1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * kadmin/ldap_util/kdb5_ldap_realm.c
8 *
9 * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology.
10 * All Rights Reserved.
11 *
12 * Export of this software from the United States of America may
13 * require a specific license from the United States Government.
14 * It is the responsibility of any person or organization contemplating
15 * export to obtain such a license before exporting.
16 *
17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18 * distribute this software and its documentation for any purpose and
19 * without fee is hereby granted, provided that the above copyright
20 * notice appear in all copies and that both that copyright notice and
21 * this permission notice appear in supporting documentation, and that
139
140
141 static char *strdur(time_t duration);
142 static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
143 static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ);
144 static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data);
145
146 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
147 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
148
149 static int get_ticket_policy(rparams,i,argv,argc)
150 krb5_ldap_realm_params *rparams;
151 int *i;
152 char *argv[];
153 int argc;
154 {
155 time_t date;
156 time_t now;
157 int mask = 0;
158 krb5_error_code retval = 0;
159 krb5_boolean no_msg = FALSE;
160
161 krb5_boolean print_usage = FALSE;
162 /* Solaris Kerberos */
163 char *me = progname;
164
165 time(&now);
166 if (!strcmp(argv[*i], "-maxtktlife")) {
167 if (++(*i) > argc-1)
168 goto err_usage;
169 date = get_date(argv[*i]);
170 if (date == (time_t)(-1)) {
171 retval = EINVAL;
172 com_err (me, retval, gettext("while providing time specification"));
173 goto err_nomsg;
174 }
175 rparams->max_life = date-now;
176 mask |= LDAP_REALM_MAXTICKETLIFE;
177 }
178
179
180 else if (!strcmp(argv[*i], "-maxrenewlife")) {
181 if (++(*i) > argc-1)
182 goto err_usage;
183
184 date = get_date(argv[*i]);
185 if (date == (time_t)(-1)) {
186 retval = EINVAL;
187 com_err (me, retval, gettext("while providing time specification"));
188 goto err_nomsg;
189 }
190 rparams->max_renewable_life = date-now;
191 mask |= LDAP_REALM_MAXRENEWLIFE;
192 } else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
193 if (*(argv[*i]) == '+')
194 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
195 else if (*(argv[*i]) == '-')
196 rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
197 else
198 goto err_usage;
199
200 mask |= LDAP_REALM_KRBTICKETFLAGS;
201 } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
202 if (*(argv[*i]) == '+')
203 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
204
205 else if (*(argv[*i]) == '-')
206 rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
207 else
208 goto err_usage;
209
210 mask |= LDAP_REALM_KRBTICKETFLAGS;
211 } else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
212 if (*(argv[*i]) == '+')
213 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
214 else if (*(argv[*i]) == '-')
215 rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
216 else
217 goto err_usage;
218
219 mask |= LDAP_REALM_KRBTICKETFLAGS;
220 } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
221 if (*(argv[*i]) == '+')
222 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
223 else if (*(argv[*i]) == '-')
224 rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
225 else
226 goto err_usage;
227
228 mask |= LDAP_REALM_KRBTICKETFLAGS;
229 } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
230 if (*(argv[*i]) == '+')
231 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
232 else if (*(argv[*i]) == '-')
233 rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
234 else
235 goto err_usage;
236
237 mask |= LDAP_REALM_KRBTICKETFLAGS;
238 }
239
240 else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
241 if (*(argv[*i]) == '+')
242 rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
243 else if (*(argv[*i]) == '-')
244 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
245 else
246 goto err_usage;
247
248 mask |= LDAP_REALM_KRBTICKETFLAGS;
249 } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
250 if (*(argv[*i]) == '+')
251 rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
252 else if (*(argv[*i]) == '-')
253 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
254 else
255 goto err_usage;
256
257 mask |= LDAP_REALM_KRBTICKETFLAGS;
258 } else if (!strcmp((argv[*i] + 1), "allow_svr")) {
259 if (*(argv[*i]) == '+')
260 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
261 else if (*(argv[*i]) == '-')
262 rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
263 else
264 goto err_usage;
265
266 mask |= LDAP_REALM_KRBTICKETFLAGS;
267 } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
268 if (*(argv[*i]) == '+')
269 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
270 else if (*(argv[*i]) == '-')
271 rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
272 else
273 goto err_usage;
274
275 mask |= LDAP_REALM_KRBTICKETFLAGS;
276 } else if (!strcmp((argv[*i] + 1), "allow_tix")) {
277 if (*(argv[*i]) == '+')
278 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
279 else if (*(argv[*i]) == '-')
280 rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
281 else
282 goto err_usage;
283
284 mask |= LDAP_REALM_KRBTICKETFLAGS;
285 } else if (!strcmp((argv[*i] + 1), "needchange")) {
286 if (*(argv[*i]) == '+')
287 rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
288 else if (*(argv[*i]) == '-')
289 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
290 else
291 goto err_usage;
292
293 mask |= LDAP_REALM_KRBTICKETFLAGS;
294 } else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
295 if (*(argv[*i]) == '+')
296 rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
297 else if (*(argv[*i]) == '-')
298 rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
299 else
300 goto err_usage;
301
302 mask |=LDAP_REALM_KRBTICKETFLAGS;
303 }
304 err_usage:
305 print_usage = TRUE;
306
307 err_nomsg:
308 no_msg = TRUE;
309
310 return mask;
311 }
312
313 /*
314 * This function will create a realm on the LDAP Server, with
315 * the specified attributes.
316 */
317 void kdb5_ldap_create(argc, argv)
318 int argc;
319 char *argv[];
320 {
321 krb5_error_code retval = 0;
322 krb5_keyblock master_keyblock;
323 krb5_ldap_realm_params *rparams = NULL;
324 krb5_principal master_princ = NULL;
325 kdb5_dal_handle *dal_handle = NULL;
326 krb5_ldap_context *ldap_context=NULL;
327 krb5_boolean realm_obj_created = FALSE;
328 krb5_boolean create_complete = FALSE;
1 /*
2 * Copyright 2017 Gary Mills
3 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
4 * Use is subject to license terms.
5 */
6
7 /*
8 * kadmin/ldap_util/kdb5_ldap_realm.c
9 *
10 * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology.
11 * All Rights Reserved.
12 *
13 * Export of this software from the United States of America may
14 * require a specific license from the United States Government.
15 * It is the responsibility of any person or organization contemplating
16 * export to obtain such a license before exporting.
17 *
18 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
19 * distribute this software and its documentation for any purpose and
20 * without fee is hereby granted, provided that the above copyright
21 * notice appear in all copies and that both that copyright notice and
22 * this permission notice appear in supporting documentation, and that
140
141
142 static char *strdur(time_t duration);
143 static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
144 static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ);
145 static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data);
146
147 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
148 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
149
150 static int get_ticket_policy(rparams,i,argv,argc)
151 krb5_ldap_realm_params *rparams;
152 int *i;
153 char *argv[];
154 int argc;
155 {
156 time_t date;
157 time_t now;
158 int mask = 0;
159 krb5_error_code retval = 0;
160
161 /* Solaris Kerberos */
162 char *me = progname;
163
164 time(&now);
165 if (!strcmp(argv[*i], "-maxtktlife")) {
166 if (++(*i) > argc-1)
167 goto err_nomsg;
168 date = get_date(argv[*i]);
169 if (date == (time_t)(-1)) {
170 retval = EINVAL;
171 com_err (me, retval, gettext("while providing time specification"));
172 goto err_nomsg;
173 }
174 rparams->max_life = date-now;
175 mask |= LDAP_REALM_MAXTICKETLIFE;
176 }
177
178
179 else if (!strcmp(argv[*i], "-maxrenewlife")) {
180 if (++(*i) > argc-1)
181 goto err_nomsg;
182
183 date = get_date(argv[*i]);
184 if (date == (time_t)(-1)) {
185 retval = EINVAL;
186 com_err (me, retval, gettext("while providing time specification"));
187 goto err_nomsg;
188 }
189 rparams->max_renewable_life = date-now;
190 mask |= LDAP_REALM_MAXRENEWLIFE;
191 } else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
192 if (*(argv[*i]) == '+')
193 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
194 else if (*(argv[*i]) == '-')
195 rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
196 else
197 goto err_nomsg;
198
199 mask |= LDAP_REALM_KRBTICKETFLAGS;
200 } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
201 if (*(argv[*i]) == '+')
202 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
203
204 else if (*(argv[*i]) == '-')
205 rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
206 else
207 goto err_nomsg;
208
209 mask |= LDAP_REALM_KRBTICKETFLAGS;
210 } else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
211 if (*(argv[*i]) == '+')
212 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
213 else if (*(argv[*i]) == '-')
214 rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
215 else
216 goto err_nomsg;
217
218 mask |= LDAP_REALM_KRBTICKETFLAGS;
219 } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
220 if (*(argv[*i]) == '+')
221 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
222 else if (*(argv[*i]) == '-')
223 rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
224 else
225 goto err_nomsg;
226
227 mask |= LDAP_REALM_KRBTICKETFLAGS;
228 } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
229 if (*(argv[*i]) == '+')
230 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
231 else if (*(argv[*i]) == '-')
232 rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
233 else
234 goto err_nomsg;
235
236 mask |= LDAP_REALM_KRBTICKETFLAGS;
237 }
238
239 else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
240 if (*(argv[*i]) == '+')
241 rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
242 else if (*(argv[*i]) == '-')
243 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
244 else
245 goto err_nomsg;
246
247 mask |= LDAP_REALM_KRBTICKETFLAGS;
248 } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
249 if (*(argv[*i]) == '+')
250 rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
251 else if (*(argv[*i]) == '-')
252 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
253 else
254 goto err_nomsg;
255
256 mask |= LDAP_REALM_KRBTICKETFLAGS;
257 } else if (!strcmp((argv[*i] + 1), "allow_svr")) {
258 if (*(argv[*i]) == '+')
259 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
260 else if (*(argv[*i]) == '-')
261 rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
262 else
263 goto err_nomsg;
264
265 mask |= LDAP_REALM_KRBTICKETFLAGS;
266 } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
267 if (*(argv[*i]) == '+')
268 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
269 else if (*(argv[*i]) == '-')
270 rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
271 else
272 goto err_nomsg;
273
274 mask |= LDAP_REALM_KRBTICKETFLAGS;
275 } else if (!strcmp((argv[*i] + 1), "allow_tix")) {
276 if (*(argv[*i]) == '+')
277 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
278 else if (*(argv[*i]) == '-')
279 rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
280 else
281 goto err_nomsg;
282
283 mask |= LDAP_REALM_KRBTICKETFLAGS;
284 } else if (!strcmp((argv[*i] + 1), "needchange")) {
285 if (*(argv[*i]) == '+')
286 rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
287 else if (*(argv[*i]) == '-')
288 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
289 else
290 goto err_nomsg;
291
292 mask |= LDAP_REALM_KRBTICKETFLAGS;
293 } else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
294 if (*(argv[*i]) == '+')
295 rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
296 else if (*(argv[*i]) == '-')
297 rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
298 else
299 goto err_nomsg;
300
301 mask |=LDAP_REALM_KRBTICKETFLAGS;
302 }
303
304 err_nomsg:
305
306 return mask;
307 }
308
309 /*
310 * This function will create a realm on the LDAP Server, with
311 * the specified attributes.
312 */
313 void kdb5_ldap_create(argc, argv)
314 int argc;
315 char *argv[];
316 {
317 krb5_error_code retval = 0;
318 krb5_keyblock master_keyblock;
319 krb5_ldap_realm_params *rparams = NULL;
320 krb5_principal master_princ = NULL;
321 kdb5_dal_handle *dal_handle = NULL;
322 krb5_ldap_context *ldap_context=NULL;
323 krb5_boolean realm_obj_created = FALSE;
324 krb5_boolean create_complete = FALSE;