Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/heimdal/lib/hdb/hdb-ldap.c
106846 views
1
/*

2
 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.

3
 * Copyright (c) 2004, Andrew Bartlett.

4
 * Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan.

5
 * All rights reserved.

6
 *

7
 * Redistribution and use in source and binary forms, with or without

8
 * modification, are permitted provided that the following conditions

9
 * are met:

10
 *

11
 * 1. Redistributions of source code must retain the above copyright

12
 *    notice, this list of conditions and the following disclaimer.

13
 *

14
 * 2. Redistributions in binary form must reproduce the above copyright

15
 *    notice, this list of conditions and the following disclaimer in the

16
 *    documentation and/or other materials provided with the distribution.

17
 *

18
 * 3. Neither the name of PADL Software  nor the names of its contributors

19
 *    may be used to endorse or promote products derived from this software

20
 *    without specific prior written permission.

21
 *

22
 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND

23
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

24
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

25
 * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE

26
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

27
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

28
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

29
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

30
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

31
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

32
 * SUCH DAMAGE.

33
 */

34


35
#include "hdb_locl.h"

36


37
#ifdef OPENLDAP

38


39
#include <lber.h>

40
#include <ldap.h>

41
#include <sys/un.h>

42
#include <hex.h>

43


44
static krb5_error_code LDAP__connect(krb5_context context, HDB *);

45
static krb5_error_code LDAP_close(krb5_context context, HDB *);

46


47
static krb5_error_code hdb_ldap_create(krb5_context context, HDB **, const char *);

48
static krb5_error_code hdb_ldapi_create(krb5_context context, HDB **, const char *);

49


50
static krb5_error_code

51
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,

52
		   int flags, hdb_entry_ex * ent);

53


54
static const char *default_structural_object = "account";

55
static char *structural_object;

56
static krb5_boolean samba_forwardable;

57


58
struct hdbldapdb {

59
    LDAP *h_lp;

60
    int   h_msgid;

61
    char *h_base;

62
    char *h_url;

63
    char *h_createbase;

64
};

65


66
#define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)

67
#define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)

68
#define HDBSETMSGID(db,msgid) \

69
	do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)

70
#define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)

71
#define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)

72
#define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)

73


74
/*

75
 *

76
 */

77


78
static char * krb5kdcentry_attrs[] = {

79
    "cn",

80
    "createTimestamp",

81
    "creatorsName",

82
    "krb5EncryptionType",

83
    "krb5KDCFlags",

84
    "krb5Key",

85
    "krb5KeyVersionNumber",

86
    "krb5MaxLife",

87
    "krb5MaxRenew",

88
    "krb5PasswordEnd",

89
    "krb5PrincipalName",

90
    "krb5PrincipalRealm",

91
    "krb5ValidEnd",

92
    "krb5ValidStart",

93
    "modifiersName",

94
    "modifyTimestamp",

95
    "objectClass",

96
    "sambaAcctFlags",

97
    "sambaKickoffTime",

98
    "sambaNTPassword",

99
    "sambaPwdLastSet",

100
    "sambaPwdMustChange",

101
    "uid",

102
    NULL

103
};

104


105
static char *krb5principal_attrs[] = {

106
    "cn",

107
    "createTimestamp",

108
    "creatorsName",

109
    "krb5PrincipalName",

110
    "krb5PrincipalRealm",

111
    "modifiersName",

112
    "modifyTimestamp",

113
    "objectClass",

114
    "uid",

115
    NULL

116
};

117


118
static int

119
LDAP_no_size_limit(krb5_context context, LDAP *lp)

120
{

121
    int ret, limit = LDAP_NO_LIMIT;

122


123
    ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);

124
    if (ret != LDAP_SUCCESS) {

125
	krb5_set_error_message(context, HDB_ERR_BADVERSION,

126
			       "ldap_set_option: %s",

127
			       ldap_err2string(ret));

128
	return HDB_ERR_BADVERSION;

129
    }

130
    return 0;

131
}

132


133
static int

134
check_ldap(krb5_context context, HDB *db, int ret)

135
{

136
    switch (ret) {

137
    case LDAP_SUCCESS:

138
	return 0;

139
    case LDAP_SERVER_DOWN:

140
	LDAP_close(context, db);

141
	return 1;

142
    default:

143
	return 1;

144
    }

145
}

146


147
static krb5_error_code

148
LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,

149
	     int *pIndex)

150
{

151
    int cMods;

152


153
    if (*modlist == NULL) {

154
	*modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));

155
	if (*modlist == NULL)

156
	    return ENOMEM;

157
    }

158


159
    for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {

160
	if ((*modlist)[cMods]->mod_op == modop &&

161
	    strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) {

162
	    break;

163
	}

164
    }

165


166
    *pIndex = cMods;

167


168
    if ((*modlist)[cMods] == NULL) {

169
	LDAPMod *mod;

170


171
	*modlist = (LDAPMod **)ber_memrealloc(*modlist,

172
					      (cMods + 2) * sizeof(LDAPMod *));

173
	if (*modlist == NULL)

174
	    return ENOMEM;

175


176
	(*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));

177
	if ((*modlist)[cMods] == NULL)

178
	    return ENOMEM;

179


180
	mod = (*modlist)[cMods];

181
	mod->mod_op = modop;

182
	mod->mod_type = ber_strdup(attribute);

183
	if (mod->mod_type == NULL) {

184
	    ber_memfree(mod);

185
	    (*modlist)[cMods] = NULL;

186
	    return ENOMEM;

187
	}

188


189
	if (modop & LDAP_MOD_BVALUES) {

190
	    mod->mod_bvalues = NULL;

191
	} else {

192
	    mod->mod_values = NULL;

193
	}

194


195
	(*modlist)[cMods + 1] = NULL;

196
    }

197


198
    return 0;

199
}

200


201
static krb5_error_code

202
LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,

203
		unsigned char *value, size_t len)

204
{

205
    krb5_error_code ret;

206
    int cMods, i = 0;

207


208
    ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);

209
    if (ret)

210
	return ret;

211


212
    if (value != NULL) {

213
	struct berval **bv;

214


215
	bv = (*modlist)[cMods]->mod_bvalues;

216
	if (bv != NULL) {

217
	    for (i = 0; bv[i] != NULL; i++)

218
		;

219
	    bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));

220
	} else

221
	    bv = ber_memalloc(2 * sizeof(*bv));

222
	if (bv == NULL)

223
	    return ENOMEM;

224


225
	(*modlist)[cMods]->mod_bvalues = bv;

226


227
	bv[i] = ber_memalloc(sizeof(**bv));;

228
	if (bv[i] == NULL)

229
	    return ENOMEM;

230


231
	bv[i]->bv_val = (void *)value;

232
	bv[i]->bv_len = len;

233


234
	bv[i + 1] = NULL;

235
    }

236


237
    return 0;

238
}

239


240
static krb5_error_code

241
LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,

242
	    const char *value)

243
{

244
    int cMods, i = 0;

245
    krb5_error_code ret;

246


247
    ret = LDAP__setmod(modlist, modop, attribute, &cMods);

248
    if (ret)

249
	return ret;

250


251
    if (value != NULL) {

252
	char **bv;

253


254
	bv = (*modlist)[cMods]->mod_values;

255
	if (bv != NULL) {

256
	    for (i = 0; bv[i] != NULL; i++)

257
		;

258
	    bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));

259
	} else

260
	    bv = ber_memalloc(2 * sizeof(*bv));

261
	if (bv == NULL)

262
	    return ENOMEM;

263


264
	(*modlist)[cMods]->mod_values = bv;

265


266
	bv[i] = ber_strdup(value);

267
	if (bv[i] == NULL)

268
	    return ENOMEM;

269


270
	bv[i + 1] = NULL;

271
    }

272


273
    return 0;

274
}

275


276
static krb5_error_code

277
LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,

278
			     const char *attribute, KerberosTime * time)

279
{

280
    char buf[22];

281
    struct tm *tm;

282


283
    /* XXX not threadsafe */

284
    tm = gmtime(time);

285
    strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);

286


287
    return LDAP_addmod(mods, modop, attribute, buf);

288
}

289


290
static krb5_error_code

291
LDAP_addmod_integer(krb5_context context,

292
		    LDAPMod *** mods, int modop,

293
		    const char *attribute, unsigned long l)

294
{

295
    krb5_error_code ret;

296
    char *buf;

297


298
    ret = asprintf(&buf, "%ld", l);

299
    if (ret < 0) {

300
	krb5_set_error_message(context, ENOMEM,

301
			       "asprintf: out of memory:");

302
	return ENOMEM;

303
    }

304
    ret = LDAP_addmod(mods, modop, attribute, buf);

305
    free (buf);

306
    return ret;

307
}

308


309
static krb5_error_code

310
LDAP_get_string_value(HDB * db, LDAPMessage * entry,

311
		      const char *attribute, char **ptr)

312
{

313
    struct berval **vals;

314


315
    vals = ldap_get_values_len(HDB2LDAP(db), entry, attribute);

316
    if (vals == NULL || vals[0] == NULL) {

317
	*ptr = NULL;

318
	return HDB_ERR_NOENTRY;

319
    }

320


321
    *ptr = malloc(vals[0]->bv_len + 1);

322
    if (*ptr == NULL) {

323
	ldap_value_free_len(vals);

324
	return ENOMEM;

325
    }

326


327
    memcpy(*ptr, vals[0]->bv_val, vals[0]->bv_len);

328
    (*ptr)[vals[0]->bv_len] = 0;

329


330
    ldap_value_free_len(vals);

331


332
    return 0;

333
}

334


335
static krb5_error_code

336
LDAP_get_integer_value(HDB * db, LDAPMessage * entry,

337
		       const char *attribute, int *ptr)

338
{

339
    krb5_error_code ret;

340
    char *val;

341


342
    ret = LDAP_get_string_value(db, entry, attribute, &val);

343
    if (ret)

344
	return ret;

345
    *ptr = atoi(val);

346
    free(val);

347
    return 0;

348
}

349


350
static krb5_error_code

351
LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,

352
				const char *attribute, KerberosTime * kt)

353
{

354
    char *tmp, *gentime;

355
    struct tm tm;

356
    int ret;

357


358
    *kt = 0;

359


360
    ret = LDAP_get_string_value(db, entry, attribute, &gentime);

361
    if (ret)

362
	return ret;

363


364
    tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);

365
    if (tmp == NULL) {

366
	free(gentime);

367
	return HDB_ERR_NOENTRY;

368
    }

369


370
    free(gentime);

371


372
    *kt = timegm(&tm);

373


374
    return 0;

375
}

376


377
static int

378
bervalstrcmp(struct berval *v, const char *str)

379
{

380
    size_t len = strlen(str);

381
    return (v->bv_len == len) && strncasecmp(str, (char *)v->bv_val, len) == 0;

382
}

383


384


385
static krb5_error_code

386
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,

387
		LDAPMessage * msg, LDAPMod *** pmods)

388
{

389
    krb5_error_code ret;

390
    krb5_boolean is_new_entry;

391
    char *tmp = NULL;

392
    LDAPMod **mods = NULL;

393
    hdb_entry_ex orig;

394
    unsigned long oflags, nflags;

395
    int i;

396


397
    krb5_boolean is_samba_account = FALSE;

398
    krb5_boolean is_account = FALSE;

399
    krb5_boolean is_heimdal_entry = FALSE;

400
    krb5_boolean is_heimdal_principal = FALSE;

401


402
    struct berval **vals;

403


404
    *pmods = NULL;

405


406
    if (msg != NULL) {

407


408
	ret = LDAP_message2entry(context, db, msg, 0, &orig);

409
	if (ret)

410
	    goto out;

411


412
	is_new_entry = FALSE;

413


414
	vals = ldap_get_values_len(HDB2LDAP(db), msg, "objectClass");

415
	if (vals) {

416
	    int num_objectclasses = ldap_count_values_len(vals);

417
	    for (i=0; i < num_objectclasses; i++) {

418
		if (bervalstrcmp(vals[i], "sambaSamAccount"))

419
		    is_samba_account = TRUE;

420
		else if (bervalstrcmp(vals[i], structural_object))

421
		    is_account = TRUE;

422
		else if (bervalstrcmp(vals[i], "krb5Principal"))

423
		    is_heimdal_principal = TRUE;

424
		else if (bervalstrcmp(vals[i], "krb5KDCEntry"))

425
		    is_heimdal_entry = TRUE;

426
	    }

427
	    ldap_value_free_len(vals);

428
	}

429


430
	/*

431
	 * If this is just a "account" entry and no other objectclass

432
	 * is hanging on this entry, it's really a new entry.

433
	 */

434
	if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&

435
	    is_heimdal_entry == FALSE) {

436
	    if (is_account == TRUE) {

437
		is_new_entry = TRUE;

438
	    } else {

439
		ret = HDB_ERR_NOENTRY;

440
		goto out;

441
	    }

442
	}

443
    } else

444
	is_new_entry = TRUE;

445


446
    if (is_new_entry) {

447


448
	/* to make it perfectly obvious we're depending on

449
	 * orig being intiialized to zero */

450
	memset(&orig, 0, sizeof(orig));

451


452
	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");

453
	if (ret)

454
	    goto out;

455


456
	/* account is the structural object class */

457
	if (is_account == FALSE) {

458
	    ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",

459
			      structural_object);

460
	    is_account = TRUE;

461
	    if (ret)

462
		goto out;

463
	}

464


465
	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");

466
	is_heimdal_principal = TRUE;

467
	if (ret)

468
	    goto out;

469


470
	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");

471
	is_heimdal_entry = TRUE;

472
	if (ret)

473
	    goto out;

474
    }

475


476
    if (is_new_entry ||

477
	krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)

478
	== FALSE)

479
    {

480
	if (is_heimdal_principal || is_heimdal_entry) {

481


482
	    ret = krb5_unparse_name(context, ent->entry.principal, &tmp);

483
	    if (ret)

484
		goto out;

485


486
	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,

487
			      "krb5PrincipalName", tmp);

488
	    if (ret) {

489
		free(tmp);

490
		goto out;

491
	    }

492
	    free(tmp);

493
	}

494


495
	if (is_account || is_samba_account) {

496
	    ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);

497
	    if (ret)

498
		goto out;

499
	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);

500
	    if (ret) {

501
		free(tmp);

502
		goto out;

503
	    }

504
	    free(tmp);

505
	}

506
    }

507


508
    if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {

509
	ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,

510
			    "krb5KeyVersionNumber",

511
			    ent->entry.kvno);

512
	if (ret)

513
	    goto out;

514
    }

515


516
    if (is_heimdal_entry && ent->entry.valid_start) {

517
	if (orig.entry.valid_end == NULL

518
	    || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {

519
	    ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,

520
					       "krb5ValidStart",

521
					       ent->entry.valid_start);

522
	    if (ret)

523
		goto out;

524
	}

525
    }

526


527
    if (ent->entry.valid_end) {

528
 	if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {

529
	    if (is_heimdal_entry) {

530
		ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,

531
						   "krb5ValidEnd",

532
						   ent->entry.valid_end);

533
		if (ret)

534
		    goto out;

535
            }

536
	    if (is_samba_account) {

537
		ret = LDAP_addmod_integer(context, &mods,  LDAP_MOD_REPLACE,

538
					  "sambaKickoffTime",

539
					  *(ent->entry.valid_end));

540
		if (ret)

541
		    goto out;

542
	    }

543
   	}

544
    }

545


546
    if (ent->entry.pw_end) {

547
	if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {

548
	    if (is_heimdal_entry) {

549
		ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,

550
						   "krb5PasswordEnd",

551
						   ent->entry.pw_end);

552
		if (ret)

553
		    goto out;

554
	    }

555


556
	    if (is_samba_account) {

557
		ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,

558
					  "sambaPwdMustChange",

559
					  *(ent->entry.pw_end));

560
		if (ret)

561
		    goto out;

562
	    }

563
	}

564
    }

565


566


567
#if 0 /* we we have last_pw_change */

568
    if (is_samba_account && ent->entry.last_pw_change) {

569
	if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {

570
	    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,

571
				      "sambaPwdLastSet",

572
				      *(ent->entry.last_pw_change));

573
	    if (ret)

574
		goto out;

575
	}

576
    }

577
#endif

578


579
    if (is_heimdal_entry && ent->entry.max_life) {

580
	if (orig.entry.max_life == NULL

581
	    || (*(ent->entry.max_life) != *(orig.entry.max_life))) {

582


583
	    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,

584
				      "krb5MaxLife",

585
				      *(ent->entry.max_life));

586
	    if (ret)

587
		goto out;

588
	}

589
    }

590


591
    if (is_heimdal_entry && ent->entry.max_renew) {

592
	if (orig.entry.max_renew == NULL

593
	    || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {

594


595
	    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,

596
				      "krb5MaxRenew",

597
				      *(ent->entry.max_renew));

598
	    if (ret)

599
		goto out;

600
	}

601
    }

602


603
    oflags = HDBFlags2int(orig.entry.flags);

604
    nflags = HDBFlags2int(ent->entry.flags);

605


606
    if (is_heimdal_entry && oflags != nflags) {

607


608
	ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,

609
				  "krb5KDCFlags",

610
				  nflags);

611
	if (ret)

612
	    goto out;

613
    }

614


615
    /* Remove keys if they exists, and then replace keys. */

616
    if (!is_new_entry && orig.entry.keys.len > 0) {

617
	vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");

618
	if (vals) {

619
	    ldap_value_free_len(vals);

620


621
	    ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);

622
	    if (ret)

623
		goto out;

624
	}

625
    }

626


627
    for (i = 0; i < ent->entry.keys.len; i++) {

628


629
	if (is_samba_account

630
	    && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {

631
	    char *ntHexPassword;

632
	    char *nt;

633
	    time_t now = time(NULL);

634


635
	    /* the key might have been 'sealed', but samba passwords

636
	       are clear in the directory */

637
	    ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);

638
	    if (ret)

639
		goto out;

640


641
	    nt = ent->entry.keys.val[i].key.keyvalue.data;

642
	    /* store in ntPassword, not krb5key */

643
	    ret = hex_encode(nt, 16, &ntHexPassword);

644
	    if (ret < 0) {

645
		ret = ENOMEM;

646
		krb5_set_error_message(context, ret, "hdb-ldap: failed to "

647
				      "hex encode key");

648
		goto out;

649
	    }

650
	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword",

651
			      ntHexPassword);

652
	    free(ntHexPassword);

653
	    if (ret)

654
		goto out;

655
	    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,

656
				      "sambaPwdLastSet", now);

657
	    if (ret)

658
		goto out;

659


660
	    /* have to kill the LM passwod if it exists */

661
	    vals = ldap_get_values_len(HDB2LDAP(db), msg, "sambaLMPassword");

662
	    if (vals) {

663
		ldap_value_free_len(vals);

664
		ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,

665
				  "sambaLMPassword", NULL);

666
		if (ret)

667
		    goto out;

668
	    }

669


670
	} else if (is_heimdal_entry) {

671
	    unsigned char *buf;

672
	    size_t len, buf_size;

673


674
	    ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);

675
	    if (ret)

676
		goto out;

677
	    if(buf_size != len)

678
		krb5_abortx(context, "internal error in ASN.1 encoder");

679


680
	    /* addmod_len _owns_ the key, doesn't need to copy it */

681
	    ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);

682
	    if (ret)

683
		goto out;

684
	}

685
    }

686


687
    if (ent->entry.etypes) {

688
	int add_krb5EncryptionType = 0;

689


690
	/*

691
	 * Only add/modify krb5EncryptionType if it's a new heimdal

692
	 * entry or krb5EncryptionType already exists on the entry.

693
	 */

694


695
	if (!is_new_entry) {

696
	    vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");

697
	    if (vals) {

698
		ldap_value_free_len(vals);

699
		ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",

700
				  NULL);

701
		if (ret)

702
		    goto out;

703
		add_krb5EncryptionType = 1;

704
	    }

705
	} else if (is_heimdal_entry)

706
	    add_krb5EncryptionType = 1;

707


708
	if (add_krb5EncryptionType) {

709
	    for (i = 0; i < ent->entry.etypes->len; i++) {

710
		if (is_samba_account &&

711
		    ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)

712
		{

713
		    ;

714
		} else if (is_heimdal_entry) {

715
		    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,

716
					      "krb5EncryptionType",

717
					      ent->entry.etypes->val[i]);

718
		    if (ret)

719
			goto out;

720
		}

721
	    }

722
	}

723
    }

724


725
    /* for clarity */

726
    ret = 0;

727


728
 out:

729


730
    if (ret == 0)

731
	*pmods = mods;

732
    else if (mods != NULL) {

733
	ldap_mods_free(mods, 1);

734
	*pmods = NULL;

735
    }

736


737
    if (msg)

738
	hdb_free_entry(context, &orig);

739


740
    return ret;

741
}

742


743
static krb5_error_code

744
LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,

745
		  krb5_principal * principal)

746
{

747
    krb5_error_code ret;

748
    int rc;

749
    const char *filter = "(objectClass=krb5Principal)";

750
    LDAPMessage *res = NULL, *e;

751
    char *p;

752


753
    ret = LDAP_no_size_limit(context, HDB2LDAP(db));

754
    if (ret)

755
	goto out;

756


757
    rc = ldap_search_ext_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,

758
			   filter, krb5principal_attrs, 0,

759
			   NULL, NULL, NULL,

760
			   0, &res);

761
    if (check_ldap(context, db, rc)) {

762
	ret = HDB_ERR_NOENTRY;

763
	krb5_set_error_message(context, ret, "ldap_search_ext_s: "

764
			       "filter: %s error: %s",

765
			       filter, ldap_err2string(rc));

766
	goto out;

767
    }

768


769
    e = ldap_first_entry(HDB2LDAP(db), res);

770
    if (e == NULL) {

771
	ret = HDB_ERR_NOENTRY;

772
	goto out;

773
    }

774


775
    ret = LDAP_get_string_value(db, e, "krb5PrincipalName", &p);

776
    if (ret) {

777
	ret = HDB_ERR_NOENTRY;

778
	goto out;

779
    }

780


781
    ret = krb5_parse_name(context, p, principal);

782
    free(p);

783


784
  out:

785
    if (res)

786
	ldap_msgfree(res);

787


788
    return ret;

789
}

790


791
static int

792
need_quote(unsigned char c)

793
{

794
    return (c & 0x80) ||

795
	(c < 32) ||

796
	(c == '(') ||

797
	(c == ')') ||

798
	(c == '*') ||

799
	(c == '\\') ||

800
	(c == 0x7f);

801
}

802


803
static const char hexchar[] = "0123456789ABCDEF";

804


805
static krb5_error_code

806
escape_value(krb5_context context, const char *unquoted, char **quoted)

807
{

808
    size_t i, len;

809


810
    for (i = 0, len = 0; unquoted[i] != '\0'; i++, len++) {

811
	if (need_quote((unsigned char)unquoted[i]))

812
	    len += 2;

813
    }

814


815
    *quoted = malloc(len + 1);

816
    if (*quoted == NULL) {

817
	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");

818
	return ENOMEM;

819
    }

820


821
    for (i = 0; unquoted[0] ; unquoted++) {

822
	if (need_quote((unsigned char)unquoted[0])) {

823
	    (*quoted)[i++] = '\\';

824
	    (*quoted)[i++] = hexchar[(unquoted[0] >> 4) & 0xf];

825
	    (*quoted)[i++] = hexchar[(unquoted[0]     ) & 0xf];

826
	} else

827
	    (*quoted)[i++] = (char)unquoted[0];

828
    }

829
    (*quoted)[i] = '\0';

830
    return 0;

831
}

832


833


834
static krb5_error_code

835
LDAP__lookup_princ(krb5_context context,

836
		   HDB *db,

837
		   const char *princname,

838
		   const char *userid,

839
		   LDAPMessage **msg)

840
{

841
    krb5_error_code ret;

842
    int rc;

843
    char *quote, *filter = NULL;

844


845
    ret = LDAP__connect(context, db);

846
    if (ret)

847
	return ret;

848


849
    /*

850
     * Quote searches that contain filter language, this quote

851
     * searches for *@REALM, which takes very long time.

852
     */

853


854
    ret = escape_value(context, princname, &quote);

855
    if (ret)

856
	goto out;

857


858
    rc = asprintf(&filter,

859
		  "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",

860
		  quote);

861
    free(quote);

862


863
    if (rc < 0) {

864
	ret = ENOMEM;

865
	krb5_set_error_message(context, ret, "malloc: out of memory");

866
	goto out;

867
    }

868


869
    ret = LDAP_no_size_limit(context, HDB2LDAP(db));

870
    if (ret)

871
	goto out;

872


873
    rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db),

874
			   LDAP_SCOPE_SUBTREE, filter,

875
			   krb5kdcentry_attrs, 0,

876
			   NULL, NULL, NULL,

877
			   0, msg);

878
    if (check_ldap(context, db, rc)) {

879
	ret = HDB_ERR_NOENTRY;

880
	krb5_set_error_message(context, ret, "ldap_search_ext_s: "

881
			      "filter: %s - error: %s",

882
			      filter, ldap_err2string(rc));

883
	goto out;

884
    }

885


886
    if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {

887
	free(filter);

888
	filter = NULL;

889
	ldap_msgfree(*msg);

890
	*msg = NULL;

891


892
	ret = escape_value(context, userid, &quote);

893
	if (ret)

894
	    goto out;

895


896
	rc = asprintf(&filter,

897
	    "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",

898
		      structural_object, quote);

899
	free(quote);

900
	if (rc < 0) {

901
	    ret = ENOMEM;

902
	    krb5_set_error_message(context, ret, "asprintf: out of memory");

903
	    goto out;

904
	}

905


906
	ret = LDAP_no_size_limit(context, HDB2LDAP(db));

907
	if (ret)

908
	    goto out;

909


910
	rc = ldap_search_ext_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE,

911
			       filter, krb5kdcentry_attrs, 0,

912
			       NULL, NULL, NULL,

913
			       0, msg);

914
	if (check_ldap(context, db, rc)) {

915
	    ret = HDB_ERR_NOENTRY;

916
	    krb5_set_error_message(context, ret,

917
				   "ldap_search_ext_s: filter: %s error: %s",

918
				   filter, ldap_err2string(rc));

919
	    goto out;

920
	}

921
    }

922


923
    ret = 0;

924


925
  out:

926
    if (filter)

927
	free(filter);

928


929
    return ret;

930
}

931


932
static krb5_error_code

933
LDAP_principal2message(krb5_context context, HDB * db,

934
		       krb5_const_principal princ, LDAPMessage ** msg)

935
{

936
    char *name, *name_short = NULL;

937
    krb5_error_code ret;

938
    krb5_realm *r, *r0;

939


940
    *msg = NULL;

941


942
    ret = krb5_unparse_name(context, princ, &name);

943
    if (ret)

944
	return ret;

945


946
    ret = krb5_get_default_realms(context, &r0);

947
    if(ret) {

948
	free(name);

949
	return ret;

950
    }

951
    for (r = r0; *r != NULL; r++) {

952
	if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {

953
	    ret = krb5_unparse_name_short(context, princ, &name_short);

954
	    if (ret) {

955
		krb5_free_host_realm(context, r0);

956
		free(name);

957
		return ret;

958
	    }

959
	    break;

960
	}

961
    }

962
    krb5_free_host_realm(context, r0);

963


964
    ret = LDAP__lookup_princ(context, db, name, name_short, msg);

965
    free(name);

966
    free(name_short);

967


968
    return ret;

969
}

970


971
/*

972
 * Construct an hdb_entry from a directory entry.

973
 */

974
static krb5_error_code

975
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,

976
		   int flags, hdb_entry_ex * ent)

977
{

978
    char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;

979
    char *samba_acct_flags = NULL;

980
    struct berval **keys;

981
    struct berval **vals;

982
    int tmp, tmp_time, i, ret, have_arcfour = 0;

983


984
    memset(ent, 0, sizeof(*ent));

985
    ent->entry.flags = int2HDBFlags(0);

986


987
    ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);

988
    if (ret == 0) {

989
	ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);

990
	if (ret)

991
	    goto out;

992
    } else {

993
	ret = LDAP_get_string_value(db, msg, "uid",

994
				    &unparsed_name);

995
	if (ret == 0) {

996
	    ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);

997
	    if (ret)

998
		goto out;

999
	} else {

1000
	    krb5_set_error_message(context, HDB_ERR_NOENTRY,

1001
				   "hdb-ldap: ldap entry missing"

1002
				  "principal name");

1003
	    return HDB_ERR_NOENTRY;

1004
	}

1005
    }

1006


1007
    {

1008
	int integer;

1009
	ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",

1010
				     &integer);

1011
	if (ret)

1012
	    ent->entry.kvno = 0;

1013
	else

1014
	    ent->entry.kvno = integer;

1015
    }

1016


1017
    keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");

1018
    if (keys != NULL) {

1019
	int i;

1020
	size_t l;

1021


1022
	ent->entry.keys.len = ldap_count_values_len(keys);

1023
	ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));

1024
	if (ent->entry.keys.val == NULL) {

1025
	    ret = ENOMEM;

1026
	    krb5_set_error_message(context, ret, "calloc: out of memory");

1027
	    goto out;

1028
	}

1029
	for (i = 0; i < ent->entry.keys.len; i++) {

1030
	    decode_Key((unsigned char *) keys[i]->bv_val,

1031
		       (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);

1032
	}

1033
	ber_bvecfree(keys);

1034
    } else {

1035
#if 1

1036
	/*

1037
	 * This violates the ASN1 but it allows a principal to

1038
	 * be related to a general directory entry without creating

1039
	 * the keys. Hopefully it's OK.

1040
	 */

1041
	ent->entry.keys.len = 0;

1042
	ent->entry.keys.val = NULL;

1043
#else

1044
	ret = HDB_ERR_NOENTRY;

1045
	goto out;

1046
#endif

1047
    }

1048


1049
    vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");

1050
    if (vals != NULL) {

1051
	int i;

1052


1053
	ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));

1054
	if (ent->entry.etypes == NULL) {

1055
	    ret = ENOMEM;

1056
	    krb5_set_error_message(context, ret,"malloc: out of memory");

1057
	    goto out;

1058
	}

1059
	ent->entry.etypes->len = ldap_count_values_len(vals);

1060
	ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));

1061
	if (ent->entry.etypes->val == NULL) {

1062
	    ret = ENOMEM;

1063
	    krb5_set_error_message(context, ret, "malloc: out of memory");

1064
	    ent->entry.etypes->len = 0;

1065
	    goto out;

1066
	}

1067
	for (i = 0; i < ent->entry.etypes->len; i++) {

1068
	    char *buf;

1069


1070
	    buf = malloc(vals[i]->bv_len + 1);

1071
	    if (buf == NULL) {

1072
		ret = ENOMEM;

1073
		krb5_set_error_message(context, ret, "malloc: out of memory");

1074
		goto out;

1075
	    }

1076
	    memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);

1077
	    buf[vals[i]->bv_len] = '\0';

1078
	    ent->entry.etypes->val[i] = atoi(buf);

1079
	    free(buf);

1080
	}

1081
	ldap_value_free_len(vals);

1082
    }

1083


1084
    for (i = 0; i < ent->entry.keys.len; i++) {

1085
	if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {

1086
	    have_arcfour = 1;

1087
	    break;

1088
	}

1089
    }

1090


1091
    /* manually construct the NT (type 23) key */

1092
    ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);

1093
    if (ret == 0 && have_arcfour == 0) {

1094
	unsigned *etypes;

1095
	Key *keys;

1096
	int i;

1097


1098
	keys = realloc(ent->entry.keys.val,

1099
		       (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));

1100
	if (keys == NULL) {

1101
	    free(ntPasswordIN);

1102
	    ret = ENOMEM;

1103
	    krb5_set_error_message(context, ret, "malloc: out of memory");

1104
	    goto out;

1105
	}

1106
	ent->entry.keys.val = keys;

1107
	memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));

1108
	ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;

1109
	ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);

1110
	if (ret) {

1111
	    krb5_set_error_message(context, ret, "malloc: out of memory");

1112
	    free(ntPasswordIN);

1113
	    ret = ENOMEM;

1114
	    goto out;

1115
	}

1116
	ret = hex_decode(ntPasswordIN,

1117
			 ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);

1118
	ent->entry.keys.len++;

1119


1120
	if (ent->entry.etypes == NULL) {

1121
	    ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));

1122
	    if (ent->entry.etypes == NULL) {

1123
		ret = ENOMEM;

1124
		krb5_set_error_message(context, ret, "malloc: out of memory");

1125
		goto out;

1126
	    }

1127
	    ent->entry.etypes->val = NULL;

1128
	    ent->entry.etypes->len = 0;

1129
	}

1130


1131
	for (i = 0; i < ent->entry.etypes->len; i++)

1132
	    if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)

1133
		break;

1134
	/* If there is no ARCFOUR enctype, add one */

1135
	if (i == ent->entry.etypes->len) {

1136
	    etypes = realloc(ent->entry.etypes->val,

1137
			     (ent->entry.etypes->len + 1) *

1138
			     sizeof(ent->entry.etypes->val[0]));

1139
	    if (etypes == NULL) {

1140
		ret = ENOMEM;

1141
		krb5_set_error_message(context, ret, "malloc: out of memory");

1142
		goto out;

1143
	    }

1144
	    ent->entry.etypes->val = etypes;

1145
	    ent->entry.etypes->val[ent->entry.etypes->len] =

1146
		ETYPE_ARCFOUR_HMAC_MD5;

1147
	    ent->entry.etypes->len++;

1148
	}

1149
    }

1150


1151
    ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",

1152
					  &ent->entry.created_by.time);

1153
    if (ret)

1154
	ent->entry.created_by.time = time(NULL);

1155


1156
    ent->entry.created_by.principal = NULL;

1157


1158
    if (flags & HDB_F_ADMIN_DATA) {

1159
	ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);

1160
	if (ret == 0) {

1161
	    LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal);

1162
	    free(dn);

1163
	}

1164


1165
	ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by));

1166
	if (ent->entry.modified_by == NULL) {

1167
	    ret = ENOMEM;

1168
	    krb5_set_error_message(context, ret, "malloc: out of memory");

1169
	    goto out;

1170
	}

1171


1172
	ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",

1173
					      &ent->entry.modified_by->time);

1174
	if (ret == 0) {

1175
	    ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);

1176
	    if (ret == 0) {

1177
		LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal);

1178
		free(dn);

1179
	    } else {

1180
		free(ent->entry.modified_by);

1181
		ent->entry.modified_by = NULL;

1182
	    }

1183
	}

1184
    }

1185


1186
    ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));

1187
    if (ent->entry.valid_start == NULL) {

1188
	ret = ENOMEM;

1189
	krb5_set_error_message(context, ret, "malloc: out of memory");

1190
	goto out;

1191
    }

1192
    ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",

1193
					  ent->entry.valid_start);

1194
    if (ret) {

1195
	/* OPTIONAL */

1196
	free(ent->entry.valid_start);

1197
	ent->entry.valid_start = NULL;

1198
    }

1199


1200
    ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));

1201
    if (ent->entry.valid_end == NULL) {

1202
	ret = ENOMEM;

1203
	krb5_set_error_message(context, ret, "malloc: out of memory");

1204
	goto out;

1205
    }

1206
    ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",

1207
					  ent->entry.valid_end);

1208
    if (ret) {

1209
	/* OPTIONAL */

1210
	free(ent->entry.valid_end);

1211
	ent->entry.valid_end = NULL;

1212
    }

1213


1214
    ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);

1215
    if (ret == 0) {

1216
 	if (ent->entry.valid_end == NULL) {

1217
 	    ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));

1218
 	    if (ent->entry.valid_end == NULL) {

1219
 		ret = ENOMEM;

1220
 		krb5_set_error_message(context, ret, "malloc: out of memory");

1221
 		goto out;

1222
 	    }

1223
 	}

1224
 	*ent->entry.valid_end = tmp_time;

1225
    }

1226


1227
    ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));

1228
    if (ent->entry.pw_end == NULL) {

1229
	ret = ENOMEM;

1230
	krb5_set_error_message(context, ret, "malloc: out of memory");

1231
	goto out;

1232
    }

1233
    ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",

1234
					  ent->entry.pw_end);

1235
    if (ret) {

1236
	/* OPTIONAL */

1237
	free(ent->entry.pw_end);

1238
	ent->entry.pw_end = NULL;

1239
    }

1240


1241
    ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);

1242
    if (ret == 0) {

1243
	time_t delta;

1244


1245
	if (ent->entry.pw_end == NULL) {

1246
            ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));

1247
            if (ent->entry.pw_end == NULL) {

1248
                ret = ENOMEM;

1249
                krb5_set_error_message(context, ret, "malloc: out of memory");

1250
                goto out;

1251
            }

1252
        }

1253


1254
	delta = krb5_config_get_time_default(context, NULL,

1255
					     365 * 24 * 60 * 60,

1256
					     "kadmin",

1257
					     "password_lifetime",

1258
					     NULL);

1259
        *ent->entry.pw_end = tmp_time + delta;

1260
    }

1261


1262
    ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);

1263
    if (ret == 0) {

1264
	if (ent->entry.pw_end == NULL) {

1265
	    ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));

1266
	    if (ent->entry.pw_end == NULL) {

1267
		ret = ENOMEM;

1268
		krb5_set_error_message(context, ret, "malloc: out of memory");

1269
		goto out;

1270
	    }

1271
	}

1272
	*ent->entry.pw_end = tmp_time;

1273
    }

1274


1275
    /* OPTIONAL */

1276
    ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);

1277
    if (ret == 0)

1278
	hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);

1279


1280
    {

1281
	int max_life;

1282


1283
	ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));

1284
	if (ent->entry.max_life == NULL) {

1285
	    ret = ENOMEM;

1286
	    krb5_set_error_message(context, ret, "malloc: out of memory");

1287
	    goto out;

1288
	}

1289
	ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);

1290
	if (ret) {

1291
	    free(ent->entry.max_life);

1292
	    ent->entry.max_life = NULL;

1293
	} else

1294
	    *ent->entry.max_life = max_life;

1295
    }

1296


1297
    {

1298
	int max_renew;

1299


1300
	ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));

1301
	if (ent->entry.max_renew == NULL) {

1302
	    ret = ENOMEM;

1303
	    krb5_set_error_message(context, ret, "malloc: out of memory");

1304
	    goto out;

1305
	}

1306
	ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);

1307
	if (ret) {

1308
	    free(ent->entry.max_renew);

1309
	    ent->entry.max_renew = NULL;

1310
	} else

1311
	    *ent->entry.max_renew = max_renew;

1312
    }

1313


1314
    ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);

1315
    if (ret)

1316
	tmp = 0;

1317


1318
    ent->entry.flags = int2HDBFlags(tmp);

1319


1320
    /* Try and find Samba flags to put into the mix */

1321
    ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);

1322
    if (ret == 0) {

1323
	/* parse the [UXW...] string:

1324


1325
	   'N'    No password

1326
	   'D'    Disabled

1327
	   'H'    Homedir required

1328
	   'T'    Temp account.

1329
	   'U'    User account (normal)

1330
	   'M'    MNS logon user account - what is this ?

1331
	   'W'    Workstation account

1332
	   'S'    Server account

1333
	   'L'    Locked account

1334
	   'X'    No Xpiry on password

1335
	   'I'    Interdomain trust account

1336


1337
	*/

1338


1339
	int i;

1340
	int flags_len = strlen(samba_acct_flags);

1341


1342
	if (flags_len < 2)

1343
	    goto out2;

1344


1345
	if (samba_acct_flags[0] != '['

1346
	    || samba_acct_flags[flags_len - 1] != ']')

1347
	    goto out2;

1348


1349
	/* Allow forwarding */

1350
	if (samba_forwardable)

1351
	    ent->entry.flags.forwardable = TRUE;

1352


1353
	for (i=0; i < flags_len; i++) {

1354
	    switch (samba_acct_flags[i]) {

1355
	    case ' ':

1356
	    case '[':

1357
	    case ']':

1358
		break;

1359
	    case 'N':

1360
		/* how to handle no password in kerberos? */

1361
		break;

1362
	    case 'D':

1363
		ent->entry.flags.invalid = TRUE;

1364
		break;

1365
	    case 'H':

1366
		break;

1367
	    case 'T':

1368
		/* temp duplicate */

1369
		ent->entry.flags.invalid = TRUE;

1370
		break;

1371
	    case 'U':

1372
		ent->entry.flags.client = TRUE;

1373
		break;

1374
	    case 'M':

1375
		break;

1376
	    case 'W':

1377
	    case 'S':

1378
		ent->entry.flags.server = TRUE;

1379
		ent->entry.flags.client = TRUE;

1380
		break;

1381
	    case 'L':

1382
		ent->entry.flags.invalid = TRUE;

1383
		break;

1384
	    case 'X':

1385
		if (ent->entry.pw_end) {

1386
		    free(ent->entry.pw_end);

1387
		    ent->entry.pw_end = NULL;

1388
		}

1389
		break;

1390
	    case 'I':

1391
		ent->entry.flags.server = TRUE;

1392
		ent->entry.flags.client = TRUE;

1393
		break;

1394
	    }

1395
	}

1396
    out2:

1397
	free(samba_acct_flags);

1398
    }

1399


1400
    ret = 0;

1401


1402
out:

1403
    if (unparsed_name)

1404
	free(unparsed_name);

1405


1406
    if (ret)

1407
	hdb_free_entry(context, ent);

1408


1409
    return ret;

1410
}

1411


1412
static krb5_error_code

1413
LDAP_close(krb5_context context, HDB * db)

1414
{

1415
    if (HDB2LDAP(db)) {

1416
	ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);

1417
	((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;

1418
    }

1419


1420
    return 0;

1421
}

1422


1423
static krb5_error_code

1424
LDAP_lock(krb5_context context, HDB * db, int operation)

1425
{

1426
    return 0;

1427
}

1428


1429
static krb5_error_code

1430
LDAP_unlock(krb5_context context, HDB * db)

1431
{

1432
    return 0;

1433
}

1434


1435
static krb5_error_code

1436
LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)

1437
{

1438
    int msgid, rc, parserc;

1439
    krb5_error_code ret;

1440
    LDAPMessage *e;

1441


1442
    msgid = HDB2MSGID(db);

1443
    if (msgid < 0)

1444
	return HDB_ERR_NOENTRY;

1445


1446
    do {

1447
	rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);

1448
	switch (rc) {

1449
	case LDAP_RES_SEARCH_REFERENCE:

1450
	    ldap_msgfree(e);

1451
	    ret = 0;

1452
	    break;

1453
	case LDAP_RES_SEARCH_ENTRY:

1454
	    /* We have an entry. Parse it. */

1455
	    ret = LDAP_message2entry(context, db, e, flags, entry);

1456
	    ldap_msgfree(e);

1457
	    break;

1458
	case LDAP_RES_SEARCH_RESULT:

1459
	    /* We're probably at the end of the results. If not, abandon. */

1460
	    parserc =

1461
		ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,

1462
				  NULL, NULL, 1);

1463
	    ret = HDB_ERR_NOENTRY;

1464
	    if (parserc != LDAP_SUCCESS

1465
		&& parserc != LDAP_MORE_RESULTS_TO_RETURN) {

1466
	        krb5_set_error_message(context, ret, "ldap_parse_result: %s",

1467
				       ldap_err2string(parserc));

1468
		ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);

1469
	    }

1470
	    HDBSETMSGID(db, -1);

1471
	    break;

1472
	case LDAP_SERVER_DOWN:

1473
	    ldap_msgfree(e);

1474
	    LDAP_close(context, db);

1475
	    HDBSETMSGID(db, -1);

1476
	    ret = ENETDOWN;

1477
	    break;

1478
	default:

1479
	    /* Some unspecified error (timeout?). Abandon. */

1480
	    ldap_msgfree(e);

1481
	    ldap_abandon_ext(HDB2LDAP(db), msgid, NULL, NULL);

1482
	    ret = HDB_ERR_NOENTRY;

1483
	    HDBSETMSGID(db, -1);

1484
	    break;

1485
	}

1486
    } while (rc == LDAP_RES_SEARCH_REFERENCE);

1487


1488
    if (ret == 0) {

1489
	if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {

1490
	    ret = hdb_unseal_keys(context, db, &entry->entry);

1491
	    if (ret)

1492
		hdb_free_entry(context, entry);

1493
	}

1494
    }

1495


1496
    return ret;

1497
}

1498


1499
static krb5_error_code

1500
LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,

1501
	      hdb_entry_ex *entry)

1502
{

1503
    krb5_error_code ret;

1504
    int msgid;

1505


1506
    ret = LDAP__connect(context, db);

1507
    if (ret)

1508
	return ret;

1509


1510
    ret = LDAP_no_size_limit(context, HDB2LDAP(db));

1511
    if (ret)

1512
	return ret;

1513


1514
    ret = ldap_search_ext(HDB2LDAP(db), HDB2BASE(db),

1515
			LDAP_SCOPE_SUBTREE,

1516
			"(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",

1517
			krb5kdcentry_attrs, 0,

1518
			NULL, NULL, NULL, 0, &msgid);

1519
    if (msgid < 0)

1520
	return HDB_ERR_NOENTRY;

1521


1522
    HDBSETMSGID(db, msgid);

1523


1524
    return LDAP_seq(context, db, flags, entry);

1525
}

1526


1527
static krb5_error_code

1528
LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,

1529
	     hdb_entry_ex * entry)

1530
{

1531
    return LDAP_seq(context, db, flags, entry);

1532
}

1533


1534
static krb5_error_code

1535
LDAP__connect(krb5_context context, HDB * db)

1536
{

1537
    int rc, version = LDAP_VERSION3;

1538
    /*

1539
     * Empty credentials to do a SASL bind with LDAP. Note that empty

1540
     * different from NULL credentials. If you provide NULL

1541
     * credentials instead of empty credentials you will get a SASL

1542
     * bind in progress message.

1543
     */

1544
    struct berval bv = { 0, "" };

1545


1546
    if (HDB2LDAP(db)) {

1547
	/* connection has been opened. ping server. */

1548
	struct sockaddr_un addr;

1549
	socklen_t len = sizeof(addr);

1550
	int sd;

1551


1552
	if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&

1553
	    getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {

1554
	    /* the other end has died. reopen. */

1555
	    LDAP_close(context, db);

1556
	}

1557
    }

1558


1559
    if (HDB2LDAP(db) != NULL) /* server is UP */

1560
	return 0;

1561


1562
    rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));

1563
    if (rc != LDAP_SUCCESS) {

1564
	krb5_set_error_message(context, HDB_ERR_NOENTRY, "ldap_initialize: %s",

1565
			       ldap_err2string(rc));

1566
	return HDB_ERR_NOENTRY;

1567
    }

1568


1569
    rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,

1570
			 (const void *)&version);

1571
    if (rc != LDAP_SUCCESS) {

1572
	krb5_set_error_message(context, HDB_ERR_BADVERSION,

1573
			       "ldap_set_option: %s", ldap_err2string(rc));

1574
	LDAP_close(context, db);

1575
	return HDB_ERR_BADVERSION;

1576
    }

1577


1578
    rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,

1579
			  NULL, NULL, NULL);

1580
    if (rc != LDAP_SUCCESS) {

1581
	krb5_set_error_message(context, HDB_ERR_BADVERSION,

1582
			      "ldap_sasl_bind_s: %s", ldap_err2string(rc));

1583
	LDAP_close(context, db);

1584
	return HDB_ERR_BADVERSION;

1585
    }

1586


1587
    return 0;

1588
}

1589


1590
static krb5_error_code

1591
LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)

1592
{

1593
    /* Not the right place for this. */

1594
#ifdef HAVE_SIGACTION

1595
    struct sigaction sa;

1596


1597
    sa.sa_flags = 0;

1598
    sa.sa_handler = SIG_IGN;

1599
    sigemptyset(&sa.sa_mask);

1600


1601
    sigaction(SIGPIPE, &sa, NULL);

1602
#else

1603
    signal(SIGPIPE, SIG_IGN);

1604
#endif /* HAVE_SIGACTION */

1605


1606
    return LDAP__connect(context, db);

1607
}

1608


1609
static krb5_error_code

1610
LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,

1611
		unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)

1612
{

1613
    LDAPMessage *msg, *e;

1614
    krb5_error_code ret;

1615


1616
    ret = LDAP_principal2message(context, db, principal, &msg);

1617
    if (ret)

1618
	return ret;

1619


1620
    e = ldap_first_entry(HDB2LDAP(db), msg);

1621
    if (e == NULL) {

1622
	ret = HDB_ERR_NOENTRY;

1623
	goto out;

1624
    }

1625


1626
    ret = LDAP_message2entry(context, db, e, flags, entry);

1627
    if (ret == 0) {

1628
	if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {

1629
	    ret = hdb_unseal_keys(context, db, &entry->entry);

1630
	    if (ret)

1631
		hdb_free_entry(context, entry);

1632
	}

1633
    }

1634


1635
  out:

1636
    ldap_msgfree(msg);

1637


1638
    return ret;

1639
}

1640


1641
static krb5_error_code

1642
LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,

1643
	   unsigned flags, hdb_entry_ex * entry)

1644
{

1645
    return LDAP_fetch_kvno(context, db, principal,

1646
			   flags & (~HDB_F_KVNO_SPECIFIED), 0, entry);

1647
}

1648


1649
static krb5_error_code

1650
LDAP_store(krb5_context context, HDB * db, unsigned flags,

1651
	   hdb_entry_ex * entry)

1652
{

1653
    LDAPMod **mods = NULL;

1654
    krb5_error_code ret;

1655
    const char *errfn;

1656
    int rc;

1657
    LDAPMessage *msg = NULL, *e = NULL;

1658
    char *dn = NULL, *name = NULL;

1659


1660
    ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);

1661
    if (ret == 0)

1662
	e = ldap_first_entry(HDB2LDAP(db), msg);

1663


1664
    ret = krb5_unparse_name(context, entry->entry.principal, &name);

1665
    if (ret) {

1666
	free(name);

1667
	return ret;

1668
    }

1669


1670
    ret = hdb_seal_keys(context, db, &entry->entry);

1671
    if (ret)

1672
	goto out;

1673


1674
    /* turn new entry into LDAPMod array */

1675
    ret = LDAP_entry2mods(context, db, entry, e, &mods);

1676
    if (ret)

1677
	goto out;

1678


1679
    if (e == NULL) {

1680
	ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));

1681
	if (ret < 0) {

1682
	    ret = ENOMEM;

1683
	    krb5_set_error_message(context, ret, "asprintf: out of memory");

1684
	    goto out;

1685
	}

1686
    } else if (flags & HDB_F_REPLACE) {

1687
	/* Entry exists, and we're allowed to replace it. */

1688
	dn = ldap_get_dn(HDB2LDAP(db), e);

1689
    } else {

1690
	/* Entry exists, but we're not allowed to replace it. Bail. */

1691
	ret = HDB_ERR_EXISTS;

1692
	goto out;

1693
    }

1694


1695
    /* write entry into directory */

1696
    if (e == NULL) {

1697
	/* didn't exist before */

1698
	rc = ldap_add_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );

1699
	errfn = "ldap_add_ext_s";

1700
    } else {

1701
	/* already existed, send deltas only */

1702
	rc = ldap_modify_ext_s(HDB2LDAP(db), dn, mods, NULL, NULL );

1703
	errfn = "ldap_modify_ext_s";

1704
    }

1705


1706
    if (check_ldap(context, db, rc)) {

1707
	char *ld_error = NULL;

1708
	ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,

1709
			&ld_error);

1710
	ret = HDB_ERR_CANT_LOCK_DB;

1711
	krb5_set_error_message(context, ret, "%s: %s (DN=%s) %s: %s",

1712
			      errfn, name, dn, ldap_err2string(rc), ld_error);

1713
    } else

1714
	ret = 0;

1715


1716
  out:

1717
    /* free stuff */

1718
    if (dn)

1719
	free(dn);

1720
    if (msg)

1721
	ldap_msgfree(msg);

1722
    if (mods)

1723
	ldap_mods_free(mods, 1);

1724
    if (name)

1725
	free(name);

1726


1727
    return ret;

1728
}

1729


1730
static krb5_error_code

1731
LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)

1732
{

1733
    krb5_error_code ret;

1734
    LDAPMessage *msg, *e;

1735
    char *dn = NULL;

1736
    int rc, limit = LDAP_NO_LIMIT;

1737


1738
    ret = LDAP_principal2message(context, db, principal, &msg);

1739
    if (ret)

1740
	goto out;

1741


1742
    e = ldap_first_entry(HDB2LDAP(db), msg);

1743
    if (e == NULL) {

1744
	ret = HDB_ERR_NOENTRY;

1745
	goto out;

1746
    }

1747


1748
    dn = ldap_get_dn(HDB2LDAP(db), e);

1749
    if (dn == NULL) {

1750
	ret = HDB_ERR_NOENTRY;

1751
	goto out;

1752
    }

1753


1754
    rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);

1755
    if (rc != LDAP_SUCCESS) {

1756
	ret = HDB_ERR_BADVERSION;

1757
	krb5_set_error_message(context, ret, "ldap_set_option: %s",

1758
			      ldap_err2string(rc));

1759
	goto out;

1760
    }

1761


1762
    rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL );

1763
    if (check_ldap(context, db, rc)) {

1764
	ret = HDB_ERR_CANT_LOCK_DB;

1765
	krb5_set_error_message(context, ret, "ldap_delete_ext_s: %s",

1766
			       ldap_err2string(rc));

1767
    } else

1768
	ret = 0;

1769


1770
  out:

1771
    if (dn != NULL)

1772
	free(dn);

1773
    if (msg != NULL)

1774
	ldap_msgfree(msg);

1775


1776
    return ret;

1777
}

1778


1779
static krb5_error_code

1780
LDAP_destroy(krb5_context context, HDB * db)

1781
{

1782
    krb5_error_code ret;

1783


1784
    LDAP_close(context, db);

1785


1786
    ret = hdb_clear_master_key(context, db);

1787
    if (HDB2BASE(db))

1788
	free(HDB2BASE(db));

1789
    if (HDB2CREATE(db))

1790
	free(HDB2CREATE(db));

1791
    if (HDB2URL(db))

1792
	free(HDB2URL(db));

1793
    if (db->hdb_name)

1794
	free(db->hdb_name);

1795
    free(db->hdb_db);

1796
    free(db);

1797


1798
    return ret;

1799
}

1800


1801
static krb5_error_code

1802
hdb_ldap_common(krb5_context context,

1803
		HDB ** db,

1804
		const char *search_base,

1805
		const char *url)

1806
{

1807
    struct hdbldapdb *h;

1808
    const char *create_base = NULL;

1809


1810
    if (search_base == NULL && search_base[0] == '\0') {

1811
	krb5_set_error_message(context, ENOMEM, "ldap search base not configured");

1812
	return ENOMEM; /* XXX */

1813
    }

1814


1815
    if (structural_object == NULL) {

1816
	const char *p;

1817


1818
	p = krb5_config_get_string(context, NULL, "kdc",

1819
				   "hdb-ldap-structural-object", NULL);

1820
	if (p == NULL)

1821
	    p = default_structural_object;

1822
	structural_object = strdup(p);

1823
	if (structural_object == NULL) {

1824
	    krb5_set_error_message(context, ENOMEM, "malloc: out of memory");

1825
	    return ENOMEM;

1826
	}

1827
    }

1828


1829
    samba_forwardable =

1830
	krb5_config_get_bool_default(context, NULL, TRUE,

1831
				     "kdc", "hdb-samba-forwardable", NULL);

1832


1833
    *db = calloc(1, sizeof(**db));

1834
    if (*db == NULL) {

1835
	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");

1836
	return ENOMEM;

1837
    }

1838
    memset(*db, 0, sizeof(**db));

1839


1840
    h = calloc(1, sizeof(*h));

1841
    if (h == NULL) {

1842
	free(*db);

1843
	*db = NULL;

1844
	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");

1845
	return ENOMEM;

1846
    }

1847
    (*db)->hdb_db = h;

1848


1849
    /* XXX */

1850
    if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {

1851
	LDAP_destroy(context, *db);

1852
	*db = NULL;

1853
	krb5_set_error_message(context, ENOMEM, "strdup: out of memory");

1854
	return ENOMEM;

1855
    }

1856


1857
    h->h_url = strdup(url);

1858
    h->h_base = strdup(search_base);

1859
    if (h->h_url == NULL || h->h_base == NULL) {

1860
	LDAP_destroy(context, *db);

1861
	*db = NULL;

1862
	krb5_set_error_message(context, ENOMEM, "strdup: out of memory");

1863
	return ENOMEM;

1864
    }

1865


1866
    create_base = krb5_config_get_string(context, NULL, "kdc",

1867
					 "hdb-ldap-create-base", NULL);

1868
    if (create_base == NULL)

1869
	create_base = h->h_base;

1870


1871
    h->h_createbase = strdup(create_base);

1872
    if (h->h_createbase == NULL) {

1873
	LDAP_destroy(context, *db);

1874
	*db = NULL;

1875
	krb5_set_error_message(context, ENOMEM, "strdup: out of memory");

1876
	return ENOMEM;

1877
    }

1878


1879
    (*db)->hdb_master_key_set = 0;

1880
    (*db)->hdb_openp = 0;

1881
    (*db)->hdb_capability_flags = 0;

1882
    (*db)->hdb_open = LDAP_open;

1883
    (*db)->hdb_close = LDAP_close;

1884
    (*db)->hdb_fetch_kvno = LDAP_fetch_kvno;

1885
    (*db)->hdb_store = LDAP_store;

1886
    (*db)->hdb_remove = LDAP_remove;

1887
    (*db)->hdb_firstkey = LDAP_firstkey;

1888
    (*db)->hdb_nextkey = LDAP_nextkey;

1889
    (*db)->hdb_lock = LDAP_lock;

1890
    (*db)->hdb_unlock = LDAP_unlock;

1891
    (*db)->hdb_rename = NULL;

1892
    (*db)->hdb__get = NULL;

1893
    (*db)->hdb__put = NULL;

1894
    (*db)->hdb__del = NULL;

1895
    (*db)->hdb_destroy = LDAP_destroy;

1896


1897
    return 0;

1898
}

1899


1900
krb5_error_code

1901
hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)

1902
{

1903
    return hdb_ldap_common(context, db, arg, "ldapi:///");

1904
}

1905


1906
krb5_error_code

1907
hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)

1908
{

1909
    krb5_error_code ret;

1910
    char *search_base, *p;

1911


1912
    asprintf(&p, "ldapi:%s", arg);

1913
    if (p == NULL) {

1914
	*db = NULL;

1915
	krb5_set_error_message(context, ENOMEM, "out of memory");

1916
	return ENOMEM;

1917
    }

1918
    search_base = strchr(p + strlen("ldapi://"), ':');

1919
    if (search_base == NULL) {

1920
	*db = NULL;

1921
	krb5_set_error_message(context, HDB_ERR_BADVERSION,

1922
			       "search base missing");

1923
	return HDB_ERR_BADVERSION;

1924
    }

1925
    *search_base = '\0';

1926
    search_base++;

1927


1928
    ret = hdb_ldap_common(context, db, search_base, p);

1929
    free(p);

1930
    return ret;

1931
}

1932


1933
#ifdef OPENLDAP_MODULE

1934


1935
struct hdb_so_method hdb_ldap_interface = {

1936
    HDB_INTERFACE_VERSION,

1937
    "ldap",

1938
    hdb_ldap_create

1939
};

1940


1941
struct hdb_so_method hdb_ldapi_interface = {

1942
    HDB_INTERFACE_VERSION,

1943
    "ldapi",

1944
    hdb_ldapi_create

1945
};

1946


1947
#endif

1948


1949
#endif				/* OPENLDAP */

1950


1951