw/<hostname>' ... */
818 	if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_CHANGEPW_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
819 	    /* Solaris Kerberos */
820 	    com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
821 	    goto err_nomsg;
822 	}
823 
824 	if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
825 	    /* Solaris Kerberos */
826 	    com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
827 	    goto err_nomsg;
828 	}
829 
830 	/* change the realm portion to the default realm */
831 	free(temp_p->realm.data);
832 	temp_p->realm.length = strlen(util_context->default_realm);
833 	temp_p->realm.data = strdup(util_context->default_realm);
834 	if (temp_p->realm.data == NULL) {
835 	    /* Solaris Kerberos */
836 	    com_err(progname, ENOMEM, gettext("while adding entries to the database"));
837 	    goto err_nomsg;
838 	}
839 
840 	rblock.max_life = ADMIN_LIFETIME;
841 	rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
842 	if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
843 	    krb5_free_principal(util_context, p);
844 	    /* Solaris Kerberos */
845 	    com_err(progname, retval, gettext("while adding entries to the database"));
846 	    goto err_nomsg;
847 	}
848 	krb5_free_principal(util_context, temp_p);
849 	krb5_free_principal(util_context, p);
850 
851 	if (oldcontainerref != NULL) {
852 	    ldap_context->lrparams->containerref = oldcontainerref;
853 	    oldcontainerref=NULL;
854 	}
855     }
856 
857 #ifdef HAVE_EDIRECTORY
858     if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
859 	(mask & LDAP_REALM_PASSWDSERVERS)) {
860 
861 	printf(gettext("Changing rights for the service object. Please wait ... "));
862 	fflush(stdout);
863 
864 	rightsmask =0;
865 	rightsmask |= LDAP_REALM_RIGHTS;
866 	rightsmask |= LDAP_SUBTREE_RIGHTS;
867 	if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
868 	    for (i=0; (rparams->kdcservers[i] != NULL); i++) {
869 		if ((retval=krb5_ldap_add_service_rights(util_context,
870 							 LDAP_KDC_SERVICE, rparams->kdcservers[i],
871 							 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
872 		    printf(gettext("failed\n"));
873 		    /* Solaris Kerberos */
874 		    com_err(progname, retval, gettext("while assigning rights to '%s'"),
875 			    rparams->realm_name);
876 		    goto err_nomsg;
877 		}
878 	    }
879 	}
880 
881 	rightsmask = 0;
882 	rightsmask |= LDAP_REALM_RIGHTS;
883 	rightsmask |= LDAP_SUBTREE_RIGHTS;
884 	if ((rparams != NULL) && (rparams->adminservers != NULL)) {
885 	    for (i=0; (rparams->adminservers[i] != NULL); i++) {
886 		if ((retval=krb5_ldap_add_service_rights(util_context,
887 							 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
888 							 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
889 		    printf(gettext("failed\n"));
890 		    /* Solaris Kerberos */
891 		    com_err(progname, retval, gettext("while assigning rights to '%s'"),
892 			    rparams->realm_name);
893 		    goto err_nomsg;
894 		}
895 	    }
896 	}
897 
898 	rightsmask = 0;
899 	rightsmask |= LDAP_REALM_RIGHTS;
900 	rightsmask |= LDAP_SUBTREE_RIGHTS;
901 	if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
902 	    for (i=0; (rparams->passwdservers[i] != NULL); i++) {
903 		if ((retval=krb5_ldap_add_service_rights(util_context,
904 							 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
905 							 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
906 		    printf(gettext("failed\n"));
907 		    /* Solaris Kerberos */
908 		    com_err(progname, retval, gettext("while assigning rights to '%s'"),
909 			    rparams->realm_name);
910 		    goto err_nomsg;
911 		}
912 	    }
913 	}
914 
915 	printf(gettext("done\n"));
916     }
917 #endif
918     /* The Realm creation is completed. Here is the end of transaction */
919     create_complete = TRUE;
920 
921     /* Stash the master key only if '-s' option is specified */
922     if (do_stash || global_params.mask & KADM5_CONFIG_STASH_FILE) {
923 	retval = krb5_def_store_mkey(util_context,
924 				     global_params.stash_file,
925 				     master_princ,
926 				     &master_keyblock, NULL);
927 	if (retval) {
928 	    /* Solaris Kerberos */
929 	    com_err(progname, errno, gettext("while storing key"));
930 	    printf(gettext("Warning: couldn't stash master key.\n"));
931 	}
932     }
933 
934     goto cleanup;
935 
936 
937 err_usage:
938     print_usage = TRUE;
939 
940 err_nomsg:
941     no_msg = TRUE;
942 
943 cleanup:
944     /* If the Realm creation is not complete, do the roll-back here */
945     if ((realm_obj_created) && (!create_complete))
946 	krb5_ldap_delete_realm(util_context, global_params.realm);
947 
948     if (rparams)
949 	krb5_ldap_free_realm_params(rparams);
950 
951     memset (pw_str, 0, sizeof (pw_str));
952 
953     if (print_usage)
954 	db_usage(CREATE_REALM);
955 
956     if (retval) {
957 	if (!no_msg) {
958 	    /* Solaris Kerberos */
959 	    com_err(progname, retval, gettext("while creating realm '%s'"),
960 		    global_params.realm);
961 	}
962 	exit_status++;
963     }
964 
965     return;
966 }
967 
968 
969 /*
970  * This function will modify the attributes of a given realm object
971  */
972 void kdb5_ldap_modify(argc, argv)
973     int argc;
974     char *argv[];
975 {
976     krb5_error_code retval = 0;
977     krb5_ldap_realm_params *rparams = NULL;
978     krb5_boolean print_usage = FALSE;
979     krb5_boolean no_msg = FALSE;
980     kdb5_dal_handle *dal_handle = NULL;
981     krb5_ldap_context *ldap_context=NULL;
982     int i = 0;
983     int mask = 0, rmask = 0, ret_mask = 0;
984     char **slist = {NULL};
985 #ifdef HAVE_EDIRECTORY
986     int j = 0;
987     char *list[MAX_LIST_ENTRIES];
988     int existing_entries = 0, list_entries = 0;
989     int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
990     char **tempstr = NULL;
991     char **oldkdcdns = NULL;
992     char **oldadmindns = NULL;
993     char **oldpwddns = NULL;
994     char **newkdcdns = NULL;
995     char **newsubtrees = NULL;
996     char **newadmindns = NULL;
997     char **newpwddns = NULL;
998     char **oldsubtrees = {NULL};
999     int rightsmask = 0;
1000     int subtree_changed = 0;
1001 #endif
1002 
1003     dal_handle = (kdb5_dal_handle *) util_context->db_context;
1004     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1005     if (!(ldap_context)) {
1006 	retval = EINVAL;
1007 	goto cleanup;
1008     }
1009 
1010     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1011 						     &(ldap_context->krbcontainer)))) {
1012 	/* Solaris Kerberos */
1013 	com_err(progname, retval, gettext("while reading Kerberos container information"));
1014 	goto err_nomsg;
1015     }
1016 
1017     retval = krb5_ldap_read_realm_params(util_context,
1018 					 global_params.realm, &rparams, &rmask);
1019     if (retval)
1020 	goto cleanup;
1021     /* Parse the arguments */
1022     for (i = 1; i < argc; i++) {
1023 	int k = 0;
1024 	if (!strcmp(argv[i], "-subtrees")) {
1025 	    if (++i > argc-1)
1026 		goto err_usage;
1027 
1028 	    if (rmask & LDAP_REALM_SUBTREE) {
1029 		if (rparams->subtree) {
1030 #ifdef HAVE_EDIRECTORY
1031 		    oldsubtrees =  (char **) calloc(rparams->subtreecount+1, sizeof(char *));
1032 		    if (oldsubtrees == NULL) {
1033 			retval = ENOMEM;
1034 			goto cleanup;
1035 		    }
1036 		    for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
1037 			oldsubtrees[k] = strdup(rparams->subtree[k]);
1038 			if( oldsubtrees[k] == NULL ) {
1039 			    retval = ENOMEM;
1040 			    goto cleanup;
1041 			}
1042 		    }
1043 #endif
1044 		    for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
1045 			free(rparams->subtree[k]);
1046 		    rparams->subtreecount=0;
1047 		}
1048 	    }
1049 	    if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) {
1050 		slist =  (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
1051 		if (slist == NULL) {
1052 		    retval = ENOMEM;
1053 		    goto cleanup;
1054 		}
1055 		if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
1056 		    free(slist);
1057 		    slist = NULL;
1058 		    goto cleanup;
1059 		}
1060 
1061 		rparams->subtreecount=0;
1062 		while(slist[rparams->subtreecount]!=NULL)
1063 		    (rparams->subtreecount)++;
1064 		rparams->subtree =  slist;
1065 	    } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1066 		 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
1067 		    /* Solaris Kerberos */
1068 		    com_err(progname, EINVAL,
1069 			    gettext("for subtree while modifying realm '%s'"),
1070 			    global_params.realm);
1071 		    goto err_nomsg;
1072 	    }
1073 	    rparams->subtree[rparams->subtreecount] = NULL;
1074 	    mask |= LDAP_REALM_SUBTREE;
1075 	} else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
1076 	    if (++i > argc-1)
1077 		goto err_usage;
1078 	    if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1079 		 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
1080 		 /* Solaris Kerberos */
1081 		 com_err(progname, EINVAL,
1082 			  gettext("for container reference while modifying realm '%s'"),
1083 			   global_params.realm);
1084 		 goto err_nomsg;
1085 	    }
1086 	    rparams->containerref = strdup(argv[i]);
1087 	    if (rparams->containerref == NULL) {
1088 		retval = ENOMEM;
1089 		goto cleanup;
1090 	    }
1091 	    mask |= LDAP_REALM_CONTREF;
1092 	} else if (!strcmp(argv[i], "-sscope")) {
1093 	    if (++i > argc-1)
1094 		goto err_usage;
1095 	    /* Possible values for search scope are
1096 	     * one (or 1) and sub (or 2)
1097 	     */
1098 	    if (strcasecmp(argv[i], "one") == 0) {
1099 		rparams->search_scope = 1;
1100 	    } else if (strcasecmp(argv[i], "sub") == 0) {
1101 		rparams->search_scope = 2;
1102 	    } else {
1103 		rparams->search_scope = atoi(argv[i]);
1104 		if ((rparams->search_scope != 1) &&
1105 		    (rparams->search_scope != 2)) {
1106 		    retval = EINVAL;
1107 		    /* Solaris Kerberos */
1108 		    com_err(progname, retval,
1109 			    gettext("specified for search scope while modifying information of realm '%s'"),
1110 			    global_params.realm);
1111 		    goto err_nomsg;
1112 		}
1113 	    }
1114 	    mask |= LDAP_REALM_SEARCHSCOPE;
1115 	}
1116 #ifdef HAVE_EDIRECTORY
1117 	else if (!strcmp(argv[i], "-kdcdn")) {
1118 	    if (++i > argc-1)
1119 		goto err_usage;
1120 
1121 	    if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1122 		if (!oldkdcdns) {
1123 		    /* Store the old kdc dns list for removing rights */
1124 		    oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1125 		    if (oldkdcdns == NULL) {
1126 			retval = ENOMEM;
1127 			goto cleanup;
1128 		    }
1129 
1130 		    for (j=0; rparams->kdcservers[j] != NULL; j++) {
1131 			oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1132 			if (oldkdcdns[j] == NULL) {
1133 			    retval = ENOMEM;
1134 			    goto cleanup;
1135 			}
1136 		    }
1137 		    oldkdcdns[j] = NULL;
1138 		}
1139 
1140 		krb5_free_list_entries(rparams->kdcservers);
1141 		free(rparams->kdcservers);
1142 	    }
1143 
1144 	    rparams->kdcservers = (char **)malloc(
1145 		sizeof(char *) * MAX_LIST_ENTRIES);
1146 	    if (rparams->kdcservers == NULL) {
1147 		retval = ENOMEM;
1148 		goto cleanup;
1149 	    }
1150 	    memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1151 	    if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1152 					  rparams->kdcservers))) {
1153 		goto cleanup;
1154 	    }
1155 	    mask |= LDAP_REALM_KDCSERVERS;
1156 	    /* Going to replace the existing value by this new value. Hence
1157 	     * setting flag indicating that add or clear options will be ignored
1158 	     */
1159 	    newkdcdn = 1;
1160 	} else if (!strcmp(argv[i], "-clearkdcdn")) {
1161 	    if (++i > argc-1)
1162 		goto err_usage;
1163 	    if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1164 		if (!oldkdcdns) {
1165 		    /* Store the old kdc dns list for removing rights */
1166 		    oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1167 		    if (oldkdcdns == NULL) {
1168 			retval = ENOMEM;
1169 			goto cleanup;
1170 		    }
1171 
1172 		    for (j=0; rparams->kdcservers[j] != NULL; j++) {
1173 			oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1174 			if (oldkdcdns[j] == NULL) {
1175 			    retval = ENOMEM;
1176 			    goto cleanup;
1177 			}
1178 		    }
1179 		    oldkdcdns[j] = NULL;
1180 		}
1181 
1182 		memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1183 		if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1184 		    goto cleanup;
1185 		}
1186 		list_modify_str_array(&rparams->kdcservers, (const char **)list,
1187 				      LIST_MODE_DELETE);
1188 		mask |= LDAP_REALM_KDCSERVERS;
1189 		krb5_free_list_entries(list);
1190 	    }
1191 	} else if (!strcmp(argv[i], "-addkdcdn")) {
1192 	    if (++i > argc-1)
1193 		goto err_usage;
1194 	    if (!newkdcdn) {
1195 		if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
1196 		    /* Store the old kdc dns list for removing rights */
1197 		    oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1198 		    if (oldkdcdns == NULL) {
1199 			retval = ENOMEM;
1200 			goto cleanup;
1201 		    }
1202 
1203 		    for (j = 0; rparams->kdcservers[j] != NULL; j++) {
1204 			oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1205 			if (oldkdcdns[j] == NULL) {
1206 			    retval = ENOMEM;
1207 			    goto cleanup;
1208 			}
1209 		    }
1210 		    oldkdcdns[j] = NULL;
1211 		}
1212 
1213 		memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1214 		if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1215 		    goto cleanup;
1216 		}
1217 		existing_entries = list_count_str_array(rparams->kdcservers);
1218 		list_entries = list_count_str_array(list);
1219 		if (rmask & LDAP_REALM_KDCSERVERS) {
1220 		    tempstr = (char **)realloc(
1221 			rparams->kdcservers,
1222 			sizeof(char *) * (existing_entries+list_entries+1));
1223 		    if (tempstr == NULL) {
1224 			retval = ENOMEM;
1225 			goto cleanup;
1226 		    }
1227 		    rparams->kdcservers = tempstr;
1228 		} else {
1229 		    rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1230 		    if (rparams->kdcservers == NULL) {
1231 			retval = ENOMEM;
1232 			goto cleanup;
1233 		    }
1234 		    memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
1235 		}
1236 		list_modify_str_array(&rparams->kdcservers, (const char **)list,
1237 				      LIST_MODE_ADD);
1238 		mask |= LDAP_REALM_KDCSERVERS;
1239 	    }
1240 	} else if (!strcmp(argv[i], "-admindn")) {
1241 	    if (++i > argc-1)
1242 		goto err_usage;
1243 
1244 	    if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1245 		if (!oldadmindns) {
1246 		    /* Store the old admin dns list for removing rights */
1247 		    oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1248 		    if (oldadmindns == NULL) {
1249 			retval = ENOMEM;
1250 			goto cleanup;
1251 		    }
1252 
1253 		    for (j=0; rparams->adminservers[j] != NULL; j++) {
1254 			oldadmindns[j] = strdup(rparams->adminservers[j]);
1255 			if (oldadmindns[j] == NULL) {
1256 			    retval = ENOMEM;
1257 			    goto cleanup;
1258 			}
1259 		    }
1260 		    oldadmindns[j] = NULL;
1261 		}
1262 
1263 		krb5_free_list_entries(rparams->adminservers);
1264 		free(rparams->adminservers);
1265 	    }
1266 
1267 	    rparams->adminservers = (char **)malloc(
1268 		sizeof(char *) * MAX_LIST_ENTRIES);
1269 	    if (rparams->adminservers == NULL) {
1270 		retval = ENOMEM;
1271 		goto cleanup;
1272 	    }
1273 	    memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1274 	    if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1275 					  rparams->adminservers))) {
1276 		goto cleanup;
1277 	    }
1278 	    mask |= LDAP_REALM_ADMINSERVERS;
1279 	    /* Going to replace the existing value by this new value. Hence
1280 	     * setting flag indicating that add or clear options will be ignored
1281 	     */
1282 	    newadmindn = 1;
1283 	} else if (!strcmp(argv[i], "-clearadmindn")) {
1284 	    if (++i > argc-1)
1285 		goto err_usage;
1286 
1287 	    if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1288 		if (!oldadmindns) {
1289 		    /* Store the old admin dns list for removing rights */
1290 		    oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1291 		    if (oldadmindns == NULL) {
1292 			retval = ENOMEM;
1293 			goto cleanup;
1294 		    }
1295 
1296 		    for (j=0; rparams->adminservers[j] != NULL; j++) {
1297 			oldadmindns[j] = strdup(rparams->adminservers[j]);
1298 			if (oldadmindns[j] == NULL) {
1299 			    retval = ENOMEM;
1300 			    goto cleanup;
1301 			}
1302 		    }
1303 		    oldadmindns[j] = NULL;
1304 		}
1305 
1306 		memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1307 		if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1308 		    goto cleanup;
1309 		}
1310 		list_modify_str_array(&rparams->adminservers, (const char **)list,
1311 				      LIST_MODE_DELETE);
1312 		mask |= LDAP_REALM_ADMINSERVERS;
1313 		krb5_free_list_entries(list);
1314 	    }
1315 	} else if (!strcmp(argv[i], "-addadmindn")) {
1316 	    if (++i > argc-1)
1317 		goto err_usage;
1318 	    if (!newadmindn) {
1319 		if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
1320 		    /* Store the old admin dns list for removing rights */
1321 		    oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1322 		    if (oldadmindns == NULL) {
1323 			retval = ENOMEM;
1324 			goto cleanup;
1325 		    }
1326 
1327 		    for (j=0; rparams->adminservers[j] != NULL; j++) {
1328 			oldadmindns[j] = strdup(rparams->adminservers[j]);
1329 			if (oldadmindns[j] == NULL) {
1330 			    retval = ENOMEM;
1331 			    goto cleanup;
1332 			}
1333 		    }
1334 		    oldadmindns[j] = NULL;
1335 		}
1336 
1337 		memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1338 		if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1339 		    goto cleanup;
1340 		}
1341 		existing_entries = list_count_str_array(rparams->adminservers);
1342 		list_entries = list_count_str_array(list);
1343 		if (rmask & LDAP_REALM_ADMINSERVERS) {
1344 		    tempstr = (char **)realloc(
1345 			rparams->adminservers,
1346 			sizeof(char *) * (existing_entries+list_entries+1));
1347 		    if (tempstr == NULL) {
1348 			retval = ENOMEM;
1349 			goto cleanup;
1350 		    }
1351 		    rparams->adminservers = tempstr;
1352 		} else {
1353 		    rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1354 		    if (rparams->adminservers == NULL) {
1355 			retval = ENOMEM;
1356 			goto cleanup;
1357 		    }
1358 		    memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
1359 		}
1360 		list_modify_str_array(&rparams->adminservers, (const char **)list,
1361 				      LIST_MODE_ADD);
1362 		mask |= LDAP_REALM_ADMINSERVERS;
1363 	    }
1364 	} else if (!strcmp(argv[i], "-pwddn")) {
1365 	    if (++i > argc-1)
1366 		goto err_usage;
1367 
1368 	    if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1369 		if (!oldpwddns) {
1370 		    /* Store the old pwd dns list for removing rights */
1371 		    oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1372 		    if (oldpwddns == NULL) {
1373 			retval = ENOMEM;
1374 			goto cleanup;
1375 		    }
1376 
1377 		    for (j=0; rparams->passwdservers[j] != NULL; j++) {
1378 			oldpwddns[j] = strdup(rparams->passwdservers[j]);
1379 			if (oldpwddns[j] == NULL) {
1380 			    retval = ENOMEM;
1381 			    goto cleanup;
1382 			}
1383 		    }
1384 		    oldpwddns[j] = NULL;
1385 		}
1386 
1387 		krb5_free_list_entries(rparams->passwdservers);
1388 		free(rparams->passwdservers);
1389 	    }
1390 
1391 	    rparams->passwdservers = (char **)malloc(
1392 		sizeof(char *) * MAX_LIST_ENTRIES);
1393 	    if (rparams->passwdservers == NULL) {
1394 		retval = ENOMEM;
1395 		goto cleanup;
1396 	    }
1397 	    memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1398 	    if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1399 					  rparams->passwdservers))) {
1400 		goto cleanup;
1401 	    }
1402 	    mask |= LDAP_REALM_PASSWDSERVERS;
1403 	    /* Going to replace the existing value by this new value. Hence
1404 	     * setting flag indicating that add or clear options will be ignored
1405 	     */
1406 	    newpwddn = 1;
1407 	} else if (!strcmp(argv[i], "-clearpwddn")) {
1408 	    if (++i > argc-1)
1409 		goto err_usage;
1410 
1411 	    if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1412 		if (!oldpwddns) {
1413 		    /* Store the old pwd dns list for removing rights */
1414 		    oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1415 		    if (oldpwddns == NULL) {
1416 			retval = ENOMEM;
1417 			goto cleanup;
1418 		    }
1419 
1420 		    for (j=0; rparams->passwdservers[j] != NULL; j++) {
1421 			oldpwddns[j] = strdup(rparams->passwdservers[j]);
1422 			if (oldpwddns[j] == NULL) {
1423 			    retval = ENOMEM;
1424 			    goto cleanup;
1425 			}
1426 		    }
1427 		    oldpwddns[j] = NULL;
1428 		}
1429 
1430 		memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1431 		if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1432 		    goto cleanup;
1433 		}
1434 		list_modify_str_array(&rparams->passwdservers, (const char**)list,
1435 				      LIST_MODE_DELETE);
1436 		mask |= LDAP_REALM_PASSWDSERVERS;
1437 		krb5_free_list_entries(list);
1438 	    }
1439 	} else if (!strcmp(argv[i], "-addpwddn")) {
1440 	    if (++i > argc-1)
1441 		goto err_usage;
1442 	    if (!newpwddn) {
1443 		if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
1444 		    /* Store the old pwd dns list for removing rights */
1445 		    oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1446 		    if (oldpwddns == NULL) {
1447 			retval = ENOMEM;
1448 			goto cleanup;
1449 		    }
1450 
1451 		    for (j=0; rparams->passwdservers[j] != NULL; j++) {
1452 			oldpwddns[j] = strdup(rparams->passwdservers[j]);
1453 			if (oldpwddns[j] == NULL) {
1454 			    retval = ENOMEM;
1455 			    goto cleanup;
1456 			}
1457 		    }
1458 		    oldpwddns[j] = NULL;
1459 		}
1460 
1461 		memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1462 		if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1463 		    goto cleanup;
1464 		}
1465 		existing_entries = list_count_str_array(rparams->passwdservers);
1466 		list_entries = list_count_str_array(list);
1467 		if (rmask & LDAP_REALM_PASSWDSERVERS) {
1468 		    tempstr = (char **)realloc(
1469 			rparams->passwdservers,
1470 			sizeof(char *) * (existing_entries+list_entries+1));
1471 		    if (tempstr == NULL) {
1472 			retval = ENOMEM;
1473 			goto cleanup;
1474 		    }
1475 		    rparams->passwdservers = tempstr;
1476 		} else {
1477 		    rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1478 		    if (rparams->passwdservers == NULL) {
1479 			retval = ENOMEM;
1480 			goto cleanup;
1481 		    }
1482 		    memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
1483 		}
1484 		list_modify_str_array(&rparams->passwdservers, (const char**)list,
1485 				      LIST_MODE_ADD);
1486 		mask |= LDAP_REALM_PASSWDSERVERS;
1487 	    }
1488 	}
1489 #endif
1490 	else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
1491 	    mask|=ret_mask;
1492 	} else {
1493 	    printf(gettext("'%s' is an invalid option\n"), argv[i]);
1494 	    goto err_usage;
1495 	}
1496     }
1497 
1498     if ((retval = krb5_ldap_modify_realm(util_context,
1499 					 /* global_params.realm, */ rparams, mask))) {
1500 	goto cleanup;
1501     }
1502 
1503 #ifdef HAVE_EDIRECTORY
1504     if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) ||
1505 	(mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1506 
1507 	printf(gettext("Changing rights for the service object. Please wait ... "));
1508 	fflush(stdout);
1509 
1510 	if (!(mask & LDAP_REALM_SUBTREE)) {
1511 	    if (rparams->subtree != NULL) {
1512 		for(i=0; rparams->subtree[i]!=NULL;i++) {
1513 		    oldsubtrees[i] = strdup(rparams->subtree[i]);
1514 		    if( oldsubtrees[i] == NULL ) {
1515 			retval = ENOMEM;
1516 			goto cleanup;
1517 		    }
1518 		}
1519 	    }
1520 	}
1521 
1522 	if ((mask & LDAP_REALM_SUBTREE)) {
1523 	    int check_subtree = 1;
1524 
1525 	    newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*));
1526 
1527 	    if (newsubtrees == NULL) {
1528 		retval = ENOMEM;
1529 		goto cleanup;
1530 	    }
1531 
1532 	    if ( (rparams != NULL) && (rparams->subtree != NULL) ) {
1533 		for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) {
1534 		    newsubtrees[j] = strdup(rparams->subtree[j]);
1535 		    if (newsubtrees[j] == NULL) {
1536 			retval = ENOMEM;
1537 			goto cleanup;
1538 		    }
1539 		}
1540 		newsubtrees[j] = NULL;
1541 	    }
1542 	    for(j=0;oldsubtrees[j]!=NULL;j++) {
1543 		check_subtree = 1;
1544 		for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) ||
1545 			(!oldsubtrees[j] && rparams->subtree[i])); i++) {
1546 		    if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) {
1547 			check_subtree = 0;
1548 			continue;
1549 		    }
1550 		}
1551 		if (check_subtree != 0) {
1552 		    subtree_changed=1;
1553 		    break;
1554 		}
1555 	    }
1556 	    /* this will return list of the disjoint members */
1557 	    disjoint_members( oldsubtrees, newsubtrees);
1558 	}
1559 
1560 	if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) {
1561 
1562 	    newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1563 	    if (newkdcdns == NULL) {
1564 		retval = ENOMEM;
1565 		goto cleanup;
1566 	    }
1567 
1568 	    if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1569 		for (j=0;  rparams->kdcservers[j]!= NULL; j++) {
1570 		    newkdcdns[j] = strdup(rparams->kdcservers[j]);
1571 		    if (newkdcdns[j] == NULL) {
1572 			retval = ENOMEM;
1573 			goto cleanup;
1574 		    }
1575 		}
1576 		newkdcdns[j] = NULL;
1577 	    }
1578 
1579 	    if (!subtree_changed) {
1580 		disjoint_members(oldkdcdns, newkdcdns);
1581 	    } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1582 		if (!(mask & LDAP_REALM_KDCSERVERS)) {
1583 
1584 		    oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1585 		    if (oldkdcdns == NULL) {
1586 			retval = ENOMEM;
1587 			goto cleanup;
1588 		    }
1589 
1590 		    if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1591 			for (j=0;  rparams->kdcservers[j]!= NULL; j++) {
1592 			    oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1593 			    if (oldkdcdns[j] == NULL) {
1594 				retval = ENOMEM;
1595 				goto cleanup;
1596 			    }
1597 			}
1598 			oldkdcdns[j] = NULL;
1599 		    }
1600 		}
1601 	    }
1602 
1603 	    rightsmask =0;
1604 	    rightsmask |= LDAP_REALM_RIGHTS;
1605 	    rightsmask |= LDAP_SUBTREE_RIGHTS;
1606 	    /* Remove the rights on the old subtrees */
1607 	    if (oldkdcdns) {
1608 		for (i=0; (oldkdcdns[i] != NULL); i++) {
1609 		    if ((retval=krb5_ldap_delete_service_rights(util_context,
1610 								LDAP_KDC_SERVICE, oldkdcdns[i],
1611 								rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1612 			printf(gettext("failed\n"));
1613 			/* Solaris Kerberos */
1614 			com_err(progname, retval, gettext("while assigning rights '%s'"),
1615 				rparams->realm_name);
1616 			goto err_nomsg;
1617 		    }
1618 		}
1619 	    }
1620 
1621 	    rightsmask =0;
1622 	    rightsmask |= LDAP_REALM_RIGHTS;
1623 	    rightsmask |= LDAP_SUBTREE_RIGHTS;
1624 	    if (newkdcdns) {
1625 		for (i=0; (newkdcdns[i] != NULL); i++) {
1626 
1627 		    if ((retval=krb5_ldap_add_service_rights(util_context,
1628 							     LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name,
1629 							     rparams->subtree, rightsmask)) != 0) {
1630 			printf(gettext("failed\n"));
1631 			/* Solaris Kerberos */
1632 			com_err(progname, retval, gettext("while assigning rights to '%s'"),
1633 				rparams->realm_name);
1634 			goto err_nomsg;
1635 		    }
1636 		}
1637 	    }
1638 	}
1639 
1640 	if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) {
1641 
1642 	    newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1643 	    if (newadmindns == NULL) {
1644 		retval = ENOMEM;
1645 		goto cleanup;
1646 	    }
1647 
1648 	    if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1649 		for (j=0;  rparams->adminservers[j]!= NULL; j++) {
1650 		    newadmindns[j] = strdup(rparams->adminservers[j]);
1651 		    if (newadmindns[j] == NULL) {
1652 			retval = ENOMEM;
1653 			goto cleanup;
1654 		    }
1655 		}
1656 		newadmindns[j] = NULL;
1657 	    }
1658 
1659 	    if (!subtree_changed) {
1660 		disjoint_members(oldadmindns, newadmindns);
1661 	    } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1662 		if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1663 
1664 		    oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1665 		    if (oldadmindns == NULL) {
1666 			retval = ENOMEM;
1667 			goto cleanup;
1668 		    }
1669 
1670 		    if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1671 			for (j=0;  rparams->adminservers[j]!= NULL; j++) {
1672 			    oldadmindns[j] = strdup(rparams->adminservers[j]);
1673 			    if (oldadmindns[j] == NULL) {
1674 				retval = ENOMEM;
1675 				goto cleanup;
1676 			    }
1677 			}
1678 			oldadmindns[j] = NULL;
1679 		    }
1680 		}
1681 	    }
1682 
1683 	    rightsmask = 0;
1684 	    rightsmask |= LDAP_REALM_RIGHTS;
1685 	    rightsmask |= LDAP_SUBTREE_RIGHTS;
1686 	    /* Remove the rights on the old subtrees */
1687 	    if (oldadmindns) {
1688 		for (i=0; (oldadmindns[i] != NULL); i++) {
1689 
1690 		    if ((retval=krb5_ldap_delete_service_rights(util_context,
1691 								LDAP_ADMIN_SERVICE, oldadmindns[i],
1692 								rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1693 			printf(gettext("failed\n"));
1694 			/* Solaris Kerberos */
1695 			com_err(progname, retval, gettext("while assigning rights '%s'"),
1696 				rparams->realm_name);
1697 			goto err_nomsg;
1698 		    }
1699 		}
1700 	    }
1701 
1702 	    rightsmask = 0;
1703 	    rightsmask |= LDAP_REALM_RIGHTS;
1704 	    rightsmask |= LDAP_SUBTREE_RIGHTS;
1705 	    /* Add rights on the new subtree for all the kdc dns */
1706 	    if (newadmindns) {
1707 		for (i=0; (newadmindns[i] != NULL); i++) {
1708 
1709 		    if ((retval=krb5_ldap_add_service_rights(util_context,
1710 							     LDAP_ADMIN_SERVICE, newadmindns[i],
1711 							     rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
1712 			printf(gettext("failed\n"));
1713 			/* Solaris Kerberos */
1714 			com_err(progname, retval, gettext("while assigning rights to '%s'"),
1715 				rparams->realm_name);
1716 			goto err_nomsg;
1717 		    }
1718 		}
1719 	    }
1720 	}
1721 
1722 
1723 	if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1724 
1725 	    newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1726 	    if (newpwddns == NULL) {
1727 		retval = ENOMEM;
1728 		goto cleanup;
1729 	    }
1730 
1731 	    if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1732 		for (j=0;  rparams->passwdservers[j]!= NULL; j++) {
1733 		    newpwddns[j] = strdup(rparams->passwdservers[j]);
1734 		    if (newpwddns[j] == NULL) {
1735 			retval = ENOMEM;
1736 			goto cleanup;
1737 		    }
1738 		}
1739 		newpwddns[j] = NULL;
1740 	    }
1741 
1742 	    if (!subtree_changed) {
1743 		disjoint_members(oldpwddns, newpwddns);
1744 	    } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1745 		if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1746 
1747 		    oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1748 		    if (oldpwddns == NULL) {
1749 			retval = ENOMEM;
1750 			goto cleanup;
1751 		    }
1752 
1753 		    if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1754 			for (j=0;  rparams->passwdservers[j]!= NULL; j++) {
1755 			    oldpwddns[j] = strdup(rparams->passwdservers[j]);
1756 			    if (oldpwddns[j] == NULL) {
1757 				retval = ENOMEM;
1758 				goto cleanup;
1759 			    }
1760 			}
1761 			oldpwddns[j] = NULL;
1762 		    }
1763 		}
1764 	    }
1765 
1766 	    rightsmask =0;
1767 	    rightsmask |= LDAP_REALM_RIGHTS;
1768 	    rightsmask |= LDAP_SUBTREE_RIGHTS;
1769 	    /* Remove the rights on the old subtrees */
1770 	    if (oldpwddns) {
1771 		for (i=0; (oldpwddns[i] != NULL); i++) {
1772 		    if ((retval = krb5_ldap_delete_service_rights(util_context,
1773 								  LDAP_PASSWD_SERVICE, oldpwddns[i],
1774 								  rparams->realm_name, oldsubtrees, rightsmask))) {
1775 			printf(gettext("failed\n"));
1776 			/* Solaris Kerberos */
1777 			com_err(progname, retval, gettext("while assigning rights '%s'"),
1778 				rparams->realm_name);
1779 			goto err_nomsg;
1780 		    }
1781 		}
1782 	    }
1783 
1784 	    rightsmask =0;
1785 	    rightsmask |= LDAP_REALM_RIGHTS;
1786 	    rightsmask |= LDAP_SUBTREE_RIGHTS;
1787 	    /* Add rights on the new subtree for all the kdc dns */
1788 	    if (newpwddns) {
1789 		for (i=0; (newpwddns[i] != NULL); i++) {
1790 		    if ((retval = krb5_ldap_add_service_rights(util_context,
1791 							       LDAP_PASSWD_SERVICE, newpwddns[i],
1792 							       rparams->realm_name, rparams->subtree, rightsmask))) {
1793 			printf(gettext("failed\n"));
1794 			/* Solaris Kerberos */
1795 			com_err(progname, retval, gettext("while assigning rights to '%s'"),
1796 				rparams->realm_name);
1797 			goto err_nomsg;
1798 		    }
1799 		}
1800 	    }
1801 	}
1802 
1803 	printf(gettext("done\n"));
1804     }
1805 #endif
1806 
1807     goto cleanup;
1808 
1809 err_usage:
1810     print_usage = TRUE;
1811 
1812 err_nomsg:
1813     no_msg = TRUE;
1814 
1815 cleanup:
1816     krb5_ldap_free_realm_params(rparams);
1817 
1818 
1819 #ifdef HAVE_EDIRECTORY
1820     if (oldkdcdns) {
1821 	for (i=0; oldkdcdns[i] != NULL; i++)
1822 	    free(oldkdcdns[i]);
1823 	free(oldkdcdns);
1824     }
1825     if (oldpwddns) {
1826 	for (i=0; oldpwddns[i] != NULL; i++)
1827 	    free(oldpwddns[i]);
1828 	free(oldpwddns);
1829     }
1830     if (oldadmindns) {
1831 	for (i=0; oldadmindns[i] != NULL; i++)
1832 	    free(oldadmindns[i]);
1833 	free(oldadmindns);
1834     }
1835     if (newkdcdns) {
1836 	for (i=0; newkdcdns[i] != NULL; i++)
1837 	    free(newkdcdns[i]);
1838 	free(newkdcdns);
1839     }
1840     if (newpwddns) {
1841 	for (i=0; newpwddns[i] != NULL; i++)
1842 	    free(newpwddns[i]);
1843 	free(newpwddns);
1844     }
1845     if (newadmindns) {
1846 	for (i=0; newadmindns[i] != NULL; i++)
1847 	    free(newadmindns[i]);
1848 	free(newadmindns);
1849     }
1850     if (oldsubtrees) {
1851 	for (i=0;oldsubtrees[i]!=NULL; i++)
1852 	    free(oldsubtrees[i]);
1853 	free(oldsubtrees);
1854     }
1855     if (newsubtrees) {
1856 	for (i=0;newsubtrees[i]!=NULL; i++)
1857 	    free(newsubtrees[i]);
1858 	free(oldsubtrees);
1859     }
1860 #endif
1861     if (print_usage) {
1862 	db_usage(MODIFY_REALM);
1863     }
1864 
1865     if (retval) {
1866 	if (!no_msg) {
1867 	    /* Solaris Kerberos */
1868 	    com_err(progname, retval, gettext("while modifying information of realm '%s'"),
1869 		    global_params.realm);
1870 	}
1871 	exit_status++;
1872     }
1873 
1874     return;
1875 }
1876 
1877 
1878 
1879 /*
1880  * This function displays the attributes of a Realm
1881  */
1882 void kdb5_ldap_view(argc, argv)
1883     int argc;
1884     char *argv[];
1885 {
1886     krb5_ldap_realm_params *rparams = NULL;
1887     krb5_error_code retval = 0;
1888     kdb5_dal_handle *dal_handle=NULL;
1889     krb5_ldap_context *ldap_context=NULL;
1890     int mask = 0;
1891 
1892     dal_handle = (kdb5_dal_handle *) util_context->db_context;
1893     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1894     if (!(ldap_context)) {
1895 	retval = EINVAL;
1896 	/* Solaris Kerberos */
1897 	com_err(progname, retval, gettext("while initializing database"));
1898 	exit_status++;
1899 	return;
1900     }
1901 
1902     /* Read the kerberos container information */
1903     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1904 						     &(ldap_context->krbcontainer))) != 0) {
1905 	/* Solaris Kerberos */
1906 	com_err(progname, retval, gettext("while reading kerberos container information"));
1907 	exit_status++;
1908 	return;
1909     }
1910 
1911     if ((retval = krb5_ldap_read_realm_params(util_context,
1912 					      global_params.realm, &rparams, &mask)) || (!rparams)) {
1913 	/* Solaris Kerberos */
1914 	com_err(progname, retval, gettext("while reading information of realm '%s'"),
1915 		global_params.realm);
1916 	exit_status++;
1917 	return;
1918     }
1919     print_realm_params(rparams, mask);
1920     krb5_ldap_free_realm_params(rparams);
1921 
1922     return;
1923 }
1924 
1925 static char *strdur(duration)
1926     time_t duration;
1927 {
1928     static char out[50];
1929     int neg, days, hours, minutes, seconds;
1930 
1931     if (duration < 0) {
1932 	duration *= -1;
1933 	neg = 1;
1934     } else
1935 	neg = 0;
1936     days = duration / (24 * 3600);
1937     duration %= 24 * 3600;
1938     hours = duration / 3600;
1939     duration %= 3600;
1940     minutes = duration / 60;
1941     duration %= 60;
1942     seconds = duration;
1943     snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
1944 	    days, days == 1 ? gettext("day") : gettext("days"),
1945 	    hours, minutes, seconds);
1946     return out;
1947 }
1948 
1949 /*
1950  * This function prints the attributes of a given realm to the
1951  * standard output.
1952  */
1953 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
1954 {
1955     char **slist = NULL;
1956     int num_entry_printed = 0, i = 0;
1957 
1958     /* Print the Realm Attributes on the standard output */
1959     printf("%25s: %-50s\n", gettext("Realm Name"), global_params.realm);
1960     if (mask & LDAP_REALM_SUBTREE) {
1961 	for (i=0; rparams->subtree[i]!=NULL; i++)
1962 	    printf("%25s: %-50s\n", gettext("Subtree"), rparams->subtree[i]);
1963     }
1964     if (mask & LDAP_REALM_CONTREF)
1965 	printf("%25s: %-50s\n", gettext("Principal Container Reference"), rparams->containerref);
1966     if (mask & LDAP_REALM_SEARCHSCOPE) {
1967 	if ((rparams->search_scope != 1) &&
1968 	    (rparams->search_scope != 2)) {
1969 	    printf("%25s: %-50s\n", gettext("SearchScope"), gettext("Invalid !"));
1970 	} else {
1971 	    printf("%25s: %-50s\n", gettext("SearchScope"),
1972 		   (rparams->search_scope == 1) ? gettext("ONE") : gettext("SUB"));
1973 	}
1974     }
1975     if (mask & LDAP_REALM_KDCSERVERS) {
1976 	printf("%25s:", gettext("KDC Services"));
1977 	if (rparams->kdcservers != NULL) {
1978 	    num_entry_printed = 0;
1979 	    for (slist = rparams->kdcservers; *slist != NULL; slist++) {
1980 		if (num_entry_printed)
1981 		    printf(" %25s %-50s\n", " ", *slist);
1982 		else
1983 		    printf(" %-50s\n", *slist);
1984 		num_entry_printed++;
1985 	    }
1986 	}
1987 	if (num_entry_printed == 0)
1988 	    printf("\n");
1989     }
1990     if (mask & LDAP_REALM_ADMINSERVERS) {
1991 	printf("%25s:", gettext("Admin Services"));
1992 	if (rparams->adminservers != NULL) {
1993 	    num_entry_printed = 0;
1994 	    for (slist = rparams->adminservers; *slist != NULL; slist++) {
1995 		if (num_entry_printed)
1996 		    printf(" %25s %-50s\n", " ", *slist);
1997 		else
1998 		    printf(" %-50s\n", *slist);
1999 		num_entry_printed++;
2000 	    }
2001 	}
2002 	if (num_entry_printed == 0)
2003 	    printf("\n");
2004     }
2005     if (mask & LDAP_REALM_PASSWDSERVERS) {
2006 	printf("%25s:", gettext("Passwd Services"));
2007 	if (rparams->passwdservers != NULL) {
2008 	    num_entry_printed = 0;
2009 	    for (slist = rparams->passwdservers; *slist != NULL; slist++) {
2010 		if (num_entry_printed)
2011 		    printf(" %25s %-50s\n", " ", *slist);
2012 		else
2013 		    printf(" %-50s\n", *slist);
2014 		num_entry_printed++;
2015 	    }
2016 	}
2017 	if (num_entry_printed == 0)
2018 	    printf("\n");
2019     }
2020     if (mask & LDAP_REALM_MAXTICKETLIFE) {
2021 	printf("%25s:", gettext("Maximum Ticket Life"));
2022 	printf(" %s \n", strdur(rparams->max_life));
2023     }
2024 
2025     if (mask & LDAP_REALM_MAXRENEWLIFE) {
2026 	printf("%25s:", gettext("Maximum Renewable Life"));
2027 	printf(" %s \n", strdur(rparams->max_renewable_life));
2028     }
2029 
2030     if (mask & LDAP_REALM_KRBTICKETFLAGS) {
2031 	int ticketflags = rparams->tktflags;
2032 
2033 	printf("%25s: ", gettext("Ticket flags"));
2034 	if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
2035 	    printf("%s ","DISALLOW_POSTDATED");
2036 
2037 	if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
2038 	    printf("%s ","DISALLOW_FORWARDABLE");
2039 
2040 	if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
2041 	    printf("%s ","DISALLOW_RENEWABLE");
2042 
2043 	if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
2044 	    printf("%s ","DISALLOW_PROXIABLE");
2045 
2046 	if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
2047 	    printf("%s ","DISALLOW_DUP_SKEY");
2048 
2049 	if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
2050 	    printf("%s ","REQUIRES_PRE_AUTH");
2051 
2052 	if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
2053 	    printf("%s ","REQUIRES_HW_AUTH");
2054 
2055 	if (ticketflags & KRB5_KDB_DISALLOW_SVR)
2056 	    printf("%s ","DISALLOW_SVR");
2057 
2058 	if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
2059 	    printf("%s ","DISALLOW_TGT_BASED");
2060 
2061 	if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
2062 	    printf("%s ","DISALLOW_ALL_TIX");
2063 
2064 	if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
2065 	    printf("%s ","REQUIRES_PWCHANGE");
2066 
2067 	if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
2068 	    printf("%s ","PWCHANGE_SERVICE");
2069 
2070 	printf("\n");
2071     }
2072 
2073 
2074     return;
2075 }
2076 
2077 
2078 
2079 /*
2080  * This function lists the Realm(s) present under the Kerberos container
2081  * on the LDAP Server.
2082  */
2083 void kdb5_ldap_list(argc, argv)
2084     int argc;
2085     char *argv[];
2086 {
2087     char **list = NULL;
2088     char **plist = NULL;
2089     krb5_error_code retval = 0;
2090     kdb5_dal_handle *dal_handle=NULL;
2091     krb5_ldap_context *ldap_context=NULL;
2092 
2093     dal_handle = (kdb5_dal_handle *)util_context->db_context;
2094     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2095     if (!(ldap_context)) {
2096 	retval = EINVAL;
2097 	exit_status++;
2098 	return;
2099     }
2100 
2101     /* Read the kerberos container information */
2102     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2103 						     &(ldap_context->krbcontainer))) != 0) {
2104 	/* Solaris Kerberos */
2105 	com_err(progname, retval, gettext("while reading kerberos container information"));
2106 	exit_status++;
2107 	return;
2108     }
2109 
2110     retval = krb5_ldap_list_realm(util_context, &list);
2111     if (retval != 0) {
2112 	krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2113 	ldap_context->krbcontainer = NULL;
2114 	/* Solaris Kerberos */
2115 	com_err (progname, retval, gettext("while listing realms"));
2116 	exit_status++;
2117 	return;
2118     }
2119     /* This is to handle the case of realm not present */
2120     if (list == NULL) {
2121 	krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2122 	ldap_context->krbcontainer = NULL;
2123 	return;
2124     }
2125 
2126     for (plist = list; *plist != NULL; plist++) {
2127 	printf("%s\n", *plist);
2128     }
2129     krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2130     ldap_context->krbcontainer = NULL;
2131     krb5_free_list_entries(list);
2132     free(list);
2133 
2134     return;
2135 }
2136 
2137 /*
2138  * Duplicating the following two functions here because
2139  * 'krb5_dbe_update_tl_data' uses backend specific memory allocation. The catch
2140  * here is that the backend is not initialized - kdb5_ldap_util doesn't go
2141  * through DAL.
2142  * 1. krb5_dbe_update_tl_data
2143  * 2. krb5_dbe_update_mod_princ_data
2144  */
2145 
2146 /* Start duplicate code ... */
2147 
2148 static krb5_error_code
2149 krb5_dbe_update_tl_data_new(context, entry, new_tl_data)
2150     krb5_context context;
2151     krb5_db_entry *entry;
2152     krb5_tl_data *new_tl_data;
2153 {
2154     krb5_tl_data *tl_data = NULL;
2155     krb5_octet *tmp;
2156 
2157     /* copy the new data first, so we can fail cleanly if malloc()
2158      * fails */
2159 /*
2160     if ((tmp =
2161 	 (krb5_octet *) krb5_db_alloc(context, NULL,
2162 				      new_tl_data->tl_data_length)) == NULL)
2163 */
2164     if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL)
2165 	return (ENOMEM);
2166 
2167     /* Find an existing entry of the specified type and point at
2168      * it, or NULL if not found */
2169 
2170     if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) {	/* db_args can be multiple */
2171 	for (tl_data = entry->tl_data; tl_data;
2172 	     tl_data = tl_data->tl_data_next)
2173 	    if (tl_data->tl_data_type == new_tl_data->tl_data_type)
2174 		break;
2175     }
2176 
2177     /* if necessary, chain a new record in the beginning and point at it */
2178 
2179     if (!tl_data) {
2180 /*
2181 	if ((tl_data =
2182 	     (krb5_tl_data *) krb5_db_alloc(context, NULL,
2183 					    sizeof(krb5_tl_data)))
2184 	    == NULL) {
2185 */
2186 	if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) {
2187 	    free(tmp);
2188 	    return (ENOMEM);
2189 	}
2190 	memset(tl_data, 0, sizeof(krb5_tl_data));
2191 	tl_data->tl_data_next = entry->tl_data;
2192 	entry->tl_data = tl_data;
2193 	entry->n_tl_data++;
2194     }
2195 
2196     /* fill in the record */
2197 
2198     if (tl_data->tl_data_contents)
2199 	krb5_db_free(context, tl_data->tl_data_contents);
2200 
2201     tl_data->tl_data_type = new_tl_data->tl_data_type;
2202     tl_data->tl_data_length = new_tl_data->tl_data_length;
2203     tl_data->tl_data_contents = tmp;
2204     memcpy(tmp, new_tl_data->tl_data_contents, tl_data->tl_data_length);
2205 
2206     return (0);
2207 }
2208 
2209 static krb5_error_code
2210 krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ)
2211     krb5_context	  context;
2212     krb5_db_entry	* entry;
2213     krb5_timestamp	  mod_date;
2214     krb5_const_principal  mod_princ;
2215 {
2216     krb5_tl_data          tl_data;
2217 
2218     krb5_error_code 	  retval = 0;
2219     krb5_octet		* nextloc = 0;
2220     char		* unparse_mod_princ = 0;
2221     unsigned int	unparse_mod_princ_size;
2222 
2223     if ((retval = krb5_unparse_name(context, mod_princ,
2224 				    &unparse_mod_princ)))
2225 	return(retval);
2226 
2227     unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
2228 
2229     if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
2230 	== NULL) {
2231 	free(unparse_mod_princ);
2232 	return(ENOMEM);
2233     }
2234 
2235     tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
2236     tl_data.tl_data_length = unparse_mod_princ_size + 4;
2237     tl_data.tl_data_contents = nextloc;
2238 
2239     /* Mod Date */
2240     krb5_kdb_encode_int32(mod_date, nextloc);
2241 
2242     /* Mod Princ */
2243     memcpy(nextloc+4, unparse_mod_princ, unparse_mod_princ_size);
2244 
2245     retval = krb5_dbe_update_tl_data_new(context, entry, &tl_data);
2246 
2247     free(unparse_mod_princ);
2248     free(nextloc);
2249 
2250     return(retval);
2251 }
2252 
2253 static krb5_error_code
2254 kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
2255     krb5_key_salt_tuple *ksent;
2256     krb5_pointer        ptr;
2257 {
2258     krb5_context        context;
2259     krb5_error_code     kret;
2260     struct iterate_args *iargs;
2261     krb5_keyblock       key;
2262     krb5_int32          ind;
2263     krb5_data   pwd;
2264     krb5_db_entry       *entry;
2265 
2266     iargs = (struct iterate_args *) ptr;
2267     kret = 0;
2268 
2269     context = iargs->ctx;
2270     entry = iargs->dbentp;
2271 
2272     /*
2273      * Convert the master key password into a key for this particular
2274      * encryption system.
2275      */
2276     pwd.data = mkey_password;
2277     pwd.length = strlen(mkey_password);
2278     kret = krb5_c_random_seed(context, &pwd);
2279     if (kret)
2280 	return kret;
2281 
2282     /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
2283     if ((entry->key_data =
2284 	     (krb5_key_data *) realloc(entry->key_data,
2285 					    (sizeof(krb5_key_data) *
2286 					    (entry->n_key_data + 1)))) == NULL)
2287 	return (ENOMEM);
2288 
2289     memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
2290     ind = entry->n_key_data++;
2291 
2292     if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype,
2293 					&key))) {
2294 	kret = krb5_dbekd_encrypt_key_data(context,
2295 					   iargs->rblock->key,
2296 					   &key,
2297 					   NULL,
2298 					   1,
2299 					   &entry->key_data[ind]);
2300 	krb5_free_keyblock_contents(context, &key);
2301     }
2302     /*}*/
2303 
2304     return(kret);
2305 }
2306 /* End duplicate code */
2307 
2308 /*
2309  * This function creates service principals when
2310  * creating the realm object.
2311  */
2312 static int
2313 kdb_ldap_create_principal (context, princ, op, pblock)
2314     krb5_context context;
2315     krb5_principal princ;
2316     enum ap_op op;
2317     struct realm_info *pblock;
2318 {
2319     int              retval=0, currlen=0, princtype = 2 /* Service Principal */;
2320     unsigned char    *curr=NULL;
2321     krb5_tl_data     *tl_data=NULL;
2322     krb5_db_entry    entry;
2323     int              nentry=1;
2324     long             mask = 0;
2325     krb5_keyblock    key;
2326     int              kvno = 0;
2327     kdb5_dal_handle *dal_handle = NULL;
2328     krb5_ldap_context *ldap_context=NULL;
2329     struct iterate_args   iargs;
2330     krb5_data       *pdata;
2331 
2332     if ((pblock == NULL) || (context == NULL)) {
2333 	retval = EINVAL;
2334 	goto cleanup;
2335     }
2336     dal_handle = (kdb5_dal_handle *) context->db_context;
2337     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2338     if (!(ldap_context)) {
2339 	retval = EINVAL;
2340 	goto cleanup;
2341     }
2342 
2343     memset(&entry, 0, sizeof(entry));
2344 
2345     tl_data = malloc(sizeof(*tl_data));
2346     if (tl_data == NULL) {
2347 	retval = ENOMEM;
2348 	goto cleanup;
2349     }
2350     memset(tl_data, 0, sizeof(*tl_data));
2351     tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4;
2352     tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */
2353     curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length);
2354     if (tl_data->tl_data_contents == NULL) {
2355 	retval = ENOMEM;
2356 	goto cleanup;
2357     }
2358 
2359     memset(curr, 1, 1); /* Passing the mask as principal type */
2360     curr += 1;
2361     currlen = 2;
2362     STORE16_INT(curr, currlen);
2363     curr += currlen;
2364     STORE16_INT(curr, princtype);
2365     curr += currlen;
2366 
2367     mask |= KADM5_PRINCIPAL;
2368     mask |= KADM5_ATTRIBUTES ;
2369     mask |= KADM5_MAX_LIFE ;
2370     mask |= KADM5_MAX_RLIFE ;
2371     mask |= KADM5_PRINC_EXPIRE_TIME ;
2372     mask |= KADM5_KEY_DATA;
2373 
2374     entry.tl_data = tl_data;
2375     entry.n_tl_data += 1;
2376     /* Set the creator's name */
2377     {
2378 	krb5_timestamp now;
2379 	if ((retval = krb5_timeofday(context, &now)))
2380 	    goto cleanup;
2381 	if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
2382 			now, &db_create_princ)))
2383 	    goto cleanup;
2384     }
2385     entry.attributes = pblock->flags;
2386     entry.max_life = pblock->max_life;
2387     entry.max_renewable_life = pblock->max_rlife;
2388     entry.expiration = pblock->expiration;
2389     entry.mask = mask;
2390     if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
2391 	goto cleanup;
2392 
2393 
2394     switch (op) {
2395     case TGT_KEY:
2396 	if ((pdata = krb5_princ_component(context, princ, 1)) &&
2397 	    pdata->length == strlen("history") &&
2398 	    !memcmp(pdata->data, "history", strlen("history"))) {
2399 
2400 	    /* Allocate memory for storing the key */
2401 	    if ((entry.key_data = (krb5_key_data *) malloc(
2402 					      sizeof(krb5_key_data))) == NULL) {
2403 		retval = ENOMEM;
2404 		goto cleanup;
2405 	    }
2406 
2407 	    memset(entry.key_data, 0, sizeof(krb5_key_data));
2408 	    entry.n_key_data++;
2409 
2410 	    retval = krb5_c_make_random_key(context, global_params.enctype, &key);
2411 	    if (retval) {
2412 		goto cleanup;
2413 	    }
2414 	    kvno = 1; /* New key is getting set */
2415 	    retval = krb5_dbekd_encrypt_key_data(context,
2416 					&ldap_context->lrparams->mkey,
2417 					&key, NULL, kvno,
2418 					&entry.key_data[entry.n_key_data - 1]);
2419 	    krb5_free_keyblock_contents(context, &key);
2420 	    if (retval) {
2421 		goto cleanup;
2422 	    }
2423 	} else {
2424 	    /*retval = krb5_c_make_random_key(context, 16, &key) ;*/
2425 	    iargs.ctx = context;
2426 	    iargs.rblock = pblock;
2427 	    iargs.dbentp = &entry;
2428 
2429 	    /*
2430 	     * create a set of random keys by iterating through the key/salt
2431 	     * list, ignoring salt types.
2432 	     */
2433 	    if ((retval = krb5_keysalt_iterate(pblock->kslist,
2434 					       pblock->nkslist,
2435 					       1,
2436 					       kdb_ldap_tgt_keysalt_iterate,
2437 					       (krb5_pointer) &iargs)))
2438 		return retval;
2439 	}
2440 	break;
2441 
2442     case MASTER_KEY:
2443 	/* Allocate memory for storing the key */
2444 	if ((entry.key_data = (krb5_key_data *) malloc(
2445 					      sizeof(krb5_key_data))) == NULL) {
2446 	    retval = ENOMEM;
2447 	    goto cleanup;
2448 	}
2449 
2450 	memset(entry.key_data, 0, sizeof(krb5_key_data));
2451 	entry.n_key_data++;
2452 	kvno = 1; /* New key is getting set */
2453 	retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
2454 					 &ldap_context->lrparams->mkey,
2455 					 NULL, kvno,
2456 					 &entry.key_data[entry.n_key_data - 1]);
2457 	if (retval) {
2458 	    goto cleanup;
2459 	}
2460 	break;
2461 
2462     case NULL_KEY:
2463     default:
2464 	break;
2465     } /* end of switch */
2466 
2467     retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
2468     if (retval) {
2469 	com_err(NULL, retval, gettext("while adding entries to database"));
2470 	goto cleanup;
2471     }
2472 
2473 cleanup:
2474     krb5_dbe_free_contents(context, &entry);
2475     return retval;
2476 }
2477 
2478 
2479 /*
2480  * This function destroys the realm object and the associated principals
2481  */
2482 void
2483 kdb5_ldap_destroy(argc, argv)
2484     int argc;
2485     char *argv[];
2486 {
2487     extern char *optarg;
2488     extern int optind;
2489     int optchar = 0;
2490     char buf[5] = {0};
2491     krb5_error_code retval = 0;
2492     int force = 0;
2493     int mask = 0;
2494     kdb5_dal_handle *dal_handle = NULL;
2495     krb5_ldap_context *ldap_context = NULL;
2496 #ifdef HAVE_EDIRECTORY
2497     int i = 0, rightsmask = 0;
2498     krb5_ldap_realm_params *rparams = NULL;
2499 #endif
2500     /* Solaris Kerberos: to remove stash file */
2501     char *stash_file = NULL;
2502     struct stat stb;
2503 
2504     optind = 1;
2505     while ((optchar = getopt(argc, argv, "f")) != -1) {
2506 	switch (optchar) {
2507 	case 'f':
2508 	    force++;
2509 	    break;
2510 	case '?':
2511 	default:
2512 	    db_usage(DESTROY_REALM);
2513 	    return;
2514 	    /*NOTREACHED*/
2515 	}
2516     }
2517 
2518     if (!force) {
2519 	printf(gettext("Deleting KDC database of '%s', are you sure?\n"), global_params.realm);
2520 	printf(gettext("(type 'yes' to confirm)? "));
2521 	if (fgets(buf, sizeof(buf), stdin) == NULL) {
2522 	    exit_status++;
2523 	    return;
2524 	}
2525 	if (strcmp(buf, yes)) {
2526 	    exit_status++;
2527 	    return;
2528 	}
2529 	printf(gettext("OK, deleting database of '%s'...\n"), global_params.realm);
2530     }
2531 
2532     dal_handle = (kdb5_dal_handle *)util_context->db_context;
2533     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2534     if (!(ldap_context)) {
2535 	/* Solaris Kerberos */
2536 	com_err(progname, EINVAL, gettext("while initializing database"));
2537 	exit_status++;
2538 	return;
2539     }
2540 
2541     /* Read the kerberos container from the LDAP Server */
2542     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2543 						     &(ldap_context->krbcontainer))) != 0) {
2544 	/* Solaris Kerberos */
2545 	com_err(progname, retval, gettext("while reading kerberos container information"));
2546 	exit_status++;
2547 	return;
2548     }
2549 
2550     /* Read the Realm information from the LDAP Server */
2551     if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
2552 					      &(ldap_context->lrparams), &mask)) != 0) {
2553 	/* Solaris Kerberos */
2554 	com_err(progname, retval, gettext("while reading realm information"));
2555 	exit_status++;
2556 	return;
2557     }
2558 
2559 #ifdef HAVE_EDIRECTORY
2560     if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
2561 	(mask & LDAP_REALM_PASSWDSERVERS)) {
2562 
2563 	printf(gettext("Changing rights for the service object. Please wait ... "));
2564 	fflush(stdout);
2565 
2566 	rparams = ldap_context->lrparams;
2567 	rightsmask = 0;
2568 	rightsmask |= LDAP_REALM_RIGHTS;
2569 	rightsmask |= LDAP_SUBTREE_RIGHTS;
2570 	if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
2571 	    for (i=0; (rparams->kdcservers[i] != NULL); i++) {
2572 		if ((retval = krb5_ldap_delete_service_rights(util_context,
2573 							      LDAP_KDC_SERVICE, rparams->kdcservers[i],
2574 							      rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2575 		    printf(gettext("failed\n"));
2576 		    /* Solaris Kerberos */
2577 		    com_err(progname, retval, gettext("while assigning rights to '%s'"),
2578 			    rparams->realm_name);
2579 		    return;
2580 		}
2581 	    }
2582 	}
2583 	rightsmask = 0;
2584 	rightsmask |= LDAP_REALM_RIGHTS;
2585 	rightsmask |= LDAP_SUBTREE_RIGHTS;
2586 	if ((rparams != NULL) && (rparams->adminservers != NULL)) {
2587 	    for (i=0; (rparams->adminservers[i] != NULL); i++) {
2588 		if ((retval = krb5_ldap_delete_service_rights(util_context,
2589 							      LDAP_ADMIN_SERVICE, rparams->adminservers[i],
2590 							      rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2591 		    printf(gettext("failed\n"));
2592 		    /* Solaris Kerberos */
2593 		    com_err(progname, retval, gettext("while assigning rights to '%s'"),
2594 			    rparams->realm_name);
2595 		    return;
2596 		}
2597 	    }
2598 	}
2599 	rightsmask = 0;
2600 	rightsmask |= LDAP_REALM_RIGHTS;
2601 	rightsmask |= LDAP_SUBTREE_RIGHTS;
2602 	if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
2603 	    for (i=0; (rparams->passwdservers[i] != NULL); i++) {
2604 		if ((retval = krb5_ldap_delete_service_rights(util_context,
2605 							      LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
2606 							      rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2607 		    printf(gettext("failed\n"));
2608 		    /* Solaris Kerberos */
2609 		    com_err(progname, retval, gettext("while assigning rights to '%s'"),
2610 			    rparams->realm_name);
2611 		    return;
2612 		}
2613 	    }
2614 	}
2615 	printf(gettext("done\n"));
2616     }
2617 #endif
2618     /* Delete the realm container and all the associated principals */
2619     retval = krb5_ldap_delete_realm(util_context, global_params.realm);
2620     if (retval) {
2621 	/* Solaris Kerberos */
2622 	com_err(progname, retval, gettext("deleting database of '%s'"), global_params.realm);
2623 	exit_status++;
2624 	return;
2625     }
2626 
2627     /*
2628      * Solaris Kerberos: check for a stash file and delete it if necessary
2629      * This behavior exists in the Solaris version of kdb5_util destroy.
2630      */
2631     if (global_params.stash_file == NULL) {
2632 	char stashbuf[MAXPATHLEN+1];
2633 	int realm_len = strlen(global_params.realm);
2634 
2635 	(void) strlcpy(stashbuf, DEFAULT_KEYFILE_STUB, sizeof (stashbuf));
2636 
2637 	if (realm_len <= (MAXPATHLEN-strlen(stashbuf))) {
2638 	    (void) strncat(stashbuf, global_params.realm,
2639 		(MAXPATHLEN-strlen(stashbuf)));
2640 	} else {
2641 	    /* Solaris Kerberos */
2642 	    com_err(progname, EINVAL,
2643 		gettext("can not determine stash file name for '%s'"),
2644 		global_params.realm);
2645 	    exit_status++;
2646 	    return;
2647 	}
2648 	stash_file = stashbuf;
2649     } else {
2650 	stash_file = global_params.stash_file;
2651     }
2652     /* Make sure stash_file is a regular file before unlinking */
2653     if (stat(stash_file, &stb) == 0) {
2654 	if ((stb.st_mode & S_IFMT) == S_IFREG) {
2655 	    (void)unlink(stash_file);
2656 	} else {
2657 	    /* Solaris Kerberos */
2658 	    com_err(progname, EINVAL,
2659 		gettext("stash file '%s' not a regular file, can not delete"),
2660 		stash_file);
2661 	    exit_status++;
2662 	    return;
2663 	}
2664     } else if (errno != ENOENT) {
2665 	/*
2666 	 * If the error is something other than the file doesn't exist set an
2667 	 * error.
2668 	 */
2669 	/* Solaris Kerberos */
2670 	com_err(progname, EINVAL,
2671 	    gettext("could not stat stash file '%s', could not delete"),
2672 	    stash_file);
2673 	exit_status++;
2674 	return;
2675     }
2676 
2677     printf(gettext("** Database of '%s' destroyed.\n"), global_params.realm);
2678 
2679     return;
2680 }
2681