ldap_service_rights.c [plain text]
#include "ldap_main.h"
#include "ldap_services.h"
#include "ldap_err.h"
#ifdef HAVE_EDIRECTORY
static char *kdcrights_subtree[][2] = {
{"1#subtree#","#[Entry Rights]"},
{"2#subtree#","#CN"},
{"6#subtree#","#ObjectClass"},
{"2#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbHostServer"},
{"2#subtree#","#krbServiceFlags"},
{"2#subtree#","#krbRealmReferences"},
{"2#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
{"2#subtree#","#krbMaxRenewableAge"},
{"2#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
{"2#subtree#","#krbPwdPolicyReference"},
{"2#subtree#","#krbMaxPwdLife"},
{"6#subtree#","#ModifiersName"},
{"2#subtree#","#PasswordExpirationTime"},
{"2#subtree#","#PasswordExpirationInterval"},
{"2#subtree#","#PasswordMinimumLength"},
{"2#subtree#","#PasswordAllowChange"},
{"2#subtree#","#LoginDisabled"},
{"6#subtree#","#LastLoginTime"},
{"2#subtree#","#LoginExpirationTime"},
{"6#subtree#","#LoginIntruderAttempts"},
{"2#subtree#","#IntruderAttemptResetInterval"},
{"2#subtree#","#LoginIntruderLimit"},
{"6#subtree#","#LoginIntruderResetTime"},
{"2#subtree#","#DetectIntruder"},
{"2#subtree#","#LockoutAfterDetection"},
{"6#subtree#","#LockedByIntruder"},
{"2#subtree#","#krbPrincipalReferences"},
{ "", "" }
};
static char *adminrights_subtree[][2]={
{"15#subtree#","#[Entry Rights]"},
{"6#subtree#","#CN"},
{"6#subtree#","#ObjectClass"},
{"6#subtree#","#krbTicketPolicyReference"},
{"6#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbHostServer"},
{"2#subtree#","#krbServiceFlags"},
{"2#subtree#","#krbRealmReferences"},
{"6#subtree#","#krbTicketFlags"},
{"6#subtree#","#krbMaxTicketLife"},
{"6#subtree#","#krbMaxRenewableAge"},
{"6#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"6#subtree#","#krbPrincipalExpiration"},
{"6#subtree#","#ModifiersName"},
{"6#subtree#","#PasswordExpirationTime"},
{"2#subtree#","#PasswordExpirationInterval"},
{"6#subtree#","#PasswordMinimumLength"},
{"6#subtree#","#PasswordAllowChange"},
{"6#subtree#","#LoginDisabled"},
{"2#subtree#","#LastLoginTime"},
{"2#subtree#","#LoginExpirationTime"},
{"2#subtree#","#LoginIntruderAttempts"},
{"6#subtree#","#IntruderAttemptResetInterval"},
{"6#subtree#","#LoginIntruderLimit"},
{"6#subtree#","#LoginIntruderResetTime"},
{"6#subtree#","#DetectIntruder"},
{"6#subtree#","#LockoutAfterDetection"},
{"2#subtree#","#LockedByIntruder"},
{"2#subtree#","#krbPrincipalReferences"},
{"6#subtree#","#Surname"},
{"4#subtree#","#passwordManagement"},
{"6#subtree#","#krbPwdHistoryLength"},
{"6#subtree#","#krbMinPwdLife"},
{"6#subtree#","#krbMaxPwdLife"},
{"6#subtree#","#krbPwdMinDiffChars"},
{"6#subtree#","#krbPwdMinLength"},
{"6#subtree#","#krbPwdPolicyReference"},
{ "","" }
};
static char *pwdrights_subtree[][2] = {
{"1#subtree#","#[Entry Rights]"},
{"2#subtree#","#CN"},
{"2#subtree#","#ObjectClass"},
{"2#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbHostServer"},
{"2#subtree#","#krbServiceFlags"},
{"2#subtree#","#krbRealmReferences"},
{"6#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
{"2#subtree#","#krbMaxRenewableAge"},
{"2#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
{"4#subtree#","#passwordManagement"},
{"6#subtree#","#ModifiersName"},
{"2#subtree#","#krbPwdHistoryLength"},
{"2#subtree#","#krbMinPwdLife"},
{"2#subtree#","#krbMaxPwdLife"},
{"2#subtree#","#krbPwdMinDiffChars"},
{"2#subtree#","#krbPwdMinLength"},
{"2#subtree#","#krbPwdPolicyReference"},
{ "", "" }
};
static char *kdcrights_realmcontainer[][2]={
{"1#subtree#","#[Entry Rights]"},
{"2#subtree#","#CN"},
{"6#subtree#","#ObjectClass"},
{"2#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbMKey"},
{"2#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbSubTrees"},
{"2#subtree#","#krbPrincContainerRef"},
{"2#subtree#","#krbSearchScope"},
{"2#subtree#","#krbLdapServers"},
{"2#subtree#","#krbSupportedEncSaltTypes"},
{"2#subtree#","#krbDefaultEncSaltTypes"},
{"2#subtree#","#krbKdcServers"},
{"2#subtree#","#krbPwdServers"},
{"2#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
{"2#subtree#","#krbMaxRenewableAge"},
{"2#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
{"2#subtree#","#krbPwdPolicyReference"},
{"2#subtree#","#krbMaxPwdLife"},
{"6#subtree#","#ModifiersName"},
{"2#subtree#","#PasswordExpirationTime"},
{"2#subtree#","#PasswordExpirationInterval"},
{"2#subtree#","#PasswordMinimumLength"},
{"2#subtree#","#PasswordAllowChange"},
{"2#subtree#","#LoginDisabled"},
{"6#subtree#","#LastLoginTime"},
{"2#subtree#","#LoginExpirationTime"},
{"6#subtree#","#LoginIntruderAttempts"},
{"2#subtree#","#IntruderAttemptResetInterval"},
{"2#subtree#","#LoginIntruderLimit"},
{"6#subtree#","#LoginIntruderResetTime"},
{"2#subtree#","#DetectIntruder"},
{"2#subtree#","#LockoutAfterDetection"},
{"6#subtree#","#LockedByIntruder"},
{ "", "" }
};
static char *adminrights_realmcontainer[][2]={
{"15#subtree#","#[Entry Rights]"},
{"6#subtree#","#CN"},
{"6#subtree#","#ObjectClass"},
{"6#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbMKey"},
{"6#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbSubTrees"},
{"2#subtree#","#krbPrincContainerRef"},
{"2#subtree#","#krbSearchScope"},
{"2#subtree#","#krbLdapServers"},
{"2#subtree#","#krbSupportedEncSaltTypes"},
{"2#subtree#","#krbDefaultEncSaltTypes"},
{"2#subtree#","#krbKdcServers"},
{"2#subtree#","#krbPwdServers"},
{"6#subtree#","#krbTicketFlags"},
{"6#subtree#","#krbMaxTicketLife"},
{"6#subtree#","#krbMaxRenewableAge"},
{"6#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"6#subtree#","#krbPrincipalExpiration"},
{"6#subtree#","#ModifiersName"},
{"6#subtree#","#PasswordExpirationTime"},
{"2#subtree#","#PasswordExpirationInterval"},
{"6#subtree#","#PasswordMinimumLength"},
{"6#subtree#","#PasswordAllowChange"},
{"6#subtree#","#LoginDisabled"},
{"2#subtree#","#LastLoginTime"},
{"2#subtree#","#LoginExpirationTime"},
{"2#subtree#","#LoginIntruderAttempts"},
{"6#subtree#","#IntruderAttemptResetInterval"},
{"6#subtree#","#LoginIntruderLimit"},
{"6#subtree#","#LoginIntruderResetTime"},
{"6#subtree#","#DetectIntruder"},
{"6#subtree#","#LockoutAfterDetection"},
{"2#subtree#","#LockedByIntruder"},
{"6#subtree#","#Surname"},
{"6#subtree#","#krbPwdHistoryLength"},
{"6#subtree#","#krbMinPwdLife"},
{"6#subtree#","#krbMaxPwdLife"},
{"6#subtree#","#krbPwdMinDiffChars"},
{"6#subtree#","#krbPwdMinLength"},
{"6#subtree#","#krbPwdPolicyReference"},
{ "","" }
};
static char *pwdrights_realmcontainer[][2]={
{"1#subtree#","#[Entry Rights]"},
{"2#subtree#","#CN"},
{"2#subtree#","#ObjectClass"},
{"2#subtree#","#krbTicketPolicyReference"},
{"2#subtree#","#krbMKey"},
{"2#subtree#","#krbUPEnabled"},
{"2#subtree#","#krbSubTrees"},
{"2#subtree#","#krbPrincContainerRef"},
{"2#subtree#","#krbSearchScope"},
{"2#subtree#","#krbLdapServers"},
{"2#subtree#","#krbSupportedEncSaltTypes"},
{"2#subtree#","#krbDefaultEncSaltTypes"},
{"2#subtree#","#krbKdcServers"},
{"2#subtree#","#krbPwdServers"},
{"6#subtree#","#krbTicketFlags"},
{"2#subtree#","#krbMaxTicketLife"},
{"2#subtree#","#krbMaxRenewableAge"},
{"2#subtree#","#krbPrincipalName"},
{"6#subtree#","#krbPrincipalKey"},
{"2#subtree#","#krbPrincipalExpiration"},
{"6#subtree#","#ModifiersName"},
{"2#subtree#","#krbPwdHistoryLength"},
{"2#subtree#","#krbMinPwdLife"},
{"2#subtree#","#krbMaxPwdLife"},
{"2#subtree#","#krbPwdMinDiffChars"},
{"2#subtree#","#krbPwdMinLength"},
{"2#subtree#","#krbPwdPolicyReference"},
{ "", "" }
};
static char *security_container[][2] = {
{"1#subtree#","#[Entry Rights]"},
{"2#subtree#","#krbContainerReference"},
{ "", "" }
};
static char *kerberos_container[][2] = {
{"1#subtree#","#[Entry Rights]"},
{"2#subtree#","#krbTicketPolicyReference"},
{ "", "" }
};
krb5_error_code
krb5_ldap_add_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
krb5_context context;
int servicetype;
char *serviceobjdn;
char *realmname;
char **subtreeparam;
int mask;
{
int st=0,i=0;
char *realmacls[2]={NULL}, *subtreeacls[2]={NULL}, *seccontacls[2]={NULL}, *krbcontacls[2]={NULL};
LDAP *ld;
LDAPMod realmclass, subtreeclass, seccontclass, krbcontclass;
LDAPMod *realmarr[3]={NULL}, *subtreearr[3]={NULL}, *seccontarr[3]={NULL}, *krbcontarr[3]={NULL};
char *realmdn=NULL, **subtree=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
int subtreecount=0;
SETUP_CONTEXT();
GET_HANDLE();
if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
|| (ldap_context->krbcontainer->DN == NULL)) {
st=-1;
goto cleanup;
}
subtreecount=ldap_context->lrparams->subtreecount;
subtree = (char **) malloc(sizeof(char *) * (subtreecount + 1));
if(subtree == NULL) {
st = ENOMEM;
goto cleanup;
}
if(subtreeparam == NULL) {
subtree[0] = strdup("");
if(subtree[0] == NULL) {
st = ENOMEM;
goto cleanup;
}
}
else {
for (i=0; subtree[i] != NULL && i<subtreecount; i++) {
subtree[i] = strdup(subtreeparam[i]);
if(subtree[i] == NULL) {
st = ENOMEM;
goto cleanup;
}
}
}
seccontclass.mod_op = LDAP_MOD_ADD;
seccontclass.mod_type = "ACL";
for (i=0; strcmp(security_container[i][0], "") != 0; i++) {
seccontacls[0] = (char *)malloc(strlen(security_container[i][0]) +
strlen(serviceobjdn) +
strlen(security_container[i][1]) + 1);
sprintf(seccontacls[0], "%s%s%s", security_container[i][0], serviceobjdn,
security_container[i][1]);
seccontclass.mod_values = seccontacls;
seccontarr[0] = &seccontclass;
st = ldap_modify_ext_s(ld,
SECURITY_CONTAINER,
seccontarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(seccontacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(seccontacls[0]);
}
krbcontclass.mod_op = LDAP_MOD_ADD;
krbcontclass.mod_type = "ACL";
for (i=0; strcmp(kerberos_container[i][0], "") != 0; i++) {
krbcontacls[0] = (char *)malloc(strlen(kerberos_container[i][0]) + strlen(serviceobjdn)
+ strlen(kerberos_container[i][1]) + 1);
sprintf(krbcontacls[0], "%s%s%s", kerberos_container[i][0], serviceobjdn,
kerberos_container[i][1]);
krbcontclass.mod_values = krbcontacls;
krbcontarr[0] = &krbcontclass;
st = ldap_modify_ext_s(ld,
ldap_context->krbcontainer->DN,
krbcontarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(krbcontacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(krbcontacls[0]);
}
if (mask & LDAP_REALM_RIGHTS) {
realmdn = (char *)malloc(strlen("cn=") + strlen(realmname) +
strlen(ldap_context->krbcontainer->DN) + 2);
sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
realmclass.mod_op = LDAP_MOD_ADD;
realmclass.mod_type = "ACL";
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
realmacls[0] = (char *)malloc(strlen(kdcrights_realmcontainer[i][0])
+ strlen(serviceobjdn) +
strlen(kdcrights_realmcontainer[i][1]) + 1);
sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
kdcrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
realmarr[0] = &realmclass;
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(realmacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
strlen(serviceobjdn) +
strlen(adminrights_realmcontainer[i][1]) + 1);
sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
adminrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
realmarr[0] = &realmclass;
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(realmacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_realmcontainer[i][0], "")!=0; i++) {
realmacls[0] = (char *) malloc(strlen(pwdrights_realmcontainer[i][0]) +
strlen(serviceobjdn) +
strlen(pwdrights_realmcontainer[i][1]) + 1);
sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
pwdrights_realmcontainer[i][1]);
realmclass.mod_values = realmacls;
realmarr[0] = &realmclass;
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(realmacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
}
}
if (mask & LDAP_SUBTREE_RIGHTS) {
subtreeclass.mod_op = LDAP_MOD_ADD;
subtreeclass.mod_type = "ACL";
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0]) +
strlen(serviceobjdn) +
strlen(kdcrights_subtree[i][1]) + 1);
sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
kdcrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
subtreearr[0] = &subtreeclass;
for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
st = ldap_modify_ext_s(ld,
subtree[i],
subtreearr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(subtreeacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
free(subtreeacls[0]);
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_subtree[i][0], "")!=0; i++) {
subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
+ strlen(serviceobjdn)
+ strlen(adminrights_subtree[i][1]) + 1);
sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
adminrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
subtreearr[0] = &subtreeclass;
for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
st = ldap_modify_ext_s(ld,
subtree[i],
subtreearr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st !=LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(subtreeacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
free(subtreeacls[0]);
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
subtreeacls[0] = (char *)malloc(strlen(pwdrights_subtree[i][0])
+ strlen(serviceobjdn)
+ strlen(pwdrights_subtree[i][1]) + 1);
sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
pwdrights_subtree[i][1]);
subtreeclass.mod_values = subtreeacls;
subtreearr[0] = &subtreeclass;
for(i=0; subtree[i]!=NULL && i<subtreecount;i++) {
st = ldap_modify_ext_s(ld,
subtree[i],
subtreearr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_TYPE_OR_VALUE_EXISTS && st != LDAP_OTHER) {
free(subtreeacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
free(subtreeacls[0]);
}
}
}
st = 0;
cleanup:
if (realmdn)
free(realmdn);
if (subtree)
free(subtree);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
krb5_error_code
krb5_ldap_delete_service_rights(context, servicetype, serviceobjdn, realmname, subtreeparam, mask)
krb5_context context;
int servicetype;
char *serviceobjdn;
char *realmname;
char **subtreeparam;
int mask;
{
int st=0,i=0;
char *realmacls[2] = { NULL }, *subtreeacls[2] = { NULL };
LDAP *ld;
LDAPMod realmclass, subtreeclass;
LDAPMod *realmarr[3] = { NULL }, *subtreearr[3] = { NULL };
char *realmdn=NULL;
char **subtree=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
int subtreecount = 0;
SETUP_CONTEXT();
GET_HANDLE();
if ((serviceobjdn == NULL) || (realmname == NULL) || (servicetype < 0) || (servicetype > 4)
|| (ldap_context->krbcontainer->DN == NULL)) {
st = -1;
goto cleanup;
}
subtreecount = 1;
while(subtreeparam[subtreecount])
subtreecount++;
subtree = (char **) malloc(sizeof(char *) * subtreecount + 1);
if(subtree == NULL) {
st = ENOMEM;
goto cleanup;
}
if(subtreeparam == NULL) {
subtree[0] = strdup("");
if(subtree[0] == NULL) {
st = ENOMEM;
goto cleanup;
}
}
else {
for(i=0; subtreeparam[i]!=NULL && i<subtreecount; i++)
subtree[i] = strdup(subtreeparam[i]);
if(subtree[i] == NULL) {
st = ENOMEM;
goto cleanup;
}
}
if (mask & LDAP_REALM_RIGHTS) {
realmdn = (char *) malloc(strlen("cn=") + strlen(realmname) +
strlen(ldap_context->krbcontainer->DN) + 2);
sprintf(realmdn,"cn=%s,%s", realmname, ldap_context->krbcontainer->DN);
realmclass.mod_op=LDAP_MOD_DELETE;
realmclass.mod_type="ACL";
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_realmcontainer[i][0], "") != 0; i++) {
realmacls[0] = (char *) malloc(strlen(kdcrights_realmcontainer[i][0])
+ strlen(serviceobjdn) +
strlen(kdcrights_realmcontainer[i][1]) + 1);
sprintf(realmacls[0], "%s%s%s", kdcrights_realmcontainer[i][0], serviceobjdn,
kdcrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
realmarr[0]=&realmclass;
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(realmacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_realmcontainer[i][0], "") != 0; i++) {
realmacls[0] = (char *) malloc(strlen(adminrights_realmcontainer[i][0]) +
strlen(serviceobjdn) +
strlen(adminrights_realmcontainer[i][1]) + 1);
sprintf(realmacls[0], "%s%s%s", adminrights_realmcontainer[i][0], serviceobjdn,
adminrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
realmarr[0]=&realmclass;
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(realmacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_realmcontainer[i][0], "") != 0; i++) {
realmacls[0]=(char *)malloc(strlen(pwdrights_realmcontainer[i][0])
+ strlen(serviceobjdn)
+ strlen(pwdrights_realmcontainer[i][1]) + 1);
sprintf(realmacls[0], "%s%s%s", pwdrights_realmcontainer[i][0], serviceobjdn,
pwdrights_realmcontainer[i][1]);
realmclass.mod_values= realmacls;
realmarr[0]=&realmclass;
st = ldap_modify_ext_s(ld,
realmdn,
realmarr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(realmacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
free(realmacls[0]);
}
}
}
if (mask & LDAP_SUBTREE_RIGHTS) {
subtreeclass.mod_op=LDAP_MOD_DELETE;
subtreeclass.mod_type="ACL";
if (servicetype == LDAP_KDC_SERVICE) {
for (i=0; strcmp(kdcrights_subtree[i][0], "")!=0; i++) {
subtreeacls[0] = (char *) malloc(strlen(kdcrights_subtree[i][0])
+ strlen(serviceobjdn)
+ strlen(kdcrights_subtree[i][1]) + 1);
sprintf(subtreeacls[0], "%s%s%s", kdcrights_subtree[i][0], serviceobjdn,
kdcrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
subtreearr[0]=&subtreeclass;
for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
st = ldap_modify_ext_s(ld,
subtree[i],
subtreearr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(subtreeacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
free(subtreeacls[0]);
}
} else if (servicetype == LDAP_ADMIN_SERVICE) {
for (i=0; strcmp(adminrights_subtree[i][0], "") != 0; i++) {
subtreeacls[0] = (char *) malloc(strlen(adminrights_subtree[i][0])
+ strlen(serviceobjdn)
+ strlen(adminrights_subtree[i][1]) + 1);
sprintf(subtreeacls[0], "%s%s%s", adminrights_subtree[i][0], serviceobjdn,
adminrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
subtreearr[0]=&subtreeclass;
for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
st = ldap_modify_ext_s(ld,
subtree[i],
subtreearr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(subtreeacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
free(subtreeacls[0]);
}
} else if (servicetype == LDAP_PASSWD_SERVICE) {
for (i=0; strcmp(pwdrights_subtree[i][0], "") != 0; i++) {
subtreeacls[0] = (char *) malloc(strlen(pwdrights_subtree[i][0])
+ strlen(serviceobjdn)
+ strlen(pwdrights_subtree[i][1]) + 1);
sprintf(subtreeacls[0], "%s%s%s", pwdrights_subtree[i][0], serviceobjdn,
pwdrights_subtree[i][1]);
subtreeclass.mod_values= subtreeacls;
subtreearr[0]=&subtreeclass;
for(i=0; subtree[i]!=NULL && i<subtreecount; i++) {
st = ldap_modify_ext_s(ld,
subtree[i],
subtreearr,
NULL,
NULL);
if (st != LDAP_SUCCESS && st != LDAP_NO_SUCH_ATTRIBUTE) {
free(subtreeacls[0]);
st = set_ldap_error (context, st, OP_MOD);
goto cleanup;
}
}
free(subtreeacls[0]);
}
}
}
st = 0;
cleanup:
if (realmdn)
free(realmdn);
if (subtree)
free(subtree);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
#endif