1 2 /* 3 * kadmin/ldap_util/kdb5_ldap_policy.c 4 */ 5 6 /* 7 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 8 * Use is subject to license terms. 9 */ 10 11 /* Copyright (c) 2004-2005, Novell, Inc. 12 * All rights reserved. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions are met: 16 * 17 * * Redistributions of source code must retain the above copyright notice, 18 * this list of conditions and the following disclaimer. 19 * * Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * * The copyright holder's name is not used to endorse or promote products 23 * derived from this software without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 26 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 29 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 30 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 31 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 32 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 33 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 34 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 /* 39 * Create / Delete / Modify / View / List policy objects. 40 */ 41 42 #include <stdio.h> 43 #include <time.h> 44 #include <k5-int.h> 45 #include <kadm5/admin.h> 46 #include <libintl.h> 47 #include <locale.h> 48 #include "kdb5_ldap_util.h" 49 #include "kdb5_ldap_list.h" 50 #include "ldap_tkt_policy.h" 51 extern time_t get_date(char *); /* kadmin/cli/getdate.o */ 52 53 static void print_policy_params(krb5_ldap_policy_params *policyparams, int mask); 54 static char *strdur(time_t duration); 55 56 extern char *yes; 57 extern kadm5_config_params global_params; 58 59 static krb5_error_code init_ldap_realm (int argc, char *argv[]) { 60 /* This operation is being performed in the context of a realm. So, 61 * initialize the realm */ 62 int mask = 0; 63 krb5_error_code retval = 0; 64 kdb5_dal_handle *dal_handle = NULL; 65 krb5_ldap_context *ldap_context=NULL; 66 67 dal_handle = (kdb5_dal_handle *) util_context->db_context; 68 ldap_context = (krb5_ldap_context *) dal_handle->db_context; 69 if (!ldap_context) { 70 retval = EINVAL; 71 goto cleanup; 72 } 73 74 if (ldap_context->krbcontainer == NULL) { 75 retval = krb5_ldap_read_krbcontainer_params (util_context, 76 &(ldap_context->krbcontainer)); 77 if (retval != 0) { 78 /* Solaris Kerberos */ 79 com_err(progname, retval, gettext("while reading kerberos container information")); 80 goto cleanup; 81 } 82 } 83 84 if (ldap_context->lrparams == NULL) { 85 retval = krb5_ldap_read_realm_params(util_context, 86 global_params.realm, 87 &(ldap_context->lrparams), 88 &mask); 89 90 if (retval != 0) { 91 goto cleanup; 92 } 93 } 94 cleanup: 95 return retval; 96 } 97 98 /* 99 * This function will create a ticket policy object with the 100 * specified attributes. 101 */ 102 void 103 kdb5_ldap_create_policy(argc, argv) 104 int argc; 105 char *argv[]; 106 { 107 /* Solaris Kerberos */ 108 char *me = progname; 109 110 krb5_error_code retval = 0; 111 krb5_ldap_policy_params *policyparams = NULL; 112 krb5_boolean print_usage = FALSE; 113 krb5_boolean no_msg = FALSE; 114 int mask = 0; 115 time_t date = 0; 116 time_t now = 0; 117 int i = 0; 118 119 /* Check for number of arguments */ 120 if ((argc < 2) || (argc > 16)) { 121 goto err_usage; 122 } 123 124 /* Allocate memory for policy parameters structure */ 125 policyparams = (krb5_ldap_policy_params*) calloc(1, sizeof(krb5_ldap_policy_params)); 126 if (policyparams == NULL) { 127 retval = ENOMEM; 128 goto cleanup; 129 } 130 131 /* Get current time */ 132 time (&now); 133 134 /* Parse all arguments */ 135 for (i = 1; i < argc; i++) { 136 if (!strcmp(argv[i], "-maxtktlife")) { 137 if (++i > argc - 1) 138 goto err_usage; 139 140 date = get_date(argv[i]); 141 if (date == (time_t)(-1)) { 142 retval = EINVAL; 143 com_err (me, retval, gettext("while providing time specification")); 144 goto err_nomsg; 145 } 146 147 policyparams->maxtktlife = date - now; 148 149 mask |= LDAP_POLICY_MAXTKTLIFE; 150 } else if (!strcmp(argv[i], "-maxrenewlife")) { 151 if (++i > argc - 1) 152 goto err_usage; 153 154 date = get_date(argv[i]); 155 if (date == (time_t)(-1)) { 156 retval = EINVAL; 157 com_err (me, retval, gettext("while providing time specification")); 158 goto err_nomsg; 159 } 160 161 policyparams->maxrenewlife = date - now; 162 163 mask |= LDAP_POLICY_MAXRENEWLIFE; 164 } else if (!strcmp((argv[i] + 1), "allow_postdated")) { 165 if (*(argv[i]) == '+') 166 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); 167 else if (*(argv[i]) == '-') 168 policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; 169 else 170 goto err_usage; 171 172 mask |= LDAP_POLICY_TKTFLAGS; 173 } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { 174 if (*(argv[i]) == '+') 175 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); 176 else if (*(argv[i]) == '-') 177 policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; 178 else 179 goto err_usage; 180 181 mask |= LDAP_POLICY_TKTFLAGS; 182 } else if (!strcmp((argv[i] + 1), "allow_renewable")) { 183 if (*(argv[i]) == '+') 184 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); 185 else if (*(argv[i]) == '-') 186 policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; 187 else 188 goto err_usage; 189 190 mask |= LDAP_POLICY_TKTFLAGS; 191 } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { 192 if (*(argv[i]) == '+') 193 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); 194 else if (*(argv[i]) == '-') 195 policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; 196 else 197 goto err_usage; 198 199 mask |= LDAP_POLICY_TKTFLAGS; 200 } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { 201 if (*(argv[i]) == '+') 202 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); 203 else if (*(argv[i]) == '-') 204 policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; 205 else 206 goto err_usage; 207 208 mask |= LDAP_POLICY_TKTFLAGS; 209 } else if (!strcmp((argv[i] + 1), "requires_preauth")) { 210 if (*(argv[i]) == '+') 211 policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; 212 else if (*(argv[i]) == '-') 213 policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); 214 else 215 goto err_usage; 216 217 mask |= LDAP_POLICY_TKTFLAGS; 218 } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { 219 if (*(argv[i]) == '+') 220 policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; 221 else if (*(argv[i]) == '-') 222 policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); 223 else 224 goto err_usage; 225 226 mask |= LDAP_POLICY_TKTFLAGS; 227 } else if (!strcmp((argv[i] + 1), "allow_svr")) { 228 if (*(argv[i]) == '+') 229 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); 230 else if (*(argv[i]) == '-') 231 policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; 232 else 233 goto err_usage; 234 235 mask |= LDAP_POLICY_TKTFLAGS; 236 } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { 237 if (*(argv[i]) == '+') 238 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); 239 else if (*(argv[i]) == '-') 240 policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; 241 else 242 goto err_usage; 243 244 mask |= LDAP_POLICY_TKTFLAGS; 245 } else if (!strcmp((argv[i] + 1), "allow_tix")) { 246 if (*(argv[i]) == '+') 247 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); 248 else if (*(argv[i]) == '-') 249 policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; 250 else 251 goto err_usage; 252 253 mask |= LDAP_POLICY_TKTFLAGS; 254 } else if (!strcmp((argv[i] + 1), "needchange")) { 255 if (*(argv[i]) == '+') 256 policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; 257 else if (*(argv[i]) == '-') 258 policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); 259 else 260 goto err_usage; 261 262 mask |= LDAP_POLICY_TKTFLAGS; 263 } else if (!strcmp((argv[i] + 1), "password_changing_service")) { 264 if (*(argv[i]) == '+') 265 policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; 266 else if (*(argv[i]) == '-') 267 policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); 268 else 269 goto err_usage; 270 271 mask |= LDAP_POLICY_TKTFLAGS; 272 } else { /* Any other argument must be policy DN */ 273 /* First check if policy DN is already provided -- 274 if so, there's a usage error */ 275 if (policyparams->policy != NULL) 276 goto err_usage; 277 278 /* If not present already, fill up policy DN */ 279 policyparams->policy = strdup(argv[i]); 280 if (policyparams->policy == NULL) { 281 retval = ENOMEM; 282 com_err(me, retval, gettext("while creating policy object")); 283 goto err_nomsg; 284 } 285 } 286 } 287 288 /* policy DN is a mandatory argument. If not provided, print usage */ 289 if (policyparams->policy == NULL) 290 goto err_usage; 291 292 if ((retval = init_ldap_realm (argc, argv))) { 293 com_err(me, retval, gettext("while reading realm information")); 294 goto err_nomsg; 295 } 296 297 /* Create object with all attributes provided */ 298 if ((retval = krb5_ldap_create_policy(util_context, policyparams, mask)) != 0) 299 goto cleanup; 300 301 goto cleanup; 302 303 err_usage: 304 print_usage = TRUE; 305 306 err_nomsg: 307 no_msg = TRUE; 308 309 cleanup: 310 /* Clean-up structure */ 311 krb5_ldap_free_policy (util_context, policyparams); 312 313 if (print_usage) 314 db_usage(CREATE_POLICY); 315 316 if (retval) { 317 if (!no_msg) 318 com_err(me, retval, gettext("while creating policy object")); 319 320 exit_status++; 321 } 322 323 return; 324 } 325 326 327 /* 328 * This function will destroy the specified ticket policy 329 * object interactively, unless forced through an option. 330 */ 331 void 332 kdb5_ldap_destroy_policy(argc, argv) 333 int argc; 334 char *argv[]; 335 { 336 /* Solaris Kerberos */ 337 char *me = progname; 338 339 krb5_error_code retval = 0; 340 krb5_ldap_policy_params *policyparams = NULL; 341 krb5_boolean print_usage = FALSE; 342 krb5_boolean no_msg = FALSE; 343 char *policy = NULL; 344 unsigned int mask = 0; 345 int force = 0; 346 char buf[5] = {0}; 347 int i = 0; 348 349 if ((argc < 2) || (argc > 3)) { 350 goto err_usage; 351 } 352 353 for (i = 1; i < argc; i++) { 354 if (strcmp(argv[i], "-force") == 0) { 355 force++; 356 } else { /* Any other argument must be policy DN */ 357 /* First check if policy DN is already provided -- 358 if so, there's a usage error */ 359 if (policy != NULL) 360 goto err_usage; 361 362 /* If not present already, fill up policy DN */ 363 policy = strdup(argv[i]); 364 if (policy == NULL) { 365 retval = ENOMEM; 366 com_err(me, retval, gettext("while destroying policy object")); 367 goto err_nomsg; 368 } 369 } 370 } 371 372 if (policy == NULL) 373 goto err_usage; 374 375 if (!force) { 376 printf(gettext("This will delete the policy object '%s', are you sure?\n"), policy); 377 printf(gettext("(type 'yes' to confirm)? ")); 378 379 if (fgets(buf, sizeof(buf), stdin) == NULL) { 380 retval = EINVAL; 381 goto cleanup; 382 } 383 384 if (strcmp(buf, yes)) { 385 exit_status++; 386 goto cleanup; 387 } 388 } 389 390 if ((retval = init_ldap_realm (argc, argv))) 391 goto err_nomsg; 392 393 if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) 394 goto cleanup; 395 396 397 if ((retval = krb5_ldap_delete_policy(util_context, policy))) 398 goto cleanup; 399 400 printf(gettext("** policy object '%s' deleted.\n"), policy); 401 goto cleanup; 402 403 404 err_usage: 405 print_usage = TRUE; 406 407 err_nomsg: 408 no_msg = TRUE; 409 410 cleanup: 411 /* Clean-up structure */ 412 krb5_ldap_free_policy (util_context, policyparams); 413 414 if (policy) { 415 free (policy); 416 } 417 418 if (print_usage) { 419 db_usage(DESTROY_POLICY); 420 } 421 422 if (retval) { 423 if (!no_msg) 424 com_err(me, retval, gettext("while destroying policy object")); 425 426 exit_status++; 427 } 428 429 return; 430 } 431 432 433 /* 434 * This function will modify the attributes of a given ticket 435 * policy object. 436 */ 437 void 438 kdb5_ldap_modify_policy(argc, argv) 439 int argc; 440 char *argv[]; 441 { 442 /* Solaris Kerberos */ 443 char *me = progname; 444 445 krb5_error_code retval = 0; 446 krb5_ldap_policy_params *policyparams = NULL; 447 krb5_boolean print_usage = FALSE; 448 krb5_boolean no_msg = FALSE; 449 char *policy = NULL; 450 unsigned int in_mask = 0, out_mask = 0; 451 time_t date = 0; 452 time_t now = 0; 453 int i = 0; 454 455 /* Check for number of arguments -- minimum is 3 456 since atleast one parameter should be given in 457 addition to 'modify_policy' and policy DN */ 458 if ((argc < 3) || (argc > 16)) { 459 goto err_usage; 460 } 461 462 /* Parse all arguments, only to pick up policy DN (Pass 1) */ 463 for (i = 1; i < argc; i++) { 464 /* Skip arguments next to 'maxtktlife' 465 and 'maxrenewlife' arguments */ 466 if (!strcmp(argv[i], "-maxtktlife")) { 467 ++i; 468 } else if (!strcmp(argv[i], "-maxrenewlife")) { 469 ++i; 470 } 471 /* Do nothing for ticket flag arguments */ 472 else if (!strcmp((argv[i] + 1), "allow_postdated") || 473 !strcmp((argv[i] + 1), "allow_forwardable") || 474 !strcmp((argv[i] + 1), "allow_renewable") || 475 !strcmp((argv[i] + 1), "allow_proxiable") || 476 !strcmp((argv[i] + 1), "allow_dup_skey") || 477 !strcmp((argv[i] + 1), "requires_preauth") || 478 !strcmp((argv[i] + 1), "requires_hwauth") || 479 !strcmp((argv[i] + 1), "allow_svr") || 480 !strcmp((argv[i] + 1), "allow_tgs_req") || 481 !strcmp((argv[i] + 1), "allow_tix") || 482 !strcmp((argv[i] + 1), "needchange") || 483 !strcmp((argv[i] + 1), "password_changing_service")) { 484 } else { /* Any other argument must be policy DN */ 485 /* First check if policy DN is already provided -- 486 if so, there's a usage error */ 487 if (policy != NULL) 488 goto err_usage; 489 490 /* If not present already, fill up policy DN */ 491 policy = strdup(argv[i]); 492 if (policy == NULL) { 493 retval = ENOMEM; 494 com_err(me, retval, gettext("while modifying policy object")); 495 goto err_nomsg; 496 } 497 } 498 } 499 500 if (policy == NULL) 501 goto err_usage; 502 503 if ((retval = init_ldap_realm (argc, argv))) 504 goto cleanup; 505 506 retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &in_mask); 507 if (retval) { 508 com_err(me, retval, gettext("while reading information of policy '%s'"), policy); 509 goto err_nomsg; 510 } 511 512 /* Get current time */ 513 time (&now); 514 515 /* Parse all arguments, but skip policy DN (Pass 2) */ 516 for (i = 1; i < argc; i++) { 517 if (!strcmp(argv[i], "-maxtktlife")) { 518 if (++i > argc - 1) 519 goto err_usage; 520 521 date = get_date(argv[i]); 522 if (date == (time_t)(-1)) { 523 retval = EINVAL; 524 com_err (me, retval, gettext("while providing time specification")); 525 goto err_nomsg; 526 } 527 528 policyparams->maxtktlife = date - now; 529 530 out_mask |= LDAP_POLICY_MAXTKTLIFE; 531 } else if (!strcmp(argv[i], "-maxrenewlife")) { 532 if (++i > argc - 1) 533 goto err_usage; 534 535 date = get_date(argv[i]); 536 if (date == (time_t)(-1)) { 537 retval = EINVAL; 538 com_err (me, retval, gettext("while providing time specification")); 539 goto err_nomsg; 540 } 541 542 policyparams->maxrenewlife = date - now; 543 544 out_mask |= LDAP_POLICY_MAXRENEWLIFE; 545 } else if (!strcmp((argv[i] + 1), "allow_postdated")) { 546 if (*(argv[i]) == '+') 547 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); 548 else if (*(argv[i]) == '-') 549 policyparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; 550 else 551 goto err_usage; 552 553 out_mask |= LDAP_POLICY_TKTFLAGS; 554 } else if (!strcmp((argv[i] + 1), "allow_forwardable")) { 555 if (*(argv[i]) == '+') 556 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); 557 else if (*(argv[i]) == '-') 558 policyparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; 559 else 560 goto err_usage; 561 562 out_mask |= LDAP_POLICY_TKTFLAGS; 563 } else if (!strcmp((argv[i] + 1), "allow_renewable")) { 564 if (*(argv[i]) == '+') 565 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); 566 else if (*(argv[i]) == '-') 567 policyparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; 568 else 569 goto err_usage; 570 571 out_mask |= LDAP_POLICY_TKTFLAGS; 572 } else if (!strcmp((argv[i] + 1), "allow_proxiable")) { 573 if (*(argv[i]) == '+') 574 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); 575 else if (*(argv[i]) == '-') 576 policyparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; 577 else 578 goto err_usage; 579 580 out_mask |= LDAP_POLICY_TKTFLAGS; 581 } else if (!strcmp((argv[i] + 1), "allow_dup_skey")) { 582 if (*(argv[i]) == '+') 583 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); 584 else if (*(argv[i]) == '-') 585 policyparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; 586 else 587 goto err_usage; 588 589 out_mask |= LDAP_POLICY_TKTFLAGS; 590 } else if (!strcmp((argv[i] + 1), "requires_preauth")) { 591 if (*(argv[i]) == '+') 592 policyparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; 593 else if (*(argv[i]) == '-') 594 policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); 595 else 596 goto err_usage; 597 598 out_mask |= LDAP_POLICY_TKTFLAGS; 599 } else if (!strcmp((argv[i] + 1), "requires_hwauth")) { 600 if (*(argv[i]) == '+') 601 policyparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; 602 else if (*(argv[i]) == '-') 603 policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); 604 else 605 goto err_usage; 606 607 out_mask |= LDAP_POLICY_TKTFLAGS; 608 } else if (!strcmp((argv[i] + 1), "allow_svr")) { 609 if (*(argv[i]) == '+') 610 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); 611 else if (*(argv[i]) == '-') 612 policyparams->tktflags |= KRB5_KDB_DISALLOW_SVR; 613 else 614 goto err_usage; 615 616 out_mask |= LDAP_POLICY_TKTFLAGS; 617 } else if (!strcmp((argv[i] + 1), "allow_tgs_req")) { 618 if (*(argv[i]) == '+') 619 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); 620 else if (*(argv[i]) == '-') 621 policyparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; 622 else 623 goto err_usage; 624 625 out_mask |= LDAP_POLICY_TKTFLAGS; 626 } else if (!strcmp((argv[i] + 1), "allow_tix")) { 627 if (*(argv[i]) == '+') 628 policyparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); 629 else if (*(argv[i]) == '-') 630 policyparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; 631 else 632 goto err_usage; 633 634 out_mask |= LDAP_POLICY_TKTFLAGS; 635 } else if (!strcmp((argv[i] + 1), "needchange")) { 636 if (*(argv[i]) == '+') 637 policyparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; 638 else if (*(argv[i]) == '-') 639 policyparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); 640 else 641 goto err_usage; 642 643 out_mask |= LDAP_POLICY_TKTFLAGS; 644 } else if (!strcmp((argv[i] + 1), "password_changing_service")) { 645 if (*(argv[i]) == '+') 646 policyparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; 647 else if (*(argv[i]) == '-') 648 policyparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); 649 else 650 goto err_usage; 651 652 out_mask |= LDAP_POLICY_TKTFLAGS; 653 } else { 654 /* Any other argument must be policy DN 655 -- skip it */ 656 } 657 } 658 659 /* Modify attributes of object */ 660 if ((retval = krb5_ldap_modify_policy(util_context, policyparams, out_mask))) 661 goto cleanup; 662 663 goto cleanup; 664 665 err_usage: 666 print_usage = TRUE; 667 668 err_nomsg: 669 no_msg = TRUE; 670 671 cleanup: 672 /* Clean-up structure */ 673 krb5_ldap_free_policy (util_context, policyparams); 674 675 if (policy) 676 free (policy); 677 678 if (print_usage) 679 db_usage(MODIFY_POLICY); 680 681 if (retval) { 682 if (!no_msg) 683 com_err(me, retval, gettext("while modifying policy object")); 684 685 exit_status++; 686 } 687 688 return; 689 } 690 691 692 /* 693 * This function will display information about the given policy object, 694 * fetching the information from the LDAP Server. 695 */ 696 void 697 kdb5_ldap_view_policy(argc, argv) 698 int argc; 699 char *argv[]; 700 { 701 /* Solaris Kerberos */ 702 char *me = progname; 703 704 krb5_ldap_policy_params *policyparams = NULL; 705 krb5_error_code retval = 0; 706 krb5_boolean print_usage = FALSE; 707 char *policy = NULL; 708 unsigned int mask = 0; 709 710 if (argc != 2) { 711 goto err_usage; 712 } 713 714 policy = strdup(argv[1]); 715 if (policy == NULL) { 716 com_err(me, ENOMEM, gettext("while viewing policy")); 717 exit_status++; 718 goto cleanup; 719 } 720 721 if ((retval = init_ldap_realm (argc, argv))) 722 goto cleanup; 723 724 if ((retval = krb5_ldap_read_policy(util_context, policy, &policyparams, &mask))) { 725 com_err(me, retval, gettext("while viewing policy '%s'"), policy); 726 exit_status++; 727 goto cleanup; 728 } 729 730 print_policy_params (policyparams, mask); 731 732 goto cleanup; 733 734 err_usage: 735 print_usage = TRUE; 736 737 cleanup: 738 krb5_ldap_free_policy (util_context, policyparams); 739 740 if (policy) 741 free (policy); 742 743 if (print_usage) { 744 db_usage(VIEW_POLICY); 745 } 746 747 return; 748 } 749 750 751 /* 752 * This function will print the policy object information to the 753 * standard output. 754 */ 755 static void 756 print_policy_params(policyparams, mask) 757 krb5_ldap_policy_params *policyparams; 758 int mask; 759 { 760 /* Print the policy DN */ 761 printf("%25s: %s\n", gettext("Ticket policy"), policyparams->policy); 762 763 /* Print max. ticket life and max. renewable life, if present */ 764 if (mask & LDAP_POLICY_MAXTKTLIFE) 765 printf("%25s: %s\n", gettext("Maximum ticket life"), strdur(policyparams->maxtktlife)); 766 if (mask & LDAP_POLICY_MAXRENEWLIFE) 767 printf("%25s: %s\n", gettext("Maximum renewable life"), strdur(policyparams->maxrenewlife)); 768 769 /* Service flags are printed */ 770 printf("%25s: ", gettext("Ticket flags")); 771 if (mask & LDAP_POLICY_TKTFLAGS) { 772 int ticketflags = policyparams->tktflags; 773 774 if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) 775 printf("%s ","DISALLOW_POSTDATED"); 776 777 if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) 778 printf("%s ","DISALLOW_FORWARDABLE"); 779 780 if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) 781 printf("%s ","DISALLOW_RENEWABLE"); 782 783 if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) 784 printf("%s ","DISALLOW_PROXIABLE"); 785 786 if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) 787 printf("%s ","DISALLOW_DUP_SKEY"); 788 789 if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) 790 printf("%s ","REQUIRES_PRE_AUTH"); 791 792 if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) 793 printf("%s ","REQUIRES_HW_AUTH"); 794 795 if (ticketflags & KRB5_KDB_DISALLOW_SVR) 796 printf("%s ","DISALLOW_SVR"); 797 798 if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) 799 printf("%s ","DISALLOW_TGT_BASED"); 800 801 if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) 802 printf("%s ","DISALLOW_ALL_TIX"); 803 804 if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) 805 printf("%s ","REQUIRES_PWCHANGE"); 806 807 if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) 808 printf("%s ","PWCHANGE_SERVICE"); 809 } 810 printf("\n"); 811 812 return; 813 } 814 815 816 /* 817 * This function will list the DNs of policy objects under a specific 818 * sub-tree (entire tree by default) 819 */ 820 void kdb5_ldap_list_policies(argc, argv) 821 int argc; 822 char *argv[]; 823 { 824 /* Solaris Kerberos */ 825 char *me = progname; 826 827 krb5_error_code retval = 0; 828 krb5_boolean print_usage = FALSE; 829 char *basedn = NULL; 830 char **list = NULL; 831 char **plist = NULL; 832 833 /* Check for number of arguments */ 834 if ((argc != 1) && (argc != 3)) { 835 goto err_usage; 836 } 837 838 if ((retval = init_ldap_realm (argc, argv))) 839 goto cleanup; 840 841 retval = krb5_ldap_list_policy(util_context, basedn, &list); 842 if ((retval != 0) || (list == NULL)) 843 goto cleanup; 844 845 for (plist = list; *plist != NULL; plist++) { 846 printf("%s\n", *plist); 847 } 848 849 goto cleanup; 850 851 err_usage: 852 print_usage = TRUE; 853 854 cleanup: 855 if (list != NULL) { 856 krb5_free_list_entries (list); 857 free (list); 858 } 859 860 if (basedn) 861 free (basedn); 862 863 if (print_usage) { 864 db_usage(LIST_POLICY); 865 } 866 867 if (retval) { 868 com_err(me, retval, gettext("while listing policy objects")); 869 exit_status++; 870 } 871 872 return; 873 } 874 875 876 /* Reproduced from kadmin.c, instead of linking 877 the entire kadmin.o */ 878 static char *strdur(duration) 879 time_t duration; 880 { 881 static char out[50]; 882 int neg, days, hours, minutes, seconds; 883 884 if (duration < 0) { 885 duration *= -1; 886 neg = 1; 887 } else 888 neg = 0; 889 days = duration / (24 * 3600); 890 duration %= 24 * 3600; 891 hours = duration / 3600; 892 duration %= 3600; 893 minutes = duration / 60; 894 duration %= 60; 895 seconds = duration; 896 snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", 897 days, days == 1 ? gettext("day") : gettext("days"), 898 hours, minutes, seconds); 899 return out; 900 } 901