ANAME_DB re-enable with patch.
Roland C. Dowdeswell
elric at imrryr.org
Wed Sep 1 16:44:03 EDT 2010
As an addition to my prior proposal of allowing .k5login to be
disabled, I'd also like to see a more centralised way of
managing krb5_aname_to_lname() which is based on a strict lookup
table rather than a set of regular expressions. Performing
conversions on principals using simple regular expressions does
not allow you to properly specify policy for any but the simplest
environments. What you want is a defined mapping that can be simply
and programmatically maintained.
I found ANAME_DB in the code but it appears to have been disabled,
so I revived it along with converting it to use the BDB code which
is already in the Kerberos libs rather than DBM.
The way to think of this is as a central .k5login for all users
which can be centrally managed and is stored in a relatively
efficient format.
Here is the patch:
Index: Makefile.in
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/krb5/Makefile.in,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 Makefile.in
--- Makefile.in 26 Sep 2006 20:30:18 -0000 1.1.1.3
+++ Makefile.in 1 Sep 2010 18:53:08 -0000
@@ -23,8 +23,16 @@
LIBINITFUNC=profile_library_initializer krb5int_lib_init
LIBFINIFUNC=profile_library_finalizer krb5int_lib_fini
+DBDIR = $(BUILDTOP)/util/db2
+DBOBJLISTS = $(DBOBJLISTS- at DB_VERSION@)
+DBOBJLISTS-sys =
+DBOBJLISTS-k5 = $(DBDIR)/hash/OBJS.ST $(DBDIR)/btree/OBJS.ST \
+ $(DBDIR)/db/OBJS.ST $(DBDIR)/mpool/OBJS.ST $(DBDIR)/recno/OBJS.ST \
+ $(DBDIR)/clib/OBJS.ST
+
STOBJLISTS= \
OBJS.ST \
+ $(DBOBJLISTS) \
error_tables/OBJS.ST \
asn.1/OBJS.ST \
ccache/OBJS.ST \
Index: os/an_to_ln.c
===================================================================
RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/krb5/os/an_to_ln.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 an_to_ln.c
--- os/an_to_ln.c 28 Mar 2005 21:43:37 -0000 1.1.1.1
+++ os/an_to_ln.c 1 Sep 2010 18:17:15 -0000
@@ -32,6 +32,7 @@
* database lookup (moved from configure script)
*/
#define AN_TO_LN_RULES
+#define ANAME_DB
#include "k5-int.h"
#include <ctype.h>
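Review bot: `#define ANAME_DB` is now hard-coded in the source rather than selected by configure, which the comment directly above it ("moved from configure script") suggests is where the switch was meant to live; every build will now compile the db.h-based lookup path. Combined with the Makefile.in hunk, where `DBOBJLISTS-sys =` is empty, the system-db configuration presumably relies on the system db.h supplying the 1.85-style `dbopen` API, which is worth confirming. Consider making the define configure-driven again, or at least extend the comment above it to state that ANAME_DB requires the db2 library (or a compatible system db.h) to be linked in.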
@@ -51,14 +52,6 @@
#ifndef min
#define min(a,b) ((a>b) ? b : a)
#endif /* min */
-#ifdef ANAME_DB
-/*
- * Use standard DBM code.
- */
-#define KDBM_OPEN(db, fl, mo) dbm_open(db, fl, mo)
-#define KDBM_CLOSE(db) dbm_close(db)
-#define KDBM_FETCH(db, key) dbm_fetch(db, key)
-#endif /*ANAME_DB*/
/*
* Find the portion of the flattened principal name that we use for mapping.
@@ -86,12 +79,13 @@
}
#ifdef ANAME_DB
+
+#include <db.h>
+
/*
- * Implementation: This version uses a DBM database, indexed by aname,
- * to generate a lname.
- *
- * The entries in the database are normal C strings, and include the trailing
- * null in the DBM datum.size.
+ * Implementation: This version uses the same format of BDB that the KDC
+ * uses. The database is a simple hash of Kerberos princs
+ * to local names.
*/
static krb5_error_code
db_an_to_ln(context, dbname, aname, lnsize, lname)
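Review bot: The rewritten comment drops the one thing the old one documented, namely the on-disk record format, and anyone writing the tool that populates this database needs it. Based on the lookup code in the following hunk, the key is the unparsed principal name without its trailing NUL and the value is the local name bytes without a trailing NUL; the comment should say so, e.g. `Keys are krb5_unparse_name() output without the trailing NUL; values are the local name without a trailing NUL.` db_an_to_ln's parameter declarations continue outside the hunk.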
@@ -102,40 +96,45 @@
char *lname;
{
#if !defined(_WIN32)
- DBM *db;
- krb5_error_code retval;
- datum key, contents;
+ DB *db;
+ DBT key;
+ DBT val;
+ krb5_error_code retval = KRB5_LNAME_NOTRANS;
+ int ret;
char *princ_name;
if ((retval = krb5_unparse_name(context, aname, &princ_name)))
return(retval);
- key.dptr = princ_name;
- key.dsize = strlen(princ_name)+1; /* need to store the NULL for
- decoding */
- db = KDBM_OPEN(dbname, O_RDONLY, 0600);
+ db = dbopen(dbname, O_RDONLY, 0, DB_HASH, NULL);
if (!db) {
krb5_xfree(princ_name);
return KRB5_LNAME_CANTOPEN;
}
- contents = KDBM_FETCH(db, key);
+ key.data = princ_name;
+ key.size = strlen(princ_name);
+ ret = db->get(db, &key, &val, 0);
krb5_xfree(princ_name);
- if (contents.dptr == NULL) {
- retval = KRB5_LNAME_NOTRANS;
- } else {
- strncpy(lname, contents.dptr, lnsize);
- if (lnsize < contents.dsize)
- retval = KRB5_CONFIG_NOTENUFSPACE;
- else if (lname[contents.dsize-1] != '\0')
- retval = KRB5_LNAME_BADFORMAT;
- else
+ switch (ret) {
+ case 0:
+ if (val.size < lnsize) {
+ strncpy(lname, val.data, val.size);
+ lname[val.size] = '\0';
retval = 0;
+ } else {
+ retval = KRB5_CONFIG_NOTENUFSPACE;
+ }
+ break;
+ case 1:
+ default:
+ break;
}
+
/* can't close until we copy the contents. */
- (void) KDBM_CLOSE(db);
+ (void) db->close(db);
return retval;
#else /* !_WIN32 && !MACINTOSH */
/*
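Review bot: A principal that is absent from the database (`db->get` returning 1) or a failed lookup (a negative return) is reported as success, because the `retval = KRB5_LNAME_NOTRANS` initializer is overwritten by `retval = krb5_unparse_name(...)`, which is 0 on every path that reaches the switch, so the caller gets 0 with `lname` untouched. Set the result explicitly in the switch: `case 1: retval = KRB5_LNAME_NOTRANS; break;` and `default: retval = KRB5_LNAME_NOTRANS; break;` (a distinct error for the negative case would be better still), and drop the now-dead initializer. The `case 0` branch also no longer rejects a value containing an embedded NUL the way the removed KRB5_LNAME_BADFORMAT check did; whether that matters depends on the unseen tool that writes the database. db_an_to_ln's signature and the `#else` branch lie outside this hunk.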
@@ -259,6 +258,7 @@
endp = startp;
}
*contextp = endp;
+fprintf(stderr, "match = %d\n", kret);
return(kret);
}
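Review bot: The added `fprintf(stderr, "match = %d\n", kret);` is unconditional debug output inside library code, so every application linking libkrb5 would print it on each rule evaluation; it looks like a leftover from development and should be removed before merging (no debug conditional is visible in this file to wrap it in). The enclosing function starts outside the hunk.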
--
Roland Dowdeswell http://Imrryr.ORG/~elric/