11869fce | 2015-09-29 00:35:24 | Timothy Pearson |
Move keytab export to native Heimdal API |
||
M src/libtdeldap.cpp M src/libtdeldap.h |
||
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index 93ec360..19812d5 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -1140,13 +1140,19 @@ return result; } -int LDAPManager::bindKAdmin(TQString *errstr) { +int LDAPManager::bindKAdmin(LDAPCredentials *administrativeCredentials, TQString *errstr) { int retcode = 1; kadm5_ret_t krb5adm_ret; kadm5_config_params params; - LDAPCredentials admincreds = currentLDAPCredentials(); + LDAPCredentials admincreds; + if (administrativeCredentials) { + admincreds = *administrativeCredentials; + } + else { + admincreds = currentLDAPCredentials(); + } if (admincreds.use_gssapi) { // FIXME // Heimdal has issues parsing the keytab file, so for now just prompt for password @@ -1291,7 +1297,14 @@ int retcode; kadm5_ret_t krb5adm_ret; - retcode = bindKAdmin(errstr); + bool kadmin_unbind_needed = false; + if (m_krb5admHandle) { + retcode = 0; + } + else { + retcode = bindKAdmin(NULL, errstr); + kadmin_unbind_needed = true; + } if (retcode == 0) { retcode = 1; krb5_principal user_kadm5_principal; @@ -1313,8 +1326,10 @@ krb5_free_principal(m_krb5admContext, user_kadm5_principal); } - unbindKAdmin(); - unbind(true); // Using kadmin can disrupt our LDAP connection + if (kadmin_unbind_needed) { + unbindKAdmin(); + unbind(true); // Using kadmin can disrupt our LDAP connection + } } return retcode; @@ -1843,147 +1858,151 @@ } int LDAPManager::kAdminAddNewPrincipal(TQString principalName, TQString newPassword, TQString *errstr) { - if (bind() < 0) { - return -1; + int retcode; + kadm5_ret_t krb5adm_ret; + int i; + char* password = NULL; + + bool kadmin_unbind_needed = false; + if (m_krb5admHandle) { + retcode = 0; } else { - int retcode; - kadm5_ret_t krb5adm_ret; - int i; - char* password = NULL; + retcode = bindKAdmin(NULL, errstr); + kadmin_unbind_needed = true; + } + if (retcode == 0) { + retcode = 1; + bool generate_password; + if (newPassword == "") { + generate_password = true; + } + else { + generate_password = false; + password = strdup(newPassword.ascii()); + } - retcode = bindKAdmin(errstr); - if (retcode == 0) { - retcode = 1; - bool generate_password; - if (newPassword == "") { - generate_password = true; - } - else { - generate_password = false; - password = strdup(newPassword.ascii()); - } + // Construct and add new principal record + kadm5_principal_ent_rec principal_record; + kadm5_principal_ent_rec default_record; + kadm5_principal_ent_rec *default_entry = NULL; + krb5_principal principal_entry = NULL; + int mask = 0; - // Construct and add new principal record - kadm5_principal_ent_rec principal_record; - kadm5_principal_ent_rec default_record; - kadm5_principal_ent_rec *default_entry = NULL; - krb5_principal principal_entry = NULL; - int mask = 0; + memset(&principal_record, 0, sizeof(principal_record)); + krb5adm_ret = krb5_parse_name(m_krb5admContext, principalName.ascii(), &principal_entry); + if (krb5adm_ret) { + if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute krb5_parse_name (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); + } + principal_record.principal = principal_entry; + mask |= KADM5_PRINCIPAL; - memset(&principal_record, 0, sizeof(principal_record)); - krb5adm_ret = krb5_parse_name(m_krb5admContext, principalName.ascii(), &principal_entry); - if (krb5adm_ret) { - if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute krb5_parse_name (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); - } - principal_record.principal = principal_entry; - mask |= KADM5_PRINCIPAL; + default_entry = &default_record; + krb5adm_ret = kadm5_get_default_principal_info(m_krb5admContext, m_krb5admHandle, principal_entry, default_entry); + if (krb5adm_ret) { + default_entry = NULL; + if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute kadm5_get_default_principal_info (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); + } + else { + // Use defaults + principal_record.max_life = default_entry->max_life; + principal_record.max_renewable_life = default_entry->max_renewable_life; + principal_record.princ_expire_time = default_entry->princ_expire_time; + principal_record.pw_expiration = default_entry->pw_expiration; + principal_record.attributes = default_entry->attributes & ~KRB5_KDB_DISALLOW_ALL_TIX; + principal_record.policy = strdup(default_entry->policy); - default_entry = &default_record; - krb5adm_ret = kadm5_get_default_principal_info(m_krb5admContext, m_krb5admHandle, principal_entry, default_entry); - if (krb5adm_ret) { - default_entry = NULL; - if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute kadm5_get_default_principal_info (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); - } - else { - // Use defaults - principal_record.max_life = default_entry->max_life; - principal_record.max_renewable_life = default_entry->max_renewable_life; - principal_record.princ_expire_time = default_entry->princ_expire_time; - principal_record.pw_expiration = default_entry->pw_expiration; - principal_record.attributes = default_entry->attributes & ~KRB5_KDB_DISALLOW_ALL_TIX; - principal_record.policy = strdup(default_entry->policy); + if (generate_password) { + const char charset[] = + "@$%&*()-+=:,/<>?0123456789" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz"; + const size_t max_index = (sizeof(charset) - 2); - if (generate_password) { - const char charset[] = - "@$%&*()-+=:,/<>?0123456789" - "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz"; - const size_t max_index = (sizeof(charset) - 2); - - TQFile randomNode("/dev/urandom"); - if (randomNode.open(IO_ReadOnly)) { - password = (char*)malloc(sizeof(char) * KRB5_ANK_RANDOM_PASSWORD_LENGTH); - if (password) { - if (randomNode.readBlock(password, KRB5_ANK_RANDOM_PASSWORD_LENGTH) < KRB5_ANK_RANDOM_PASSWORD_LENGTH) { - free(password); - password = NULL; - } - else { - for (i = 0; i < KRB5_ANK_RANDOM_PASSWORD_LENGTH - 1; i++) { - while ((unsigned char)password[i] > max_index) { - password[i] -= max_index; - } - password[i] = charset[(int)password[i]]; - } - password[i] = 0; - } - } - randomNode.close(); - } + TQFile randomNode("/dev/urandom"); + if (randomNode.open(IO_ReadOnly)) { + password = (char*)malloc(sizeof(char) * KRB5_ANK_RANDOM_PASSWORD_LENGTH); if (password) { - principal_record.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; - mask |= KADM5_ATTRIBUTES; + if (randomNode.readBlock(password, KRB5_ANK_RANDOM_PASSWORD_LENGTH) < KRB5_ANK_RANDOM_PASSWORD_LENGTH) { + free(password); + password = NULL; + } + else { + for (i = 0; i < KRB5_ANK_RANDOM_PASSWORD_LENGTH - 1; i++) { + while ((unsigned char)password[i] > max_index) { + password[i] -= max_index; + } + password[i] = charset[(int)password[i]]; + } + password[i] = 0; + } } - else { - if (errstr) *errstr = i18n("Unable to generate random password"); - } + randomNode.close(); } - if (password) { - krb5adm_ret = kadm5_create_principal(m_krb5admHandle, &principal_record, mask, password); - if (krb5adm_ret) { - if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute kadm5_create_principal (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); - } - else { - if (generate_password) { - krb5_keyblock *new_keys; - int key_count; - krb5adm_ret = kadm5_randkey_principal(m_krb5admHandle, principal_entry, &new_keys, &key_count); - if (krb5adm_ret) { - key_count = 0; - } - for (i = 0; i < key_count; i++) { - krb5_free_keyblock_contents(m_krb5admContext, &new_keys[i]); - } - if (key_count > 0) { - free(new_keys); - } - kadm5_get_principal(m_krb5admHandle, principal_entry, &principal_record, KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); - krb5_free_principal(m_krb5admContext, principal_entry); - principal_entry = principal_record.principal; - principal_record.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); - principal_record.kvno = 1; - krb5adm_ret = kadm5_modify_principal(m_krb5admHandle, &principal_record, KADM5_ATTRIBUTES | KADM5_KVNO); - if (krb5adm_ret) { - if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute kadm5_modify_principal (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); - } - else { - retcode = 0; - } + principal_record.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + mask |= KADM5_ATTRIBUTES; ** Diff limit reached (max: 250 lines) ** |