Diffstat (limited to 'src/plugins/kdb/ldap/libkdb_ldap')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c6
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h16
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c1
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif68
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c68
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c98
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c2
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c2
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/lockout.c8
9 files changed, 98 insertions, 171 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index 7ba8075cb849..4fbf898965c2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -277,8 +277,10 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code)
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code)
{
(void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
}
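Review bot: The new local_addr and remote_addr parameters are accepted but never read; the body still forwards only client, authtime and error_code to krb5_ldap_lockout_audit, so a reader cannot tell whether ignoring the peer addresses is deliberate. A comment above the call such as `/* Addresses are unused here; lockout auditing keys only on the client entry. */` plus `(void)local_addr; (void)remote_addr;` would make the intent explicit and keep -Wunused-parameter builds quiet. The matching prototype in kdb_ldap.h (the hunk at -282) has the same undocumented parameters. I assume the new signature mirrors the KDB audit_as_req hook; confirm against the DAL definition.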
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 06b477537d5a..535a1f309e29 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -171,7 +171,6 @@ typedef struct _krb5_ldap_server_info krb5_ldap_server_info;
typedef struct _krb5_ldap_server_handle {
int msgid;
LDAP *ldap_handle;
- krb5_boolean server_info_update_pending;
krb5_ldap_server_info *server_info;
struct _krb5_ldap_server_handle *next;
} krb5_ldap_server_handle;
@@ -282,8 +281,10 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
void
krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_timestamp authtime, krb5_error_code error_code);
+ const krb5_address *local_addr,
+ const krb5_address *remote_addr, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code);
krb5_error_code
krb5_ldap_check_allowed_to_delegate(krb5_context context,
@@ -300,15 +301,6 @@ krb5_ldap_lock( krb5_context, int );
krb5_error_code
krb5_ldap_unlock( krb5_context );
-#ifndef HAVE_LDAP_INITIALIZE
-int
-ldap_initialize(LDAP **, char *);
-#endif
-#ifndef HAVE_LDAP_UNBIND_EXT_S
-int
-ldap_unbind_ext_s(LDAP *, LDAPControl **, LDAPControl **);
-#endif
-
/* lockout.c */
krb5_error_code
krb5_ldap_lockout_check_policy(krb5_context context,
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index d904c9933b2e..cee4b7b8d30e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -193,7 +193,6 @@ initialize_server(krb5_ldap_context *ldap_context, krb5_ldap_server_info *info)
return ret;
}
- server->server_info_update_pending = FALSE;
server->next = info->ldap_server_handles;
info->ldap_server_handles = server;
info->num_conns++;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif
new file mode 100644
index 000000000000..830277d738ca
--- /dev/null
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif
@@ -0,0 +1,68 @@
+# This LDIF version of the Kerberos schema can be loaded into an
+# OpenLDAP database. It was originally converted semi-automatically
+# from kerberos.schema using slaptest.
+
+dn: cn=kerberos,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: kerberos
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
+olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn )
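Review bot: The header comment explains how the file was produced but not that several attribute types it defines carry secrets: krbPrincipalKey, krbMKey and krbPwdHistory are octet-string attributes holding key material, and loading this schema does nothing to restrict who may read them. A line after the third comment line such as `# krbPrincipalKey, krbMKey and krbPwdHistory hold key material; restrict read access to them with olcAccess rules limited to the KDC and kadmin service identities.` would point operators at the step the schema itself cannot perform. Separately, krbUPEnabled is the only attribute type declared without an EQUALITY rule; that presumably mirrors kerberos.schema, but on OpenLDAP it means equality filters on that attribute are undefined, so it is worth confirming this is intended.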
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
index 77d8f810dbad..2f5d3d9e03d2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
@@ -30,62 +30,6 @@
#include "ldap_main.h"
-
-#ifdef ASYNC_BIND
-
-/*
- * Update the server info structure. In case of an asynchronous bind,
- * this function is called to check the bind status. A flag
- * server_info_upate_pending is refered before calling this function.
- * This function sets the server_status to either ON or OFF and
- * sets the server_info_udpate_pending to OFF.
- * Do not lock the mutex here. The caller should lock it
- */
-
-static krb5_error_code
-krb5_update_server_info(krb5_ldap_server_handle *ldap_server_handle,
- krb5_ldap_server_info *server_info)
-{
- krb5_error_code st=0;
- struct timeval ztime={0, 0};
- LDAPMessage *result=NULL;
-
- if (ldap_server_handle == NULL || server_info == NULL)
- return -1;
-
- while (st == 0) {
- st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid,
- LDAP_MSG_ALL, &ztime, &result);
- switch (st) {
- case -1:
- server_info->server_status = OFF;
- time(&server_info->downtime);
- break;
-
- case 0:
- continue;
- break;
-
- case LDAP_RES_BIND:
- if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) {
- server_info->server_status = ON;
- } else {
- server_info->server_status = OFF;
- time(&server_info->downtime);
- }
- ldap_msgfree(result);
- break;
- default:
- ldap_msgfree(result);
- continue;
- break;
- }
- }
- ldap_server_handle->server_info_update_pending = FALSE;
- return 0;
-}
-#endif
-
/*
* Return ldap server handle from the pool. If the pool is exhausted return NULL.
* Do not lock the mutex, caller should lock it
@@ -105,18 +49,6 @@ krb5_get_ldap_handle(krb5_ldap_context *ldap_context)
ldap_server_handle = ldap_server_info->ldap_server_handles;
ldap_server_info->ldap_server_handles = ldap_server_handle->next;
break;
-#ifdef ASYNC_BIND
- if (ldap_server_handle->server_info_update_pending == TRUE) {
- krb5_update_server_info(context, ldap_server_handle,
- ldap_server_info);
- }
-
- if (ldap_server_info->server_status == ON) {
- ldap_server_info->ldap_server_handles = ldap_server_handle->next;
- break;
- } else
- ldap_server_handle = NULL;
-#endif
}
}
++cnt;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 32efc4f54ad0..5b9d1e9fa67c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1231,6 +1231,8 @@ krb5_ldap_policydn_to_name(krb5_context context, const char *policy_dn,
kdb5_dal_handle *dal_handle;
krb5_ldap_context *ldap_context;
const char *realmdn;
+ char *rdn;
+ LDAPDN dn;
*name_out = NULL;
SETUP_CONTEXT();
@@ -1248,46 +1250,22 @@ krb5_ldap_policydn_to_name(krb5_context context, const char *policy_dn,
if (policy_dn[plen] != ',' || strcmp(realmdn, policy_dn + plen + 1) != 0)
return EINVAL;
-#if defined HAVE_LDAP_STR2DN
- {
- char *rdn;
- LDAPDN dn;
-
- rdn = k5memdup0(policy_dn, plen, &ret);
- if (rdn == NULL)
- return ret;
- ret = ldap_str2dn(rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC);
- free(rdn);
- if (ret)
- return EINVAL;
- if (dn[0] == NULL || dn[1] != NULL ||
- dn[0][0]->la_attr.bv_len != 2 ||
- strncasecmp(dn[0][0]->la_attr.bv_val, "cn", 2) != 0) {
- ret = EINVAL;
- } else {
- *name_out = k5memdup0(dn[0][0]->la_value.bv_val,
- dn[0][0]->la_value.bv_len, &ret);
- }
- ldap_dnfree(dn);
+ rdn = k5memdup0(policy_dn, plen, &ret);
+ if (rdn == NULL)
return ret;
+ ret = ldap_str2dn(rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC);
+ free(rdn);
+ if (ret)
+ return EINVAL;
+ if (dn[0] == NULL || dn[1] != NULL || dn[0][0]->la_attr.bv_len != 2 ||
+ strncasecmp(dn[0][0]->la_attr.bv_val, "cn", 2) != 0) {
+ ret = EINVAL;
+ } else {
+ *name_out = k5memdup0(dn[0][0]->la_value.bv_val,
+ dn[0][0]->la_value.bv_len, &ret);
}
-#elif defined HAVE_LDAP_EXPLODE_DN
- {
- char **parsed_dn;
-
- /* 1 = return DN components without type prefix */
- parsed_dn = ldap_explode_dn(policy_dn, 1);
- if (parsed_dn == NULL)
- return EINVAL;
- *name_out = strdup(parsed_dn[0]);
- if (*name_out == NULL)
- return ENOMEM;
- ldap_value_free(parsed_dn);
- return 0;
- }
-#else
- return EINVAL;
-#endif
+ ldap_dnfree(dn);
+ return ret;
}
/* Compute the policy DN for the given policy name. */
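Review bot: The shape check on the parsed DN rejects a DN with more than one RDN but not an RDN with more than one attribute value: dn[0][1] is never examined, so a multi-valued RDN such as cn=name+o=x (a constructed example) is accepted and only the cn value is returned, which no longer round-trips to the original policy DN. If I read LDAPDN's layout correctly (each dn[i] is a NULL-terminated array of LDAPAVA pointers), adding one term to the condition closes this: `if (dn[0] == NULL || dn[1] != NULL || dn[0][1] != NULL ||` followed by the existing bv_len and strncasecmp checks. The function's opening and the plen computation precede this hunk and are outside it.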
@@ -1699,47 +1677,3 @@ cleanup:
free_princ_ent_contents(&princ_ent);
return ret;
}
-
-/* Solaris libldap does not provide the following functions which are in
- * OpenLDAP. */
-#ifndef HAVE_LDAP_INITIALIZE
-int
-ldap_initialize(LDAP **ldp, char *url)
-{
- int rc = 0;
- LDAP *ld = NULL;
- LDAPURLDesc *ludp = NULL;
-
- /*
- * For now, we don't use any DN that may be provided. And on Solaris
- * (based on Mozilla's LDAP client code), we need the _nodn form to parse
- * "ldap://host" without a trailing slash.
- *
- * Also, this version won't handle an input string which contains multiple
- * URLs, unlike the OpenLDAP ldap_initialize. See
- * https://bugzilla.mozilla.org/show_bug.cgi?id=353336#c1 .
- */
-#ifdef HAVE_LDAP_URL_PARSE_NODN
- rc = ldap_url_parse_nodn(url, &ludp);
-#else
- rc = ldap_url_parse(url, &ludp);
-#endif
- if (rc == 0) {
- ld = ldap_init(ludp->lud_host, ludp->lud_port);
- if (ld != NULL)
- *ldp = ld;
- else
- rc = KRB5_KDB_ACCESS_ERROR;
- ldap_free_urldesc(ludp);
- }
- return rc;
-}
-#endif /* HAVE_LDAP_INITIALIZE */
-
-#ifndef HAVE_LDAP_UNBIND_EXT_S
-int
-ldap_unbind_ext_s(LDAP *ld, LDAPControl **sctrls, LDAPControl **cctrls)
-{
- return ldap_unbind_ext(ld, sctrls, cctrls);
-}
-#endif /* HAVE_LDAP_UNBIND_EXT_S */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 7ba53f959ce4..88a17049503e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -1734,7 +1734,7 @@ getstringtime(krb5_timestamp epochtime)
{
struct tm tme;
char *strtime=NULL;
- time_t posixtime = epochtime;
+ time_t posixtime = ts2tt(epochtime);
strtime = calloc (50, 1);
if (strtime == NULL)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
index f5c6ab8cd376..4193b4adccae 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
@@ -431,7 +431,7 @@ krb5_ldap_list(krb5_context context, char ***list, char *objectclass,
{
char *filter=NULL, *dn=NULL;
krb5_error_code st=0, tempst=0;
- int i=0, count=0, filterlen=0;
+ int count=0, filterlen=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL,*ent=NULL;
kdb5_dal_handle *dal_handle=NULL;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
index 0fc56c2fe7bd..1088ecc5ad0b 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
@@ -93,7 +93,7 @@ locked_check_p(krb5_context context,
/* If the entry was unlocked since the last failure, it's not locked. */
if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
- entry->last_failed <= unlock_time)
+ !ts_after(entry->last_failed, unlock_time))
return FALSE;
if (max_fail == 0 || entry->fail_auth_count < max_fail)
@@ -102,7 +102,7 @@ locked_check_p(krb5_context context,
if (lockout_duration == 0)
return TRUE; /* principal permanently locked */
- return (stamp < entry->last_failed + lockout_duration);
+ return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp);
}
krb5_error_code
@@ -196,14 +196,14 @@ krb5_ldap_lockout_audit(krb5_context context,
status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
if (krb5_dbe_lookup_last_admin_unlock(context, entry,
&unlock_time) == 0 &&
- entry->last_failed <= unlock_time) {
+ !ts_after(entry->last_failed, unlock_time)) {
/* Reset fail_auth_count after administrative unlock. */
entry->fail_auth_count = 0;
entry->mask |= KADM5_FAIL_AUTH_COUNT;
}
if (failcnt_interval != 0 &&
- stamp > entry->last_failed + failcnt_interval) {
+ ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) {
/* Reset fail_auth_count after failcnt_interval */
entry->fail_auth_count = 0;
entry->mask |= KADM5_FAIL_AUTH_COUNT;