Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

ad.c@ 4

Last change on this file since 4 was 1, checked in by Paul Smedley, 10 years ago
Initial commit of Heimdal 1.5.3
File size: 32.7 KB

Line
1	/*
2	* Copyright (c) 2004 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	*
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	*
13	* 2. Redistributions in binary form must reproduce the above copyright
14	* notice, this list of conditions and the following disclaimer in the
15	* documentation and/or other materials provided with the distribution.
16	*
17	* 3. Neither the name of the Institute nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#define HAVE_TSASL 1
35
36	#include "kadm5_locl.h"
37	#if 1
38	#undef OPENLDAP
39	#undef HAVE_TSASL
40	#endif
41	#ifdef OPENLDAP
42	#include <ldap.h>
43	#ifdef HAVE_TSASL
44	#include <tsasl.h>
45	#endif
46	#include <resolve.h>
47	#include <base64.h>
48	#endif
49
50	RCSID("$Id$");
51
52	#ifdef OPENLDAP
53
54	#define CTX2LP(context) ((LDAP *)((context)->ldap_conn))
55	#define CTX2BASE(context) ((context)->base_dn)
56
57	/*
58	* userAccountControl
59	*/
60
61	#define UF_SCRIPT 0x00000001
62	#define UF_ACCOUNTDISABLE 0x00000002
63	#define UF_UNUSED_0 0x00000004
64	#define UF_HOMEDIR_REQUIRED 0x00000008
65	#define UF_LOCKOUT 0x00000010
66	#define UF_PASSWD_NOTREQD 0x00000020
67	#define UF_PASSWD_CANT_CHANGE 0x00000040
68	#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080
69	#define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100
70	#define UF_NORMAL_ACCOUNT 0x00000200
71	#define UF_UNUSED_1 0x00000400
72	#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800
73	#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000
74	#define UF_SERVER_TRUST_ACCOUNT 0x00002000
75	#define UF_UNUSED_2 0x00004000
76	#define UF_UNUSED_3 0x00008000
77	#define UF_PASSWD_NOT_EXPIRE 0x00010000
78	#define UF_MNS_LOGON_ACCOUNT 0x00020000
79	#define UF_SMARTCARD_REQUIRED 0x00040000
80	#define UF_TRUSTED_FOR_DELEGATION 0x00080000
81	#define UF_NOT_DELEGATED 0x00100000
82	#define UF_USE_DES_KEY_ONLY 0x00200000
83	#define UF_DONT_REQUIRE_PREAUTH 0x00400000
84	#define UF_UNUSED_4 0x00800000
85	#define UF_UNUSED_5 0x01000000
86	#define UF_UNUSED_6 0x02000000
87	#define UF_UNUSED_7 0x04000000
88	#define UF_UNUSED_8 0x08000000
89	#define UF_UNUSED_9 0x10000000
90	#define UF_UNUSED_10 0x20000000
91	#define UF_UNUSED_11 0x40000000
92	#define UF_UNUSED_12 0x80000000
93
94	/*
95	*
96	*/
97
98	#ifndef HAVE_TSASL
99	static int
100	sasl_interact(LDAP ld, unsigned flags, void defaults, void *interact)
101	{
102	return LDAP_SUCCESS;
103	}
104	#endif
105
106	#if 0
107	static Sockbuf_IO ldap_tsasl_io = {
108	NULL, /* sbi_setup */
109	NULL, /* sbi_remove */
110	NULL, /* sbi_ctrl */
111	NULL, /* sbi_read */
112	NULL, /* sbi_write */
113	NULL /* sbi_close */
114	};
115	#endif
116
117	#ifdef HAVE_TSASL
118	static int
119	ldap_tsasl_bind_s(LDAP *ld,
120	LDAP_CONST char *dn,
121	LDAPControl **serverControls,
122	LDAPControl **clientControls,
123	const char *host)
124	{
125	char *attrs[] = { "supportedSASLMechanisms", NULL };
126	struct tsasl_peer *peer = NULL;
127	struct tsasl_buffer in, out;
128	struct berval ccred, *scred;
129	LDAPMessage m, m0;
130	const char *mech;
131	char **vals;
132	int ret, rc;
133
134	ret = tsasl_peer_init(TSASL_FLAGS_INITIATOR \| TSASL_FLAGS_CLEAR,
135	"ldap", host, &peer);
136	if (ret != TSASL_DONE) {
137	rc = LDAP_LOCAL_ERROR;
138	goto out;
139	}
140
141	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &m0);
142	if (rc != LDAP_SUCCESS)
143	goto out;
144
145	m = ldap_first_entry(ld, m0);
146	if (m == NULL) {
147	ldap_msgfree(m0);
148	goto out;
149	}
150
151	vals = ldap_get_values(ld, m, "supportedSASLMechanisms");
152	if (vals == NULL) {
153	ldap_msgfree(m0);
154	goto out;
155	}
156
157	ret = tsasl_find_best_mech(peer, vals, &mech);
158	if (ret) {
159	ldap_msgfree(m0);
160	goto out;
161	}
162
163	ldap_msgfree(m0);
164
165	ret = tsasl_select_mech(peer, mech);
166	if (ret != TSASL_DONE) {
167	rc = LDAP_LOCAL_ERROR;
168	goto out;
169	}
170
171	in.tb_data = NULL;
172	in.tb_size = 0;
173
174	do {
175	ret = tsasl_request(peer, &in, &out);
176	if (in.tb_size != 0) {
177	free(in.tb_data);
178	in.tb_data = NULL;
179	in.tb_size = 0;
180	}
181	if (ret != TSASL_DONE && ret != TSASL_CONTINUE) {
182	rc = LDAP_AUTH_UNKNOWN;
183	goto out;
184	}
185
186	ccred.bv_val = out.tb_data;
187	ccred.bv_len = out.tb_size;
188
189	rc = ldap_sasl_bind_s(ld, dn, mech, &ccred,
190	serverControls, clientControls, &scred);
191	tsasl_buffer_free(&out);
192
193	if (rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS) {
194	if(scred && scred->bv_len)
195	ber_bvfree(scred);
196	goto out;
197	}
198
199	in.tb_data = malloc(scred->bv_len);
200	if (in.tb_data == NULL) {
201	rc = LDAP_LOCAL_ERROR;
202	goto out;
203	}
204	memcpy(in.tb_data, scred->bv_val, scred->bv_len);
205	in.tb_size = scred->bv_len;
206	ber_bvfree(scred);
207
208	} while (rc == LDAP_SASL_BIND_IN_PROGRESS);
209
210	out:
211	if (rc == LDAP_SUCCESS) {
212	#if 0
213	ber_sockbuf_add_io(ld->ld_conns->lconn_sb, &ldap_tsasl_io,
214	LBER_SBIOD_LEVEL_APPLICATION, peer);
215
216	#endif
217	} else if (peer != NULL)
218	tsasl_peer_free(peer);
219
220	return rc;
221	}
222	#endif /* HAVE_TSASL */
223
224
225	static int
226	check_ldap(kadm5_ad_context *context, int ret)
227	{
228	switch (ret) {
229	case LDAP_SUCCESS:
230	return 0;
231	case LDAP_SERVER_DOWN: {
232	LDAP *lp = CTX2LP(context);
233	ldap_unbind(lp);
234	context->ldap_conn = NULL;
235	free(context->base_dn);
236	context->base_dn = NULL;
237	return 1;
238	}
239	default:
240	return 1;
241	}
242	}
243
244	/*
245	*
246	*/
247
248	static void
249	laddattr(char **al, int attrlen, char *attr)
250	{
251	char **a;
252	a = realloc(al, (attrlen + 2) * sizeof(**al));
253	if (a == NULL)
254	return;
255	a[*attrlen] = attr;
256	a[*attrlen + 1] = NULL;
257	(*attrlen)++;
258	*al = a;
259	}
260
261	static kadm5_ret_t
262	_kadm5_ad_connect(void *server_handle)
263	{
264	kadm5_ad_context *context = server_handle;
265	struct {
266	char *server;
267	int port;
268	} s, servers = NULL;
269	int i, num_servers = 0;
270
271	if (context->ldap_conn)
272	return 0;
273
274	{
275	struct dns_reply *r;
276	struct resource_record *rr;
277	char *domain;
278
279	asprintf(&domain, "_ldap._tcp.%s", context->realm);
280	if (domain == NULL) {
281	krb5_set_error_message(context->context, KADM5_NO_SRV, "malloc");
282	return KADM5_NO_SRV;
283	}
284
285	r = dns_lookup(domain, "SRV");
286	free(domain);
287	if (r == NULL) {
288	krb5_set_error_message(context->context, KADM5_NO_SRV, "Didn't find ldap dns");
289	return KADM5_NO_SRV;
290	}
291
292	for (rr = r->head ; rr != NULL; rr = rr->next) {
293	if (rr->type != rk_ns_t_srv)
294	continue;
295	s = realloc(servers, sizeof(servers) (num_servers + 1));
296	if (s == NULL) {
297	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "malloc");
298	dns_free_data(r);
299	goto fail;
300	}
301	servers = s;
302	num_servers++;
303	servers[num_servers - 1].port = rr->u.srv->port;
304	servers[num_servers - 1].server = strdup(rr->u.srv->target);
305	}
306	dns_free_data(r);
307	}
308
309	if (num_servers == 0) {
310	krb5_set_error_message(context->context, KADM5_NO_SRV, "No AD server found in DNS");
311	return KADM5_NO_SRV;
312	}
313
314	for (i = 0; i < num_servers; i++) {
315	int lret, version = LDAP_VERSION3;
316	LDAP *lp;
317
318	lp = ldap_init(servers[i].server, servers[i].port);
319	if (lp == NULL)
320	continue;
321
322	if (ldap_set_option(lp, LDAP_OPT_PROTOCOL_VERSION, &version)) {
323	ldap_unbind(lp);
324	continue;
325	}
326
327	if (ldap_set_option(lp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)) {
328	ldap_unbind(lp);
329	continue;
330	}
331
332	#ifdef HAVE_TSASL
333	lret = ldap_tsasl_bind_s(lp, NULL, NULL, NULL, servers[i].server);
334
335	#else
336	lret = ldap_sasl_interactive_bind_s(lp, NULL, NULL, NULL, NULL,
337	LDAP_SASL_QUIET,
338	sasl_interact, NULL);
339	#endif
340	if (lret != LDAP_SUCCESS) {
341	krb5_set_error_message(context->context, 0,
342	"Couldn't contact any AD servers: %s",
343	ldap_err2string(lret));
344	ldap_unbind(lp);
345	continue;
346	}
347
348	context->ldap_conn = lp;
349	break;
350	}
351	if (i >= num_servers) {
352	goto fail;
353	}
354
355	{
356	LDAPMessage m, m0;
357	char **attr = NULL;
358	int attrlen = 0;
359	char **vals;
360	int ret;
361
362	laddattr(&attr, &attrlen, "defaultNamingContext");
363
364	ret = ldap_search_s(CTX2LP(context), "", LDAP_SCOPE_BASE,
365	"objectclass=*", attr, 0, &m);
366	free(attr);
367	if (check_ldap(context, ret))
368	goto fail;
369
370	if (ldap_count_entries(CTX2LP(context), m) > 0) {
371	m0 = ldap_first_entry(CTX2LP(context), m);
372	if (m0 == NULL) {
373	krb5_set_error_message(context->context, KADM5_RPC_ERROR,
374	"Error in AD ldap responce");
375	ldap_msgfree(m);
376	goto fail;
377	}
378	vals = ldap_get_values(CTX2LP(context),
379	m0, "defaultNamingContext");
380	if (vals == NULL) {
381	krb5_set_error_message(context->context, KADM5_RPC_ERROR,
382	"No naming context found");
383	goto fail;
384	}
385	context->base_dn = strdup(vals[0]);
386	} else
387	goto fail;
388	ldap_msgfree(m);
389	}
390
391	for (i = 0; i < num_servers; i++)
392	free(servers[i].server);
393	free(servers);
394
395	return 0;
396
397	fail:
398	for (i = 0; i < num_servers; i++)
399	free(servers[i].server);
400	free(servers);
401
402	if (context->ldap_conn) {
403	ldap_unbind(CTX2LP(context));
404	context->ldap_conn = NULL;
405	}
406	return KADM5_RPC_ERROR;
407	}
408
409	#define NTTIME_EPOCH 0x019DB1DED53E8000LL
410
411	static time_t
412	nt2unixtime(const char *str)
413	{
414	unsigned long long t;
415	t = strtoll(str, NULL, 10);
416	t = ((t - NTTIME_EPOCH) / (long long)10000000);
417	if (t > (((time_t)(~(long long)0)) >> 1))
418	return 0;
419	return (time_t)t;
420	}
421
422	static long long
423	unix2nttime(time_t unix_time)
424	{
425	long long wt;
426	wt = unix_time * (long long)10000000 + (long long)NTTIME_EPOCH;
427	return wt;
428	}
429
430	/* XXX create filter in a better way */
431
432	static int
433	ad_find_entry(kadm5_ad_context *context,
434	const char *fqdn,
435	const char *pn,
436	char **name)
437	{
438	LDAPMessage m, m0;
439	char *attr[] = { "distinguishedName", NULL };
440	char *filter;
441	int ret;
442
443	if (name)
444	*name = NULL;
445
446	if (fqdn)
447	asprintf(&filter,
448	"(&(objectClass=computer)(\|(dNSHostName=%s)(servicePrincipalName=%s)))",
449	fqdn, pn);
450	else if(pn)
451	asprintf(&filter, "(&(objectClass=account)(userPrincipalName=%s))", pn);
452	else
453	return KADM5_RPC_ERROR;
454
455	ret = ldap_search_s(CTX2LP(context), CTX2BASE(context),
456	LDAP_SCOPE_SUBTREE,
457	filter, attr, 0, &m);
458	free(filter);
459	if (check_ldap(context, ret))
460	return KADM5_RPC_ERROR;
461
462	if (ldap_count_entries(CTX2LP(context), m) > 0) {
463	char **vals;
464	m0 = ldap_first_entry(CTX2LP(context), m);
465	vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName");
466	if (vals == NULL \|\| vals[0] == NULL) {
467	ldap_msgfree(m);
468	return KADM5_RPC_ERROR;
469	}
470	if (name)
471	*name = strdup(vals[0]);
472	ldap_msgfree(m);
473	} else
474	return KADM5_UNK_PRINC;
475
476	return 0;
477	}
478
479	#endif /* OPENLDAP */
480
481	static kadm5_ret_t
482	ad_get_cred(kadm5_ad_context context, const char password)
483	{
484	kadm5_ret_t ret;
485	krb5_ccache cc;
486	char *service;
487
488	if (context->ccache)
489	return 0;
490
491	asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME,
492	context->realm, context->realm);
493	if (service == NULL)
494	return ENOMEM;
495
496	ret = _kadm5_c_get_cred_cache(context->context,
497	context->client_name,
498	service,
499	password, krb5_prompter_posix,
500	NULL, NULL, &cc);
501	free(service);
502	if(ret)
503	return ret; /* XXX */
504	context->ccache = cc;
505	return 0;
506	}
507
508	static kadm5_ret_t
509	kadm5_ad_chpass_principal(void *server_handle,
510	krb5_principal principal,
511	const char *password)
512	{
513	kadm5_ad_context *context = server_handle;
514	krb5_data result_code_string, result_string;
515	int result_code;
516	kadm5_ret_t ret;
517
518	ret = ad_get_cred(context, NULL);
519	if (ret)
520	return ret;
521
522	krb5_data_zero (&result_code_string);
523	krb5_data_zero (&result_string);
524
525	ret = krb5_set_password_using_ccache (context->context,
526	context->ccache,
527	password,
528	principal,
529	&result_code,
530	&result_code_string,
531	&result_string);
532
533	krb5_data_free (&result_code_string);
534	krb5_data_free (&result_string);
535
536	/* XXX do mapping here on error codes */
537
538	return ret;
539	}
540
541	#ifdef OPENLDAP
542	static const char *
543	get_fqdn(krb5_context context, const krb5_principal p)
544	{
545	const char s, hosttypes[] = { "host", "ldap", "gc", "cifs", "dns" };
546	int i;
547
548	s = krb5_principal_get_comp_string(context, p, 0);
549	if (p == NULL)
550	return NULL;
551
552	for (i = 0; i < sizeof(hosttypes)/sizeof(hosttypes[0]); i++) {
553	if (strcasecmp(s, hosttypes[i]) == 0)
554	return krb5_principal_get_comp_string(context, p, 1);
555	}
556	return 0;
557	}
558	#endif
559
560
561	static kadm5_ret_t
562	kadm5_ad_create_principal(void *server_handle,
563	kadm5_principal_ent_t entry,
564	uint32_t mask,
565	const char *password)
566	{
567	kadm5_ad_context *context = server_handle;
568
569	/*
570	* KADM5_PRINC_EXPIRE_TIME
571	*
572	* return 0 \|\| KADM5_DUP;
573	*/
574
575	#ifdef OPENLDAP
576	LDAPMod attrs[8], rattrs[7], a;
577	char *useraccvals[2] = { NULL, NULL },
578	samvals[2], dnsvals[2], spnvals[5], upnvals[2], *tv[2];
579	char *ocvals_spn[] = { "top", "person", "organizationalPerson",
580	"user", "computer", NULL};
581	char p, realmless_p, p_msrealm = NULL, dn = NULL;
582	const char *fqdn;
583	char s, samname = NULL, *short_spn = NULL;
584	int ret, i;
585	int32_t uf_flags = 0;
586
587	if ((mask & KADM5_PRINCIPAL) == 0)
588	return KADM5_BAD_MASK;
589
590	for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++)
591	attrs[i] = &rattrs[i];
592	attrs[i] = NULL;
593
594	ret = ad_get_cred(context, NULL);
595	if (ret)
596	return ret;
597
598	ret = _kadm5_ad_connect(server_handle);
599	if (ret)
600	return ret;
601
602	fqdn = get_fqdn(context->context, entry->principal);
603
604	ret = krb5_unparse_name(context->context, entry->principal, &p);
605	if (ret)
606	return ret;
607
608	if (ad_find_entry(context, fqdn, p, NULL) == 0) {
609	free(p);
610	return KADM5_DUP;
611	}
612
613	if (mask & KADM5_ATTRIBUTES) {
614	if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)
615	uf_flags \|= UF_ACCOUNTDISABLE\|UF_LOCKOUT;
616	if ((entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) == 0)
617	uf_flags \|= UF_DONT_REQUIRE_PREAUTH;
618	if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH)
619	uf_flags \|= UF_SMARTCARD_REQUIRED;
620	}
621
622	realmless_p = strdup(p);
623	if (realmless_p == NULL) {
624	ret = ENOMEM;
625	goto out;
626	}
627	s = strrchr(realmless_p, '@');
628	if (s)
629	*s = '\0';
630
631	if (fqdn) {
632	/* create computer account */
633	asprintf(&samname, "%s$", fqdn);
634	if (samname == NULL) {
635	ret = ENOMEM;
636	goto out;
637	}
638	s = strchr(samname, '.');
639	if (s) {
640	s[0] = '$';
641	s[1] = '\0';
642	}
643
644	short_spn = strdup(p);
645	if (short_spn == NULL) {
646	errno = ENOMEM;
647	goto out;
648	}
649	s = strchr(short_spn, '.');
650	if (s) {
651	*s = '\0';
652	} else {
653	free(short_spn);
654	short_spn = NULL;
655	}
656
657	p_msrealm = strdup(p);
658	if (p_msrealm == NULL) {
659	errno = ENOMEM;
660	goto out;
661	}
662	s = strrchr(p_msrealm, '@');
663	if (s) {
664	*s = '/';
665	} else {
666	free(p_msrealm);
667	p_msrealm = NULL;
668	}
669
670	asprintf(&dn, "cn=%s, cn=Computers, %s", fqdn, CTX2BASE(context));
671	if (dn == NULL) {
672	ret = ENOMEM;
673	goto out;
674	}
675
676	a = &rattrs[0];
677	a->mod_op = LDAP_MOD_ADD;
678	a->mod_type = "objectClass";
679	a->mod_values = ocvals_spn;
680	a++;
681
682	a->mod_op = LDAP_MOD_ADD;
683	a->mod_type = "userAccountControl";
684	a->mod_values = useraccvals;
685	asprintf(&useraccvals[0], "%d",
686	uf_flags \|
687	UF_PASSWD_NOT_EXPIRE \|
688	UF_WORKSTATION_TRUST_ACCOUNT);
689	useraccvals[1] = NULL;
690	a++;
691
692	a->mod_op = LDAP_MOD_ADD;
693	a->mod_type = "sAMAccountName";
694	a->mod_values = samvals;
695	samvals[0] = samname;
696	samvals[1] = NULL;
697	a++;
698
699	a->mod_op = LDAP_MOD_ADD;
700	a->mod_type = "dNSHostName";
701	a->mod_values = dnsvals;
702	dnsvals[0] = (char *)fqdn;
703	dnsvals[1] = NULL;
704	a++;
705
706	/* XXX add even more spn's */
707	a->mod_op = LDAP_MOD_ADD;
708	a->mod_type = "servicePrincipalName";
709	a->mod_values = spnvals;
710	i = 0;
711	spnvals[i++] = p;
712	spnvals[i++] = realmless_p;
713	if (short_spn)
714	spnvals[i++] = short_spn;
715	if (p_msrealm)
716	spnvals[i++] = p_msrealm;
717	spnvals[i++] = NULL;
718	a++;
719
720	a->mod_op = LDAP_MOD_ADD;
721	a->mod_type = "userPrincipalName";
722	a->mod_values = upnvals;
723	upnvals[0] = p;
724	upnvals[1] = NULL;
725	a++;
726
727	a->mod_op = LDAP_MOD_ADD;
728	a->mod_type = "accountExpires";
729	a->mod_values = tv;
730	tv[0] = "9223372036854775807"; /* "never" */
731	tv[1] = NULL;
732	a++;
733
734	} else {
735	/* create user account */
736
737	a = &rattrs[0];
738	a->mod_op = LDAP_MOD_ADD;
739	a->mod_type = "userAccountControl";
740	a->mod_values = useraccvals;
741	asprintf(&useraccvals[0], "%d",
742	uf_flags \|
743	UF_PASSWD_NOT_EXPIRE);
744	useraccvals[1] = NULL;
745	a++;
746
747	a->mod_op = LDAP_MOD_ADD;
748	a->mod_type = "sAMAccountName";
749	a->mod_values = samvals;
750	samvals[0] = realmless_p;
751	samvals[1] = NULL;
752	a++;
753
754	a->mod_op = LDAP_MOD_ADD;
755	a->mod_type = "userPrincipalName";
756	a->mod_values = upnvals;
757	upnvals[0] = p;
758	upnvals[1] = NULL;
759	a++;
760
761	a->mod_op = LDAP_MOD_ADD;
762	a->mod_type = "accountExpires";
763	a->mod_values = tv;
764	tv[0] = "9223372036854775807"; /* "never" */
765	tv[1] = NULL;
766	a++;
767	}
768
769	attrs[a - &rattrs[0]] = NULL;
770
771	ret = ldap_add_s(CTX2LP(context), dn, attrs);
772
773	out:
774	if (useraccvals[0])
775	free(useraccvals[0]);
776	if (realmless_p)
777	free(realmless_p);
778	if (samname)
779	free(samname);
780	if (short_spn)
781	free(short_spn);
782	if (p_msrealm)
783	free(p_msrealm);
784	free(p);
785
786	if (check_ldap(context, ret))
787	return KADM5_RPC_ERROR;
788
789	return 0;
790	#else
791	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
792	return KADM5_RPC_ERROR;
793	#endif
794	}
795
796	static kadm5_ret_t
797	kadm5_ad_delete_principal(void *server_handle, krb5_principal principal)
798	{
799	kadm5_ad_context *context = server_handle;
800	#ifdef OPENLDAP
801	char p, dn = NULL;
802	const char *fqdn;
803	int ret;
804
805	ret = ad_get_cred(context, NULL);
806	if (ret)
807	return ret;
808
809	ret = _kadm5_ad_connect(server_handle);
810	if (ret)
811	return ret;
812
813	fqdn = get_fqdn(context->context, principal);
814
815	ret = krb5_unparse_name(context->context, principal, &p);
816	if (ret)
817	return ret;
818
819	if (ad_find_entry(context, fqdn, p, &dn) != 0) {
820	free(p);
821	return KADM5_UNK_PRINC;
822	}
823
824	ret = ldap_delete_s(CTX2LP(context), dn);
825
826	free(dn);
827	free(p);
828
829	if (check_ldap(context, ret))
830	return KADM5_RPC_ERROR;
831	return 0;
832	#else
833	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
834	return KADM5_RPC_ERROR;
835	#endif
836	}
837
838	static kadm5_ret_t
839	kadm5_ad_destroy(void *server_handle)
840	{
841	kadm5_ad_context *context = server_handle;
842
843	if (context->ccache)
844	krb5_cc_destroy(context->context, context->ccache);
845
846	#ifdef OPENLDAP
847	{
848	LDAP *lp = CTX2LP(context);
849	if (lp)
850	ldap_unbind(lp);
851	if (context->base_dn)
852	free(context->base_dn);
853	}
854	#endif
855	free(context->realm);
856	free(context->client_name);
857	krb5_free_principal(context->context, context->caller);
858	if(context->my_context)
859	krb5_free_context(context->context);
860	return 0;
861	}
862
863	static kadm5_ret_t
864	kadm5_ad_flush(void *server_handle)
865	{
866	kadm5_ad_context *context = server_handle;
867	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
868	return KADM5_RPC_ERROR;
869	}
870
871	static kadm5_ret_t
872	kadm5_ad_get_principal(void *server_handle,
873	krb5_principal principal,
874	kadm5_principal_ent_t entry,
875	uint32_t mask)
876	{
877	kadm5_ad_context *context = server_handle;
878	#ifdef OPENLDAP
879	LDAPMessage m, m0;
880	char **attr = NULL;
881	int attrlen = 0;
882	char filter, p, q, u;
883	int ret;
884
885	/*
886	* principal
887	* KADM5_PRINCIPAL \| KADM5_KVNO \| KADM5_ATTRIBUTES
888	*/
889
890	/*
891	* return 0 \|\| KADM5_DUP;
892	*/
893
894	memset(entry, 0, sizeof(*entry));
895
896	if (mask & KADM5_KVNO)
897	laddattr(&attr, &attrlen, "msDS-KeyVersionNumber");
898
899	if (mask & KADM5_PRINCIPAL) {
900	laddattr(&attr, &attrlen, "userPrincipalName");
901	laddattr(&attr, &attrlen, "servicePrincipalName");
902	}
903	laddattr(&attr, &attrlen, "objectClass");
904	laddattr(&attr, &attrlen, "lastLogon");
905	laddattr(&attr, &attrlen, "badPwdCount");
906	laddattr(&attr, &attrlen, "badPasswordTime");
907	laddattr(&attr, &attrlen, "pwdLastSet");
908	laddattr(&attr, &attrlen, "accountExpires");
909	laddattr(&attr, &attrlen, "userAccountControl");
910
911	krb5_unparse_name_short(context->context, principal, &p);
912	krb5_unparse_name(context->context, principal, &u);
913
914	/* replace @ in domain part with a / */
915	q = strrchr(p, '@');
916	if (q && (p != q && *(q - 1) != '\\'))
917	*q = '/';
918
919	asprintf(&filter,
920	"(\|(userPrincipalName=%s)(servicePrincipalName=%s)(servicePrincipalName=%s))",
921	u, p, u);
922	free(p);
923	free(u);
924
925	ret = ldap_search_s(CTX2LP(context), CTX2BASE(context),
926	LDAP_SCOPE_SUBTREE,
927	filter, attr, 0, &m);
928	free(attr);
929	if (check_ldap(context, ret))
930	return KADM5_RPC_ERROR;
931
932	if (ldap_count_entries(CTX2LP(context), m) > 0) {
933	char **vals;
934	m0 = ldap_first_entry(CTX2LP(context), m);
935	if (m0 == NULL) {
936	ldap_msgfree(m);
937	goto fail;
938	}
939	#if 0
940	vals = ldap_get_values(CTX2LP(context), m0, "servicePrincipalName");
941	if (vals)
942	printf("servicePrincipalName %s\n", vals[0]);
943	vals = ldap_get_values(CTX2LP(context), m0, "userPrincipalName");
944	if (vals)
945	printf("userPrincipalName %s\n", vals[0]);
946	vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl");
947	if (vals)
948	printf("userAccountControl %s\n", vals[0]);
949	#endif
950	entry->princ_expire_time = 0;
951	if (mask & KADM5_PRINC_EXPIRE_TIME) {
952	vals = ldap_get_values(CTX2LP(context), m0, "accountExpires");
953	if (vals)
954	entry->princ_expire_time = nt2unixtime(vals[0]);
955	}
956	entry->last_success = 0;
957	if (mask & KADM5_LAST_SUCCESS) {
958	vals = ldap_get_values(CTX2LP(context), m0, "lastLogon");
959	if (vals)
960	entry->last_success = nt2unixtime(vals[0]);
961	}
962	if (mask & KADM5_LAST_FAILED) {
963	vals = ldap_get_values(CTX2LP(context), m0, "badPasswordTime");
964	if (vals)
965	entry->last_failed = nt2unixtime(vals[0]);
966	}
967	if (mask & KADM5_LAST_PWD_CHANGE) {
968	vals = ldap_get_values(CTX2LP(context), m0, "pwdLastSet");
969	if (vals)
970	entry->last_pwd_change = nt2unixtime(vals[0]);
971	}
972	if (mask & KADM5_FAIL_AUTH_COUNT) {
973	vals = ldap_get_values(CTX2LP(context), m0, "badPwdCount");
974	if (vals)
975	entry->fail_auth_count = atoi(vals[0]);
976	}
977	if (mask & KADM5_ATTRIBUTES) {
978	vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl");
979	if (vals) {
980	uint32_t i;
981	i = atoi(vals[0]);
982	if (i & (UF_ACCOUNTDISABLE\|UF_LOCKOUT))
983	entry->attributes \|= KRB5_KDB_DISALLOW_ALL_TIX;
984	if ((i & UF_DONT_REQUIRE_PREAUTH) == 0)
985	entry->attributes \|= KRB5_KDB_REQUIRES_PRE_AUTH;
986	if (i & UF_SMARTCARD_REQUIRED)
987	entry->attributes \|= KRB5_KDB_REQUIRES_HW_AUTH;
988	if ((i & UF_WORKSTATION_TRUST_ACCOUNT) == 0)
989	entry->attributes \|= KRB5_KDB_DISALLOW_SVR;
990	}
991	}
992	if (mask & KADM5_KVNO) {
993	vals = ldap_get_values(CTX2LP(context), m0,
994	"msDS-KeyVersionNumber");
995	if (vals)
996	entry->kvno = atoi(vals[0]);
997	else
998	entry->kvno = 0;
999	}
1000	ldap_msgfree(m);
1001	} else {
1002	return KADM5_UNK_PRINC;
1003	}
1004
1005	if (mask & KADM5_PRINCIPAL)
1006	krb5_copy_principal(context->context, principal, &entry->principal);
1007
1008	return 0;
1009	fail:
1010	return KADM5_RPC_ERROR;
1011	#else
1012	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1013	return KADM5_RPC_ERROR;
1014	#endif
1015	}
1016
1017	static kadm5_ret_t
1018	kadm5_ad_get_principals(void *server_handle,
1019	const char *expression,
1020	char ***principals,
1021	int *count)
1022	{
1023	kadm5_ad_context *context = server_handle;
1024
1025	/*
1026	* KADM5_PRINCIPAL \| KADM5_KVNO \| KADM5_ATTRIBUTES
1027	*/
1028
1029	#ifdef OPENLDAP
1030	kadm5_ret_t ret;
1031
1032	ret = ad_get_cred(context, NULL);
1033	if (ret)
1034	return ret;
1035
1036	ret = _kadm5_ad_connect(server_handle);
1037	if (ret)
1038	return ret;
1039
1040	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1041	return KADM5_RPC_ERROR;
1042	#else
1043	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1044	return KADM5_RPC_ERROR;
1045	#endif
1046	}
1047
1048	static kadm5_ret_t
1049	kadm5_ad_get_privs(void server_handle, uint32_tprivs)
1050	{
1051	kadm5_ad_context *context = server_handle;
1052	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1053	return KADM5_RPC_ERROR;
1054	}
1055
1056	static kadm5_ret_t
1057	kadm5_ad_modify_principal(void *server_handle,
1058	kadm5_principal_ent_t entry,
1059	uint32_t mask)
1060	{
1061	kadm5_ad_context *context = server_handle;
1062
1063	/*
1064	* KADM5_ATTRIBUTES
1065	* KRB5_KDB_DISALLOW_ALL_TIX (\| KADM5_KVNO)
1066	*/
1067
1068	#ifdef OPENLDAP
1069	LDAPMessage m = NULL, m0;
1070	kadm5_ret_t ret;
1071	char **attr = NULL;
1072	int attrlen = 0;
1073	char p = NULL, s = NULL, *q;
1074	char **vals;
1075	LDAPMod attrs[4], rattrs[3], a;
1076	char *uaf[2] = { NULL, NULL };
1077	char *kvno[2] = { NULL, NULL };
1078	char *tv[2] = { NULL, NULL };
1079	char filter, dn;
1080	int i;
1081
1082	for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++)
1083	attrs[i] = &rattrs[i];
1084	attrs[i] = NULL;
1085	a = &rattrs[0];
1086
1087	ret = _kadm5_ad_connect(server_handle);
1088	if (ret)
1089	return ret;
1090
1091	if (mask & KADM5_KVNO)
1092	laddattr(&attr, &attrlen, "msDS-KeyVersionNumber");
1093	if (mask & KADM5_PRINC_EXPIRE_TIME)
1094	laddattr(&attr, &attrlen, "accountExpires");
1095	if (mask & KADM5_ATTRIBUTES)
1096	laddattr(&attr, &attrlen, "userAccountControl");
1097	laddattr(&attr, &attrlen, "distinguishedName");
1098
1099	krb5_unparse_name(context->context, entry->principal, &p);
1100
1101	s = strdup(p);
1102
1103	q = strrchr(s, '@');
1104	if (q && (p != q && *(q - 1) != '\\'))
1105	*q = '\0';
1106
1107	asprintf(&filter,
1108	"(\|(userPrincipalName=%s)(servicePrincipalName=%s))",
1109	s, s);
1110	free(p);
1111	free(s);
1112
1113	ret = ldap_search_s(CTX2LP(context), CTX2BASE(context),
1114	LDAP_SCOPE_SUBTREE,
1115	filter, attr, 0, &m);
1116	free(attr);
1117	free(filter);
1118	if (check_ldap(context, ret))
1119	return KADM5_RPC_ERROR;
1120
1121	if (ldap_count_entries(CTX2LP(context), m) <= 0) {
1122	ret = KADM5_RPC_ERROR;
1123	goto out;
1124	}
1125
1126	m0 = ldap_first_entry(CTX2LP(context), m);
1127
1128	if (mask & KADM5_ATTRIBUTES) {
1129	int32_t i;
1130
1131	vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl");
1132	if (vals == NULL) {
1133	ret = KADM5_RPC_ERROR;
1134	goto out;
1135	}
1136
1137	i = atoi(vals[0]);
1138	if (i == 0)
1139	return KADM5_RPC_ERROR;
1140
1141	if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)
1142	i \|= (UF_ACCOUNTDISABLE\|UF_LOCKOUT);
1143	else
1144	i &= ~(UF_ACCOUNTDISABLE\|UF_LOCKOUT);
1145	if (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)
1146	i &= ~UF_DONT_REQUIRE_PREAUTH;
1147	else
1148	i \|= UF_DONT_REQUIRE_PREAUTH;
1149	if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH)
1150	i \|= UF_SMARTCARD_REQUIRED;
1151	else
1152	i &= UF_SMARTCARD_REQUIRED;
1153	if (entry->attributes & KRB5_KDB_DISALLOW_SVR)
1154	i &= ~UF_WORKSTATION_TRUST_ACCOUNT;
1155	else
1156	i \|= UF_WORKSTATION_TRUST_ACCOUNT;
1157
1158	asprintf(&uaf[0], "%d", i);
1159
1160	a->mod_op = LDAP_MOD_REPLACE;
1161	a->mod_type = "userAccountControl";
1162	a->mod_values = uaf;
1163	a++;
1164	}
1165
1166	if (mask & KADM5_KVNO) {
1167	vals = ldap_get_values(CTX2LP(context), m0, "msDS-KeyVersionNumber");
1168	if (vals == NULL) {
1169	entry->kvno = 0;
1170	} else {
1171	asprintf(&kvno[0], "%d", entry->kvno);
1172
1173	a->mod_op = LDAP_MOD_REPLACE;
1174	a->mod_type = "msDS-KeyVersionNumber";
1175	a->mod_values = kvno;
1176	a++;
1177	}
1178	}
1179
1180	if (mask & KADM5_PRINC_EXPIRE_TIME) {
1181	long long wt;
1182	vals = ldap_get_values(CTX2LP(context), m0, "accountExpires");
1183	if (vals == NULL) {
1184	ret = KADM5_RPC_ERROR;
1185	goto out;
1186	}
1187
1188	wt = unix2nttime(entry->princ_expire_time);
1189
1190	asprintf(&tv[0], "%llu", wt);
1191
1192	a->mod_op = LDAP_MOD_REPLACE;
1193	a->mod_type = "accountExpires";
1194	a->mod_values = tv;
1195	a++;
1196	}
1197
1198	vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName");
1199	if (vals == NULL) {
1200	ret = KADM5_RPC_ERROR;
1201	goto out;
1202	}
1203	dn = vals[0];
1204
1205	attrs[a - &rattrs[0]] = NULL;
1206
1207	ret = ldap_modify_s(CTX2LP(context), dn, attrs);
1208	if (check_ldap(context, ret))
1209	return KADM5_RPC_ERROR;
1210
1211	out:
1212	if (m)
1213	ldap_msgfree(m);
1214	if (uaf[0])
1215	free(uaf[0]);
1216	if (kvno[0])
1217	free(kvno[0]);
1218	if (tv[0])
1219	free(tv[0]);
1220	return ret;
1221	#else
1222	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1223	return KADM5_RPC_ERROR;
1224	#endif
1225	}
1226
1227	static kadm5_ret_t
1228	kadm5_ad_randkey_principal(void *server_handle,
1229	krb5_principal principal,
1230	krb5_keyblock **keys,
1231	int *n_keys)
1232	{
1233	kadm5_ad_context *context = server_handle;
1234
1235	/*
1236	* random key
1237	*/
1238
1239	#ifdef OPENLDAP
1240	krb5_data result_code_string, result_string;
1241	int result_code, plen;
1242	kadm5_ret_t ret;
1243	char *password;
1244
1245	*keys = NULL;
1246	*n_keys = 0;
1247
1248	{
1249	char p[64];
1250	krb5_generate_random_block(p, sizeof(p));
1251	plen = base64_encode(p, sizeof(p), &password);
1252	if (plen < 0)
1253	return ENOMEM;
1254	}
1255
1256	ret = ad_get_cred(context, NULL);
1257	if (ret) {
1258	free(password);
1259	return ret;
1260	}
1261
1262	krb5_data_zero (&result_code_string);
1263	krb5_data_zero (&result_string);
1264
1265	ret = krb5_set_password_using_ccache (context->context,
1266	context->ccache,
1267	password,
1268	principal,
1269	&result_code,
1270	&result_code_string,
1271	&result_string);
1272
1273	krb5_data_free (&result_code_string);
1274	krb5_data_free (&result_string);
1275
1276	if (ret == 0) {
1277
1278	keys = malloc(sizeof(keys) 1);
1279	if (*keys == NULL) {
1280	ret = ENOMEM;
1281	goto out;
1282	}
1283	*n_keys = 1;
1284
1285	ret = krb5_string_to_key(context->context,
1286	ENCTYPE_ARCFOUR_HMAC_MD5,
1287	password,
1288	principal,
1289	&(*keys)[0]);
1290	memset(password, 0, sizeof(password));
1291	if (ret) {
1292	free(*keys);
1293	*keys = NULL;
1294	*n_keys = 0;
1295	goto out;
1296	}
1297	}
1298	memset(password, 0, plen);
1299	free(password);
1300	out:
1301	return ret;
1302	#else
1303	*keys = NULL;
1304	*n_keys = 0;
1305
1306	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1307	return KADM5_RPC_ERROR;
1308	#endif
1309	}
1310
1311	static kadm5_ret_t
1312	kadm5_ad_rename_principal(void *server_handle,
1313	krb5_principal from,
1314	krb5_principal to)
1315	{
1316	kadm5_ad_context *context = server_handle;
1317	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1318	return KADM5_RPC_ERROR;
1319	}
1320
1321	static kadm5_ret_t
1322	kadm5_ad_chpass_principal_with_key(void *server_handle,
1323	krb5_principal princ,
1324	int n_key_data,
1325	krb5_key_data *key_data)
1326	{
1327	kadm5_ad_context *context = server_handle;
1328	krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented");
1329	return KADM5_RPC_ERROR;
1330	}
1331
1332	static void
1333	set_funcs(kadm5_ad_context *c)
1334	{
1335	#define SET(C, F) (C)->funcs.F = kadm5_ad_ ## F
1336	SET(c, chpass_principal);
1337	SET(c, chpass_principal_with_key);
1338	SET(c, create_principal);
1339	SET(c, delete_principal);
1340	SET(c, destroy);
1341	SET(c, flush);
1342	SET(c, get_principal);
1343	SET(c, get_principals);
1344	SET(c, get_privs);
1345	SET(c, modify_principal);
1346	SET(c, randkey_principal);
1347	SET(c, rename_principal);
1348	}
1349
1350	kadm5_ret_t
1351	kadm5_ad_init_with_password_ctx(krb5_context context,
1352	const char *client_name,
1353	const char *password,
1354	const char *service_name,
1355	kadm5_config_params *realm_params,
1356	unsigned long struct_version,
1357	unsigned long api_version,
1358	void **server_handle)
1359	{
1360	kadm5_ret_t ret;
1361	kadm5_ad_context *ctx;
1362
1363	ctx = malloc(sizeof(*ctx));
1364	if(ctx == NULL)
1365	return ENOMEM;
1366	memset(ctx, 0, sizeof(*ctx));
1367	set_funcs(ctx);
1368
1369	ctx->context = context;
1370	krb5_add_et_list (context, initialize_kadm5_error_table_r);
1371
1372	ret = krb5_parse_name(ctx->context, client_name, &ctx->caller);
1373	if(ret) {
1374	free(ctx);
1375	return ret;
1376	}
1377
1378	if(realm_params->mask & KADM5_CONFIG_REALM) {
1379	ret = 0;
1380	ctx->realm = strdup(realm_params->realm);
1381	if (ctx->realm == NULL)
1382	ret = ENOMEM;
1383	} else
1384	ret = krb5_get_default_realm(ctx->context, &ctx->realm);
1385	if (ret) {
1386	free(ctx);
1387	return ret;
1388	}
1389
1390	ctx->client_name = strdup(client_name);
1391
1392	if(password != NULL && *password != '\0')
1393	ret = ad_get_cred(ctx, password);
1394	else
1395	ret = ad_get_cred(ctx, NULL);
1396	if(ret) {
1397	kadm5_ad_destroy(ctx);
1398	return ret;
1399	}
1400
1401	#ifdef OPENLDAP
1402	ret = _kadm5_ad_connect(ctx);
1403	if (ret) {
1404	kadm5_ad_destroy(ctx);
1405	return ret;
1406	}
1407	#endif
1408
1409	*server_handle = ctx;
1410	return 0;
1411	}
1412
1413	kadm5_ret_t
1414	kadm5_ad_init_with_password(const char *client_name,
1415	const char *password,
1416	const char *service_name,
1417	kadm5_config_params *realm_params,
1418	unsigned long struct_version,
1419	unsigned long api_version,
1420	void **server_handle)
1421	{
1422	krb5_context context;
1423	kadm5_ret_t ret;
1424	kadm5_ad_context *ctx;
1425
1426	ret = krb5_init_context(&context);
1427	if (ret)
1428	return ret;
1429	ret = kadm5_ad_init_with_password_ctx(context,
1430	client_name,
1431	password,
1432	service_name,
1433	realm_params,
1434	struct_version,
1435	api_version,
1436	server_handle);
1437	if(ret) {
1438	krb5_free_context(context);
1439	return ret;
1440	}
1441	ctx = *server_handle;
1442	ctx->my_context = 1;
1443	return 0;
1444	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: heimdal/trunk/lib/kadm5/ad.c@ 4

Download in other formats: