krb5 commit: Simplify LDAP KDB module container DN handling

Greg Hudson ghudson at MIT.EDU
Thu Dec 20 11:35:54 EST 2012


https://github.com/krb5/krb5/commit/f0a14b5be4954559e1174e268bbfe097c1ab873c
commit f0a14b5be4954559e1174e268bbfe097c1ab873c
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Nov 18 13:59:48 2012 -0500

    Simplify LDAP KDB module container DN handling
    
    Outside of krb5_ldap_read_krbcontainer_params and
    krb5_ldap_create_krbcontainer, no fields of
    krb5_ldap_krbcontainer_params were used except for the DN.  There was
    code to create a krbTicketPolicyReference attribute (which would fail
    because the schema doesn't allow that attribute, and was never
    exercised because kdb5_ldap_util would never set the parameter) and to
    read fields like max ticket life from the referenced ticket policy,
    but those fields were never used.
    
    Eliminate the structure and just store the container DN in
    krb5_ldap_context.  Continue creating the container object when
    creating a realm (by calling krb5_ldap_create_krbcontainer
    unconditionally; it now exits successfully if the container already
    exists), but don't ever read it.

 src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c  |    6 +-
 src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c   |  106 ++++++-------------
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c        |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h        |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c   |    4 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c     |   49 ++--------
 .../kdb/ldap/libkdb_ldap/ldap_krbcontainer.c       |   99 ++----------------
 .../kdb/ldap/libkdb_ldap/ldap_krbcontainer.h       |   21 +----
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |    2 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c      |   83 ++++-----------
 .../kdb/ldap/libkdb_ldap/libkdb_ldap.exports       |    3 +-
 11 files changed, 87 insertions(+), 290 deletions(-)

diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c
index 73b0d2f..6ec711f 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c
@@ -63,9 +63,9 @@ init_ldap_realm(int argc, char *argv[])
         goto cleanup;
     }
 
-    if (ldap_context->krbcontainer == NULL) {
-        retval = krb5_ldap_read_krbcontainer_params (util_context,
-                                                     &(ldap_context->krbcontainer));
+    if (ldap_context->container_dn == NULL) {
+        retval = krb5_ldap_read_krbcontainer_dn(util_context,
+                                                &ldap_context->container_dn);
         if (retval != 0) {
             com_err(progname, retval,
                     _("while reading kerberos container information"));
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index a479c6e..1050fcd 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -467,70 +467,35 @@ kdb5_ldap_create(int argc, char *argv[])
     }
 
     /* read the kerberos container */
-    if ((retval=krb5_ldap_read_krbcontainer_params (util_context,
-                                                    &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
+    retval = krb5_ldap_read_krbcontainer_dn(util_context,
+                                            &ldap_context->container_dn);
+    if (retval) {
         /* Prompt the user for entering the DN of Kerberos container */
         char krb_location[MAX_KRB_CONTAINER_LEN];
-        krb5_ldap_krbcontainer_params kparams;
         int krb_location_len = 0;
-        memset(&kparams, 0, sizeof(kparams));
-
-        /* Read the kerberos container location from configuration file */
-        if (ldap_context->conf_section) {
-            if ((retval=profile_get_string(util_context->profile,
-                                           KDB_MODULE_SECTION, ldap_context->conf_section,
-                                           KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
-                                           &kparams.DN)) != 0) {
-                goto cleanup;
+
+        printf(_("Enter DN of Kerberos container: "));
+        if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
+            /* Remove the newline character at the end */
+            krb_location_len = strlen(krb_location);
+            if ((krb_location[krb_location_len - 1] == '\n') ||
+                (krb_location[krb_location_len - 1] == '\r')) {
+                krb_location[krb_location_len - 1] = '\0';
+                krb_location_len--;
             }
-        }
-        if (kparams.DN == NULL) {
-            if ((retval=profile_get_string(util_context->profile,
-                                           KDB_MODULE_DEF_SECTION,
-                                           KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
-                                           NULL, &kparams.DN)) != 0) {
+            ldap_context->container_dn = strdup(krb_location);
+            if (ldap_context->container_dn == NULL) {
+                retval = ENOMEM;
                 goto cleanup;
             }
         }
+    }
 
-        printf(_("\nKerberos container is missing. Creating now...\n"));
-        if (kparams.DN == NULL) {
-            printf(_("Enter DN of Kerberos container: "));
-            if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
-                /* Remove the newline character at the end */
-                krb_location_len = strlen(krb_location);
-                if ((krb_location[krb_location_len - 1] == '\n') ||
-                    (krb_location[krb_location_len - 1] == '\r')) {
-                    krb_location[krb_location_len - 1] = '\0';
-                    krb_location_len--;
-                }
-                /* If the user has not given any input, take the default location */
-                else if (krb_location[0] == '\0')
-                    kparams.DN = NULL;
-                else
-                    kparams.DN = krb_location;
-            } else
-                kparams.DN = NULL;
-        }
-
-        /* create the kerberos container */
-        retval = krb5_ldap_create_krbcontainer(util_context,
-                                               ((kparams.DN != NULL) ? &kparams : NULL));
-        if (retval)
-            goto cleanup;
-
-        retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                    &(ldap_context->krbcontainer));
-        if (retval) {
-            com_err(progname, retval,
-                    _("while reading kerberos container information"));
-            goto cleanup;
-        }
-    } else if (retval) {
-        com_err(progname, retval,
-                _("while reading kerberos container information"));
+    /* create the kerberos container if it doesn't exist */
+    retval = krb5_ldap_create_krbcontainer(util_context,
+                                           ldap_context->container_dn);
+    if (retval)
         goto cleanup;
-    }
 
     if ((retval = krb5_ldap_create_realm(util_context,
                                          /* global_params.realm, */ rparams, mask))) {
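Review bot: The prompt path no longer rejects an empty answer: a bare newline leaves `krb_location` as "" after the strip, and `strdup("")` is then stored as the container DN and handed to krb5_ldap_create_krbcontainer, whereas the removed code treated empty input as "no DN given" (`kparams.DN = NULL`). The index `krb_location[krb_location_len - 1]` is also evaluated without checking that strlen returned non-zero, which fgets can yield when the line begins with a NUL byte. A guard after the strip, `if (krb_location_len == 0) { retval = EINVAL; goto cleanup; }`, covers both cases. Note as well that the prompt is now reached for every non-zero return from krb5_ldap_read_krbcontainer_dn, not only the "location not specified" case, so a malformed krb5.conf is masked and its error code overwritten by the later calls. kdb5_ldap_create's body starts and ends outside the hunk.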
@@ -812,8 +777,9 @@ kdb5_ldap_modify(int argc, char *argv[])
         goto cleanup;
     }
 
-    if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                     &(ldap_context->krbcontainer)))) {
+    retval = krb5_ldap_read_krbcontainer_dn(util_context,
+                                            &ldap_context->container_dn);
+    if (retval) {
         com_err(progname, retval,
                 _("while reading Kerberos container information"));
         goto err_nomsg;
@@ -965,8 +931,9 @@ kdb5_ldap_view(int argc, char *argv[])
     }
 
     /* Read the kerberos container information */
-    if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                     &(ldap_context->krbcontainer))) != 0) {
+    retval = krb5_ldap_read_krbcontainer_dn(util_context,
+                                            &ldap_context->container_dn);
+    if (retval) {
         com_err(progname, retval,
                 _("while reading kerberos container information"));
         exit_status++;
@@ -1165,8 +1132,9 @@ kdb5_ldap_list(int argc, char *argv[])
     }
 
     /* Read the kerberos container information */
-    if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                     &(ldap_context->krbcontainer))) != 0) {
+    retval = krb5_ldap_read_krbcontainer_dn(util_context,
+                                            &ldap_context->container_dn);
+    if (retval) {
         com_err(progname, retval,
                 _("while reading kerberos container information"));
         exit_status++;
@@ -1175,24 +1143,17 @@ kdb5_ldap_list(int argc, char *argv[])
 
     retval = krb5_ldap_list_realm(util_context, &list);
     if (retval != 0) {
-        krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
-        ldap_context->krbcontainer = NULL;
         com_err(progname, retval, _("while listing realms"));
         exit_status++;
         return;
     }
     /* This is to handle the case of realm not present */
-    if (list == NULL) {
-        krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
-        ldap_context->krbcontainer = NULL;
+    if (list == NULL)
         return;
-    }
 
     for (plist = list; *plist != NULL; plist++) {
         printf("%s\n", *plist);
     }
-    krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
-    ldap_context->krbcontainer = NULL;
     krb5_free_list_entries(list);
     free(list);
 
@@ -1589,9 +1550,10 @@ kdb5_ldap_destroy(int argc, char *argv[])
         return;
     }
 
-    /* Read the kerberos container from the LDAP Server */
-    if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
-                                                     &(ldap_context->krbcontainer))) != 0) {
+    /* Read the kerberos container DN */
+    retval = krb5_ldap_read_krbcontainer_dn(util_context,
+                                            &ldap_context->container_dn);
+    if (retval) {
         com_err(progname, retval,
                 _("while reading kerberos container information"));
         exit_status++;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index b52d088..a29b332 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -113,7 +113,7 @@ krb5_ldap_read_startup_information(krb5_context context)
     int                  mask = 0;
 
     SETUP_CONTEXT();
-    if ((retval=krb5_ldap_read_krbcontainer_params(context, &(ldap_context->krbcontainer)))) {
+    if ((retval=krb5_ldap_read_krbcontainer_dn(context, &(ldap_context->container_dn)))) {
         prepend_err_str(context, _("Unable to read Kerberos container"),
                         retval, retval);
         goto cleanup;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index b406007..30d3a4a 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -212,7 +212,7 @@ typedef struct _krb5_ldap_context {
     krb5_ldap_certificates        **certificates;
     krb5_ui_4                     cert_count; /* certificate count */
     k5_mutex_t                    hndl_lock;
-    krb5_ldap_krbcontainer_params *krbcontainer;
+    char                          *container_dn;
     krb5_ldap_realm_params        *lrparams;
     krb5_boolean                  disable_last_success;
     krb5_boolean                  disable_lockout;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 5896724..cd4b4ca 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -334,8 +334,8 @@ krb5_ldap_free_ldap_context(krb5_ldap_context *ldap_context)
     if (ldap_context == NULL)
         return 0;
 
-    krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
-    ldap_context->krbcontainer = NULL;
+    free(ldap_context->container_dn);
+    ldap_context->container_dn = NULL;
 
     krb5_ldap_free_realm_params(ldap_context->lrparams);
     ldap_context->lrparams = NULL;
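Review bot: `container_dn` is now released with `free`, but the string can originate either from profile_get_string (in krb5_ldap_read_krbcontainer_dn) or from strdup (in kdb5_ldap_util's prompt path); the former's documented release call is profile_release_string, so this relies on the profile library handing out malloc'd memory. That holds in this tree as far as I can tell, but a one-line comment would record the assumption: `/* container_dn comes from profile_get_string or strdup; both are malloc'd. */`. krb5_ldap_free_ldap_context's body continues outside the hunk.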
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
index 1dc4afc..86282ea 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
@@ -59,7 +59,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
     krb5_ldap_context *ldap_context=NULL;
     krb5_boolean realm_obj_created = FALSE;
     krb5_boolean krbcontainer_obj_created = FALSE;
-    krb5_ldap_krbcontainer_params kparams = {0};
     int srv_cnt = 0;
     int mask = 0;
 
@@ -218,43 +217,15 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
     }
 
     /* read the kerberos container */
-    if ((status = krb5_ldap_read_krbcontainer_params(context,
-                                                     &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
-
-        /* Read the kerberos container location from configuration file */
-        if (ldap_context->conf_section) {
-            if ((status = profile_get_string(context->profile,
-                                             KDB_MODULE_SECTION, ldap_context->conf_section,
-                                             KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
-                                             &kparams.DN)) != 0) {
-                goto cleanup;
-            }
-        }
-        if (kparams.DN == NULL) {
-            if ((status = profile_get_string(context->profile,
-                                             KDB_MODULE_DEF_SECTION,
-                                             KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
-                                             NULL, &kparams.DN)) != 0) {
-                goto cleanup;
-            }
-        }
-
-        /* create the kerberos container */
-        status = krb5_ldap_create_krbcontainer(context,
-                                               ((kparams.DN != NULL) ? &kparams : NULL));
-        if (status)
-            goto cleanup;
-
-        krbcontainer_obj_created = TRUE;
-
-        status = krb5_ldap_read_krbcontainer_params(context,
-                                                    &(ldap_context->krbcontainer));
-        if (status)
-            goto cleanup;
+    status = krb5_ldap_read_krbcontainer_dn(context,
+                                            &ldap_context->container_dn);
+    if (status)
+        goto cleanup;
 
-    } else if (status) {
+    status = krb5_ldap_create_krbcontainer(context,
+                                           ldap_context->container_dn);
+    if (status)
         goto cleanup;
-    }
 
     rparams = (krb5_ldap_realm_params *) malloc(sizeof(krb5_ldap_realm_params));
     if (rparams == NULL) {
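Review bot: With the `krbcontainer_obj_created = TRUE;` assignment removed in this hunk, nothing in krb5_ldap_create sets the flag any more, so the rollback guarded by `if ((krbcontainer_obj_created) && (!realm_obj_created))` in the cleanup hunk below is dead code and the variable declared in the first hunk is only ever FALSE. Leaving it unset is arguably the safe choice now that krb5_ldap_create_krbcontainer returns success for a pre-existing container — a rollback here would delete an object this call did not create — but then the flag and the rollback block should go rather than remain looking functional. If the rollback is meant to stay, krb5_ldap_create_krbcontainer would need to report whether it created or merely found the object. krb5_ldap_create's body starts and ends outside the hunk.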
@@ -287,16 +258,12 @@ cleanup:
     if ((krbcontainer_obj_created) && (!realm_obj_created)) {
         int rc;
         rc = krb5_ldap_delete_krbcontainer(context,
-                                           ((kparams.DN != NULL) ? &kparams : NULL));
+                                           ldap_context->container_dn);
         krb5_set_error_message(context, rc,
                                _("could not complete roll-back, error "
                                  "deleting Kerberos Container"));
     }
 
-    /* should call krb5_ldap_free_krbcontainer_params() but can't */
-    if (kparams.DN != NULL)
-        krb5_xfree(kparams.DN);
-
     if (rparams)
         krb5_ldap_free_realm_params(rparams);
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
index fabe633..e3b42f5 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
@@ -32,67 +32,29 @@
 #include "kdb_ldap.h"
 #include "ldap_err.h"
 
-char    *policyrefattribute[] = {"krbTicketPolicyReference",NULL};
-char    *krbcontainerrefattr[] = {"krbContainerReference", NULL};
-
 /*
- *  Free the krb5_ldap_krbcontainer_params
- */
-
-void
-krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *cparams)
-{
-    if (cparams == NULL)
-        return;
-
-    if (cparams->policyreference)
-        krb5_xfree(cparams->policyreference);
-
-    if (cparams->parent)
-        krb5_xfree(cparams->parent);
-
-    if (cparams->DN)
-        krb5_xfree(cparams->DN);
-
-    krb5_xfree(cparams);
-
-    return;
-}
-
-/*
- * Read the kerberos container. Kerberos container dn is read from the krb5.conf file.
- * In case of eDirectory, if the dn is not present in the conf file, refer Security Container
- * to fetch the dn information.
- *
- * Reading kerberos container includes reading the policyreference attribute and the policy
- * object to read the attributes associated with it.
+ * Read the kerberos container location from krb5.conf.
  */
 
 krb5_error_code
-krb5_ldap_read_krbcontainer_params(krb5_context context,
-                                   krb5_ldap_krbcontainer_params **cparamp)
-
+krb5_ldap_read_krbcontainer_dn(krb5_context context, char **container_dn)
 {
-    krb5_error_code                 st=0, tempst=0;
+    krb5_error_code                 st=0;
     LDAP                            *ld=NULL;
-    LDAPMessage                     *result=NULL, *ent=NULL;
-    krb5_ldap_krbcontainer_params   *cparams=NULL;
+    char                            *dn=NULL;
     kdb5_dal_handle                 *dal_handle=NULL;
     krb5_ldap_context               *ldap_context=NULL;
     krb5_ldap_server_handle         *ldap_server_handle=NULL;
 
+    *container_dn = NULL;
     SETUP_CONTEXT();
     GET_HANDLE();
 
-    cparams =(krb5_ldap_krbcontainer_params *) malloc(sizeof(krb5_ldap_krbcontainer_params));
-    CHECK_NULL(cparams);
-    memset(cparams, 0, sizeof(krb5_ldap_krbcontainer_params));
-
     /* read kerberos containter location from [dbmodules] section of krb5.conf file */
     if (ldap_context->conf_section) {
         if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section,
                                    KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
-                                   &cparams->DN)) != 0) {
+                                   &dn)) != 0) {
             krb5_set_error_message(context, st,
                                    _("Error reading kerberos container "
                                      "location from krb5.conf"));
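Review bot: krb5_ldap_read_krbcontainer_dn still executes `GET_HANDLE();` and hands the handle back via `krb5_ldap_put_handle_to_pool` in the third hunk of this file, yet after this change the function performs no directory operation at all — it only reads krb5.conf through profile_get_string. Reading a configuration value therefore depends on an LDAP connection being available, and every caller in kdb5_ldap_util inherits that dependency. Dropping `GET_HANDLE();`, the put_handle call, and the locals GET_HANDLE populates (`ld`, `ldap_server_handle`) would make this a pure config read, and the new header comment could then say `/* Read the Kerberos container DN from krb5.conf; no directory access. */`. The function's body continues past this hunk.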
@@ -101,10 +63,10 @@ krb5_ldap_read_krbcontainer_params(krb5_context context,
     }
 
     /* read kerberos containter location from [dbdefaults] section of krb5.conf file */
-    if (cparams->DN == NULL) {
+    if (dn == NULL) {
         if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
                                    KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
-                                   NULL, &cparams->DN)) != 0) {
+                                   NULL, &dn)) != 0) {
             krb5_set_error_message(context, st,
                                    _("Error reading kerberos container "
                                      "location from krb5.conf"));
@@ -112,57 +74,16 @@ krb5_ldap_read_krbcontainer_params(krb5_context context,
         }
     }
 
-    if (cparams->DN == NULL) {
+    if (dn == NULL) {
         st = KRB5_KDB_SERVER_INTERNAL_ERR;
         krb5_set_error_message(context, st,
                                _("Kerberos container location not specified"));
         goto cleanup;
     }
 
-    /* NOTE: krbmaxtktlife, krbmaxrenewableage ... present on Kerberos Container is
-     * not read
-     */
-    LDAP_SEARCH_1(cparams->DN, LDAP_SCOPE_BASE, "(objectclass=krbContainer)", policyrefattribute, IGNORE_STATUS);
-    if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_OBJECT) {
-        st = set_ldap_error(context, st, OP_SEARCH);
-        goto cleanup;
-    }
-
-    if (st == LDAP_NO_SUCH_OBJECT) {
-        st = KRB5_KDB_NOENTRY;
-        goto cleanup;
-    }
-
-    if ((ent = ldap_first_entry(ld, result))) {
-        if ((st=krb5_ldap_get_string(ld, ent, "krbticketpolicyreference",
-                                     &(cparams->policyreference), NULL)) != 0)
-            goto cleanup;
-    }
-    ldap_msgfree(result);
-
-    if (cparams->policyreference != NULL) {
-        LDAP_SEARCH_1(cparams->policyreference, LDAP_SCOPE_BASE, NULL, policy_attributes, IGNORE_STATUS);
-        if (st != LDAP_SUCCESS && st!= LDAP_NO_SUCH_OBJECT) {
-            st = set_ldap_error(context, st, OP_SEARCH);
-            goto cleanup;
-        }
-        st = LDAP_SUCCESS; /* reset the return status in case it is LDAP_NO_SUCH_OBJECT */
-
-        ent=ldap_first_entry(ld, result);
-        if (ent != NULL) {
-            krb5_ldap_get_value(ld, ent, "krbmaxtktlife", &(cparams->max_life));
-            krb5_ldap_get_value(ld, ent, "krbmaxrenewableage", &(cparams->max_renewable_life));
-            krb5_ldap_get_value(ld, ent, "krbticketflags", &(cparams->tktflags));
-        }
-        ldap_msgfree(result);
-    }
-    *cparamp=cparams;
+    *container_dn = dn;
 
 cleanup:
-    if (st != 0) {
-        krb5_ldap_free_krbcontainer_params(cparams);
-        *cparamp=NULL;
-    }
     krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
     return st;
 }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h
index f1feb22..549f8ce 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.h
@@ -35,28 +35,13 @@
 
 /* kerberos container structure */
 
-typedef struct _krb5_ldap_krbcontainer_params {
-    char            *parent;
-    char            *DN;
-    char            *policyreference;
-    krb5_int32      max_life;
-    krb5_int32      max_renewable_life;
-    krb5_int32      tktflags;
-} krb5_ldap_krbcontainer_params;
-
-void
-krb5_ldap_free_krbcontainer_params(krb5_ldap_krbcontainer_params *);
-
 krb5_error_code
-krb5_ldap_read_krbcontainer_params(krb5_context,
-                                   krb5_ldap_krbcontainer_params **);
+krb5_ldap_read_krbcontainer_dn(krb5_context, char **);
 
 krb5_error_code
-krb5_ldap_create_krbcontainer(krb5_context,
-                              const krb5_ldap_krbcontainer_params *);
+krb5_ldap_create_krbcontainer(krb5_context, const char *);
 
 krb5_error_code
-krb5_ldap_delete_krbcontainer(krb5_context,
-                              const krb5_ldap_krbcontainer_params *);
+krb5_ldap_delete_krbcontainer(krb5_context, const char *);
 
 #endif
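Review bot: The new prototypes carry no ownership or behavior note, and the retained comment `/* kerberos container structure */` above them now describes a typedef this commit deletes. A short comment on each declaration would help callers: `/* Read the container DN from krb5.conf into *dn_out; the caller frees it with free(). */` for krb5_ldap_read_krbcontainer_dn, and `/* Create the krbContainer object at dn; returns success if it already exists. */` for krb5_ldap_create_krbcontainer, matching the implementation in ldap_realm.c.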
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 00fbce1..1e671c7 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -517,7 +517,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
     krb5_clear_error_message(context);
 
     SETUP_CONTEXT();
-    if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL)
+    if (ldap_context->lrparams == NULL || ldap_context->container_dn == NULL)
         return EINVAL;
 
     /* get ldap handle */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
index 7e0d456..35daf5f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
@@ -130,9 +130,9 @@ krb5_ldap_list_realm(krb5_context context, char ***realms)
     SETUP_CONTEXT ();
 
     /* get the kerberos container DN information */
-    if (ldap_context->krbcontainer == NULL) {
-        if ((st = krb5_ldap_read_krbcontainer_params(context,
-                                                     &(ldap_context->krbcontainer))) != 0)
+    if (ldap_context->container_dn == NULL) {
+        if ((st = krb5_ldap_read_krbcontainer_dn(context,
+                                                 &(ldap_context->container_dn))) != 0)
             goto cleanup;
     }
 
@@ -141,7 +141,7 @@ krb5_ldap_list_realm(krb5_context context, char ***realms)
 
     {
         char *cn[] = {"cn", NULL};
-        LDAP_SEARCH(ldap_context->krbcontainer->DN,
+        LDAP_SEARCH(ldap_context->container_dn,
                     LDAP_SCOPE_ONELEVEL,
                     "(objectclass=krbRealmContainer)",
                     cn);
@@ -359,7 +359,7 @@ krb5_ldap_modify_realm(krb5_context context, krb5_ldap_realm_params *rparams,
     SETUP_CONTEXT ();
 
     /* Check validity of arguments */
-    if (ldap_context->krbcontainer == NULL ||
+    if (ldap_context->container_dn == NULL ||
         rparams->tl_data == NULL ||
         rparams->tl_data->tl_data_contents == NULL ||
         ((mask & LDAP_REALM_SUBTREE) && rparams->subtree == NULL) ||
@@ -474,17 +474,14 @@ cleanup:
 
 
 /*
- * Create the Kerberos container in the Directory
+ * Create the Kerberos container in the Directory if it does not exist
  */
 
 krb5_error_code
-krb5_ldap_create_krbcontainer(krb5_context context,
-                              const
-                              krb5_ldap_krbcontainer_params *krbcontparams)
+krb5_ldap_create_krbcontainer(krb5_context context, const char *dn)
 {
     LDAP                        *ld=NULL;
-    char                        *strval[2]={NULL}, *kerberoscontdn=NULL, **rdns=NULL;
-    int                         pmask=0;
+    char                        *strval[2]={NULL}, **rdns=NULL;
     LDAPMod                     **mods = NULL;
     krb5_error_code             st=0;
     kdb5_dal_handle             *dal_handle=NULL;
@@ -496,9 +493,7 @@ krb5_ldap_create_krbcontainer(krb5_context context,
     /* get ldap handle */
     GET_HANDLE ();
 
-    if (krbcontparams != NULL && krbcontparams->DN != NULL) {
-        kerberoscontdn = krbcontparams->DN;
-    } else {
+    if (dn == NULL) {
         st = EINVAL;
         krb5_set_error_message(context, st,
                                _("Kerberos Container information is missing"));
@@ -510,7 +505,7 @@ krb5_ldap_create_krbcontainer(krb5_context context,
     if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
         goto cleanup;
 
-    rdns = ldap_explode_dn(kerberoscontdn, 1);
+    rdns = ldap_explode_dn(dn, 1);
     if (rdns == NULL) {
         st = EINVAL;
         krb5_set_error_message(context, st,
@@ -523,21 +518,11 @@ krb5_ldap_create_krbcontainer(krb5_context context,
     if ((st=krb5_add_str_mem_ldap_mod(&mods, "cn", LDAP_MOD_ADD, strval)) != 0)
         goto cleanup;
 
-    /* check if the policy reference value exists and is of krbticketpolicyreference object class */
-    if (krbcontparams && krbcontparams->policyreference) {
-        st = checkattributevalue(ld, krbcontparams->policyreference, "objectclass", policyclass,
-                                 &pmask);
-        CHECK_CLASS_VALIDITY(st, pmask, _("ticket policy object value: "));
-
-        strval[0] = krbcontparams->policyreference;
-        strval[1] = NULL;
-        if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_ADD,
-                                          strval)) != 0)
-            goto cleanup;
-    }
-
     /* create the kerberos container */
-    if ((st = ldap_add_ext_s(ld, kerberoscontdn, mods, NULL, NULL)) != LDAP_SUCCESS) {
+    st = ldap_add_ext_s(ld, dn, mods, NULL, NULL);
+    if (st == LDAP_ALREADY_EXISTS)
+        st = LDAP_SUCCESS;
+    if (st != LDAP_SUCCESS) {
         int ost = st;
         st = translate_ldap_error (st, OP_ADD);
         krb5_set_error_message(context, st,
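Review bot: Mapping `LDAP_ALREADY_EXISTS` to `LDAP_SUCCESS` accepts whatever entry already sits at `dn` without checking that it is a krbContainer — the `mods` built above are only applied on a fresh add — so a mistyped DN that names an unrelated existing object now passes silently and realms may be created beneath it. Callers also lose the created-vs-found distinction that the rollback in ldap_create.c's krb5_ldap_create depends on. If an objectclass check is not wanted here, the contract should at least be stated on the function: `/* An object already present at dn is accepted as the container; its objectclass is not verified. */`. krb5_ldap_create_krbcontainer's body continues outside the hunk.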
@@ -561,12 +546,9 @@ cleanup:
  */
 
 krb5_error_code
-krb5_ldap_delete_krbcontainer(krb5_context context,
-                              const
-                              krb5_ldap_krbcontainer_params *krbcontparams)
+krb5_ldap_delete_krbcontainer(krb5_context context, const char *dn)
 {
     LDAP                        *ld=NULL;
-    char                        *kerberoscontdn=NULL;
     krb5_error_code             st=0;
     kdb5_dal_handle             *dal_handle=NULL;
     krb5_ldap_context           *ldap_context=NULL;
@@ -577,9 +559,7 @@ krb5_ldap_delete_krbcontainer(krb5_context context,
     /* get ldap handle */
     GET_HANDLE ();
 
-    if (krbcontparams != NULL && krbcontparams->DN != NULL) {
-        kerberoscontdn = krbcontparams->DN;
-    } else {
+    if (dn == NULL) {
         st = EINVAL;
         krb5_set_error_message(context, st,
                                _("Kerberos Container information is missing"));
@@ -587,7 +567,7 @@ krb5_ldap_delete_krbcontainer(krb5_context context,
     }
 
     /* delete the kerberos container */
-    if ((st = ldap_delete_ext_s(ld, kerberoscontdn, NULL, NULL)) != LDAP_SUCCESS) {
+    if ((st = ldap_delete_ext_s(ld, dn, NULL, NULL)) != LDAP_SUCCESS) {
         int ost = st;
         st = translate_ldap_error (st, OP_ADD);
         krb5_set_error_message(context, st,
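Review bot: The line after the rewritten `ldap_delete_ext_s` call still translates the failure with `translate_ldap_error (st, OP_ADD)` although this is a delete, so if translate_ldap_error varies its text by operation, a failed container delete is reported as a failed add. This is pre-existing, but the commit rewrites the call whose result it classifies, so it is a natural moment to pass the delete operation code that translate_ldap_error defines, if any. krb5_ldap_delete_krbcontainer's body continues outside the hunk.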
@@ -626,8 +606,7 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
     SETUP_CONTEXT ();
 
     /* Check input validity ... */
-    if (ldap_context->krbcontainer == NULL ||
-        ldap_context->krbcontainer->DN == NULL ||
+    if (ldap_context->container_dn == NULL ||
         rparams == NULL ||
         rparams->realm_name == NULL ||
         ((mask & LDAP_REALM_SUBTREE) && rparams->subtree  == NULL) ||
@@ -638,19 +617,12 @@ krb5_ldap_create_realm(krb5_context context, krb5_ldap_realm_params *rparams,
         return st;
     }
 
-    if (ldap_context->krbcontainer == NULL) {
-        if ((st = krb5_ldap_read_krbcontainer_params(context,
-                                                     &(ldap_context->krbcontainer))) != 0)
-            goto cleanup;
-    }
-
     /* get ldap handle */
     GET_HANDLE ();
 
     realm_name = rparams->realm_name;
 
-    if (asprintf(&dn, "cn=%s,%s", realm_name,
-                 ldap_context->krbcontainer->DN) < 0)
+    if (asprintf(&dn, "cn=%s,%s", realm_name, ldap_context->container_dn) < 0)
         dn = NULL;
     CHECK_NULL(dn);
 
@@ -758,7 +730,7 @@ krb5_error_code
 krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
                             krb5_ldap_realm_params **rlparamp, int *mask)
 {
-    char                   **values=NULL, *krbcontDN=NULL /*, *curr=NULL */;
+    char                   **values=NULL;
     krb5_error_code        st=0, tempst=0;
     LDAP                   *ld=NULL;
     LDAPMessage            *result=NULL,*ent=NULL;
@@ -771,19 +743,11 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
     SETUP_CONTEXT ();
 
     /* validate the input parameter */
-    if (lrealm == NULL ||
-        ldap_context->krbcontainer == NULL ||
-        ldap_context->krbcontainer->DN == NULL) {
+    if (lrealm == NULL || ldap_context->container_dn == NULL) {
         st = EINVAL;
         goto cleanup;
     }
 
-    /* read kerberos container, if not read already */
-    if (ldap_context->krbcontainer == NULL) {
-        if ((st = krb5_ldap_read_krbcontainer_params(context,
-                                                     &(ldap_context->krbcontainer))) != 0)
-            goto cleanup;
-    }
     /* get ldap handle */
     GET_HANDLE ();
 
@@ -807,9 +771,8 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm,
     /* set default values */
     rlparams->search_scope = LDAP_SCOPE_SUBTREE;
 
-    krbcontDN = ldap_context->krbcontainer->DN;
-
-    if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm, krbcontDN) < 0) {
+    if (asprintf(&rlparams->realmdn, "cn=%s,%s", lrealm,
+                 ldap_context->container_dn) < 0) {
         rlparams->realmdn = NULL;
         st = ENOMEM;
         goto cleanup;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
index 1467f51..36bde5a 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
+++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
@@ -11,7 +11,7 @@ krb5_ldap_get_principal
 krb5_ldap_delete_principal
 krb5_ldap_free_principal
 krb5_ldap_iterate
-krb5_ldap_read_krbcontainer_params
+krb5_ldap_read_krbcontainer_dn
 krb5_ldap_list_realm
 krb5_ldap_read_realm_params
 krb5_ldap_free_realm_params
@@ -34,7 +34,6 @@ krb5_ldap_iterate_password_policy
 krb5_dbe_free_contents
 krb5_ldap_free_server_params
 krb5_ldap_free_server_context_params
-krb5_ldap_free_krbcontainer_params
 krb5_ldap_alloc
 krb5_ldap_free
 krb5_ldap_delete_realm_1

