1 /*
   2  * Copyright 2017 Gary Mills
   3  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
   4  * Use is subject to license terms.
   5  */
   6 
   7 /*
   8  * kadmin/ldap_util/kdb5_ldap_realm.c
   9  *
  10  * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology.
  11  * All Rights Reserved.
  12  *
  13  * Export of this software from the United States of America may
  14  *   require a specific license from the United States Government.
  15  *   It is the responsibility of any person or organization contemplating
  16  *   export to obtain such a license before exporting.
  17  *
  18  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  19  * distribute this software and its documentation for any purpose and
  20  * without fee is hereby granted, provided that the above copyright
  21  * notice appear in all copies and that both that copyright notice and
  22  * this permission notice appear in supporting documentation, and that
  23  * the name of M.I.T. not be used in advertising or publicity pertaining
  24  * to distribution of the software without specific, written prior
  25  * permission.  Furthermore if you modify this software you must label
  26  * your software as modified software and not distribute it in such a
  27  * fashion that it might be confused with the original M.I.T. software.
  28  * M.I.T. makes no representations about the suitability of
  29  * this software for any purpose.  It is provided "as is" without express
  30  * or implied warranty.
  31  */
  32 
  33 /*
  34  * Copyright (C) 1998 by the FundsXpress, INC.
  35  *
  36  * All rights reserved.
  37  *
  38  * Export of this software from the United States of America may require
  39  * a specific license from the United States Government.  It is the
  40  * responsibility of any person or organization contemplating export to
  41  * obtain such a license before exporting.
  42  *
  43  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  44  * distribute this software and its documentation for any purpose and
  45  * without fee is hereby granted, provided that the above copyright
  46  * notice appear in all copies and that both that copyright notice and
  47  * this permission notice appear in supporting documentation, and that
  48  * the name of FundsXpress. not be used in advertising or publicity pertaining
  49  * to distribution of the software without specific, written prior
  50  * permission.  FundsXpress makes no representations about the suitability of
  51  * this software for any purpose.  It is provided "as is" without express
  52  * or implied warranty.
  53  *
  54  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  55  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  56  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  57  */
  58 
  59 /* Copyright (c) 2004-2005, Novell, Inc.
  60  * All rights reserved.
  61  *
  62  * Redistribution and use in source and binary forms, with or without
  63  * modification, are permitted provided that the following conditions are met:
  64  *
  65  *   * Redistributions of source code must retain the above copyright notice,
  66  *       this list of conditions and the following disclaimer.
  67  *   * Redistributions in binary form must reproduce the above copyright
  68  *       notice, this list of conditions and the following disclaimer in the
  69  *       documentation and/or other materials provided with the distribution.
  70  *   * The copyright holder's name is not used to endorse or promote products
  71  *       derived from this software without specific prior written permission.
  72  *
  73  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  74  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  75  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  76  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  77  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  78  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  79  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  80  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  81  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  82  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  83  * POSSIBILITY OF SUCH DAMAGE.
  84  */
  85 
  86 /*
  87  * Create / Modify / Destroy / View / List realm(s)
  88  */
  89 
  90 /* Needed for getting the definition of KRB5_TL_DB_ARGS */
  91 #define SECURID
  92 
  93 #include <stdio.h>
  94 #include <k5-int.h>
  95 #include <kadm5/admin.h>
  96 #include <libintl.h>
  97 #include <locale.h>
  98 #include "kdb5_ldap_util.h"
  99 #include "kdb5_ldap_list.h"
 100 #include <ldap_principal.h>
 101 #include <ldap_krbcontainer.h>
 102 extern time_t get_date(char *); /* kadmin/cli/getdate.o */
 103 
 104 char *yes = "yes\n"; /* \n to compare against result of fgets */
 105 krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
 106 
 107 struct realm_info rblock = {
 108     KRB5_KDB_MAX_LIFE,
 109     KRB5_KDB_MAX_RLIFE,
 110     KRB5_KDB_EXPIRATION,
 111     KRB5_KDB_DEF_FLAGS,
 112     (krb5_keyblock *) NULL,
 113     1,
 114     &def_kslist
 115 };
 116 
 117 krb5_data tgt_princ_entries[] = {
 118     {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
 119     {0, 0, 0} };
 120 
 121 krb5_data db_creator_entries[] = {
 122     {0, sizeof("db_creation")-1, "db_creation"} };
 123 
 124 
 125 static krb5_principal_data db_create_princ = {
 126     0,                                  /* magic number */
 127     {0, 0, 0},                          /* krb5_data realm */
 128     db_creator_entries,                 /* krb5_data *data */
 129     1,                                  /* int length */
 130     KRB5_NT_SRV_INST                    /* int type */
 131 };
 132 
 133 extern char *mkey_password;
 134 extern char *progname;
 135 extern kadm5_config_params global_params;
 136 
 137 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask);
 138 static int kdb_ldap_create_principal (krb5_context context, krb5_principal
 139                                       princ, enum ap_op op, struct realm_info *pblock);
 140 
 141 
 142 static char *strdur(time_t duration);
 143 static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
 144 static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ);
 145 static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data);
 146 
 147 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
 148 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
 149 
 150 static int get_ticket_policy(rparams,i,argv,argc)
 151     krb5_ldap_realm_params *rparams;
 152     int *i;
 153     char *argv[];
 154     int argc;
 155 {
 156     time_t date;
 157     time_t now;
 158     int mask = 0;
 159     krb5_error_code retval = 0;
 160 
 161     /* Solaris Kerberos */
 162     char *me = progname;
 163 
 164     time(&now);
 165     if (!strcmp(argv[*i], "-maxtktlife")) {
 166         if (++(*i) > argc-1)
 167             goto err_nomsg;
 168         date = get_date(argv[*i]);
 169         if (date == (time_t)(-1)) {
 170             retval = EINVAL;
 171             com_err (me, retval, gettext("while providing time specification"));
 172             goto err_nomsg;
 173         }
 174         rparams->max_life = date-now;
 175         mask |= LDAP_REALM_MAXTICKETLIFE;
 176     }
 177 
 178 
 179     else if (!strcmp(argv[*i], "-maxrenewlife")) {
 180         if (++(*i) > argc-1)
 181             goto err_nomsg;
 182 
 183         date = get_date(argv[*i]);
 184         if (date == (time_t)(-1)) {
 185             retval = EINVAL;
 186             com_err (me, retval, gettext("while providing time specification"));
 187             goto err_nomsg;
 188         }
 189         rparams->max_renewable_life = date-now;
 190         mask |= LDAP_REALM_MAXRENEWLIFE;
 191     } else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
 192         if (*(argv[*i]) == '+')
 193             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
 194         else if (*(argv[*i]) == '-')
 195             rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
 196         else
 197             goto err_nomsg;
 198 
 199         mask |= LDAP_REALM_KRBTICKETFLAGS;
 200     } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
 201         if (*(argv[*i]) == '+')
 202             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
 203 
 204         else if (*(argv[*i]) == '-')
 205             rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
 206         else
 207             goto err_nomsg;
 208 
 209         mask |= LDAP_REALM_KRBTICKETFLAGS;
 210     } else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
 211         if (*(argv[*i]) == '+')
 212             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
 213         else if (*(argv[*i]) == '-')
 214             rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
 215         else
 216             goto err_nomsg;
 217 
 218         mask |= LDAP_REALM_KRBTICKETFLAGS;
 219     } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
 220         if (*(argv[*i]) == '+')
 221             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
 222         else if (*(argv[*i]) == '-')
 223             rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
 224         else
 225             goto err_nomsg;
 226 
 227         mask |= LDAP_REALM_KRBTICKETFLAGS;
 228     } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
 229         if (*(argv[*i]) == '+')
 230             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
 231         else if (*(argv[*i]) == '-')
 232             rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
 233         else
 234             goto err_nomsg;
 235 
 236         mask |= LDAP_REALM_KRBTICKETFLAGS;
 237     }
 238 
 239     else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
 240         if (*(argv[*i]) == '+')
 241             rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
 242         else if (*(argv[*i]) == '-')
 243             rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
 244         else
 245             goto err_nomsg;
 246 
 247         mask |= LDAP_REALM_KRBTICKETFLAGS;
 248     } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
 249         if (*(argv[*i]) == '+')
 250             rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
 251         else if (*(argv[*i]) == '-')
 252             rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
 253         else
 254             goto err_nomsg;
 255 
 256         mask |= LDAP_REALM_KRBTICKETFLAGS;
 257     } else if (!strcmp((argv[*i] + 1), "allow_svr")) {
 258         if (*(argv[*i]) == '+')
 259             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
 260         else if (*(argv[*i]) == '-')
 261             rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
 262         else
 263             goto err_nomsg;
 264 
 265         mask |= LDAP_REALM_KRBTICKETFLAGS;
 266     } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
 267         if (*(argv[*i]) == '+')
 268             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
 269         else if (*(argv[*i]) == '-')
 270             rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
 271         else
 272             goto err_nomsg;
 273 
 274         mask |= LDAP_REALM_KRBTICKETFLAGS;
 275     } else if (!strcmp((argv[*i] + 1), "allow_tix")) {
 276         if (*(argv[*i]) == '+')
 277             rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
 278         else if (*(argv[*i]) == '-')
 279             rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
 280         else
 281             goto err_nomsg;
 282 
 283         mask |= LDAP_REALM_KRBTICKETFLAGS;
 284     } else if (!strcmp((argv[*i] + 1), "needchange")) {
 285         if (*(argv[*i]) == '+')
 286             rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
 287         else if (*(argv[*i]) == '-')
 288             rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
 289         else
 290             goto err_nomsg;
 291 
 292         mask |= LDAP_REALM_KRBTICKETFLAGS;
 293     } else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
 294         if (*(argv[*i]) == '+')
 295             rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
 296         else if (*(argv[*i]) == '-')
 297             rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
 298         else
 299             goto err_nomsg;
 300 
 301         mask |=LDAP_REALM_KRBTICKETFLAGS;
 302     }
 303 
 304 err_nomsg:
 305 
 306     return mask;
 307 }
 308 
 309 /*
 310  * This function will create a realm on the LDAP Server, with
 311  * the specified attributes.
 312  */
 313 void kdb5_ldap_create(argc, argv)
 314     int argc;
 315     char *argv[];
 316 {
 317     krb5_error_code retval = 0;
 318     krb5_keyblock master_keyblock;
 319     krb5_ldap_realm_params *rparams = NULL;
 320     krb5_principal master_princ = NULL;
 321     kdb5_dal_handle *dal_handle = NULL;
 322     krb5_ldap_context *ldap_context=NULL;
 323     krb5_boolean realm_obj_created = FALSE;
 324     krb5_boolean create_complete = FALSE;
 325     krb5_boolean print_usage = FALSE;
 326     krb5_boolean no_msg = FALSE;
 327     char *oldcontainerref=NULL;
 328     char pw_str[1024];
 329     int do_stash = 0;
 330     int i = 0;
 331     int mask = 0, ret_mask = 0;
 332     char **list = NULL;
 333 #ifdef HAVE_EDIRECTORY
 334     int rightsmask = 0;
 335 #endif
 336 
 337     memset(&master_keyblock, 0, sizeof(master_keyblock));
 338 
 339     rparams = (krb5_ldap_realm_params *)malloc(
 340         sizeof(krb5_ldap_realm_params));
 341     if (rparams == NULL) {
 342         retval = ENOMEM;
 343         goto cleanup;
 344     }
 345     memset(rparams, 0, sizeof(krb5_ldap_realm_params));
 346 
 347     /* Parse the arguments */
 348     for (i = 1; i < argc; i++) {
 349         if (!strcmp(argv[i], "-subtrees")) {
 350             if (++i > argc-1)
 351                 goto err_usage;
 352 
 353             if(strncmp(argv[i], "", strlen(argv[i]))!=0) {
 354                 list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
 355                 if (list == NULL) {
 356                     retval = ENOMEM;
 357                     goto cleanup;
 358                 }
 359                 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
 360                     free(list);
 361                     list = NULL;
 362                     goto cleanup;
 363                 }
 364 
 365                 rparams->subtreecount=0;
 366                 while(list[rparams->subtreecount]!=NULL)
 367                     (rparams->subtreecount)++;
 368                 rparams->subtree = list;
 369             } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
 370                  /* dont allow subtree value to be set at the root(NULL, "") of the tree */
 371                  /* Solaris Kerberos */
 372                  com_err(progname, EINVAL,
 373                           gettext("for subtree while creating realm '%s'"),
 374                            global_params.realm);
 375                  goto err_nomsg;
 376             }
 377             rparams->subtree[rparams->subtreecount] = NULL;
 378             mask |= LDAP_REALM_SUBTREE;
 379         } else if (!strcmp(argv[i], "-containerref")) {
 380             if (++i > argc-1)
 381                 goto err_usage;
 382             if(strncmp(argv[i], "", strlen(argv[i]))==0) {
 383                  /* dont allow containerref value to be set at the root(NULL, "") of the tree */
 384                  /* Solaris Kerberos */
 385                  com_err(progname, EINVAL,
 386                           gettext("for container reference while creating realm '%s'"),
 387                            global_params.realm);
 388                  goto err_nomsg;
 389             }
 390             rparams->containerref = strdup(argv[i]);
 391             if (rparams->containerref == NULL) {
 392                 retval = ENOMEM;
 393                 goto cleanup;
 394             }
 395             mask |= LDAP_REALM_CONTREF;
 396         } else if (!strcmp(argv[i], "-sscope")) {
 397             if (++i > argc-1)
 398                 goto err_usage;
 399             /* Possible values for search scope are
 400              * one (or 1) and sub (or 2)
 401              */
 402             if (!strcasecmp(argv[i], "one")) {
 403                 rparams->search_scope = 1;
 404             } else if (!strcasecmp(argv[i], "sub")) {
 405                 rparams->search_scope = 2;
 406             } else {
 407                 rparams->search_scope = atoi(argv[i]);
 408                 if ((rparams->search_scope != 1) &&
 409                     (rparams->search_scope != 2)) {
 410                     /* Solaris Kerberos */
 411                     com_err(progname, EINVAL,
 412                             gettext("invalid search scope while creating realm '%s'"),
 413                             global_params.realm);
 414                     goto err_nomsg;
 415                 }
 416             }
 417             mask |= LDAP_REALM_SEARCHSCOPE;
 418         }
 419 #ifdef HAVE_EDIRECTORY
 420         else if (!strcmp(argv[i], "-kdcdn")) {
 421             if (++i > argc-1)
 422                 goto err_usage;
 423             rparams->kdcservers = (char **)malloc(
 424                 sizeof(char *) * MAX_LIST_ENTRIES);
 425             if (rparams->kdcservers == NULL) {
 426                 retval = ENOMEM;
 427                 goto cleanup;
 428             }
 429             memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
 430             if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
 431                                           rparams->kdcservers))) {
 432                 goto cleanup;
 433             }
 434             mask |= LDAP_REALM_KDCSERVERS;
 435         } else if (!strcmp(argv[i], "-admindn")) {
 436             if (++i > argc-1)
 437                 goto err_usage;
 438             rparams->adminservers = (char **)malloc(
 439                 sizeof(char *) * MAX_LIST_ENTRIES);
 440             if (rparams->adminservers == NULL) {
 441                 retval = ENOMEM;
 442                 goto cleanup;
 443             }
 444             memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
 445             if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
 446                                           rparams->adminservers))) {
 447                 goto cleanup;
 448             }
 449             mask |= LDAP_REALM_ADMINSERVERS;
 450         } else if (!strcmp(argv[i], "-pwddn")) {
 451             if (++i > argc-1)
 452                 goto err_usage;
 453             rparams->passwdservers = (char **)malloc(
 454                 sizeof(char *) * MAX_LIST_ENTRIES);
 455             if (rparams->passwdservers == NULL) {
 456                 retval = ENOMEM;
 457                 goto cleanup;
 458             }
 459             memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
 460             if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
 461                                           rparams->passwdservers))) {
 462                 goto cleanup;
 463             }
 464             mask |= LDAP_REALM_PASSWDSERVERS;
 465         }
 466 #endif
 467         else if (!strcmp(argv[i], "-s")) {
 468             do_stash = 1;
 469         } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
 470             mask|=ret_mask;
 471         }
 472 
 473         else {
 474             printf(gettext("'%s' is an invalid option\n"), argv[i]);
 475             goto err_usage;
 476         }
 477     }
 478 
 479     /* If the default enctype/salttype is not provided, use the
 480      * default values and also add to the list of supported
 481      * enctypes/salttype
 482      */
 483 
 484     rblock.max_life = global_params.max_life;
 485     rblock.max_rlife = global_params.max_rlife;
 486     rblock.expiration = global_params.expiration;
 487     rblock.flags = global_params.flags;
 488     rblock.nkslist = global_params.num_keysalts;
 489     rblock.kslist = global_params.keysalts;
 490 
 491     krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm);
 492     krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm));
 493 
 494     printf(gettext("Initializing database for realm '%s'\n"), global_params.realm);
 495 
 496     if (!mkey_password) {
 497         unsigned int pw_size;
 498         printf(gettext("You will be prompted for the database Master Password.\n"));
 499         printf(gettext("It is important that you NOT FORGET this password.\n"));
 500         fflush(stdout);
 501 
 502         pw_size = sizeof (pw_str);
 503         memset(pw_str, 0, pw_size);
 504 
 505         retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
 506                                     pw_str, &pw_size);
 507         if (retval) {
 508             /* Solaris Kerberos */
 509             com_err(progname, retval, gettext("while reading master key from keyboard"));
 510             goto err_nomsg;
 511         }
 512         mkey_password = pw_str;
 513     }
 514 
 515     rparams->mkey.enctype = global_params.enctype;
 516     /* We are sure that 'mkey_password' is a regular string ... */
 517     rparams->mkey.length = strlen(mkey_password) + 1;
 518     rparams->mkey.contents = (krb5_octet *)strdup(mkey_password);
 519     if (rparams->mkey.contents == NULL) {
 520         retval = ENOMEM;
 521         goto cleanup;
 522     }
 523 
 524     rparams->realm_name = strdup(global_params.realm);
 525     if (rparams->realm_name == NULL) {
 526         retval = ENOMEM;
 527         /* Solaris Kerberos */
 528         com_err(progname, ENOMEM, gettext("while creating realm '%s'"),
 529                 global_params.realm);
 530         goto err_nomsg;
 531     }
 532 
 533     dal_handle = (kdb5_dal_handle *) util_context->db_context;
 534     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
 535     if (!ldap_context) {
 536         retval = EINVAL;
 537         goto cleanup;
 538     }
 539 
 540     /* read the kerberos container */
 541     if ((retval=krb5_ldap_read_krbcontainer_params (util_context,
 542                                                     &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
 543         /* Prompt the user for entering the DN of Kerberos container */
 544         char krb_location[MAX_KRB_CONTAINER_LEN];
 545         krb5_ldap_krbcontainer_params kparams;
 546         int krb_location_len = 0;
 547         memset(&kparams, 0, sizeof(kparams));
 548 
 549         /* Read the kerberos container location from configuration file */
 550         if (ldap_context->conf_section) {
 551             if ((retval=profile_get_string(util_context->profile,
 552                                            KDB_MODULE_SECTION, ldap_context->conf_section,
 553                                            "ldap_kerberos_container_dn", NULL,
 554                                            &kparams.DN)) != 0) {
 555                 goto cleanup;
 556             }
 557         }
 558         if (kparams.DN == NULL) {
 559             if ((retval=profile_get_string(util_context->profile,
 560                                            KDB_MODULE_DEF_SECTION,
 561                                            "ldap_kerberos_container_dn", NULL,
 562                                            NULL, &kparams.DN)) != 0) {
 563                 goto cleanup;
 564             }
 565         }
 566 
 567         printf(gettext("\nKerberos container is missing. Creating now...\n"));
 568         if (kparams.DN == NULL) {
 569 #ifdef HAVE_EDIRECTORY
 570             printf(gettext("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "));
 571 #else
 572             printf(gettext("Enter DN of Kerberos container: "));
 573 #endif
 574             if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
 575                 /* Remove the newline character at the end */
 576                 krb_location_len = strlen(krb_location);
 577                 if ((krb_location[krb_location_len - 1] == '\n') ||
 578                     (krb_location[krb_location_len - 1] == '\r')) {
 579                     krb_location[krb_location_len - 1] = '\0';
 580                     krb_location_len--;
 581                 }
 582                 /* If the user has not given any input, take the default location */
 583                 else if (krb_location[0] == '\0')
 584                     kparams.DN = NULL;
 585                 else
 586                     kparams.DN = krb_location;
 587             } else
 588                 kparams.DN = NULL;
 589         }
 590 
 591         /* create the kerberos container */
 592         retval = krb5_ldap_create_krbcontainer(util_context,
 593                                                ((kparams.DN != NULL) ? &kparams : NULL));
 594         if (retval)
 595             goto cleanup;
 596 
 597         retval = krb5_ldap_read_krbcontainer_params(util_context,
 598                                                     &(ldap_context->krbcontainer));
 599         if (retval) {
 600             /* Solaris Kerberos */
 601             com_err(progname, retval, gettext("while reading kerberos container information"));
 602             goto cleanup;
 603         }
 604     } else if (retval) {
 605         /* Solaris Kerberos */
 606         com_err(progname, retval, gettext("while reading kerberos container information"));
 607         goto cleanup;
 608     }
 609 
 610     if ((retval = krb5_ldap_create_realm(util_context,
 611                                          /* global_params.realm, */ rparams, mask))) {
 612         goto cleanup;
 613     }
 614 
 615     /* We just created the Realm container. Here starts our transaction tracking */
 616     realm_obj_created = TRUE;
 617 
 618     if ((retval = krb5_ldap_read_realm_params(util_context,
 619                                               global_params.realm,
 620                                               &(ldap_context->lrparams),
 621                                               &mask))) {
 622         /* Solaris Kerberos */
 623         com_err(progname, retval, gettext("while reading information of realm '%s'"),
 624                 global_params.realm);
 625         goto err_nomsg;
 626     }
 627     ldap_context->lrparams->realm_name = strdup(global_params.realm);
 628     if (ldap_context->lrparams->realm_name == NULL) {
 629         retval = ENOMEM;
 630         goto cleanup;
 631     }
 632 
 633     /* assemble & parse the master key name */
 634     if ((retval = krb5_db_setup_mkey_name(util_context,
 635                                           global_params.mkey_name,
 636                                           global_params.realm,
 637                                           0, &master_princ))) {
 638         /* Solaris Kerberos */
 639         com_err(progname, retval, gettext("while setting up master key name"));
 640         goto err_nomsg;
 641     }
 642 
 643     /* Obtain master key from master password */
 644     {
 645         krb5_data master_salt, pwd;
 646 
 647         pwd.data = mkey_password;
 648         pwd.length = strlen(mkey_password);
 649         retval = krb5_principal2salt(util_context, master_princ, &master_salt);
 650         if (retval) {
 651             /* Solaris Kerberos */
 652             com_err(progname, retval, gettext("while calculating master key salt"));
 653             goto err_nomsg;
 654         }
 655 
 656         retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
 657                                       &pwd, &master_salt, &master_keyblock);
 658 
 659         if (master_salt.data)
 660             free(master_salt.data);
 661 
 662         if (retval) {
 663             /* Solaris Kerberos */
 664             com_err(progname, retval, gettext("while transforming master key from password"));
 665             goto err_nomsg;
 666         }
 667 
 668     }
 669 
 670     rblock.key = &master_keyblock;
 671     ldap_context->lrparams->mkey = master_keyblock;
 672     ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc
 673         (master_keyblock.length);
 674     if (ldap_context->lrparams->mkey.contents == NULL) {
 675         retval = ENOMEM;
 676         goto cleanup;
 677     }
 678     memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents,
 679             master_keyblock.length);
 680 
 681     /* Create special principals inside the realm subtree */
 682     {
 683         char princ_name[MAX_PRINC_SIZE];
 684         krb5_principal_data tgt_princ = {
 685             0,                                  /* magic number */
 686             {0, 0, 0},                          /* krb5_data realm */
 687             tgt_princ_entries,                  /* krb5_data *data */
 688             2,                                  /* int length */
 689             KRB5_NT_SRV_INST                    /* int type */
 690         };
 691         krb5_principal p, temp_p=NULL;
 692 
 693         krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
 694         krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
 695         krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
 696         krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
 697         /* The container reference value is set to NULL, to avoid service principals
 698          * getting created within the container reference at realm creation */
 699         if (ldap_context->lrparams->containerref != NULL) {
 700             oldcontainerref = ldap_context->lrparams->containerref;
 701             ldap_context->lrparams->containerref = NULL;
 702         }
 703 
 704         /* Create 'K/M' ... */
 705         rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
 706         if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
 707             /* Solaris Kerberos */
 708             com_err(progname, retval, gettext("while adding entries to the database"));
 709             goto err_nomsg;
 710         }
 711 
 712         /* Create 'krbtgt' ... */
 713         rblock.flags = 0; /* reset the flags */
 714         if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
 715             /* Solaris Kerberos */
 716             com_err(progname, retval, gettext("while adding entries to the database"));
 717             goto err_nomsg;
 718         }
 719         /*
 720          * Solaris Kerberos:
 721          * The kadmin/admin principal is unused on Solaris. This principal is used
 722          * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
 723          * be used with host-based principals. 
 724          *
 725          */
 726 #if 0 /* ************ Begin IFDEF'ed OUT ***************************** */
 727         /* Create 'kadmin/admin' ... */
 728         snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm);
 729         if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
 730             /* Solaris Kerberos */
 731             com_err(progname, retval, gettext("while adding entries to the database"));
 732             goto err_nomsg;
 733         }
 734         rblock.max_life = ADMIN_LIFETIME;
 735         rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
 736         if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
 737             krb5_free_principal(util_context, p);
 738             /* Solaris Kerberos */
 739             com_err(progname, retval, gettext("while adding entries to the database"));
 740             goto err_nomsg;
 741         }
 742         krb5_free_principal(util_context, p);
 743 #endif /* ************** END IFDEF'ed OUT ***************************** */
 744 
 745         /* Create 'kadmin/changepw' ... */
 746         snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm);
 747         if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
 748             /* Solaris Kerberos */
 749             com_err(progname, retval, gettext("while adding entries to the database"));
 750             goto err_nomsg;
 751         }
 752         rblock.max_life = CHANGEPW_LIFETIME;
 753         rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
 754         if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
 755             krb5_free_principal(util_context, p);
 756             /* Solaris Kerberos */
 757             com_err(progname, retval, gettext("while adding entries to the database"));
 758             goto err_nomsg;
 759         }
 760         krb5_free_principal(util_context, p);
 761 
 762         /* Create 'kadmin/history' ... */
 763         snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm);
 764         if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
 765             /* Solaris Kerberos */
 766             com_err(progname, retval, gettext("while adding entries to the database"));
 767             goto err_nomsg;
 768         }
 769         rblock.max_life = global_params.max_life;
 770         rblock.flags = 0;
 771         if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
 772             krb5_free_principal(util_context, p);
 773             /* Solaris Kerberos */
 774             com_err(progname, retval, gettext("while adding entries to the database"));
 775             goto err_nomsg;
 776         }
 777         krb5_free_principal(util_context, p);
 778 
 779         /* Create 'kadmin/<hostname>' ... */
 780         if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_ADMIN_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
 781             /* Solaris Kerberos */
 782             com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
 783             goto err_nomsg;
 784         }
 785 
 786         if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
 787             /* Solaris Kerberos */
 788             com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
 789             goto err_nomsg;
 790         }
 791 
 792         /* change the realm portion to the default realm */
 793         free(temp_p->realm.data);
 794         temp_p->realm.length = strlen(util_context->default_realm);
 795         temp_p->realm.data = strdup(util_context->default_realm);
 796         if (temp_p->realm.data == NULL) {
 797             /* Solaris Kerberos */
 798             com_err(progname, ENOMEM, gettext("while adding entries to the database"));
 799             goto err_nomsg;
 800         }
 801 
 802         rblock.max_life = ADMIN_LIFETIME;
 803         rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
 804         if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
 805             krb5_free_principal(util_context, p);
 806             /* Solaris Kerberos */
 807             com_err(progname, retval, gettext("while adding entries to the database"));
 808             goto err_nomsg;
 809         }
 810         krb5_free_principal(util_context, temp_p);
 811         krb5_free_principal(util_context, p);
 812 
 813         /* Solaris Kerberos: Create 'changepw/<hostname>' ... */
 814         if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_CHANGEPW_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
 815             /* Solaris Kerberos */
 816             com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
 817             goto err_nomsg;
 818         }
 819 
 820         if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
 821             /* Solaris Kerberos */
 822             com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
 823             goto err_nomsg;
 824         }
 825 
 826         /* change the realm portion to the default realm */
 827         free(temp_p->realm.data);
 828         temp_p->realm.length = strlen(util_context->default_realm);
 829         temp_p->realm.data = strdup(util_context->default_realm);
 830         if (temp_p->realm.data == NULL) {
 831             /* Solaris Kerberos */
 832             com_err(progname, ENOMEM, gettext("while adding entries to the database"));
 833             goto err_nomsg;
 834         }
 835 
 836         rblock.max_life = ADMIN_LIFETIME;
 837         rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
 838         if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
 839             krb5_free_principal(util_context, p);
 840             /* Solaris Kerberos */
 841             com_err(progname, retval, gettext("while adding entries to the database"));
 842             goto err_nomsg;
 843         }
 844         krb5_free_principal(util_context, temp_p);
 845         krb5_free_principal(util_context, p);
 846 
 847         if (oldcontainerref != NULL) {
 848             ldap_context->lrparams->containerref = oldcontainerref;
 849             oldcontainerref=NULL;
 850         }
 851     }
 852 
 853 #ifdef HAVE_EDIRECTORY
 854     if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
 855         (mask & LDAP_REALM_PASSWDSERVERS)) {
 856 
 857         printf(gettext("Changing rights for the service object. Please wait ... "));
 858         fflush(stdout);
 859 
 860         rightsmask =0;
 861         rightsmask |= LDAP_REALM_RIGHTS;
 862         rightsmask |= LDAP_SUBTREE_RIGHTS;
 863         if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
 864             for (i=0; (rparams->kdcservers[i] != NULL); i++) {
 865                 if ((retval=krb5_ldap_add_service_rights(util_context,
 866                                                          LDAP_KDC_SERVICE, rparams->kdcservers[i],
 867                                                          rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
 868                     printf(gettext("failed\n"));
 869                     /* Solaris Kerberos */
 870                     com_err(progname, retval, gettext("while assigning rights to '%s'"),
 871                             rparams->realm_name);
 872                     goto err_nomsg;
 873                 }
 874             }
 875         }
 876 
 877         rightsmask = 0;
 878         rightsmask |= LDAP_REALM_RIGHTS;
 879         rightsmask |= LDAP_SUBTREE_RIGHTS;
 880         if ((rparams != NULL) && (rparams->adminservers != NULL)) {
 881             for (i=0; (rparams->adminservers[i] != NULL); i++) {
 882                 if ((retval=krb5_ldap_add_service_rights(util_context,
 883                                                          LDAP_ADMIN_SERVICE, rparams->adminservers[i],
 884                                                          rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
 885                     printf(gettext("failed\n"));
 886                     /* Solaris Kerberos */
 887                     com_err(progname, retval, gettext("while assigning rights to '%s'"),
 888                             rparams->realm_name);
 889                     goto err_nomsg;
 890                 }
 891             }
 892         }
 893 
 894         rightsmask = 0;
 895         rightsmask |= LDAP_REALM_RIGHTS;
 896         rightsmask |= LDAP_SUBTREE_RIGHTS;
 897         if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
 898             for (i=0; (rparams->passwdservers[i] != NULL); i++) {
 899                 if ((retval=krb5_ldap_add_service_rights(util_context,
 900                                                          LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
 901                                                          rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
 902                     printf(gettext("failed\n"));
 903                     /* Solaris Kerberos */
 904                     com_err(progname, retval, gettext("while assigning rights to '%s'"),
 905                             rparams->realm_name);
 906                     goto err_nomsg;
 907                 }
 908             }
 909         }
 910 
 911         printf(gettext("done\n"));
 912     }
 913 #endif
 914     /* The Realm creation is completed. Here is the end of transaction */
 915     create_complete = TRUE;
 916 
 917     /* Stash the master key only if '-s' option is specified */
 918     if (do_stash || global_params.mask & KADM5_CONFIG_STASH_FILE) {
 919         retval = krb5_def_store_mkey(util_context,
 920                                      global_params.stash_file,
 921                                      master_princ,
 922                                      &master_keyblock, NULL);
 923         if (retval) {
 924             /* Solaris Kerberos */
 925             com_err(progname, errno, gettext("while storing key"));
 926             printf(gettext("Warning: couldn't stash master key.\n"));
 927         }
 928     }
 929 
 930     goto cleanup;
 931 
 932 
 933 err_usage:
 934     print_usage = TRUE;
 935 
 936 err_nomsg:
 937     no_msg = TRUE;
 938 
 939 cleanup:
 940     /* If the Realm creation is not complete, do the roll-back here */
 941     if ((realm_obj_created) && (!create_complete))
 942         krb5_ldap_delete_realm(util_context, global_params.realm);
 943 
 944     if (rparams)
 945         krb5_ldap_free_realm_params(rparams);
 946 
 947     memset (pw_str, 0, sizeof (pw_str));
 948 
 949     if (print_usage)
 950         db_usage(CREATE_REALM);
 951 
 952     if (retval) {
 953         if (!no_msg) {
 954             /* Solaris Kerberos */
 955             com_err(progname, retval, gettext("while creating realm '%s'"),
 956                     global_params.realm);
 957         }
 958         exit_status++;
 959     }
 960 
 961     return;
 962 }
 963 
 964 
 965 /*
 966  * This function will modify the attributes of a given realm object
 967  */
 968 void kdb5_ldap_modify(argc, argv)
 969     int argc;
 970     char *argv[];
 971 {
 972     krb5_error_code retval = 0;
 973     krb5_ldap_realm_params *rparams = NULL;
 974     krb5_boolean print_usage = FALSE;
 975     krb5_boolean no_msg = FALSE;
 976     kdb5_dal_handle *dal_handle = NULL;
 977     krb5_ldap_context *ldap_context=NULL;
 978     int i = 0;
 979     int mask = 0, rmask = 0, ret_mask = 0;
 980     char **slist = {NULL};
 981 #ifdef HAVE_EDIRECTORY
 982     int j = 0;
 983     char *list[MAX_LIST_ENTRIES];
 984     int existing_entries = 0, list_entries = 0;
 985     int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
 986     char **tempstr = NULL;
 987     char **oldkdcdns = NULL;
 988     char **oldadmindns = NULL;
 989     char **oldpwddns = NULL;
 990     char **newkdcdns = NULL;
 991     char **newsubtrees = NULL;
 992     char **newadmindns = NULL;
 993     char **newpwddns = NULL;
 994     char **oldsubtrees = {NULL};
 995     int rightsmask = 0;
 996     int subtree_changed = 0;
 997 #endif
 998 
 999     dal_handle = (kdb5_dal_handle *) util_context->db_context;
1000     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1001     if (!(ldap_context)) {
1002         retval = EINVAL;
1003         goto cleanup;
1004     }
1005 
1006     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1007                                                      &(ldap_context->krbcontainer)))) {
1008         /* Solaris Kerberos */
1009         com_err(progname, retval, gettext("while reading Kerberos container information"));
1010         goto err_nomsg;
1011     }
1012 
1013     retval = krb5_ldap_read_realm_params(util_context,
1014                                          global_params.realm, &rparams, &rmask);
1015     if (retval)
1016         goto cleanup;
1017     /* Parse the arguments */
1018     for (i = 1; i < argc; i++) {
1019         int k = 0;
1020         if (!strcmp(argv[i], "-subtrees")) {
1021             if (++i > argc-1)
1022                 goto err_usage;
1023 
1024             if (rmask & LDAP_REALM_SUBTREE) {
1025                 if (rparams->subtree) {
1026 #ifdef HAVE_EDIRECTORY
1027                     oldsubtrees =  (char **) calloc(rparams->subtreecount+1, sizeof(char *));
1028                     if (oldsubtrees == NULL) {
1029                         retval = ENOMEM;
1030                         goto cleanup;
1031                     }
1032                     for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
1033                         oldsubtrees[k] = strdup(rparams->subtree[k]);
1034                         if( oldsubtrees[k] == NULL ) {
1035                             retval = ENOMEM;
1036                             goto cleanup;
1037                         }
1038                     }
1039 #endif
1040                     for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
1041                         free(rparams->subtree[k]);
1042                     rparams->subtreecount=0;
1043                 }
1044             }
1045             if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) {
1046                 slist =  (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
1047                 if (slist == NULL) {
1048                     retval = ENOMEM;
1049                     goto cleanup;
1050                 }
1051                 if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
1052                     free(slist);
1053                     slist = NULL;
1054                     goto cleanup;
1055                 }
1056 
1057                 rparams->subtreecount=0;
1058                 while(slist[rparams->subtreecount]!=NULL)
1059                     (rparams->subtreecount)++;
1060                 rparams->subtree =  slist;
1061             } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1062                  /* dont allow subtree value to be set at the root(NULL, "") of the tree */
1063                     /* Solaris Kerberos */
1064                     com_err(progname, EINVAL,
1065                             gettext("for subtree while modifying realm '%s'"),
1066                             global_params.realm);
1067                     goto err_nomsg;
1068             }
1069             rparams->subtree[rparams->subtreecount] = NULL;
1070             mask |= LDAP_REALM_SUBTREE;
1071         } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
1072             if (++i > argc-1)
1073                 goto err_usage;
1074             if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1075                  /* dont allow containerref value to be set at the root(NULL, "") of the tree */
1076                  /* Solaris Kerberos */
1077                  com_err(progname, EINVAL,
1078                           gettext("for container reference while modifying realm '%s'"),
1079                            global_params.realm);
1080                  goto err_nomsg;
1081             }
1082             rparams->containerref = strdup(argv[i]);
1083             if (rparams->containerref == NULL) {
1084                 retval = ENOMEM;
1085                 goto cleanup;
1086             }
1087             mask |= LDAP_REALM_CONTREF;
1088         } else if (!strcmp(argv[i], "-sscope")) {
1089             if (++i > argc-1)
1090                 goto err_usage;
1091             /* Possible values for search scope are
1092              * one (or 1) and sub (or 2)
1093              */
1094             if (strcasecmp(argv[i], "one") == 0) {
1095                 rparams->search_scope = 1;
1096             } else if (strcasecmp(argv[i], "sub") == 0) {
1097                 rparams->search_scope = 2;
1098             } else {
1099                 rparams->search_scope = atoi(argv[i]);
1100                 if ((rparams->search_scope != 1) &&
1101                     (rparams->search_scope != 2)) {
1102                     retval = EINVAL;
1103                     /* Solaris Kerberos */
1104                     com_err(progname, retval,
1105                             gettext("specified for search scope while modifying information of realm '%s'"),
1106                             global_params.realm);
1107                     goto err_nomsg;
1108                 }
1109             }
1110             mask |= LDAP_REALM_SEARCHSCOPE;
1111         }
1112 #ifdef HAVE_EDIRECTORY
1113         else if (!strcmp(argv[i], "-kdcdn")) {
1114             if (++i > argc-1)
1115                 goto err_usage;
1116 
1117             if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1118                 if (!oldkdcdns) {
1119                     /* Store the old kdc dns list for removing rights */
1120                     oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1121                     if (oldkdcdns == NULL) {
1122                         retval = ENOMEM;
1123                         goto cleanup;
1124                     }
1125 
1126                     for (j=0; rparams->kdcservers[j] != NULL; j++) {
1127                         oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1128                         if (oldkdcdns[j] == NULL) {
1129                             retval = ENOMEM;
1130                             goto cleanup;
1131                         }
1132                     }
1133                     oldkdcdns[j] = NULL;
1134                 }
1135 
1136                 krb5_free_list_entries(rparams->kdcservers);
1137                 free(rparams->kdcservers);
1138             }
1139 
1140             rparams->kdcservers = (char **)malloc(
1141                 sizeof(char *) * MAX_LIST_ENTRIES);
1142             if (rparams->kdcservers == NULL) {
1143                 retval = ENOMEM;
1144                 goto cleanup;
1145             }
1146             memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1147             if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1148                                           rparams->kdcservers))) {
1149                 goto cleanup;
1150             }
1151             mask |= LDAP_REALM_KDCSERVERS;
1152             /* Going to replace the existing value by this new value. Hence
1153              * setting flag indicating that add or clear options will be ignored
1154              */
1155             newkdcdn = 1;
1156         } else if (!strcmp(argv[i], "-clearkdcdn")) {
1157             if (++i > argc-1)
1158                 goto err_usage;
1159             if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1160                 if (!oldkdcdns) {
1161                     /* Store the old kdc dns list for removing rights */
1162                     oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1163                     if (oldkdcdns == NULL) {
1164                         retval = ENOMEM;
1165                         goto cleanup;
1166                     }
1167 
1168                     for (j=0; rparams->kdcservers[j] != NULL; j++) {
1169                         oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1170                         if (oldkdcdns[j] == NULL) {
1171                             retval = ENOMEM;
1172                             goto cleanup;
1173                         }
1174                     }
1175                     oldkdcdns[j] = NULL;
1176                 }
1177 
1178                 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1179                 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1180                     goto cleanup;
1181                 }
1182                 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1183                                       LIST_MODE_DELETE);
1184                 mask |= LDAP_REALM_KDCSERVERS;
1185                 krb5_free_list_entries(list);
1186             }
1187         } else if (!strcmp(argv[i], "-addkdcdn")) {
1188             if (++i > argc-1)
1189                 goto err_usage;
1190             if (!newkdcdn) {
1191                 if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
1192                     /* Store the old kdc dns list for removing rights */
1193                     oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1194                     if (oldkdcdns == NULL) {
1195                         retval = ENOMEM;
1196                         goto cleanup;
1197                     }
1198 
1199                     for (j = 0; rparams->kdcservers[j] != NULL; j++) {
1200                         oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1201                         if (oldkdcdns[j] == NULL) {
1202                             retval = ENOMEM;
1203                             goto cleanup;
1204                         }
1205                     }
1206                     oldkdcdns[j] = NULL;
1207                 }
1208 
1209                 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1210                 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1211                     goto cleanup;
1212                 }
1213                 existing_entries = list_count_str_array(rparams->kdcservers);
1214                 list_entries = list_count_str_array(list);
1215                 if (rmask & LDAP_REALM_KDCSERVERS) {
1216                     tempstr = (char **)realloc(
1217                         rparams->kdcservers,
1218                         sizeof(char *) * (existing_entries+list_entries+1));
1219                     if (tempstr == NULL) {
1220                         retval = ENOMEM;
1221                         goto cleanup;
1222                     }
1223                     rparams->kdcservers = tempstr;
1224                 } else {
1225                     rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1226                     if (rparams->kdcservers == NULL) {
1227                         retval = ENOMEM;
1228                         goto cleanup;
1229                     }
1230                     memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
1231                 }
1232                 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1233                                       LIST_MODE_ADD);
1234                 mask |= LDAP_REALM_KDCSERVERS;
1235             }
1236         } else if (!strcmp(argv[i], "-admindn")) {
1237             if (++i > argc-1)
1238                 goto err_usage;
1239 
1240             if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1241                 if (!oldadmindns) {
1242                     /* Store the old admin dns list for removing rights */
1243                     oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1244                     if (oldadmindns == NULL) {
1245                         retval = ENOMEM;
1246                         goto cleanup;
1247                     }
1248 
1249                     for (j=0; rparams->adminservers[j] != NULL; j++) {
1250                         oldadmindns[j] = strdup(rparams->adminservers[j]);
1251                         if (oldadmindns[j] == NULL) {
1252                             retval = ENOMEM;
1253                             goto cleanup;
1254                         }
1255                     }
1256                     oldadmindns[j] = NULL;
1257                 }
1258 
1259                 krb5_free_list_entries(rparams->adminservers);
1260                 free(rparams->adminservers);
1261             }
1262 
1263             rparams->adminservers = (char **)malloc(
1264                 sizeof(char *) * MAX_LIST_ENTRIES);
1265             if (rparams->adminservers == NULL) {
1266                 retval = ENOMEM;
1267                 goto cleanup;
1268             }
1269             memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1270             if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1271                                           rparams->adminservers))) {
1272                 goto cleanup;
1273             }
1274             mask |= LDAP_REALM_ADMINSERVERS;
1275             /* Going to replace the existing value by this new value. Hence
1276              * setting flag indicating that add or clear options will be ignored
1277              */
1278             newadmindn = 1;
1279         } else if (!strcmp(argv[i], "-clearadmindn")) {
1280             if (++i > argc-1)
1281                 goto err_usage;
1282 
1283             if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1284                 if (!oldadmindns) {
1285                     /* Store the old admin dns list for removing rights */
1286                     oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1287                     if (oldadmindns == NULL) {
1288                         retval = ENOMEM;
1289                         goto cleanup;
1290                     }
1291 
1292                     for (j=0; rparams->adminservers[j] != NULL; j++) {
1293                         oldadmindns[j] = strdup(rparams->adminservers[j]);
1294                         if (oldadmindns[j] == NULL) {
1295                             retval = ENOMEM;
1296                             goto cleanup;
1297                         }
1298                     }
1299                     oldadmindns[j] = NULL;
1300                 }
1301 
1302                 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1303                 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1304                     goto cleanup;
1305                 }
1306                 list_modify_str_array(&rparams->adminservers, (const char **)list,
1307                                       LIST_MODE_DELETE);
1308                 mask |= LDAP_REALM_ADMINSERVERS;
1309                 krb5_free_list_entries(list);
1310             }
1311         } else if (!strcmp(argv[i], "-addadmindn")) {
1312             if (++i > argc-1)
1313                 goto err_usage;
1314             if (!newadmindn) {
1315                 if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
1316                     /* Store the old admin dns list for removing rights */
1317                     oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1318                     if (oldadmindns == NULL) {
1319                         retval = ENOMEM;
1320                         goto cleanup;
1321                     }
1322 
1323                     for (j=0; rparams->adminservers[j] != NULL; j++) {
1324                         oldadmindns[j] = strdup(rparams->adminservers[j]);
1325                         if (oldadmindns[j] == NULL) {
1326                             retval = ENOMEM;
1327                             goto cleanup;
1328                         }
1329                     }
1330                     oldadmindns[j] = NULL;
1331                 }
1332 
1333                 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1334                 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1335                     goto cleanup;
1336                 }
1337                 existing_entries = list_count_str_array(rparams->adminservers);
1338                 list_entries = list_count_str_array(list);
1339                 if (rmask & LDAP_REALM_ADMINSERVERS) {
1340                     tempstr = (char **)realloc(
1341                         rparams->adminservers,
1342                         sizeof(char *) * (existing_entries+list_entries+1));
1343                     if (tempstr == NULL) {
1344                         retval = ENOMEM;
1345                         goto cleanup;
1346                     }
1347                     rparams->adminservers = tempstr;
1348                 } else {
1349                     rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1350                     if (rparams->adminservers == NULL) {
1351                         retval = ENOMEM;
1352                         goto cleanup;
1353                     }
1354                     memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
1355                 }
1356                 list_modify_str_array(&rparams->adminservers, (const char **)list,
1357                                       LIST_MODE_ADD);
1358                 mask |= LDAP_REALM_ADMINSERVERS;
1359             }
1360         } else if (!strcmp(argv[i], "-pwddn")) {
1361             if (++i > argc-1)
1362                 goto err_usage;
1363 
1364             if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1365                 if (!oldpwddns) {
1366                     /* Store the old pwd dns list for removing rights */
1367                     oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1368                     if (oldpwddns == NULL) {
1369                         retval = ENOMEM;
1370                         goto cleanup;
1371                     }
1372 
1373                     for (j=0; rparams->passwdservers[j] != NULL; j++) {
1374                         oldpwddns[j] = strdup(rparams->passwdservers[j]);
1375                         if (oldpwddns[j] == NULL) {
1376                             retval = ENOMEM;
1377                             goto cleanup;
1378                         }
1379                     }
1380                     oldpwddns[j] = NULL;
1381                 }
1382 
1383                 krb5_free_list_entries(rparams->passwdservers);
1384                 free(rparams->passwdservers);
1385             }
1386 
1387             rparams->passwdservers = (char **)malloc(
1388                 sizeof(char *) * MAX_LIST_ENTRIES);
1389             if (rparams->passwdservers == NULL) {
1390                 retval = ENOMEM;
1391                 goto cleanup;
1392             }
1393             memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1394             if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1395                                           rparams->passwdservers))) {
1396                 goto cleanup;
1397             }
1398             mask |= LDAP_REALM_PASSWDSERVERS;
1399             /* Going to replace the existing value by this new value. Hence
1400              * setting flag indicating that add or clear options will be ignored
1401              */
1402             newpwddn = 1;
1403         } else if (!strcmp(argv[i], "-clearpwddn")) {
1404             if (++i > argc-1)
1405                 goto err_usage;
1406 
1407             if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1408                 if (!oldpwddns) {
1409                     /* Store the old pwd dns list for removing rights */
1410                     oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1411                     if (oldpwddns == NULL) {
1412                         retval = ENOMEM;
1413                         goto cleanup;
1414                     }
1415 
1416                     for (j=0; rparams->passwdservers[j] != NULL; j++) {
1417                         oldpwddns[j] = strdup(rparams->passwdservers[j]);
1418                         if (oldpwddns[j] == NULL) {
1419                             retval = ENOMEM;
1420                             goto cleanup;
1421                         }
1422                     }
1423                     oldpwddns[j] = NULL;
1424                 }
1425 
1426                 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1427                 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1428                     goto cleanup;
1429                 }
1430                 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1431                                       LIST_MODE_DELETE);
1432                 mask |= LDAP_REALM_PASSWDSERVERS;
1433                 krb5_free_list_entries(list);
1434             }
1435         } else if (!strcmp(argv[i], "-addpwddn")) {
1436             if (++i > argc-1)
1437                 goto err_usage;
1438             if (!newpwddn) {
1439                 if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
1440                     /* Store the old pwd dns list for removing rights */
1441                     oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1442                     if (oldpwddns == NULL) {
1443                         retval = ENOMEM;
1444                         goto cleanup;
1445                     }
1446 
1447                     for (j=0; rparams->passwdservers[j] != NULL; j++) {
1448                         oldpwddns[j] = strdup(rparams->passwdservers[j]);
1449                         if (oldpwddns[j] == NULL) {
1450                             retval = ENOMEM;
1451                             goto cleanup;
1452                         }
1453                     }
1454                     oldpwddns[j] = NULL;
1455                 }
1456 
1457                 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1458                 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1459                     goto cleanup;
1460                 }
1461                 existing_entries = list_count_str_array(rparams->passwdservers);
1462                 list_entries = list_count_str_array(list);
1463                 if (rmask & LDAP_REALM_PASSWDSERVERS) {
1464                     tempstr = (char **)realloc(
1465                         rparams->passwdservers,
1466                         sizeof(char *) * (existing_entries+list_entries+1));
1467                     if (tempstr == NULL) {
1468                         retval = ENOMEM;
1469                         goto cleanup;
1470                     }
1471                     rparams->passwdservers = tempstr;
1472                 } else {
1473                     rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1474                     if (rparams->passwdservers == NULL) {
1475                         retval = ENOMEM;
1476                         goto cleanup;
1477                     }
1478                     memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
1479                 }
1480                 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1481                                       LIST_MODE_ADD);
1482                 mask |= LDAP_REALM_PASSWDSERVERS;
1483             }
1484         }
1485 #endif
1486         else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
1487             mask|=ret_mask;
1488         } else {
1489             printf(gettext("'%s' is an invalid option\n"), argv[i]);
1490             goto err_usage;
1491         }
1492     }
1493 
1494     if ((retval = krb5_ldap_modify_realm(util_context,
1495                                          /* global_params.realm, */ rparams, mask))) {
1496         goto cleanup;
1497     }
1498 
1499 #ifdef HAVE_EDIRECTORY
1500     if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) ||
1501         (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1502 
1503         printf(gettext("Changing rights for the service object. Please wait ... "));
1504         fflush(stdout);
1505 
1506         if (!(mask & LDAP_REALM_SUBTREE)) {
1507             if (rparams->subtree != NULL) {
1508                 for(i=0; rparams->subtree[i]!=NULL;i++) {
1509                     oldsubtrees[i] = strdup(rparams->subtree[i]);
1510                     if( oldsubtrees[i] == NULL ) {
1511                         retval = ENOMEM;
1512                         goto cleanup;
1513                     }
1514                 }
1515             }
1516         }
1517 
1518         if ((mask & LDAP_REALM_SUBTREE)) {
1519             int check_subtree = 1;
1520 
1521             newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*));
1522 
1523             if (newsubtrees == NULL) {
1524                 retval = ENOMEM;
1525                 goto cleanup;
1526             }
1527 
1528             if ( (rparams != NULL) && (rparams->subtree != NULL) ) {
1529                 for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) {
1530                     newsubtrees[j] = strdup(rparams->subtree[j]);
1531                     if (newsubtrees[j] == NULL) {
1532                         retval = ENOMEM;
1533                         goto cleanup;
1534                     }
1535                 }
1536                 newsubtrees[j] = NULL;
1537             }
1538             for(j=0;oldsubtrees[j]!=NULL;j++) {
1539                 check_subtree = 1;
1540                 for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) ||
1541                         (!oldsubtrees[j] && rparams->subtree[i])); i++) {
1542                     if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) {
1543                         check_subtree = 0;
1544                         continue;
1545                     }
1546                 }
1547                 if (check_subtree != 0) {
1548                     subtree_changed=1;
1549                     break;
1550                 }
1551             }
1552             /* this will return list of the disjoint members */
1553             disjoint_members( oldsubtrees, newsubtrees);
1554         }
1555 
1556         if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) {
1557 
1558             newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1559             if (newkdcdns == NULL) {
1560                 retval = ENOMEM;
1561                 goto cleanup;
1562             }
1563 
1564             if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1565                 for (j=0;  rparams->kdcservers[j]!= NULL; j++) {
1566                     newkdcdns[j] = strdup(rparams->kdcservers[j]);
1567                     if (newkdcdns[j] == NULL) {
1568                         retval = ENOMEM;
1569                         goto cleanup;
1570                     }
1571                 }
1572                 newkdcdns[j] = NULL;
1573             }
1574 
1575             if (!subtree_changed) {
1576                 disjoint_members(oldkdcdns, newkdcdns);
1577             } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1578                 if (!(mask & LDAP_REALM_KDCSERVERS)) {
1579 
1580                     oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1581                     if (oldkdcdns == NULL) {
1582                         retval = ENOMEM;
1583                         goto cleanup;
1584                     }
1585 
1586                     if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1587                         for (j=0;  rparams->kdcservers[j]!= NULL; j++) {
1588                             oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1589                             if (oldkdcdns[j] == NULL) {
1590                                 retval = ENOMEM;
1591                                 goto cleanup;
1592                             }
1593                         }
1594                         oldkdcdns[j] = NULL;
1595                     }
1596                 }
1597             }
1598 
1599             rightsmask =0;
1600             rightsmask |= LDAP_REALM_RIGHTS;
1601             rightsmask |= LDAP_SUBTREE_RIGHTS;
1602             /* Remove the rights on the old subtrees */
1603             if (oldkdcdns) {
1604                 for (i=0; (oldkdcdns[i] != NULL); i++) {
1605                     if ((retval=krb5_ldap_delete_service_rights(util_context,
1606                                                                 LDAP_KDC_SERVICE, oldkdcdns[i],
1607                                                                 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1608                         printf(gettext("failed\n"));
1609                         /* Solaris Kerberos */
1610                         com_err(progname, retval, gettext("while assigning rights '%s'"),
1611                                 rparams->realm_name);
1612                         goto err_nomsg;
1613                     }
1614                 }
1615             }
1616 
1617             rightsmask =0;
1618             rightsmask |= LDAP_REALM_RIGHTS;
1619             rightsmask |= LDAP_SUBTREE_RIGHTS;
1620             if (newkdcdns) {
1621                 for (i=0; (newkdcdns[i] != NULL); i++) {
1622 
1623                     if ((retval=krb5_ldap_add_service_rights(util_context,
1624                                                              LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name,
1625                                                              rparams->subtree, rightsmask)) != 0) {
1626                         printf(gettext("failed\n"));
1627                         /* Solaris Kerberos */
1628                         com_err(progname, retval, gettext("while assigning rights to '%s'"),
1629                                 rparams->realm_name);
1630                         goto err_nomsg;
1631                     }
1632                 }
1633             }
1634         }
1635 
1636         if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) {
1637 
1638             newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1639             if (newadmindns == NULL) {
1640                 retval = ENOMEM;
1641                 goto cleanup;
1642             }
1643 
1644             if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1645                 for (j=0;  rparams->adminservers[j]!= NULL; j++) {
1646                     newadmindns[j] = strdup(rparams->adminservers[j]);
1647                     if (newadmindns[j] == NULL) {
1648                         retval = ENOMEM;
1649                         goto cleanup;
1650                     }
1651                 }
1652                 newadmindns[j] = NULL;
1653             }
1654 
1655             if (!subtree_changed) {
1656                 disjoint_members(oldadmindns, newadmindns);
1657             } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1658                 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1659 
1660                     oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1661                     if (oldadmindns == NULL) {
1662                         retval = ENOMEM;
1663                         goto cleanup;
1664                     }
1665 
1666                     if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1667                         for (j=0;  rparams->adminservers[j]!= NULL; j++) {
1668                             oldadmindns[j] = strdup(rparams->adminservers[j]);
1669                             if (oldadmindns[j] == NULL) {
1670                                 retval = ENOMEM;
1671                                 goto cleanup;
1672                             }
1673                         }
1674                         oldadmindns[j] = NULL;
1675                     }
1676                 }
1677             }
1678 
1679             rightsmask = 0;
1680             rightsmask |= LDAP_REALM_RIGHTS;
1681             rightsmask |= LDAP_SUBTREE_RIGHTS;
1682             /* Remove the rights on the old subtrees */
1683             if (oldadmindns) {
1684                 for (i=0; (oldadmindns[i] != NULL); i++) {
1685 
1686                     if ((retval=krb5_ldap_delete_service_rights(util_context,
1687                                                                 LDAP_ADMIN_SERVICE, oldadmindns[i],
1688                                                                 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1689                         printf(gettext("failed\n"));
1690                         /* Solaris Kerberos */
1691                         com_err(progname, retval, gettext("while assigning rights '%s'"),
1692                                 rparams->realm_name);
1693                         goto err_nomsg;
1694                     }
1695                 }
1696             }
1697 
1698             rightsmask = 0;
1699             rightsmask |= LDAP_REALM_RIGHTS;
1700             rightsmask |= LDAP_SUBTREE_RIGHTS;
1701             /* Add rights on the new subtree for all the kdc dns */
1702             if (newadmindns) {
1703                 for (i=0; (newadmindns[i] != NULL); i++) {
1704 
1705                     if ((retval=krb5_ldap_add_service_rights(util_context,
1706                                                              LDAP_ADMIN_SERVICE, newadmindns[i],
1707                                                              rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
1708                         printf(gettext("failed\n"));
1709                         /* Solaris Kerberos */
1710                         com_err(progname, retval, gettext("while assigning rights to '%s'"),
1711                                 rparams->realm_name);
1712                         goto err_nomsg;
1713                     }
1714                 }
1715             }
1716         }
1717 
1718 
1719         if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1720 
1721             newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1722             if (newpwddns == NULL) {
1723                 retval = ENOMEM;
1724                 goto cleanup;
1725             }
1726 
1727             if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1728                 for (j=0;  rparams->passwdservers[j]!= NULL; j++) {
1729                     newpwddns[j] = strdup(rparams->passwdservers[j]);
1730                     if (newpwddns[j] == NULL) {
1731                         retval = ENOMEM;
1732                         goto cleanup;
1733                     }
1734                 }
1735                 newpwddns[j] = NULL;
1736             }
1737 
1738             if (!subtree_changed) {
1739                 disjoint_members(oldpwddns, newpwddns);
1740             } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1741                 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1742 
1743                     oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1744                     if (oldpwddns == NULL) {
1745                         retval = ENOMEM;
1746                         goto cleanup;
1747                     }
1748 
1749                     if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1750                         for (j=0;  rparams->passwdservers[j]!= NULL; j++) {
1751                             oldpwddns[j] = strdup(rparams->passwdservers[j]);
1752                             if (oldpwddns[j] == NULL) {
1753                                 retval = ENOMEM;
1754                                 goto cleanup;
1755                             }
1756                         }
1757                         oldpwddns[j] = NULL;
1758                     }
1759                 }
1760             }
1761 
1762             rightsmask =0;
1763             rightsmask |= LDAP_REALM_RIGHTS;
1764             rightsmask |= LDAP_SUBTREE_RIGHTS;
1765             /* Remove the rights on the old subtrees */
1766             if (oldpwddns) {
1767                 for (i=0; (oldpwddns[i] != NULL); i++) {
1768                     if ((retval = krb5_ldap_delete_service_rights(util_context,
1769                                                                   LDAP_PASSWD_SERVICE, oldpwddns[i],
1770                                                                   rparams->realm_name, oldsubtrees, rightsmask))) {
1771                         printf(gettext("failed\n"));
1772                         /* Solaris Kerberos */
1773                         com_err(progname, retval, gettext("while assigning rights '%s'"),
1774                                 rparams->realm_name);
1775                         goto err_nomsg;
1776                     }
1777                 }
1778             }
1779 
1780             rightsmask =0;
1781             rightsmask |= LDAP_REALM_RIGHTS;
1782             rightsmask |= LDAP_SUBTREE_RIGHTS;
1783             /* Add rights on the new subtree for all the kdc dns */
1784             if (newpwddns) {
1785                 for (i=0; (newpwddns[i] != NULL); i++) {
1786                     if ((retval = krb5_ldap_add_service_rights(util_context,
1787                                                                LDAP_PASSWD_SERVICE, newpwddns[i],
1788                                                                rparams->realm_name, rparams->subtree, rightsmask))) {
1789                         printf(gettext("failed\n"));
1790                         /* Solaris Kerberos */
1791                         com_err(progname, retval, gettext("while assigning rights to '%s'"),
1792                                 rparams->realm_name);
1793                         goto err_nomsg;
1794                     }
1795                 }
1796             }
1797         }
1798 
1799         printf(gettext("done\n"));
1800     }
1801 #endif
1802 
1803     goto cleanup;
1804 
1805 err_usage:
1806     print_usage = TRUE;
1807 
1808 err_nomsg:
1809     no_msg = TRUE;
1810 
1811 cleanup:
1812     krb5_ldap_free_realm_params(rparams);
1813 
1814 
1815 #ifdef HAVE_EDIRECTORY
1816     if (oldkdcdns) {
1817         for (i=0; oldkdcdns[i] != NULL; i++)
1818             free(oldkdcdns[i]);
1819         free(oldkdcdns);
1820     }
1821     if (oldpwddns) {
1822         for (i=0; oldpwddns[i] != NULL; i++)
1823             free(oldpwddns[i]);
1824         free(oldpwddns);
1825     }
1826     if (oldadmindns) {
1827         for (i=0; oldadmindns[i] != NULL; i++)
1828             free(oldadmindns[i]);
1829         free(oldadmindns);
1830     }
1831     if (newkdcdns) {
1832         for (i=0; newkdcdns[i] != NULL; i++)
1833             free(newkdcdns[i]);
1834         free(newkdcdns);
1835     }
1836     if (newpwddns) {
1837         for (i=0; newpwddns[i] != NULL; i++)
1838             free(newpwddns[i]);
1839         free(newpwddns);
1840     }
1841     if (newadmindns) {
1842         for (i=0; newadmindns[i] != NULL; i++)
1843             free(newadmindns[i]);
1844         free(newadmindns);
1845     }
1846     if (oldsubtrees) {
1847         for (i=0;oldsubtrees[i]!=NULL; i++)
1848             free(oldsubtrees[i]);
1849         free(oldsubtrees);
1850     }
1851     if (newsubtrees) {
1852         for (i=0;newsubtrees[i]!=NULL; i++)
1853             free(newsubtrees[i]);
1854         free(oldsubtrees);
1855     }
1856 #endif
1857     if (print_usage) {
1858         db_usage(MODIFY_REALM);
1859     }
1860 
1861     if (retval) {
1862         if (!no_msg) {
1863             /* Solaris Kerberos */
1864             com_err(progname, retval, gettext("while modifying information of realm '%s'"),
1865                     global_params.realm);
1866         }
1867         exit_status++;
1868     }
1869 
1870     return;
1871 }
1872 
1873 
1874 
1875 /*
1876  * This function displays the attributes of a Realm
1877  */
1878 void kdb5_ldap_view(argc, argv)
1879     int argc;
1880     char *argv[];
1881 {
1882     krb5_ldap_realm_params *rparams = NULL;
1883     krb5_error_code retval = 0;
1884     kdb5_dal_handle *dal_handle=NULL;
1885     krb5_ldap_context *ldap_context=NULL;
1886     int mask = 0;
1887 
1888     dal_handle = (kdb5_dal_handle *) util_context->db_context;
1889     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1890     if (!(ldap_context)) {
1891         retval = EINVAL;
1892         /* Solaris Kerberos */
1893         com_err(progname, retval, gettext("while initializing database"));
1894         exit_status++;
1895         return;
1896     }
1897 
1898     /* Read the kerberos container information */
1899     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1900                                                      &(ldap_context->krbcontainer))) != 0) {
1901         /* Solaris Kerberos */
1902         com_err(progname, retval, gettext("while reading kerberos container information"));
1903         exit_status++;
1904         return;
1905     }
1906 
1907     if ((retval = krb5_ldap_read_realm_params(util_context,
1908                                               global_params.realm, &rparams, &mask)) || (!rparams)) {
1909         /* Solaris Kerberos */
1910         com_err(progname, retval, gettext("while reading information of realm '%s'"),
1911                 global_params.realm);
1912         exit_status++;
1913         return;
1914     }
1915     print_realm_params(rparams, mask);
1916     krb5_ldap_free_realm_params(rparams);
1917 
1918     return;
1919 }
1920 
1921 static char *strdur(duration)
1922     time_t duration;
1923 {
1924     static char out[50];
1925     int neg, days, hours, minutes, seconds;
1926 
1927     if (duration < 0) {
1928         duration *= -1;
1929         neg = 1;
1930     } else
1931         neg = 0;
1932     days = duration / (24 * 3600);
1933     duration %= 24 * 3600;
1934     hours = duration / 3600;
1935     duration %= 3600;
1936     minutes = duration / 60;
1937     duration %= 60;
1938     seconds = duration;
1939     snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
1940             days, days == 1 ? gettext("day") : gettext("days"),
1941             hours, minutes, seconds);
1942     return out;
1943 }
1944 
1945 /*
1946  * This function prints the attributes of a given realm to the
1947  * standard output.
1948  */
1949 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
1950 {
1951     char **slist = NULL;
1952     int num_entry_printed = 0, i = 0;
1953 
1954     /* Print the Realm Attributes on the standard output */
1955     printf("%25s: %-50s\n", gettext("Realm Name"), global_params.realm);
1956     if (mask & LDAP_REALM_SUBTREE) {
1957         for (i=0; rparams->subtree[i]!=NULL; i++)
1958             printf("%25s: %-50s\n", gettext("Subtree"), rparams->subtree[i]);
1959     }
1960     if (mask & LDAP_REALM_CONTREF)
1961         printf("%25s: %-50s\n", gettext("Principal Container Reference"), rparams->containerref);
1962     if (mask & LDAP_REALM_SEARCHSCOPE) {
1963         if ((rparams->search_scope != 1) &&
1964             (rparams->search_scope != 2)) {
1965             printf("%25s: %-50s\n", gettext("SearchScope"), gettext("Invalid !"));
1966         } else {
1967             printf("%25s: %-50s\n", gettext("SearchScope"),
1968                    (rparams->search_scope == 1) ? gettext("ONE") : gettext("SUB"));
1969         }
1970     }
1971     if (mask & LDAP_REALM_KDCSERVERS) {
1972         printf("%25s:", gettext("KDC Services"));
1973         if (rparams->kdcservers != NULL) {
1974             num_entry_printed = 0;
1975             for (slist = rparams->kdcservers; *slist != NULL; slist++) {
1976                 if (num_entry_printed)
1977                     printf(" %25s %-50s\n", " ", *slist);
1978                 else
1979                     printf(" %-50s\n", *slist);
1980                 num_entry_printed++;
1981             }
1982         }
1983         if (num_entry_printed == 0)
1984             printf("\n");
1985     }
1986     if (mask & LDAP_REALM_ADMINSERVERS) {
1987         printf("%25s:", gettext("Admin Services"));
1988         if (rparams->adminservers != NULL) {
1989             num_entry_printed = 0;
1990             for (slist = rparams->adminservers; *slist != NULL; slist++) {
1991                 if (num_entry_printed)
1992                     printf(" %25s %-50s\n", " ", *slist);
1993                 else
1994                     printf(" %-50s\n", *slist);
1995                 num_entry_printed++;
1996             }
1997         }
1998         if (num_entry_printed == 0)
1999             printf("\n");
2000     }
2001     if (mask & LDAP_REALM_PASSWDSERVERS) {
2002         printf("%25s:", gettext("Passwd Services"));
2003         if (rparams->passwdservers != NULL) {
2004             num_entry_printed = 0;
2005             for (slist = rparams->passwdservers; *slist != NULL; slist++) {
2006                 if (num_entry_printed)
2007                     printf(" %25s %-50s\n", " ", *slist);
2008                 else
2009                     printf(" %-50s\n", *slist);
2010                 num_entry_printed++;
2011             }
2012         }
2013         if (num_entry_printed == 0)
2014             printf("\n");
2015     }
2016     if (mask & LDAP_REALM_MAXTICKETLIFE) {
2017         printf("%25s:", gettext("Maximum Ticket Life"));
2018         printf(" %s \n", strdur(rparams->max_life));
2019     }
2020 
2021     if (mask & LDAP_REALM_MAXRENEWLIFE) {
2022         printf("%25s:", gettext("Maximum Renewable Life"));
2023         printf(" %s \n", strdur(rparams->max_renewable_life));
2024     }
2025 
2026     if (mask & LDAP_REALM_KRBTICKETFLAGS) {
2027         int ticketflags = rparams->tktflags;
2028 
2029         printf("%25s: ", gettext("Ticket flags"));
2030         if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
2031             printf("%s ","DISALLOW_POSTDATED");
2032 
2033         if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
2034             printf("%s ","DISALLOW_FORWARDABLE");
2035 
2036         if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
2037             printf("%s ","DISALLOW_RENEWABLE");
2038 
2039         if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
2040             printf("%s ","DISALLOW_PROXIABLE");
2041 
2042         if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
2043             printf("%s ","DISALLOW_DUP_SKEY");
2044 
2045         if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
2046             printf("%s ","REQUIRES_PRE_AUTH");
2047 
2048         if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
2049             printf("%s ","REQUIRES_HW_AUTH");
2050 
2051         if (ticketflags & KRB5_KDB_DISALLOW_SVR)
2052             printf("%s ","DISALLOW_SVR");
2053 
2054         if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
2055             printf("%s ","DISALLOW_TGT_BASED");
2056 
2057         if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
2058             printf("%s ","DISALLOW_ALL_TIX");
2059 
2060         if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
2061             printf("%s ","REQUIRES_PWCHANGE");
2062 
2063         if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
2064             printf("%s ","PWCHANGE_SERVICE");
2065 
2066         printf("\n");
2067     }
2068 
2069 
2070     return;
2071 }
2072 
2073 
2074 
2075 /*
2076  * This function lists the Realm(s) present under the Kerberos container
2077  * on the LDAP Server.
2078  */
2079 void kdb5_ldap_list(argc, argv)
2080     int argc;
2081     char *argv[];
2082 {
2083     char **list = NULL;
2084     char **plist = NULL;
2085     krb5_error_code retval = 0;
2086     kdb5_dal_handle *dal_handle=NULL;
2087     krb5_ldap_context *ldap_context=NULL;
2088 
2089     dal_handle = (kdb5_dal_handle *)util_context->db_context;
2090     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2091     if (!(ldap_context)) {
2092         retval = EINVAL;
2093         exit_status++;
2094         return;
2095     }
2096 
2097     /* Read the kerberos container information */
2098     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2099                                                      &(ldap_context->krbcontainer))) != 0) {
2100         /* Solaris Kerberos */
2101         com_err(progname, retval, gettext("while reading kerberos container information"));
2102         exit_status++;
2103         return;
2104     }
2105 
2106     retval = krb5_ldap_list_realm(util_context, &list);
2107     if (retval != 0) {
2108         krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2109         ldap_context->krbcontainer = NULL;
2110         /* Solaris Kerberos */
2111         com_err (progname, retval, gettext("while listing realms"));
2112         exit_status++;
2113         return;
2114     }
2115     /* This is to handle the case of realm not present */
2116     if (list == NULL) {
2117         krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2118         ldap_context->krbcontainer = NULL;
2119         return;
2120     }
2121 
2122     for (plist = list; *plist != NULL; plist++) {
2123         printf("%s\n", *plist);
2124     }
2125     krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2126     ldap_context->krbcontainer = NULL;
2127     krb5_free_list_entries(list);
2128     free(list);
2129 
2130     return;
2131 }
2132 
2133 /*
2134  * Duplicating the following two functions here because
2135  * 'krb5_dbe_update_tl_data' uses backend specific memory allocation. The catch
2136  * here is that the backend is not initialized - kdb5_ldap_util doesn't go
2137  * through DAL.
2138  * 1. krb5_dbe_update_tl_data
2139  * 2. krb5_dbe_update_mod_princ_data
2140  */
2141 
2142 /* Start duplicate code ... */
2143 
2144 static krb5_error_code
2145 krb5_dbe_update_tl_data_new(context, entry, new_tl_data)
2146     krb5_context context;
2147     krb5_db_entry *entry;
2148     krb5_tl_data *new_tl_data;
2149 {
2150     krb5_tl_data *tl_data = NULL;
2151     krb5_octet *tmp;
2152 
2153     /* copy the new data first, so we can fail cleanly if malloc()
2154      * fails */
2155 /*
2156     if ((tmp =
2157          (krb5_octet *) krb5_db_alloc(context, NULL,
2158                                       new_tl_data->tl_data_length)) == NULL)
2159 */
2160     if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL)
2161         return (ENOMEM);
2162 
2163     /* Find an existing entry of the specified type and point at
2164      * it, or NULL if not found */
2165 
2166     if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) {      /* db_args can be multiple */
2167         for (tl_data = entry->tl_data; tl_data;
2168              tl_data = tl_data->tl_data_next)
2169             if (tl_data->tl_data_type == new_tl_data->tl_data_type)
2170                 break;
2171     }
2172 
2173     /* if necessary, chain a new record in the beginning and point at it */
2174 
2175     if (!tl_data) {
2176 /*
2177         if ((tl_data =
2178              (krb5_tl_data *) krb5_db_alloc(context, NULL,
2179                                             sizeof(krb5_tl_data)))
2180             == NULL) {
2181 */
2182         if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) {
2183             free(tmp);
2184             return (ENOMEM);
2185         }
2186         memset(tl_data, 0, sizeof(krb5_tl_data));
2187         tl_data->tl_data_next = entry->tl_data;
2188         entry->tl_data = tl_data;
2189         entry->n_tl_data++;
2190     }
2191 
2192     /* fill in the record */
2193 
2194     if (tl_data->tl_data_contents)
2195         krb5_db_free(context, tl_data->tl_data_contents);
2196 
2197     tl_data->tl_data_type = new_tl_data->tl_data_type;
2198     tl_data->tl_data_length = new_tl_data->tl_data_length;
2199     tl_data->tl_data_contents = tmp;
2200     memcpy(tmp, new_tl_data->tl_data_contents, tl_data->tl_data_length);
2201 
2202     return (0);
2203 }
2204 
2205 static krb5_error_code
2206 krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ)
2207     krb5_context          context;
2208     krb5_db_entry       * entry;
2209     krb5_timestamp        mod_date;
2210     krb5_const_principal  mod_princ;
2211 {
2212     krb5_tl_data          tl_data;
2213 
2214     krb5_error_code       retval = 0;
2215     krb5_octet          * nextloc = 0;
2216     char                * unparse_mod_princ = 0;
2217     unsigned int        unparse_mod_princ_size;
2218 
2219     if ((retval = krb5_unparse_name(context, mod_princ,
2220                                     &unparse_mod_princ)))
2221         return(retval);
2222 
2223     unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
2224 
2225     if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
2226         == NULL) {
2227         free(unparse_mod_princ);
2228         return(ENOMEM);
2229     }
2230 
2231     tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
2232     tl_data.tl_data_length = unparse_mod_princ_size + 4;
2233     tl_data.tl_data_contents = nextloc;
2234 
2235     /* Mod Date */
2236     krb5_kdb_encode_int32(mod_date, nextloc);
2237 
2238     /* Mod Princ */
2239     memcpy(nextloc+4, unparse_mod_princ, unparse_mod_princ_size);
2240 
2241     retval = krb5_dbe_update_tl_data_new(context, entry, &tl_data);
2242 
2243     free(unparse_mod_princ);
2244     free(nextloc);
2245 
2246     return(retval);
2247 }
2248 
2249 static krb5_error_code
2250 kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
2251     krb5_key_salt_tuple *ksent;
2252     krb5_pointer        ptr;
2253 {
2254     krb5_context        context;
2255     krb5_error_code     kret;
2256     struct iterate_args *iargs;
2257     krb5_keyblock       key;
2258     krb5_int32          ind;
2259     krb5_data   pwd;
2260     krb5_db_entry       *entry;
2261 
2262     iargs = (struct iterate_args *) ptr;
2263     kret = 0;
2264 
2265     context = iargs->ctx;
2266     entry = iargs->dbentp;
2267 
2268     /*
2269      * Convert the master key password into a key for this particular
2270      * encryption system.
2271      */
2272     pwd.data = mkey_password;
2273     pwd.length = strlen(mkey_password);
2274     kret = krb5_c_random_seed(context, &pwd);
2275     if (kret)
2276         return kret;
2277 
2278     /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
2279     if ((entry->key_data =
2280              (krb5_key_data *) realloc(entry->key_data,
2281                                             (sizeof(krb5_key_data) *
2282                                             (entry->n_key_data + 1)))) == NULL)
2283         return (ENOMEM);
2284 
2285     memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
2286     ind = entry->n_key_data++;
2287 
2288     if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype,
2289                                         &key))) {
2290         kret = krb5_dbekd_encrypt_key_data(context,
2291                                            iargs->rblock->key,
2292                                            &key,
2293                                            NULL,
2294                                            1,
2295                                            &entry->key_data[ind]);
2296         krb5_free_keyblock_contents(context, &key);
2297     }
2298     /*}*/
2299 
2300     return(kret);
2301 }
2302 /* End duplicate code */
2303 
2304 /*
2305  * This function creates service principals when
2306  * creating the realm object.
2307  */
2308 static int
2309 kdb_ldap_create_principal (context, princ, op, pblock)
2310     krb5_context context;
2311     krb5_principal princ;
2312     enum ap_op op;
2313     struct realm_info *pblock;
2314 {
2315     int              retval=0, currlen=0, princtype = 2 /* Service Principal */;
2316     unsigned char    *curr=NULL;
2317     krb5_tl_data     *tl_data=NULL;
2318     krb5_db_entry    entry;
2319     int              nentry=1;
2320     long             mask = 0;
2321     krb5_keyblock    key;
2322     int              kvno = 0;
2323     kdb5_dal_handle *dal_handle = NULL;
2324     krb5_ldap_context *ldap_context=NULL;
2325     struct iterate_args   iargs;
2326     krb5_data       *pdata;
2327 
2328     if ((pblock == NULL) || (context == NULL)) {
2329         retval = EINVAL;
2330         goto cleanup;
2331     }
2332     dal_handle = (kdb5_dal_handle *) context->db_context;
2333     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2334     if (!(ldap_context)) {
2335         retval = EINVAL;
2336         goto cleanup;
2337     }
2338 
2339     memset(&entry, 0, sizeof(entry));
2340 
2341     tl_data = malloc(sizeof(*tl_data));
2342     if (tl_data == NULL) {
2343         retval = ENOMEM;
2344         goto cleanup;
2345     }
2346     memset(tl_data, 0, sizeof(*tl_data));
2347     tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4;
2348     tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */
2349     curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length);
2350     if (tl_data->tl_data_contents == NULL) {
2351         retval = ENOMEM;
2352         goto cleanup;
2353     }
2354 
2355     memset(curr, 1, 1); /* Passing the mask as principal type */
2356     curr += 1;
2357     currlen = 2;
2358     STORE16_INT(curr, currlen);
2359     curr += currlen;
2360     STORE16_INT(curr, princtype);
2361     curr += currlen;
2362 
2363     mask |= KADM5_PRINCIPAL;
2364     mask |= KADM5_ATTRIBUTES ;
2365     mask |= KADM5_MAX_LIFE ;
2366     mask |= KADM5_MAX_RLIFE ;
2367     mask |= KADM5_PRINC_EXPIRE_TIME ;
2368     mask |= KADM5_KEY_DATA;
2369 
2370     entry.tl_data = tl_data;
2371     entry.n_tl_data += 1;
2372     /* Set the creator's name */
2373     {
2374         krb5_timestamp now;
2375         if ((retval = krb5_timeofday(context, &now)))
2376             goto cleanup;
2377         if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
2378                         now, &db_create_princ)))
2379             goto cleanup;
2380     }
2381     entry.attributes = pblock->flags;
2382     entry.max_life = pblock->max_life;
2383     entry.max_renewable_life = pblock->max_rlife;
2384     entry.expiration = pblock->expiration;
2385     entry.mask = mask;
2386     if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
2387         goto cleanup;
2388 
2389 
2390     switch (op) {
2391     case TGT_KEY:
2392         if ((pdata = krb5_princ_component(context, princ, 1)) &&
2393             pdata->length == strlen("history") &&
2394             !memcmp(pdata->data, "history", strlen("history"))) {
2395 
2396             /* Allocate memory for storing the key */
2397             if ((entry.key_data = (krb5_key_data *) malloc(
2398                                               sizeof(krb5_key_data))) == NULL) {
2399                 retval = ENOMEM;
2400                 goto cleanup;
2401             }
2402 
2403             memset(entry.key_data, 0, sizeof(krb5_key_data));
2404             entry.n_key_data++;
2405 
2406             retval = krb5_c_make_random_key(context, global_params.enctype, &key);
2407             if (retval) {
2408                 goto cleanup;
2409             }
2410             kvno = 1; /* New key is getting set */
2411             retval = krb5_dbekd_encrypt_key_data(context,
2412                                         &ldap_context->lrparams->mkey,
2413                                         &key, NULL, kvno,
2414                                         &entry.key_data[entry.n_key_data - 1]);
2415             krb5_free_keyblock_contents(context, &key);
2416             if (retval) {
2417                 goto cleanup;
2418             }
2419         } else {
2420             /*retval = krb5_c_make_random_key(context, 16, &key) ;*/
2421             iargs.ctx = context;
2422             iargs.rblock = pblock;
2423             iargs.dbentp = &entry;
2424 
2425             /*
2426              * create a set of random keys by iterating through the key/salt
2427              * list, ignoring salt types.
2428              */
2429             if ((retval = krb5_keysalt_iterate(pblock->kslist,
2430                                                pblock->nkslist,
2431                                                1,
2432                                                kdb_ldap_tgt_keysalt_iterate,
2433                                                (krb5_pointer) &iargs)))
2434                 return retval;
2435         }
2436         break;
2437 
2438     case MASTER_KEY:
2439         /* Allocate memory for storing the key */
2440         if ((entry.key_data = (krb5_key_data *) malloc(
2441                                               sizeof(krb5_key_data))) == NULL) {
2442             retval = ENOMEM;
2443             goto cleanup;
2444         }
2445 
2446         memset(entry.key_data, 0, sizeof(krb5_key_data));
2447         entry.n_key_data++;
2448         kvno = 1; /* New key is getting set */
2449         retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
2450                                          &ldap_context->lrparams->mkey,
2451                                          NULL, kvno,
2452                                          &entry.key_data[entry.n_key_data - 1]);
2453         if (retval) {
2454             goto cleanup;
2455         }
2456         break;
2457 
2458     case NULL_KEY:
2459     default:
2460         break;
2461     } /* end of switch */
2462 
2463     retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
2464     if (retval) {
2465         com_err(NULL, retval, gettext("while adding entries to database"));
2466         goto cleanup;
2467     }
2468 
2469 cleanup:
2470     krb5_dbe_free_contents(context, &entry);
2471     return retval;
2472 }
2473 
2474 
2475 /*
2476  * This function destroys the realm object and the associated principals
2477  */
2478 void
2479 kdb5_ldap_destroy(argc, argv)
2480     int argc;
2481     char *argv[];
2482 {
2483     extern char *optarg;
2484     extern int optind;
2485     int optchar = 0;
2486     char buf[5] = {0};
2487     krb5_error_code retval = 0;
2488     int force = 0;
2489     int mask = 0;
2490     kdb5_dal_handle *dal_handle = NULL;
2491     krb5_ldap_context *ldap_context = NULL;
2492 #ifdef HAVE_EDIRECTORY
2493     int i = 0, rightsmask = 0;
2494     krb5_ldap_realm_params *rparams = NULL;
2495 #endif
2496     /* Solaris Kerberos: to remove stash file */
2497     char *stash_file = NULL;
2498     struct stat stb;
2499 
2500     optind = 1;
2501     while ((optchar = getopt(argc, argv, "f")) != -1) {
2502         switch (optchar) {
2503         case 'f':
2504             force++;
2505             break;
2506         case '?':
2507         default:
2508             db_usage(DESTROY_REALM);
2509             return;
2510             /*NOTREACHED*/
2511         }
2512     }
2513 
2514     if (!force) {
2515         printf(gettext("Deleting KDC database of '%s', are you sure?\n"), global_params.realm);
2516         printf(gettext("(type 'yes' to confirm)? "));
2517         if (fgets(buf, sizeof(buf), stdin) == NULL) {
2518             exit_status++;
2519             return;
2520         }
2521         if (strcmp(buf, yes)) {
2522             exit_status++;
2523             return;
2524         }
2525         printf(gettext("OK, deleting database of '%s'...\n"), global_params.realm);
2526     }
2527 
2528     dal_handle = (kdb5_dal_handle *)util_context->db_context;
2529     ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2530     if (!(ldap_context)) {
2531         /* Solaris Kerberos */
2532         com_err(progname, EINVAL, gettext("while initializing database"));
2533         exit_status++;
2534         return;
2535     }
2536 
2537     /* Read the kerberos container from the LDAP Server */
2538     if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2539                                                      &(ldap_context->krbcontainer))) != 0) {
2540         /* Solaris Kerberos */
2541         com_err(progname, retval, gettext("while reading kerberos container information"));
2542         exit_status++;
2543         return;
2544     }
2545 
2546     /* Read the Realm information from the LDAP Server */
2547     if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
2548                                               &(ldap_context->lrparams), &mask)) != 0) {
2549         /* Solaris Kerberos */
2550         com_err(progname, retval, gettext("while reading realm information"));
2551         exit_status++;
2552         return;
2553     }
2554 
2555 #ifdef HAVE_EDIRECTORY
2556     if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
2557         (mask & LDAP_REALM_PASSWDSERVERS)) {
2558 
2559         printf(gettext("Changing rights for the service object. Please wait ... "));
2560         fflush(stdout);
2561 
2562         rparams = ldap_context->lrparams;
2563         rightsmask = 0;
2564         rightsmask |= LDAP_REALM_RIGHTS;
2565         rightsmask |= LDAP_SUBTREE_RIGHTS;
2566         if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
2567             for (i=0; (rparams->kdcservers[i] != NULL); i++) {
2568                 if ((retval = krb5_ldap_delete_service_rights(util_context,
2569                                                               LDAP_KDC_SERVICE, rparams->kdcservers[i],
2570                                                               rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2571                     printf(gettext("failed\n"));
2572                     /* Solaris Kerberos */
2573                     com_err(progname, retval, gettext("while assigning rights to '%s'"),
2574                             rparams->realm_name);
2575                     return;
2576                 }
2577             }
2578         }
2579         rightsmask = 0;
2580         rightsmask |= LDAP_REALM_RIGHTS;
2581         rightsmask |= LDAP_SUBTREE_RIGHTS;
2582         if ((rparams != NULL) && (rparams->adminservers != NULL)) {
2583             for (i=0; (rparams->adminservers[i] != NULL); i++) {
2584                 if ((retval = krb5_ldap_delete_service_rights(util_context,
2585                                                               LDAP_ADMIN_SERVICE, rparams->adminservers[i],
2586                                                               rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2587                     printf(gettext("failed\n"));
2588                     /* Solaris Kerberos */
2589                     com_err(progname, retval, gettext("while assigning rights to '%s'"),
2590                             rparams->realm_name);
2591                     return;
2592                 }
2593             }
2594         }
2595         rightsmask = 0;
2596         rightsmask |= LDAP_REALM_RIGHTS;
2597         rightsmask |= LDAP_SUBTREE_RIGHTS;
2598         if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
2599             for (i=0; (rparams->passwdservers[i] != NULL); i++) {
2600                 if ((retval = krb5_ldap_delete_service_rights(util_context,
2601                                                               LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
2602                                                               rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2603                     printf(gettext("failed\n"));
2604                     /* Solaris Kerberos */
2605                     com_err(progname, retval, gettext("while assigning rights to '%s'"),
2606                             rparams->realm_name);
2607                     return;
2608                 }
2609             }
2610         }
2611         printf(gettext("done\n"));
2612     }
2613 #endif
2614     /* Delete the realm container and all the associated principals */
2615     retval = krb5_ldap_delete_realm(util_context, global_params.realm);
2616     if (retval) {
2617         /* Solaris Kerberos */
2618         com_err(progname, retval, gettext("deleting database of '%s'"), global_params.realm);
2619         exit_status++;
2620         return;
2621     }
2622 
2623     /*
2624      * Solaris Kerberos: check for a stash file and delete it if necessary
2625      * This behavior exists in the Solaris version of kdb5_util destroy.
2626      */
2627     if (global_params.stash_file == NULL) {
2628         char stashbuf[MAXPATHLEN+1];
2629         int realm_len = strlen(global_params.realm);
2630 
2631         (void) strlcpy(stashbuf, DEFAULT_KEYFILE_STUB, sizeof (stashbuf)); 
2632 
2633         if (realm_len <= (MAXPATHLEN-strlen(stashbuf))) {
2634             (void) strncat(stashbuf, global_params.realm,
2635                 (MAXPATHLEN-strlen(stashbuf)));
2636         } else {
2637             /* Solaris Kerberos */
2638             com_err(progname, EINVAL,
2639                 gettext("can not determine stash file name for '%s'"),
2640                 global_params.realm);
2641             exit_status++;
2642             return;
2643         }
2644         stash_file = stashbuf;
2645     } else {
2646         stash_file = global_params.stash_file;
2647     }
2648     /* Make sure stash_file is a regular file before unlinking */
2649     if (stat(stash_file, &stb) == 0) {
2650         if ((stb.st_mode & S_IFMT) == S_IFREG) {
2651             (void)unlink(stash_file);
2652         } else {
2653             /* Solaris Kerberos */
2654             com_err(progname, EINVAL,
2655                 gettext("stash file '%s' not a regular file, can not delete"),
2656                 stash_file);
2657             exit_status++;
2658             return;
2659         }
2660     } else if (errno != ENOENT) {
2661         /*
2662          * If the error is something other than the file doesn't exist set an
2663          * error.
2664          */
2665         /* Solaris Kerberos */
2666         com_err(progname, EINVAL,
2667             gettext("could not stat stash file '%s', could not delete"),
2668             stash_file);
2669         exit_status++;
2670         return;
2671     }
2672 
2673     printf(gettext("** Database of '%s' destroyed.\n"), global_params.realm);
2674 
2675     return;
2676 }