154925bf6Swillf /*
254925bf6Swillf * lib/kdb/kdb_ldap/ldap_service_rights.c
354925bf6Swillf *
454925bf6Swillf * Copyright (c) 2004-2005, Novell, Inc.
554925bf6Swillf * All rights reserved.
654925bf6Swillf *
754925bf6Swillf * Redistribution and use in source and binary forms, with or without
854925bf6Swillf * modification, are permitted provided that the following conditions are met:
954925bf6Swillf *
1054925bf6Swillf * * Redistributions of source code must retain the above copyright notice,
1154925bf6Swillf * this list of conditions and the following disclaimer.
1254925bf6Swillf * * Redistributions in binary form must reproduce the above copyright
1354925bf6Swillf * notice, this list of conditions and the following disclaimer in the
1454925bf6Swillf * documentation and/or other materials provided with the distribution.
1554925bf6Swillf * * The copyright holder's name is not used to endorse or promote products
1654925bf6Swillf * derived from this software without specific prior written permission.
1754925bf6Swillf *
1854925bf6Swillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
1954925bf6Swillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2054925bf6Swillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2154925bf6Swillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
2254925bf6Swillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
2354925bf6Swillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
2454925bf6Swillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
2554925bf6Swillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
2654925bf6Swillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
2754925bf6Swillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
2854925bf6Swillf * POSSIBILITY OF SUCH DAMAGE.
2954925bf6Swillf */
3054925bf6Swillf
3154925bf6Swillf #include "ldap_main.h"
3254925bf6Swillf #include "ldap_services.h"
3354925bf6Swillf #include "ldap_err.h"
3454925bf6Swillf
3554925bf6Swillf /* NOTE: add appropriate rights for krbpasswordexpiration attribute */
3654925bf6Swillf
3754925bf6Swillf #ifdef HAVE_EDIRECTORY
3854925bf6Swillf
3954925bf6Swillf static char *kdcrights_subtree[][2] = {
4054925bf6Swillf {"1#subtree#","#[Entry Rights]"},
4154925bf6Swillf {"2#subtree#","#CN"},
4254925bf6Swillf {"6#subtree#","#ObjectClass"},
4354925bf6Swillf {"2#subtree#","#krbTicketPolicyReference"},
4454925bf6Swillf {"2#subtree#","#krbUPEnabled"},
4554925bf6Swillf {"2#subtree#","#krbHostServer"},
4654925bf6Swillf {"2#subtree#","#krbServiceFlags"},
4754925bf6Swillf {"2#subtree#","#krbRealmReferences"},
4854925bf6Swillf {"2#subtree#","#krbTicketFlags"},
4954925bf6Swillf {"2#subtree#","#krbMaxTicketLife"},
5054925bf6Swillf {"2#subtree#","#krbMaxRenewableAge"},
5154925bf6Swillf {"2#subtree#","#krbPrincipalName"},
5254925bf6Swillf {"6#subtree#","#krbPrincipalKey"},
5354925bf6Swillf {"2#subtree#","#krbPrincipalExpiration"},
5454925bf6Swillf {"2#subtree#","#krbPwdPolicyReference"},
5554925bf6Swillf {"2#subtree#","#krbMaxPwdLife"},
5654925bf6Swillf {"6#subtree#","#ModifiersName"},
5754925bf6Swillf {"2#subtree#","#PasswordExpirationTime"},
5854925bf6Swillf {"2#subtree#","#PasswordExpirationInterval"},
5954925bf6Swillf {"2#subtree#","#PasswordMinimumLength"},
6054925bf6Swillf {"2#subtree#","#PasswordAllowChange"},
6154925bf6Swillf {"2#subtree#","#LoginDisabled"},
6254925bf6Swillf {"6#subtree#","#LastLoginTime"},
6354925bf6Swillf {"2#subtree#","#LoginExpirationTime"},
6454925bf6Swillf {"6#subtree#","#LoginIntruderAttempts"},
6554925bf6Swillf {"2#subtree#","#IntruderAttemptResetInterval"},
6654925bf6Swillf {"2#subtree#","#LoginIntruderLimit"},
6754925bf6Swillf {"6#subtree#","#LoginIntruderResetTime"},
6854925bf6Swillf {"2#subtree#","#DetectIntruder"},
6954925bf6Swillf {"2#subtree#","#LockoutAfterDetection"},
7054925bf6Swillf {"6#subtree#","#LockedByIntruder"},
7154925bf6Swillf {"2#subtree#","#krbPrincipalReferences"},
7254925bf6Swillf { "", "" }
7354925bf6Swillf };
7454925bf6Swillf
7554925bf6Swillf static char *adminrights_subtree[][2]={
7654925bf6Swillf {"15#subtree#","#[Entry Rights]"},
7754925bf6Swillf {"6#subtree#","#CN"},
7854925bf6Swillf {"6#subtree#","#ObjectClass"},
7954925bf6Swillf {"6#subtree#","#krbTicketPolicyReference"},
8054925bf6Swillf {"6#subtree#","#krbUPEnabled"},
8154925bf6Swillf {"2#subtree#","#krbHostServer"},
8254925bf6Swillf {"2#subtree#","#krbServiceFlags"},
8354925bf6Swillf {"2#subtree#","#krbRealmReferences"},
8454925bf6Swillf {"6#subtree#","#krbTicketFlags"},
8554925bf6Swillf {"6#subtree#","#krbMaxTicketLife"},
8654925bf6Swillf {"6#subtree#","#krbMaxRenewableAge"},
8754925bf6Swillf {"6#subtree#","#krbPrincipalName"},
8854925bf6Swillf {"6#subtree#","#krbPrincipalKey"},
8954925bf6Swillf {"6#subtree#","#krbPrincipalExpiration"},
9054925bf6Swillf {"6#subtree#","#ModifiersName"},
9154925bf6Swillf {"6#subtree#","#PasswordExpirationTime"},
9254925bf6Swillf {"2#subtree#","#PasswordExpirationInterval"},
9354925bf6Swillf {"6#subtree#","#PasswordMinimumLength"},
9454925bf6Swillf {"6#subtree#","#PasswordAllowChange"},
9554925bf6Swillf {"6#subtree#","#LoginDisabled"},
9654925bf6Swillf {"2#subtree#","#LastLoginTime"},
9754925bf6Swillf {"2#subtree#","#LoginExpirationTime"},
9854925bf6Swillf {"2#subtree#","#LoginIntruderAttempts"},
9954925bf6Swillf {"6#subtree#","#IntruderAttemptResetInterval"},
10054925bf6Swillf {"6#subtree#","#LoginIntruderLimit"},
10154925bf6Swillf {"6#subtree#","#LoginIntruderResetTime"},
10254925bf6Swillf {"6#subtree#","#DetectIntruder"},
10354925bf6Swillf {"6#subtree#","#LockoutAfterDetection"},
10454925bf6Swillf {"2#subtree#","#LockedByIntruder"},
10554925bf6Swillf {"2#subtree#","#krbPrincipalReferences"},
10654925bf6Swillf {"6#subtree#","#Surname"},
10754925bf6Swillf {"4#subtree#","#passwordManagement"},
10854925bf6Swillf {"6#subtree#","#krbPwdHistoryLength"},
10954925bf6Swillf {"6#subtree#","#krbMinPwdLife"},
11054925bf6Swillf {"6#subtree#","#krbMaxPwdLife"},
11154925bf6Swillf {"6#subtree#","#krbPwdMinDiffChars"},
11254925bf6Swillf {"6#subtree#","#krbPwdMinLength"},
11354925bf6Swillf {"6#subtree#","#krbPwdPolicyReference"},
11454925bf6Swillf { "","" }
11554925bf6Swillf };
11654925bf6Swillf
11754925bf6Swillf static char *pwdrights_subtree[][2] = {
11854925bf6Swillf {"1#subtree#","#[Entry Rights]"},
11954925bf6Swillf {"2#subtree#","#CN"},
12054925bf6Swillf {"2#subtree#","#ObjectClass"},
12154925bf6Swillf {"2#subtree#","#krbTicketPolicyReference"},
12254925bf6Swillf {"2#subtree#","#krbUPEnabled"},
12354925bf6Swillf {"2#subtree#","#krbHostServer"},
12454925bf6Swillf {"2#subtree#","#krbServiceFlags"},
12554925bf6Swillf {"2#subtree#","#krbRealmReferences"},
12654925bf6Swillf {"6#subtree#","#krbTicketFlags"},
12754925bf6Swillf {"2#subtree#","#krbMaxTicketLife"},
12854925bf6Swillf {"2#subtree#","#krbMaxRenewableAge"},
12954925bf6Swillf {"2#subtree#","#krbPrincipalName"},
13054925bf6Swillf {"6#subtree#","#krbPrincipalKey"},
13154925bf6Swillf {"2#subtree#","#krbPrincipalExpiration"},
13254925bf6Swillf {"4#subtree#","#passwordManagement"},
13354925bf6Swillf {"6#subtree#","#ModifiersName"},
13454925bf6Swillf {"2#subtree#","#krbPwdHistoryLength"},
13554925bf6Swillf {"2#subtree#","#krbMinPwdLife"},
13654925bf6Swillf {"2#subtree#","#krbMaxPwdLife"},
13754925bf6Swillf {"2#subtree#","#krbPwdMinDiffChars"},
13854925bf6Swillf {"2#subtree#","#krbPwdMinLength"},
13954925bf6Swillf {"2#subtree#","#krbPwdPolicyReference"},
14054925bf6Swillf { "", "" }
14154925bf6Swillf };
14254925bf6Swillf
14354925bf6Swillf static char *kdcrights_realmcontainer[][2]={
14454925bf6Swillf {"1#subtree#","#[Entry Rights]"},
14554925bf6Swillf {"2#subtree#","#CN"},
14654925bf6Swillf {"6#subtree#","#ObjectClass"},
14754925bf6Swillf {"2#subtree#","#krbTicketPolicyReference"},
14854925bf6Swillf {"2#subtree#","#krbMKey"},
14954925bf6Swillf {"2#subtree#","#krbUPEnabled"},
15054925bf6Swillf {"2#subtree#","#krbSubTrees"},
151*1da57d55SToomas Soome {"2#subtree#","#krbPrincContainerRef"},
15254925bf6Swillf {"2#subtree#","#krbSearchScope"},
15354925bf6Swillf {"2#subtree#","#krbLdapServers"},
15454925bf6Swillf {"2#subtree#","#krbSupportedEncSaltTypes"},
15554925bf6Swillf {"2#subtree#","#krbDefaultEncSaltTypes"},
15654925bf6Swillf {"2#subtree#","#krbKdcServers"},
15754925bf6Swillf {"2#subtree#","#krbPwdServers"},
15854925bf6Swillf {"2#subtree#","#krbTicketFlags"},
15954925bf6Swillf {"2#subtree#","#krbMaxTicketLife"},
16054925bf6Swillf {"2#subtree#","#krbMaxRenewableAge"},
16154925bf6Swillf {"2#subtree#","#krbPrincipalName"},
16254925bf6Swillf {"6#subtree#","#krbPrincipalKey"},
16354925bf6Swillf {"2#subtree#","#krbPrincipalExpiration"},
16454925bf6Swillf {"2#subtree#","#krbPwdPolicyReference"},
16554925bf6Swillf {"2#subtree#","#krbMaxPwdLife"},
16654925bf6Swillf {"6#subtree#","#ModifiersName"},
16754925bf6Swillf {"2#subtree#","#PasswordExpirationTime"},
16854925bf6Swillf {"2#subtree#","#PasswordExpirationInterval"},
16954925bf6Swillf {"2#subtree#","#PasswordMinimumLength"},
17054925bf6Swillf {"2#subtree#","#PasswordAllowChange"},
17154925bf6Swillf {"2#subtree#","#LoginDisabled"},
17254925bf6Swillf {"6#subtree#","#LastLoginTime"},
17354925bf6Swillf {"2#subtree#","#LoginExpirationTime"},
17454925bf6Swillf {"6#subtree#","#LoginIntruderAttempts"},
17554925bf6Swillf {"2#subtree#","#IntruderAttemptResetInterval"},
17654925bf6Swillf {"2#subtree#","#LoginIntruderLimit"},
17754925bf6Swillf {"6#subtree#","#LoginIntruderResetTime"},
17854925bf6Swillf {"2#subtree#","#DetectIntruder"},
17954925bf6Swillf {"2#subtree#","#LockoutAfterDetection"},
18054925bf6Swillf {"6#subtree#","#LockedByIntruder"},
18154925bf6Swillf { "", "" }
18254925bf6Swillf };
18354925bf6Swillf
18454925bf6Swillf
18554925bf6Swillf static char *adminrights_realmcontainer[][2]={
18654925bf6Swillf {"15#subtree#","#[Entry Rights]"},
18754925bf6Swillf {"6#subtree#","#CN"},
18854925bf6Swillf {"6#subtree#","#ObjectClass"},
18954925bf6Swillf {"6#subtree#","#krbTicketPolicyReference"},
19054925bf6Swillf {"2#subtree#","#krbMKey"},
19154925bf6Swillf {"6#subtree#","#krbUPEnabled"},
19254925bf6Swillf {"2#subtree#","#krbSubTrees"},
193*1da57d55SToomas Soome {"2#subtree#","#krbPrincContainerRef"},
19454925bf6Swillf {"2#subtree#","#krbSearchScope"},
19554925bf6Swillf {"2#subtree#","#krbLdapServers"},
19654925bf6Swillf {"2#subtree#","#krbSupportedEncSaltTypes"},
19754925bf6Swillf {"2#subtree#","#krbDefaultEncSaltTypes"},
19854925bf6Swillf {"2#subtree#","#krbKdcServers"},
19954925bf6Swillf {"2#subtree#","#krbPwdServers"},
20054925bf6Swillf {"6#subtree#","#krbTicketFlags"},
20154925bf6Swillf {"6#subtree#","#krbMaxTicketLife"},
20254925bf6Swillf {"6#subtree#","#krbMaxRenewableAge"},
20354925bf6Swillf {"6#subtree#","#krbPrincipalName"},
20454925bf6Swillf {"6#subtree#","#krbPrincipalKey"},
20554925bf6Swillf {"6#subtree#","#krbPrincipalExpiration"},
20654925bf6Swillf {"6#subtree#","#ModifiersName"},
20754925bf6Swillf {"6#subtree#","#PasswordExpirationTime"},
20854925bf6Swillf {"2#subtree#","#PasswordExpirationInterval"},
20954925bf6Swillf {"6#subtree#","#PasswordMinimumLength"},
21054925bf6Swillf {"6#subtree#","#PasswordAllowChange"},
21154925bf6Swillf {"6#subtree#","#LoginDisabled"},
21254925bf6Swillf {"2#subtree#","#LastLoginTime"},
21354925bf6Swillf {"2#subtree#","#LoginExpirationTime"},
21454925bf6Swillf {"2#subtree#","#LoginIntruderAttempts"},
21554925bf6Swillf {"6#subtree#","#IntruderAttemptResetInterval"},
21654925bf6Swillf {"6#subtree#","#LoginIntruderLimit"},
21754925bf6Swillf {"6#subtree#","#LoginIntruderResetTime"},
21854925bf6Swillf {"6#subtree#","#DetectIntruder"},
21954925bf6Swillf {"6#subtree#","#LockoutAfterDetection"},
22054925bf6Swillf {"2#subtree#","#LockedByIntruder"},
22154925bf6Swillf {"6#subtree#","#Surname"},
22254925bf6Swillf {"6#subtree#","#krbPwdHistoryLength"},
22354925bf6Swillf {"6#subtree#","#krbMinPwdLife"},
22454925bf6Swillf {"6#subtree#","#krbMaxPwdLife"},
22554925bf6Swillf {"6#subtree#","#krbPwdMinDiffChars"},
22654925bf6Swillf {"6#subtree#","#krbPwdMinLength"},
22754925bf6Swillf {"6#subtree#","#krbPwdPolicyReference"},
22854925bf6Swillf { "","" }
22954925bf6Swillf };
23054925bf6Swillf
23154925bf6Swillf
23254925bf6Swillf static char *pwdrights_realmcontainer[][2]={
23354925bf6Swillf {"1#subtree#","#[Entry Rights]"},
23454925bf6Swillf {"2#subtree#","#CN"},
23554925bf6Swillf {"2#subtree#","#ObjectClass"},
23654925bf6Swillf {"2#subtree#","#krbTicketPolicyReference"},
23754925bf6Swillf {"2#subtree#","#krbMKey"},
23854925bf6Swillf {"2#subtree#","#krbUPEnabled"},
23954925bf6Swillf {"2#subtree#","#krbSubTrees"},
240*1da57d55SToomas Soome {"2#subtree#","#krbPrincContainerRef"},
24154925bf6Swillf {"2#subtree#","#krbSearchScope"},
24254925bf6Swillf {"2#subtree#","#krbLdapServers"},
24354925bf6Swillf {"2#subtree#","#krbSupportedEncSaltTypes"},
24454925bf6Swillf {"2#subtree#","#krbDefaultEncSaltTypes"},
24554925bf6Swillf {"2#subtree#","#krbKdcServers"},
24654925bf6Swillf {"2#subtree#","#krbPwdServers"},
24754925bf6Swillf {"6#subtree#","#krbTicketFlags"},
24854925bf6Swillf {"2#subtree#","#krbMaxTicketLife"},
24954925bf6Swillf {"2#subtree#","#krbMaxRenewableAge"},
25054925bf6Swillf {"2#subtree#","#krbPrincipalName"},
25154925bf6Swillf {"6#subtree#","#krbPrincipalKey"},
25254925bf6Swillf {"2#subtree#","#krbPrincipalExpiration"},
25354925bf6Swillf {"6#subtree#","#ModifiersName"},
25454925bf6Swillf {"2#subtree#","#krbPwdHistoryLength"},
25554925bf6Swillf {"2#subtree#","#krbMinPwdLife"},
25654925bf6Swillf {"2#subtree#","#krbMaxPwdLife"},
25754925bf6Swillf {"2#subtree#","#krbPwdMinDiffChars"},
25854925bf6Swillf {"2#subtree#","#krbPwdMinLength"},
25954925bf6Swillf {"2#subtree#","#krbPwdPolicyReference"},
26054925bf6Swillf { "", "" }
26154925bf6Swillf };
26254925bf6Swillf
26354925bf6Swillf static char *security_container[][2] = {
26454925bf6Swillf {"1#subtree#","#[Entry Rights]"},
26554925bf6Swillf {"2#subtree#","#krbContainerReference"},
26654925bf6Swillf { "", "" }
26754925bf6Swillf };
26854925bf6Swillf
26954925bf6Swillf static char *kerberos_container[][2] = {
27054925bf6Swillf {"1#subtree#","#[Entry Rights]"},
27154925bf6Swillf {"2#subtree#","#krbTicketPolicyReference"},
27254925bf6Swillf { "", "" }
27354925bf6Swillf };
27454925bf6Swillf
27554925bf6Swillf
27654925bf6Swillf /*
27754925bf6Swillf * This will set the rights for the Kerberos service objects.
27854925bf6Swillf * The function will read the subtree attribute from the specified
27954925bf6Swillf * realm name and will the appropriate rights on both the realm
28054925bf6Swillf * container and the subtree. The kerberos context passed should
28154925bf6Swillf * have a valid ldap handle, with appropriate rights to write acl
28254925bf6Swillf * attributes.
28354925bf6Swillf *
28454925bf6Swillf * krb5_context - IN The Kerberos context with valid ldap handle
28554925bf6Swillf *
28654925bf6Swillf */
28754925bf6Swillf
28854925bf6Swillf krb5_error_code
krb5_ldap_add_service_rights(context,servicetype,serviceobjdn,realmname,subtreeparam,mask)28954925bf6Swillf krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
29054925bf6Swillf krb5_context context;
29154925bf6Swillf int servicetype;
29254925bf6Swillf char *serviceobjdn;
29354925bf6Swillf char *realmname;
294*1da57d55SToomas Soome char **subtreeparam;
29554925bf6Swillf int mask;
29654925bf6Swillf {
29754925bf6Swillf
29854925bf6Swillf int st=0,i=0;
29954925bf6Swillf char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
30054925bf6Swillf LDAP *ld;
30154925bf6Swillf LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass;
30254925bf6Swillf LDAPMod *realmarr[3]={NULL}, *subtreearr[3]={NULL}, *seccontarr[3]={NULL}, *krbcontarr[3]={NULL};
30354925bf6Swillf char *realmdn=NULL, **subtree=NULL;
30454925bf6Swillf kdb5_dal_handle *dal_handle=NULL;
30554925bf6Swillf krb5_ldap_context *ldap_context=NULL;
30654925bf6Swillf krb5_ldap_server_handle *ldap_server_handle=NULL;
30754925bf6Swillf int subtreecount=0;
30854925bf6Swillf
30954925bf6Swillf SETUP_CONTEXT();
31054925bf6Swillf GET_HANDLE();
31154925bf6Swillf
31254925bf6Swillf if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
31354925bf6Swillf || (ldap_context->krbcontainer->DN == NULL)) {
31454925bf6Swillf st=-1;
31554925bf6Swillf goto cleanup;
31654925bf6Swillf }
31754925bf6Swillf
31854925bf6Swillf subtreecount=ldap_context->lrparams->subtreecount;
31954925bf6Swillf subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
32054925bf6Swillf if(subtree == NULL) {
32154925bf6Swillf st = ENOMEM;
32254925bf6Swillf goto cleanup;
32354925bf6Swillf }
32454925bf6Swillf
32554925bf6Swillf /* If the subtree is null, set the value to root */
32654925bf6Swillf if(subtreeparam == NULL) {
32754925bf6Swillf subtree[0] = strdup("");
32854925bf6Swillf if(subtree[0] == NULL) {
32954925bf6Swillf st = ENOMEM;
33054925bf6Swillf goto cleanup;
33154925bf6Swillf }
33254925bf6Swillf }
33354925bf6Swillf else {
33454925bf6Swillf for (i=0; subtree[i] != NULL && i<subtreecount; i++) {
33554925bf6Swillf subtree[i] = strdup(subtreeparam[i]);
33654925bf6Swillf if(subtree[i] == NULL) {
33754925bf6Swillf st = ENOMEM;
33854925bf6Swillf goto cleanup;
33954925bf6Swillf }
34054925bf6Swillf }
34154925bf6Swillf }
34254925bf6Swillf
34354925bf6Swillf /* Set the rights for the service object on the security container */
34454925bf6Swillf seccontclass.mod_op = LDAP_MOD_ADD;
34554925bf6Swillf seccontclass.mod_type = "ACL";
34654925bf6Swillf
34754925bf6Swillf for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
34854925bf6Swillf
34954925bf6Swillf seccontacls[0] = (char *)malloc(strlen(security_container[i][0]) +
35054925bf6Swillf strlen(serviceobjdn) +
35154925bf6Swillf strlen(security_container[i][1]) + 1);
35254925bf6Swillf if (seccontacls[0] == NULL) {
35354925bf6Swillf st = ENOMEM;
35454925bf6Swillf goto cleanup;
35554925bf6Swillf }
35654925bf6Swillf
35754925bf6Swillf sprintf(seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
35854925bf6Swillf security_container[i][1]);
35954925bf6Swillf seccontclass.mod_values = seccontacls;
36054925bf6Swillf
36154925bf6Swillf seccontarr[0] = &seccontclass;
36254925bf6Swillf
36354925bf6Swillf st = ldap_modify_ext_s(ld,
36454925bf6Swillf SECURITY_CONTAINER,
36554925bf6Swillf seccontarr,
36654925bf6Swillf NULL,
36754925bf6Swillf NULL);
36854925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
36954925bf6Swillf free(seccontacls[0]);
37054925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
37154925bf6Swillf goto cleanup;
37254925bf6Swillf }
37354925bf6Swillf free(seccontacls[0]);
37454925bf6Swillf }
37554925bf6Swillf
37654925bf6Swillf
37754925bf6Swillf /* Set the rights for the service object on the kerberos container */
37854925bf6Swillf krbcontclass.mod_op = LDAP_MOD_ADD;
37954925bf6Swillf krbcontclass.mod_type = "ACL";
38054925bf6Swillf
38154925bf6Swillf for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
38254925bf6Swillf krbcontacls[0] = (char *)malloc(strlen(kerberos_container[i][0]) + strlen(serviceobjdn)
38354925bf6Swillf + strlen(kerberos_container[i][1]) + 1);
38454925bf6Swillf if (krbcontacls[0] == NULL) {
38554925bf6Swillf st = ENOMEM;
38654925bf6Swillf goto cleanup;
38754925bf6Swillf }
38854925bf6Swillf sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
38954925bf6Swillf kerberos_container[i][1]);
39054925bf6Swillf krbcontclass.mod_values = krbcontacls;
39154925bf6Swillf
39254925bf6Swillf krbcontarr[0] = &krbcontclass;
39354925bf6Swillf
39454925bf6Swillf st = ldap_modify_ext_s(ld,
39554925bf6Swillf ldap_context->krbcontainer->DN,
39654925bf6Swillf krbcontarr,
39754925bf6Swillf NULL,
39854925bf6Swillf NULL);
39954925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
40054925bf6Swillf free(krbcontacls[0]);
40154925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
40254925bf6Swillf goto cleanup;
40354925bf6Swillf }
40454925bf6Swillf free(krbcontacls[0]);
40554925bf6Swillf }
40654925bf6Swillf
40754925bf6Swillf /* Set the rights for the realm */
40854925bf6Swillf if (mask & LDAP_REALM_RIGHTS) {
40954925bf6Swillf
41054925bf6Swillf /* Construct the realm dn from realm name */
41154925bf6Swillf realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
41254925bf6Swillf strlen(ldap_context->krbcontainer->DN) + 2);
41354925bf6Swillf if (realmdn == NULL) {
41454925bf6Swillf st = ENOMEM;
41554925bf6Swillf goto cleanup;
41654925bf6Swillf }
41754925bf6Swillf sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
41854925bf6Swillf
41954925bf6Swillf realmclass.mod_op = LDAP_MOD_ADD;
42054925bf6Swillf realmclass.mod_type = "ACL";
42154925bf6Swillf
42254925bf6Swillf if (servicetype == LDAP_KDC_SERVICE) {
42354925bf6Swillf for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
42454925bf6Swillf realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0])
42554925bf6Swillf + strlen(serviceobjdn) +
42654925bf6Swillf strlen(kdcrights_realmcontainer[i][1]) + 1);
42754925bf6Swillf if (realmacls[0] == NULL) {
42854925bf6Swillf st = ENOMEM;
42954925bf6Swillf goto cleanup;
43054925bf6Swillf }
43154925bf6Swillf sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
43254925bf6Swillf kdcrights_realmcontainer[i][1]);
43354925bf6Swillf realmclass.mod_values = realmacls;
43454925bf6Swillf
43554925bf6Swillf realmarr[0] = &realmclass;
43654925bf6Swillf
43754925bf6Swillf st = ldap_modify_ext_s(ld,
43854925bf6Swillf realmdn,
43954925bf6Swillf realmarr,
44054925bf6Swillf NULL,
44154925bf6Swillf NULL);
44254925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
44354925bf6Swillf free(realmacls[0]);
44454925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
44554925bf6Swillf goto cleanup;
44654925bf6Swillf }
44754925bf6Swillf free(realmacls[0]);
44854925bf6Swillf }
44954925bf6Swillf } else if (servicetype == LDAP_ADMIN_SERVICE) {
45054925bf6Swillf for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
45154925bf6Swillf realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
45254925bf6Swillf strlen(serviceobjdn) +
45354925bf6Swillf strlen(adminrights_realmcontainer[i][1]) + 1);
45454925bf6Swillf if (realmacls[0] == NULL) {
45554925bf6Swillf st = ENOMEM;
45654925bf6Swillf goto cleanup;
45754925bf6Swillf }
45854925bf6Swillf sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
45954925bf6Swillf adminrights_realmcontainer[i][1]);
46054925bf6Swillf realmclass.mod_values = realmacls;
46154925bf6Swillf
46254925bf6Swillf realmarr[0] = &realmclass;
46354925bf6Swillf
46454925bf6Swillf st = ldap_modify_ext_s(ld,
46554925bf6Swillf realmdn,
46654925bf6Swillf realmarr,
46754925bf6Swillf NULL,
46854925bf6Swillf NULL);
46954925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
47054925bf6Swillf free(realmacls[0]);
47154925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
47254925bf6Swillf goto cleanup;
47354925bf6Swillf }
47454925bf6Swillf free(realmacls[0]);
47554925bf6Swillf }
47654925bf6Swillf } else if (servicetype == LDAP_PASSWD_SERVICE) {
47754925bf6Swillf for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
47854925bf6Swillf realmacls[0] = (char *) malloc(strlen(pwdrights_realmcontainer[i][0]) +
47954925bf6Swillf strlen(serviceobjdn) +
48054925bf6Swillf strlen(pwdrights_realmcontainer[i][1]) + 1);
48154925bf6Swillf if (realmacls[0] == NULL) {
48254925bf6Swillf st = ENOMEM;
48354925bf6Swillf goto cleanup;
48454925bf6Swillf }
48554925bf6Swillf sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
48654925bf6Swillf pwdrights_realmcontainer[i][1]);
48754925bf6Swillf realmclass.mod_values = realmacls;
48854925bf6Swillf
48954925bf6Swillf realmarr[0] = &realmclass;
49054925bf6Swillf
49154925bf6Swillf
49254925bf6Swillf st = ldap_modify_ext_s(ld,
49354925bf6Swillf realmdn,
49454925bf6Swillf realmarr,
49554925bf6Swillf NULL,
49654925bf6Swillf NULL);
49754925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
49854925bf6Swillf free(realmacls[0]);
49954925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
50054925bf6Swillf goto cleanup;
50154925bf6Swillf }
50254925bf6Swillf free(realmacls[0]);
50354925bf6Swillf }
50454925bf6Swillf }
50554925bf6Swillf } /* Realm rights settings ends here */
50654925bf6Swillf
50754925bf6Swillf
50854925bf6Swillf /* Subtree rights to be set */
50954925bf6Swillf if (mask & LDAP_SUBTREE_RIGHTS) {
51054925bf6Swillf /* Populate the acl data to be added to the subtree */
51154925bf6Swillf subtreeclass.mod_op = LDAP_MOD_ADD;
51254925bf6Swillf subtreeclass.mod_type = "ACL";
51354925bf6Swillf
51454925bf6Swillf if (servicetype == LDAP_KDC_SERVICE) {
51554925bf6Swillf for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
51654925bf6Swillf subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) +
51754925bf6Swillf strlen(serviceobjdn) +
51854925bf6Swillf strlen(kdcrights_subtree[i][1]) + 1);
51954925bf6Swillf if (subtreeacls[0] == NULL) {
52054925bf6Swillf st = ENOMEM;
52154925bf6Swillf goto cleanup;
52254925bf6Swillf }
52354925bf6Swillf sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
52454925bf6Swillf kdcrights_subtree[i][1]);
52554925bf6Swillf subtreeclass.mod_values = subtreeacls;
52654925bf6Swillf
52754925bf6Swillf subtreearr[0] = &subtreeclass;
52854925bf6Swillf
52954925bf6Swillf /* set rights to a list of subtrees */
53054925bf6Swillf for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
53154925bf6Swillf st = ldap_modify_ext_s(ld,
53254925bf6Swillf subtree[i],
53354925bf6Swillf subtreearr,
53454925bf6Swillf NULL,
53554925bf6Swillf NULL);
53654925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
53754925bf6Swillf free(subtreeacls[0]);
53854925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
53954925bf6Swillf goto cleanup;
54054925bf6Swillf }
54154925bf6Swillf }
54254925bf6Swillf free(subtreeacls[0]);
54354925bf6Swillf }
54454925bf6Swillf } else if (servicetype == LDAP_ADMIN_SERVICE) {
54554925bf6Swillf for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
54654925bf6Swillf subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
54754925bf6Swillf + strlen(serviceobjdn)
54854925bf6Swillf + strlen(adminrights_subtree[i][1]) + 1);
54954925bf6Swillf if (subtreeacls[0] == NULL) {
55054925bf6Swillf st = ENOMEM;
55154925bf6Swillf goto cleanup;
55254925bf6Swillf }
55354925bf6Swillf sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
55454925bf6Swillf adminrights_subtree[i][1]);
55554925bf6Swillf subtreeclass.mod_values = subtreeacls;
55654925bf6Swillf
55754925bf6Swillf subtreearr[0] = &subtreeclass;
55854925bf6Swillf
55954925bf6Swillf /* set rights to a list of subtrees */
56054925bf6Swillf for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
56154925bf6Swillf st = ldap_modify_ext_s(ld,
56254925bf6Swillf subtree[i],
56354925bf6Swillf subtreearr,
56454925bf6Swillf NULL,
56554925bf6Swillf NULL);
56654925bf6Swillf if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
56754925bf6Swillf free(subtreeacls[0]);
56854925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
56954925bf6Swillf goto cleanup;
57054925bf6Swillf }
57154925bf6Swillf }
57254925bf6Swillf free(subtreeacls[0]);
57354925bf6Swillf }
57454925bf6Swillf } else if (servicetype == LDAP_PASSWD_SERVICE) {
57554925bf6Swillf for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
57654925bf6Swillf subtreeacls[0] = (char *)malloc(strlen(pwdrights_subtree[i][0])
57754925bf6Swillf + strlen(serviceobjdn)
57854925bf6Swillf + strlen(pwdrights_subtree[i][1]) + 1);
57954925bf6Swillf if (subtreeacls[0] == NULL) {
58054925bf6Swillf st = ENOMEM;
58154925bf6Swillf goto cleanup;
58254925bf6Swillf }
58354925bf6Swillf sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
58454925bf6Swillf pwdrights_subtree[i][1]);
58554925bf6Swillf subtreeclass.mod_values = subtreeacls;
58654925bf6Swillf
58754925bf6Swillf subtreearr[0] = &subtreeclass;
58854925bf6Swillf
58954925bf6Swillf /* set rights to a list of subtrees */
59054925bf6Swillf for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
59154925bf6Swillf st = ldap_modify_ext_s(ld,
59254925bf6Swillf subtree[i],
59354925bf6Swillf subtreearr,
59454925bf6Swillf NULL,
59554925bf6Swillf NULL);
59654925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
59754925bf6Swillf free(subtreeacls[0]);
59854925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
59954925bf6Swillf goto cleanup;
60054925bf6Swillf }
60154925bf6Swillf }
60254925bf6Swillf free(subtreeacls[0]);
60354925bf6Swillf }
60454925bf6Swillf }
60554925bf6Swillf } /* Subtree rights settings ends here */
60654925bf6Swillf st = 0;
60754925bf6Swillf
60854925bf6Swillf cleanup:
60954925bf6Swillf
61054925bf6Swillf if (realmdn)
61154925bf6Swillf free(realmdn);
61254925bf6Swillf
61354925bf6Swillf if (subtree)
61454925bf6Swillf free(subtree);
61554925bf6Swillf
61654925bf6Swillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
61754925bf6Swillf return st;
61854925bf6Swillf }
61954925bf6Swillf
62054925bf6Swillf
62154925bf6Swillf /*
62254925bf6Swillf This will set the rights for the Kerberos service objects.
62354925bf6Swillf The function will read the subtree attribute from the specified
62454925bf6Swillf realm name and will the appropriate rights on both the realm
62554925bf6Swillf container and the subtree. The kerberos context passed should
62654925bf6Swillf have a valid ldap handle, with appropriate rights to write acl
62754925bf6Swillf attributes.
62854925bf6Swillf
62954925bf6Swillf krb5_context - IN The Kerberos context with valid ldap handle
63054925bf6Swillf
63154925bf6Swillf */
63254925bf6Swillf
63354925bf6Swillf krb5_error_code
krb5_ldap_delete_service_rights(context,servicetype,serviceobjdn,realmname,subtreeparam,mask)63454925bf6Swillf krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
63554925bf6Swillf krb5_context context;
63654925bf6Swillf int servicetype;
63754925bf6Swillf char *serviceobjdn;
63854925bf6Swillf char *realmname;
639*1da57d55SToomas Soome char **subtreeparam;
64054925bf6Swillf int mask;
64154925bf6Swillf {
64254925bf6Swillf
64354925bf6Swillf int st=0,i=0;
64454925bf6Swillf char *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
64554925bf6Swillf LDAP *ld;
64654925bf6Swillf LDAPMod realmclass, subtreeclass;
64754925bf6Swillf LDAPMod *realmarr[3] = { NULL }, *subtreearr[3] = { NULL };
64854925bf6Swillf char *realmdn=NULL;
64954925bf6Swillf char **subtree=NULL;
65054925bf6Swillf kdb5_dal_handle *dal_handle=NULL;
65154925bf6Swillf krb5_ldap_context *ldap_context=NULL;
65254925bf6Swillf krb5_ldap_server_handle *ldap_server_handle=NULL;
653*1da57d55SToomas Soome int subtreecount = 0;
65454925bf6Swillf
65554925bf6Swillf SETUP_CONTEXT();
65654925bf6Swillf GET_HANDLE();
65754925bf6Swillf
65854925bf6Swillf if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
65954925bf6Swillf || (ldap_context->krbcontainer->DN == NULL)) {
66054925bf6Swillf st = -1;
66154925bf6Swillf goto cleanup;
66254925bf6Swillf }
66354925bf6Swillf
66454925bf6Swillf subtreecount = 1;
66554925bf6Swillf while(subtreeparam[subtreecount])
66654925bf6Swillf subtreecount++;
66754925bf6Swillf subtree = (char **) malloc(sizeof(char *) * subtreecount + 1);
66854925bf6Swillf if(subtree == NULL) {
66954925bf6Swillf st = ENOMEM;
67054925bf6Swillf goto cleanup;
67154925bf6Swillf }
67254925bf6Swillf
67354925bf6Swillf /* If the subtree is null, set the value to root */
67454925bf6Swillf if(subtreeparam == NULL) {
67554925bf6Swillf subtree[0] = strdup("");
67654925bf6Swillf if(subtree[0] == NULL) {
67754925bf6Swillf st = ENOMEM;
67854925bf6Swillf goto cleanup;
67954925bf6Swillf }
68054925bf6Swillf }
68154925bf6Swillf else {
68254925bf6Swillf for(i=0; subtreeparam[i]!=NULL && i<subtreecount; i++)
68354925bf6Swillf subtree[i] = strdup(subtreeparam[i]);
68454925bf6Swillf if(subtree[i] == NULL) {
68554925bf6Swillf st = ENOMEM;
68654925bf6Swillf goto cleanup;
68754925bf6Swillf }
68854925bf6Swillf }
68954925bf6Swillf
69054925bf6Swillf
69154925bf6Swillf /* Set the rights for the realm */
69254925bf6Swillf if (mask & LDAP_REALM_RIGHTS) {
69354925bf6Swillf
69454925bf6Swillf /* Construct the realm dn from realm name */
69554925bf6Swillf realmdn = (char *) malloc(strlen("cn=") + strlen(realmname) +
69654925bf6Swillf strlen(ldap_context->krbcontainer->DN) + 2);
69754925bf6Swillf if (realmdn == NULL) {
69854925bf6Swillf st = ENOMEM;
69954925bf6Swillf goto cleanup;
70054925bf6Swillf }
70154925bf6Swillf sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
70254925bf6Swillf
70354925bf6Swillf realmclass.mod_op=LDAP_MOD_DELETE;
70454925bf6Swillf realmclass.mod_type="ACL";
70554925bf6Swillf
70654925bf6Swillf if (servicetype == LDAP_KDC_SERVICE) {
70754925bf6Swillf for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
70854925bf6Swillf realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0])
70954925bf6Swillf + strlen(serviceobjdn) +
71054925bf6Swillf strlen(kdcrights_realmcontainer[i][1]) + 1);
71154925bf6Swillf if (realmacls[0] == NULL) {
71254925bf6Swillf st = ENOMEM;
71354925bf6Swillf goto cleanup;
71454925bf6Swillf }
71554925bf6Swillf sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
71654925bf6Swillf kdcrights_realmcontainer[i][1]);
71754925bf6Swillf realmclass.mod_values= realmacls;
71854925bf6Swillf
71954925bf6Swillf realmarr[0]=&realmclass;
72054925bf6Swillf
72154925bf6Swillf st = ldap_modify_ext_s(ld,
72254925bf6Swillf realmdn,
72354925bf6Swillf realmarr,
72454925bf6Swillf NULL,
72554925bf6Swillf NULL);
72654925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
72754925bf6Swillf free(realmacls[0]);
72854925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
72954925bf6Swillf goto cleanup;
73054925bf6Swillf }
73154925bf6Swillf free(realmacls[0]);
73254925bf6Swillf }
73354925bf6Swillf } else if (servicetype == LDAP_ADMIN_SERVICE) {
73454925bf6Swillf for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
73554925bf6Swillf realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
73654925bf6Swillf strlen(serviceobjdn) +
73754925bf6Swillf strlen(adminrights_realmcontainer[i][1]) + 1);
73854925bf6Swillf if (realmacls[0] == NULL) {
73954925bf6Swillf st = ENOMEM;
74054925bf6Swillf goto cleanup;
74154925bf6Swillf }
74254925bf6Swillf sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
74354925bf6Swillf adminrights_realmcontainer[i][1]);
74454925bf6Swillf realmclass.mod_values= realmacls;
74554925bf6Swillf
74654925bf6Swillf realmarr[0]=&realmclass;
74754925bf6Swillf
74854925bf6Swillf st = ldap_modify_ext_s(ld,
74954925bf6Swillf realmdn,
75054925bf6Swillf realmarr,
75154925bf6Swillf NULL,
75254925bf6Swillf NULL);
75354925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
75454925bf6Swillf free(realmacls[0]);
75554925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
75654925bf6Swillf goto cleanup;
75754925bf6Swillf }
75854925bf6Swillf free(realmacls[0]);
75954925bf6Swillf }
76054925bf6Swillf } else if (servicetype == LDAP_PASSWD_SERVICE) {
76154925bf6Swillf for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
76254925bf6Swillf realmacls[0]=(char *)malloc(strlen(pwdrights_realmcontainer[i][0])
76354925bf6Swillf + strlen(serviceobjdn)
76454925bf6Swillf + strlen(pwdrights_realmcontainer[i][1]) + 1);
76554925bf6Swillf if (realmacls[0] == NULL) {
76654925bf6Swillf st = ENOMEM;
76754925bf6Swillf goto cleanup;
76854925bf6Swillf }
76954925bf6Swillf sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
77054925bf6Swillf pwdrights_realmcontainer[i][1]);
77154925bf6Swillf realmclass.mod_values= realmacls;
77254925bf6Swillf
77354925bf6Swillf realmarr[0]=&realmclass;
77454925bf6Swillf
77554925bf6Swillf st = ldap_modify_ext_s(ld,
77654925bf6Swillf realmdn,
77754925bf6Swillf realmarr,
77854925bf6Swillf NULL,
77954925bf6Swillf NULL);
78054925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
78154925bf6Swillf free(realmacls[0]);
78254925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
78354925bf6Swillf goto cleanup;
78454925bf6Swillf }
78554925bf6Swillf free(realmacls[0]);
78654925bf6Swillf }
78754925bf6Swillf }
78854925bf6Swillf
78954925bf6Swillf } /* Realm rights setting ends here */
79054925bf6Swillf
79154925bf6Swillf
79254925bf6Swillf /* Set the rights for the subtree */
79354925bf6Swillf if (mask & LDAP_SUBTREE_RIGHTS) {
79454925bf6Swillf
79554925bf6Swillf /* Populate the acl data to be added to the subtree */
79654925bf6Swillf subtreeclass.mod_op=LDAP_MOD_DELETE;
79754925bf6Swillf subtreeclass.mod_type="ACL";
79854925bf6Swillf
79954925bf6Swillf if (servicetype == LDAP_KDC_SERVICE) {
80054925bf6Swillf for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
80154925bf6Swillf subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0])
80254925bf6Swillf + strlen(serviceobjdn)
80354925bf6Swillf + strlen(kdcrights_subtree[i][1]) + 1);
80454925bf6Swillf if (subtreeacls[0] == NULL) {
80554925bf6Swillf st = ENOMEM;
80654925bf6Swillf goto cleanup;
80754925bf6Swillf }
80854925bf6Swillf sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
80954925bf6Swillf kdcrights_subtree[i][1]);
81054925bf6Swillf subtreeclass.mod_values= subtreeacls;
81154925bf6Swillf
81254925bf6Swillf subtreearr[0]=&subtreeclass;
81354925bf6Swillf
81454925bf6Swillf for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
81554925bf6Swillf st = ldap_modify_ext_s(ld,
81654925bf6Swillf subtree[i],
81754925bf6Swillf subtreearr,
81854925bf6Swillf NULL,
81954925bf6Swillf NULL);
82054925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
82154925bf6Swillf free(subtreeacls[0]);
82254925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
82354925bf6Swillf goto cleanup;
82454925bf6Swillf }
82554925bf6Swillf }
82654925bf6Swillf free(subtreeacls[0]);
82754925bf6Swillf }
82854925bf6Swillf } else if (servicetype == LDAP_ADMIN_SERVICE) {
82954925bf6Swillf for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
83054925bf6Swillf subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
83154925bf6Swillf + strlen(serviceobjdn)
83254925bf6Swillf + strlen(adminrights_subtree[i][1]) + 1);
83354925bf6Swillf if (subtreeacls[0] == NULL) {
83454925bf6Swillf st = ENOMEM;
83554925bf6Swillf goto cleanup;
83654925bf6Swillf }
83754925bf6Swillf sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
83854925bf6Swillf adminrights_subtree[i][1]);
83954925bf6Swillf subtreeclass.mod_values= subtreeacls;
84054925bf6Swillf
84154925bf6Swillf subtreearr[0]=&subtreeclass;
84254925bf6Swillf
84354925bf6Swillf for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
84454925bf6Swillf st = ldap_modify_ext_s(ld,
84554925bf6Swillf subtree[i],
84654925bf6Swillf subtreearr,
84754925bf6Swillf NULL,
84854925bf6Swillf NULL);
84954925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
85054925bf6Swillf free(subtreeacls[0]);
85154925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
85254925bf6Swillf goto cleanup;
85354925bf6Swillf }
85454925bf6Swillf }
85554925bf6Swillf free(subtreeacls[0]);
85654925bf6Swillf }
85754925bf6Swillf } else if (servicetype == LDAP_PASSWD_SERVICE) {
85854925bf6Swillf for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
85954925bf6Swillf subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0])
86054925bf6Swillf + strlen(serviceobjdn)
86154925bf6Swillf + strlen(pwdrights_subtree[i][1]) + 1);
86254925bf6Swillf if (subtreeacls[0] == NULL) {
86354925bf6Swillf st = ENOMEM;
86454925bf6Swillf goto cleanup;
86554925bf6Swillf }
86654925bf6Swillf sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
86754925bf6Swillf pwdrights_subtree[i][1]);
86854925bf6Swillf subtreeclass.mod_values= subtreeacls;
86954925bf6Swillf
87054925bf6Swillf subtreearr[0]=&subtreeclass;
87154925bf6Swillf
87254925bf6Swillf for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
87354925bf6Swillf st = ldap_modify_ext_s(ld,
87454925bf6Swillf subtree[i],
87554925bf6Swillf subtreearr,
87654925bf6Swillf NULL,
87754925bf6Swillf NULL);
87854925bf6Swillf if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
87954925bf6Swillf free(subtreeacls[0]);
88054925bf6Swillf st = set_ldap_error (context, st, OP_MOD);
88154925bf6Swillf goto cleanup;
88254925bf6Swillf }
88354925bf6Swillf }
88454925bf6Swillf free(subtreeacls[0]);
88554925bf6Swillf }
88654925bf6Swillf }
88754925bf6Swillf } /* Subtree rights setting ends here */
88854925bf6Swillf
88954925bf6Swillf st = 0;
89054925bf6Swillf
89154925bf6Swillf cleanup:
89254925bf6Swillf
89354925bf6Swillf if (realmdn)
89454925bf6Swillf free(realmdn);
89554925bf6Swillf
89654925bf6Swillf if (subtree)
89754925bf6Swillf free(subtree);
89854925bf6Swillf
89954925bf6Swillf krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
90054925bf6Swillf return st;
90154925bf6Swillf }
90254925bf6Swillf
90354925bf6Swillf #endif
904