Initial implementation of Kerberos password verification for

simple bind via:
	{KERBEROS}principal
Code is disabled by default (for security reasons).  Use
--enable-kpasswd to enable.  Behind SLAPD_KPASSWD.
Reworked Kerberos detection and split out KBIND as independent
feature (--disable-kbind) (LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND).
KBIND depends upon detection of KRB4 (or KRB425) support.  Detection,
building with eBones (as distributed with FreeBSD 3.4) okay, but
wasn't able to test as I don't have a K4 KDC handy.
--with-kerberos has a number of detection options... most likely
don't work properly.
Kurt Zeilenga 2000-01-08 18:42:11 +00:00
parent 6e11a98d28
commit 6437785a82
42 changed files with 1928 additions and 1402 deletions


@ -49,6 +49,7 @@
LDAP_API_FEATURE_X_OPENLDAP_REENTRANT
LDAP_API_FEATURE_X_OPENLDAP_THREAD_SAFE
LDAP_API_FEATURE_X_OPENLDAP_V2_DNS
LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
LDAP_API_FEATURE_X_OPENLDAP_V2_REFERRALS
*/


@ -121,10 +121,12 @@ AC_DEFS = @CPPFLAGS@ # @DEFS@
AC_LDFLAGS = @LDFLAGS@
AC_LIBS = @LIBS@
KRB_LIBS = @KRB_LIBS@
KRB4_LIBS = @KRB4_LIBS@
KRB5_LIBS = @KRB5_LIBS@
KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@
SASL_LIBS = @SASL_LIBS@
TLS_LIBS = @TLS_LIBS@
SECURITY_LIBS = @SASL_LIBS@ @KRB_LIBS@ @TLS_LIBS@
SECURITY_LIBS = @SASL_LIBS@ $(KRB_LIBS) @TLS_LIBS@
MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
MODULES_LDFLAGS = @SLAPD_MODULES_LDFLAGS@


@ -50,7 +50,7 @@ main( int argc, char **argv )
while (( i = getopt( argc, argv, "WMnvkKcrh:P:p:D:w:d:f:" )) != EOF ) {
switch( i ) {
case 'k': /* kerberos bind */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);
@ -59,7 +59,7 @@ main( int argc, char **argv )
#endif
break;
case 'K': /* kerberos bind, part one only */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);


@ -138,7 +138,7 @@ main( int argc, char **argv )
replace = 1;
break;
case 'k': /* kerberos bind */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);
@ -147,7 +147,7 @@ main( int argc, char **argv )
#endif
break;
case 'K': /* kerberos bind, part 1 only */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);


@ -64,7 +64,7 @@ main(int argc, char **argv)
while (( i = getopt( argc, argv, "WkKMcnvrh:P:p:D:w:d:f:s:" )) != EOF ) {
switch( i ) {
case 'k': /* kerberos bind */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);
@ -72,7 +72,7 @@ main(int argc, char **argv)
#endif
break;
case 'K': /* kerberos bind, part one only */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);


@ -63,7 +63,7 @@ usage( const char *s )
" -D binddn\tbind dn\n"
" -w passwd\tbind passwd (for simple authentication)\n"
" -W\t\tprompt for bind passwd\n"
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
" -k\t\tuse Kerberos instead of Simple Password authentication\n"
#endif
" -h host\tldap server\n"
@ -143,14 +143,14 @@ main( int argc, char **argv )
debug |= atoi( optarg );
break;
case 'k': /* use kerberos bind */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);
#endif
break;
case 'K': /* use kerberos bind, 1st part only */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf (stderr, "%s was not compiled with Kerberos support\n", argv[0]);


@ -37,7 +37,7 @@
#include "ldap_defaults.h"
#include "ud.h"
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
static char tktpath[20]; /* ticket file path */
static int kinit();
static int valid_tgt();
@ -60,7 +60,7 @@ auth( char *who, int implicit )
char *user;
#endif
char uidname[20];
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char **krbnames; /* for kerberos names */
int kinited, ikrb;
char buf[5];
@ -148,7 +148,7 @@ auth( char *who, int implicit )
rdns = ldap_explode_dn(Entry.DN, TRUE);
printf(" Authenticating to the directory as \"%s\"...\n", *rdns );
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
/*
* First, if the user has a choice of auth methods, ask which
* one they want to use. if they want kerberos, ask which
@ -247,7 +247,7 @@ auth( char *who, int implicit )
(void) ldap_value_free(rdns);
return(0);
}
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
}
(void) ldap_value_free(krbnames);
#endif
@ -259,13 +259,13 @@ auth( char *who, int implicit )
if (ld_errno == LDAP_NO_SUCH_ATTRIBUTE)
fprintf(stderr, " Entry has no password\n");
else if (ld_errno == LDAP_INVALID_CREDENTIALS)
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if ( authmethod == LDAP_AUTH_KRBV4 ) {
fprintf(stderr, " The Kerberos credentials are invalid.\n");
} else {
#endif
fprintf(stderr, " The password you provided is incorrect.\n");
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
}
#endif
else
@ -294,7 +294,7 @@ auth( char *who, int implicit )
return(0);
}
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#define FIVEMINS ( 5 * 60 )
#define TGT "krbtgt"


@ -44,7 +44,7 @@ struct attribute attrlist[] = {
#ifdef UOFM
{ "multiLineDescription", "Description", change_field, ATTR_FLAG_PERSON | ATTR_FLAG_GROUP | ATTR_FLAG_READ | ATTR_FLAG_PERSON_MOD | ATTR_FLAG_GROUP_MOD | ATTR_FLAG_IS_MULTILINE },
#endif
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
{ "krbName", "Kerberos name", 0, ATTR_FLAG_PERSON | ATTR_FLAG_READ },
#endif
{ "description", "Brief description", 0, ATTR_FLAG_PERSON | ATTR_FLAG_GROUP | ATTR_FLAG_READ },


@ -280,7 +280,7 @@ do_commands( void )
printf(" Thank you!\n");
ldap_unbind(ld);
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
destroy_tickets();
#endif
exit( EXIT_SUCCESS );


@ -5,7 +5,7 @@
*/
#include "portable.h"
#if defined(HAVE_KERBEROS) && !defined(openbsd)
#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd)
/*
* Copyright 1985, 1986, 1987, 1988, 1989 by the Massachusetts Institute
* of Technology.


@ -85,7 +85,7 @@
/*
* Authentication method we will be using.
*/
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#define UD_AUTH_METHOD LDAP_AUTH_KRBV4
#else
#define UD_AUTH_METHOD LDAP_AUTH_SIMPLE
@ -193,7 +193,7 @@ extern char Version[];
/* in auth.c: */
int auth LDAP_P(( char *who, int implicit ));
#if defined(HAVE_KERBEROS) && defined(_AC_KRB_H)
#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && defined(_AC_KRB_H)
int krbgetpass LDAP_P(( char *u, char *in, char *re, char *pw, C_Block key ));
void destroy_tickets LDAP_P(( void ));
#endif
@ -264,7 +264,7 @@ void print_URL LDAP_P(( struct attribute A ));
void print_one_URL LDAP_P(( char *s, int l_lead, char *tag, int u_lead ));
/* in string_to_key.c: */
#if defined(HAVE_KERBEROS) && !defined(openbsd) && defined(_AC_KRB_H)
#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd) && defined(_AC_KRB_H)
#if defined(HAVE_AFS_KERBEROS) || !defined(HAVE_KERBEROS_V)
void des_string_to_key LDAP_P(( char *str, des_cblock *key ));
#endif


@ -104,7 +104,7 @@ fatal( char *s )
{
if (errno != 0)
perror(s);
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
destroy_tickets();
#endif
exit( EXIT_FAILURE );

2695
configure vendored

File diff suppressed because it is too large Load Diff


@ -1,6 +1,6 @@
dnl $OpenLDAP$
dnl
dnl Copyright 1998,1999 The OpenLDAP Foundation. All Rights Reserved.
dnl Copyright 1998-2000 The OpenLDAP Foundation. All Rights Reserved.
dnl
dnl Redistribution and use in source and binary forms are permitted only
dnl as authorized by the OpenLDAP Public License. A copy of this
@ -15,14 +15,14 @@ define([AC_INIT_BINSH],
# $]OpenLDAP[$
# from] translit([$OpenLDAP$], $")] [
# Copyright 1998,1999 The OpenLDAP Foundation. All Rights Reserved.
# Copyright 1998-2000 The OpenLDAP Foundation. All Rights Reserved.
#
# Redistribution and use in source and binary forms are permitted only
# as authorized by the OpenLDAP Public License. A copy of this
# license is available at http://www.OpenLDAP.org/license.html or
# in file LICENSE in the top-level directory of the distribution.
echo "Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved."
echo "Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved."
echo "Copying restrictions apply, see COPYRIGHT file."
])dnl
dnl ----------------------------------------------------------------
@ -96,6 +96,7 @@ OL_ARG_ENABLE(proctitle,[ --enable-proctitle enable proctitle support], yes)dnl
OL_ARG_ENABLE(cache,[ --enable-cache enable caching], yes)dnl
OL_ARG_ENABLE(dns,[ --enable-dns enable V2 DX Referrals extension], no)dnl
OL_ARG_ENABLE(referrals,[ --enable-referrals enable V2 Referrals extension], yes)dnl
OL_ARG_ENABLE(kbind,[ --enable-kbind enable V2 Kerberos IV bind], auto)dnl
OL_ARG_ENABLE(cldap,[ --enable-cldap enable connectionless ldap], no)dnl
OL_ARG_ENABLE(ldapi,[ --enable-ldapi enable domain socket (PF_LOCAL) ldap], no)dnl
OL_ARG_ENABLE(x_compile,[ --enable-x-compile enable cross compiling],
@ -109,8 +110,8 @@ OL_ARG_WITH(cyrus_sasl,[ --with-cyrus-sasl with Cyrus SASL support],
auto, [auto yes no] )
OL_ARG_WITH(fetch,[ --with-fetch with fetch URL support],
auto, [auto yes no] )
OL_ARG_WITH(kerberos,[ --with-kerberos with Kerberos support],
auto, [auto k5 kth k4 afs yes no])
OL_ARG_WITH(kerberos,[ --with-kerberos with support],
auto, [auto k5 k5only k425 kth k4 afs yes no])
OL_ARG_WITH(readline,[ --with-readline with readline support],
auto, [auto yes no] )
OL_ARG_WITH(threads,[ --with-threads use threads],
@ -133,6 +134,7 @@ AC_ARG_WITH(xxslapdoptions,[SLAPD (Standalone LDAP Daemon) Options:])
OL_ARG_ENABLE(slapd,[ --enable-slapd enable building slapd], yes)dnl
OL_ARG_ENABLE(cleartext,[ --enable-cleartext enable cleartext passwords], yes)dnl
OL_ARG_ENABLE(crypt,[ --enable-crypt enable crypt(3) passwords], auto)dnl
OL_ARG_ENABLE(kpasswd,[ --enable-kpasswd enable kerberos password verification], no)dnl
OL_ARG_ENABLE(modules,[ --enable-modules enable dynamic module support], no)dnl
OL_ARG_ENABLE(multimaster,[ --enable-multimaster enable multimaster replication], no)dnl
OL_ARG_ENABLE(phonetic,[ --enable-phonetic enable phonetic/soundex], no)dnl
@ -380,6 +382,12 @@ if test $ol_enable_slurpd = yes ; then
fi
fi
if test $ol_enable_kbind = yes -o $ol_enable_kpasswd = yes ; then
if test $ol_with_kerberos = no ; then
AC_MSG_ERROR([options require --with-kerberos])
fi
fi
AC_MSG_RESULT(done)
dnl ----------------------------------------------------------------
@ -425,7 +433,8 @@ MOD_PERL_LDFLAGS=
PERL_CPPFLAGS=
MOD_TCL_LIB=
KRB_LIBS=
KRB4_LIBS=
KRB5_LIBS=
READLINE_LIBS=
SASL_LIBS=
TERMCAP_LIBS=
@ -818,28 +827,96 @@ fi
dnl ----------------------------------------------------------------
dnl Kerberos
ol_link_kerberos=no
ol_link_krb5=no
if test $ol_with_kerberos = auto -o $ol_with_kerberos = k5 \
-o $ol_with_kerberos = k5only -o $ol_with_kerberos = k425 ; then
AC_CHECK_HEADERS(krb5.h)
if test $ac_cv_header_krb5_h = yes ; then
dnl lazy check for Heimdal Kerberos
AC_CHECK_HEADERS(heim_err.h)
if test $ac_cv_header_heim_err_h = yes ; then
krb5_impl=heimdal
else
krb5_impl=mit
fi
if test $krb5_impl = mit; then
AC_CHECK_LIB(krb5, main,
[have_krb5=yes
KRB5_LIBS="-lkrb5 -lcrypto -lcom_err"],
[have_krb5=no],
[-lcrypto -lcom_err])
elif test $krb5_impl = heimdal; then
AC_CHECK_LIB(krb5, main,
[have_krb5=yes
KRB5_LIBS="-lkrb5 -ldes -lasn1 -lroken -lcom_err"],
[have_krb5=no],
[-ldes -lasn1 -lroken -lcom_err])
AC_DEFINE(HAVE_HEIMDAL_KERBEROS, 1,
[define if you have HEIMDAL Kerberos])
else
have_krb5=no
AC_MSG_WARN([Unrecongized Kerberos5 Implementation])
fi
if test $have_krb5 = yes ; then
ol_link_krb5=yes
AC_DEFINE(HAVE_KRB5, 1,
[define if you have Kerberos V])
if test $ol_with_kerberos = k5only ; then
ol_with_kerberos=found
fi
elif test $ol_with_kerberos != auto ; then
AC_MSG_ERROR([Required Kerberos 5 support not available])
fi
fi
fi
ol_link_krb4=no
if test $ol_link_krb5 = yes -a \
\( $ol_with_kerberos = auto -o $ol_with_kerberos = k425 \) ; then
if test $ol_with_kerberos = auto -o $ol_with_kerberos = k5 ; then
AC_CHECK_HEADERS(kerberosIV/krb.h kerberosIV/des.h)
if test $ac_cv_header_kerberosIV_krb_h = yes ; then
AC_CHECK_LIB(krb4, main, [have_k5=yes], [have_k5=no],
[-lkrb5 -ldes425 -lcrypto -lcom_err])
if test $krb5_impl = mit; then
AC_CHECK_LIB(krb4, main, [have_k425=yes
KRB4_LIBS="-lkrb4 -ldes425"], [have_k425=no],
[-ldes425 -lkrb5 -lcrypto -lcom_err])
if test $have_k5 = yes ; then
elif test $krb5_impl = heimdal; then
AC_CHECK_LIB(krb4, main, [have_k425=yes
KRB4_LIBS="-lkrb4"], [have_k425=no],
[-lkrb5 -ldes -lasn1 -lroken -lcom_err])
else
have_425=no
AC_MSG_WARN([Unrecongized Kerberos5 Implementation])
fi
if test $have_k425 = yes ; then
ol_with_kerberos=found
ol_link_kerberos=yes
ol_link_krb4=yes
KRB_LIBS="-lkrb4 -lkrb5 -ldes425 -lcrypto -lcom_err"
LIBS="$KRB_LIBS $LIBS"
AC_DEFINE(HAVE_KRB425, 1,
[define if you have Kerberos V with IV support])
AC_DEFINE(HAVE_KRB4, 1,
[define if you have Kerberos IV])
AC_CACHE_CHECK([for des_debug in Kerberos libraries],
[ol_cv_var_des_debug], [
dnl save the flags
save_LIBS="$LIBS"
LIBS="$KRB_LIBS $LIBS"
LIBS="$KRB4_LIBS $KRB5_LIBS $LIBS"
AC_TRY_LINK([
#include <kerberosIV/krb.h>
#include <kerberosIV/des.h>
@ -861,6 +938,10 @@ des_debug = 1;
fi
fi
if test $ol_link_krb5 = yes ; then
ol_with_kerberos=found
fi
if test $ol_with_kerberos = auto -o $ol_with_kerberos = k4 \
-o $ol_with_kerberos = kth ; then
@ -871,9 +952,12 @@ if test $ol_with_kerberos = auto -o $ol_with_kerberos = k4 \
if test $have_k4 = yes ; then
ol_with_kerberos=found
ol_link_kerberos=yes
ol_link_krb4=yes
KRB_LIBS="-lkrb -ldes"
AC_DEFINE(HAVE_KRB4, 1,
[define if you have Kerberos IV])
KRB4_LIBS="-lkrb -ldes"
if test $ac_cv_header_krb_archaeology_h = yes ; then
AC_DEFINE(HAVE_KTH_KERBEROS, 1,
@ -883,11 +967,11 @@ if test $ol_with_kerberos = auto -o $ol_with_kerberos = k4 \
fi
fi
if test $ol_link_kerberos = yes ; then
if test $ol_link_krb4 = yes -o $ol_link_krb5 = yes ; then
AC_DEFINE(HAVE_KERBEROS, 1, [define if you have Kerberos])
elif test $ol_with_kerberos != auto -a $ol_with_kerberos != no ; then
AC_ERROR([Kerberos detection failed.])
AC_MSG_ERROR([Kerberos detection failed.])
fi
dnl ----------------------------------------------------------------
@ -2067,6 +2151,9 @@ if test "$ol_enable_cache" = no ; then
AC_DEFINE(LDAP_NOCACHE,1,
[define this to remove -lldap cache support])
fi
if test "$ol_enable_kbind" != no ; then
AC_DEFINE(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND,LDAP_VENDOR_VERSION)
fi
if test "$ol_enable_dns" != no ; then
AC_DEFINE(LDAP_API_FEATURE_X_OPENLDAP_V2_DNS,LDAP_VENDOR_VERSION)
fi
@ -2084,11 +2171,14 @@ if test "$ol_enable_ldapi" != no; then
AC_DEFINE(USE_PF_LOCAL,1,[define to support PF_LOCAL transport])
fi
if test "$ol_enable_cleartext" != no ; then
AC_DEFINE(SLAPD_CLEARTEXT,1,[define to support cleartext passwords])
fi
if test "$ol_enable_crypt" != no ; then
AC_DEFINE(SLAPD_CRYPT,1,[define to support crypt(3) passwords])
fi
if test "$ol_enable_cleartext" != no ; then
AC_DEFINE(SLAPD_CLEARTEXT,1,[define to support cleartext passwords])
if test "$ol_enable_kpasswd" != no ; then
AC_DEFINE(SLAPD_KPASSWD,1,[define to support Kerberos passwords])
fi
if test "$ol_enable_multimaster" != no ; then
AC_DEFINE(SLAPD_MULTIMASTER,1,[define to support multimaster replication])
@ -2276,7 +2366,8 @@ AC_SUBST(PERL_CPPFLAGS)
AC_SUBST(SLAPD_PERL_LDFLAGS)
AC_SUBST(MOD_PERL_LDFLAGS)
AC_SUBST(KRB_LIBS)
AC_SUBST(KRB4_LIBS)
AC_SUBST(KRB5_LIBS)
AC_SUBST(READLINE_LIBS)
AC_SUBST(SASL_LIBS)
AC_SUBST(TERMCAP_LIBS)
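Review bot: In the KRB425 detection, the fallback branch sets `have_425=no` while the following test reads `$have_k425`, so with an unrecognized Kerberos 5 implementation `test $have_k425 = yes` runs with an empty operand; the assignment should be `have_k425=no`. The new help string `--with-kerberos with support` has lost the word "Kerberos", and both new warnings misspell "Unrecognized". Separately, `LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND` is defined whenever `$ol_enable_kbind` is not `no`, which includes the default `auto`; unless `auto` is resolved against `$ol_link_krb4` in lines outside these hunks, the Kerberos IV bind code would be enabled without a K4 library having been found.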


@ -10,10 +10,12 @@
* in file LICENSE in the top-level directory of the distribution.
*/
/* Kerberos IV */
#ifndef _AC_KRB_H
#define _AC_KRB_H
#if defined( HAVE_KERBEROS )
#if defined( HAVE_KRB4 )
#if defined( HAVE_KERBEROSIV_KRB_H )
#include <kerberosIV/krb.h>
@ -27,5 +29,5 @@
#include <des.h>
#endif
#endif /* HAVE_KERBEROS */
#endif /* HAVE_KRB4 */
#endif /* _AC_KRB_H */

22
include/ac/krb5.h Normal file

@ -0,0 +1,22 @@
/* Generic krb.h */
/* $OpenLDAP$ */
/*
* Copyright 1998,1999 The OpenLDAP Foundation, Redwood City, California, USA
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted only
* as authorized by the OpenLDAP Public License. A copy of this
* license is available at http://www.OpenLDAP.org/license.html or
* in file LICENSE in the top-level directory of the distribution.
*/
/* Kerberos V */
#ifndef _AC_KRB5_H
#define _AC_KRB5_H
#if defined( HAVE_KRB5 )
#include <krb5.h>
#endif /* HAVE_KRB5 */
#endif /* _AC_KRB5_H */
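Review bot: The header comment of the new include/ac/krb5.h still reads `/* Generic krb.h */`, apparently copied from the Kerberos IV wrapper; it should name this file, `/* Generic krb5.h */`. The copyright line says `1998,1999` although the file is created by a commit dated 2000, and configure.in in the same commit was moved to `1998-2000`.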


@ -50,6 +50,9 @@
/* LDAP v2 DNS */
#undef LDAP_API_FEATURE_X_OPENLDAP_V2_DNS
/* LDAP v2 Kerberos Bind */
#undef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
/* LDAP v2 Referrals */
#undef LDAP_API_FEATURE_X_OPENLDAP_V2_REFERRALS


@ -124,6 +124,7 @@
LDAP_API_FEATURE_X_OPENLDAP_REENTRANT
LDAP_API_FEATURE_X_OPENLDAP_THREAD_SAFE
LDAP_API_FEATURE_X_OPENLDAP_V2_DNS
LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
LDAP_API_FEATURE_X_OPENLDAP_V2_REFERRALS
*/
@ -381,6 +382,9 @@
/* Define if you have the <grp.h> header file. */
#undef HAVE_GRP_H
/* Define if you have the <heim_err.h> header file. */
#undef HAVE_HEIM_ERR_H
/* Define if you have the <io.h> header file. */
#undef HAVE_IO_H
@ -396,6 +400,9 @@
/* Define if you have the <krb.h> header file. */
#undef HAVE_KRB_H
/* Define if you have the <krb5.h> header file. */
#undef HAVE_KRB5_H
/* Define if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H
@ -531,9 +538,6 @@
/* Define if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define if you have the <sys/un.h> header file. */
#undef HAVE_SYS_UN_H
/* Define if you have the <sysexits.h> header file. */
#undef HAVE_SYSEXITS_H
@ -633,9 +637,24 @@
/* define if you have -lpp */
#undef HAVE_PP
/* define if you have HEIMDAL Kerberos */
#undef HAVE_HEIMDAL_KERBEROS
/* define if you have Kerberos V */
#undef HAVE_KRB5
/* define if you have Kerberos V with IV support */
#undef HAVE_KRB425
/* define if you have Kerberos IV */
#undef HAVE_KRB4
/* define if you have Kerberos des_debug */
#undef HAVE_DES_DEBUG
/* define if you have Kerberos IV */
#undef HAVE_KRB4
/* define if you have Kth Kerberos */
#undef HAVE_KTH_KERBEROS
@ -837,14 +856,17 @@
/* define to support CLDAP */
#undef LDAP_CONNECTIONLESS
/* define to support domain sockets */
#undef LDAP_PF_LOCAL
/* define to support PF_LOCAL transport */
#undef USE_PF_LOCAL
/* define to support cleartext passwords */
#undef SLAPD_CLEARTEXT
/* define to support crypt(3) passwords */
#undef SLAPD_CRYPT
/* define to support cleartext passwords */
#undef SLAPD_CLEARTEXT
/* define to support Kerberos passwords */
#undef SLAPD_KPASSWD
/* define to support multimaster replication */
#undef SLAPD_MULTIMASTER


@ -108,6 +108,7 @@ ber_memvfree( void **vec )
void *
ber_memalloc( ber_len_t s )
{
void *new;
ber_int_options.lbo_valid = LBER_INITIALIZED;
#ifdef LDAP_MEMORY_DEBUG
@ -127,21 +128,26 @@ ber_memalloc( ber_len_t s )
mh->bm_junk = BER_MEM_JUNK;
BER_MEM_VALID( &mh[1] );
return &mh[1];
new = &mh[1];
#else
return malloc( s );
new = malloc( s );
#endif
} else {
new = (*ber_int_memory_fns->bmf_malloc)( s );
}
assert( ber_int_memory_fns->bmf_malloc );
if( new == NULL ) {
ber_errno = LBER_ERROR_MEMORY;
}
return (*ber_int_memory_fns->bmf_malloc)( s );
return new;
}
void *
ber_memcalloc( ber_len_t n, ber_len_t s )
{
void *new;
ber_int_options.lbo_valid = LBER_INITIALIZED;
#ifdef LDAP_MEMORY_DEBUG
@ -160,21 +166,27 @@ ber_memcalloc( ber_len_t n, ber_len_t s )
mh->bm_junk = BER_MEM_JUNK;
BER_MEM_VALID( &mh[1] );
return &mh[1];
new = &mh[1];
#else
return calloc( n, s );
new = calloc( n, s );
#endif
} else {
new = (*ber_int_memory_fns->bmf_calloc)( n, s );
}
assert( ber_int_memory_fns->bmf_calloc );
if( new == NULL ) {
ber_errno = LBER_ERROR_MEMORY;
}
return (*ber_int_memory_fns->bmf_calloc)( n, s );
return new;
}
void *
ber_memrealloc( void* p, ber_len_t s )
{
void *new;
ber_int_options.lbo_valid = LBER_INITIALIZED;
/* realloc(NULL,s) -> malloc(s) */
@ -198,22 +210,26 @@ ber_memrealloc( void* p, ber_len_t s )
p = realloc( mh, s + sizeof(struct ber_mem_hdr) );
if( p == NULL ) return NULL;
if( p != NULL ) {
mh = p;
mh = p;
assert( mh->bm_junk == BER_MEM_JUNK );
assert( mh->bm_junk == BER_MEM_JUNK );
BER_MEM_VALID( &mh[1] );
return &mh[1];
BER_MEM_VALID( &mh[1] );
new = &mh[1];
}
#else
return realloc( p, s );
new = realloc( p, s );
#endif
} else {
new = (*ber_int_memory_fns->bmf_realloc)( p, s );
}
assert( ber_int_memory_fns->bmf_realloc );
if( new == NULL ) {
ber_errno = LBER_ERROR_MEMORY;
}
return (*ber_int_memory_fns->bmf_realloc)( p, s );
return new;
}
@ -365,6 +381,7 @@ ber_strdup( LDAP_CONST char *s )
#endif
if( s == NULL ) {
ber_errno = LBER_ERROR_PARAM;
return( NULL );
}
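Review bot: In the LDAP_MEMORY_DEBUG path of ber_memrealloc, `new` is assigned only inside `if( p != NULL ) { … }`, and the declaration shown is `void *new;` with no initializer, so a failed `realloc` appears to reach `if( new == NULL )` and `return new;` with an indeterminate pointer. Initializing it, `void *new = NULL;`, keeps the failure path returning NULL and setting `ber_errno` as the non-debug path does. Part of the function lies between the hunks, so confirm that no assignment outside the visible lines already covers this case. As a style point, `new` is a reserved word in C++ and a name such as `p_new` would keep the file usable from a C++ compiler.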


@ -16,7 +16,7 @@
* name DistinguishedName, -- who
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
* krbv42ldap [1] OCTET STRING
* krbv42dsa [2] OCTET STRING
#endif
@ -66,7 +66,7 @@ ldap_bind( LDAP *ld, LDAP_CONST char *dn, LDAP_CONST char *passwd, int authmetho
case LDAP_AUTH_SIMPLE:
return( ldap_simple_bind( ld, dn, passwd ) );
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
case LDAP_AUTH_KRBV41:
return( ldap_kerberos_bind1( ld, dn ) );
@ -111,7 +111,7 @@ ldap_bind_s(
case LDAP_AUTH_SIMPLE:
return( ldap_simple_bind_s( ld, dn, passwd ) );
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
case LDAP_AUTH_KRBV4:
return( ldap_kerberos_bind_s( ld, dn ) );


@ -16,7 +16,7 @@
* name DistinguishedName, -- who
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
* krbv42ldap [1] OCTET STRING
* krbv42dsa [2] OCTET STRING
#endif
@ -33,7 +33,7 @@
#include "portable.h"
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#include <stdio.h>
#include <ac/stdlib.h>
@ -303,4 +303,4 @@ ldap_get_kerberosv4_credentials(
}
#endif /* !AUTHMAN */
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */


@ -349,7 +349,7 @@ LIBLDAP_F (int) ldap_int_put_controls LDAP_P((
LIBLDAP_F (int) next_line_tokens LDAP_P(( char **bufp, ber_len_t *blenp, char ***toksp ));
LIBLDAP_F (void) free_strarray LDAP_P(( char **sap ));
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
/*
* in kerberos.c
*/
@ -359,7 +359,7 @@ LIBLDAP_F (char *) ldap_get_kerberosv4_credentials LDAP_P((
LDAP_CONST char *service,
ber_len_t *len ));
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
/*
@ -377,9 +377,9 @@ LIBLDAP_F (int) ldap_connect_to_host( LDAP *ld, Sockbuf *sb, const char *host, u
LIBLDAP_F (void) ldap_close_connection( Sockbuf *sb );
#if defined(HAVE_KERBEROS) || defined(HAVE_TLS) || defined(HAVE_CYRUS_SASL)
#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) || defined(HAVE_TLS) || defined(HAVE_CYRUS_SASL)
LIBLDAP_F (char *) ldap_host_connected_to( Sockbuf *sb );
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
LIBLDAP_F (void) ldap_int_ip_init( void );
LIBLDAP_F (int) do_ldap_select( LDAP *ld, struct timeval *timeout );


@ -321,15 +321,15 @@ open_ldap_connection( LDAP *ld, Sockbuf *sb, LDAPURLDesc *srv,
#endif
if ( krbinstancep != NULL ) {
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char *c;
if (( *krbinstancep = ldap_host_connected_to( sb )) != NULL &&
( c = strchr( *krbinstancep, '.' )) != NULL ) {
*c = '\0';
}
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
*krbinstancep = NULL;
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
}
return( 0 );


@ -333,7 +333,7 @@ ldap_close_connection( Sockbuf *sb )
}
#if defined( HAVE_KERBEROS ) || defined( HAVE_TLS ) || defined( HAVE_CYRUS_SASL )
#if defined( LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND ) || defined( HAVE_TLS ) || defined( HAVE_CYRUS_SASL )
char *
ldap_host_connected_to( Sockbuf *sb )
{
@ -374,7 +374,7 @@ ldap_host_connected_to( Sockbuf *sb )
}
#undef DO_RETURN
#endif /* HAVE_KERBEROS || HAVE_TLS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND || HAVE_TLS */
/* for UNIX */


@ -10,7 +10,7 @@
* name DistinguishedName, -- who
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
* krbv42ldap [1] OCTET STRING
* krbv42dsa [2] OCTET STRING
#endif


@ -16,7 +16,7 @@
* name DistinguishedName, -- who
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
* krbv42ldap [1] OCTET STRING
* krbv42dsa [2] OCTET STRING
#endif


@ -235,7 +235,7 @@ bind_prompt( LDAP *ld, char **dnp, char **passwdp, int *authmethodp,
static char dn[256], passwd[256];
if ( !freeit ) {
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
getline( dn, sizeof(dn), stdin,
"re-bind method (0->simple, 1->krbv41, 2->krbv42, 3->krbv41&2)? " );
if (( *authmethodp = atoi( dn )) == 3 ) {
@ -243,9 +243,9 @@ bind_prompt( LDAP *ld, char **dnp, char **passwdp, int *authmethodp,
} else {
*authmethodp |= 0x80;
}
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
*authmethodp = LDAP_AUTH_SIMPLE;
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
getline( dn, sizeof(dn), stdin, "re-bind dn? " );
strcat( dn, dnsuffix );
@ -413,13 +413,13 @@ main( int argc, char **argv )
break;
case 'b': /* asynch bind */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
getline( line, sizeof(line), stdin,
"method (0->simple, 1->krbv41, 2->krbv42)? " );
method = atoi( line ) | 0x80;
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
method = LDAP_AUTH_SIMPLE;
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
getline( dn, sizeof(dn), stdin, "dn? " );
strcat( dn, dnsuffix );
@ -439,7 +439,7 @@ main( int argc, char **argv )
break;
case 'B': /* synch bind */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
getline( line, sizeof(line), stdin,
"method 0->simple 1->krbv41 2->krbv42 3->krb? " );
method = atoi( line );
@ -447,9 +447,9 @@ main( int argc, char **argv )
method = LDAP_AUTH_KRBV4;
else
method = method | 0x80;
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
method = LDAP_AUTH_SIMPLE;
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
getline( dn, sizeof(dn), stdin, "dn? " );
strcat( dn, dnsuffix );


@ -17,17 +17,18 @@
#include <stdio.h>
#include <ac/stdlib.h>
#include <ac/string.h>
#ifdef SLAPD_KPASSWD
# include <ac/krb.h>
# include <ac/krb5.h>
#endif
#include <ac/param.h>
#include <ac/unistd.h>
#include <ac/crypt.h>
#include <lber.h>
#include "lutil_md5.h"
#include "lutil_sha1.h"
#include "lutil.h"
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif
@ -35,6 +36,12 @@
# include <pwd.h>
#endif
#include <lber.h>
#include "lutil_md5.h"
#include "lutil_sha1.h"
#include "lutil.h"
static const unsigned char crypt64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
@ -76,6 +83,11 @@ static int chk_sha1(
const struct berval *passwd,
const struct berval *cred );
static int chk_kerberos(
const struct pw_scheme *scheme,
const struct berval *passwd,
const struct berval *cred );
static int chk_crypt(
const struct pw_scheme *scheme,
const struct berval *passwd,
@ -117,6 +129,10 @@ static const struct pw_scheme pw_schemes[] =
{ {sizeof("{SMD5}")-1, "{SMD5}"}, chk_smd5, hash_smd5 },
{ {sizeof("{MD5}")-1, "{MD5}"}, chk_md5, hash_md5 },
#ifdef SLAPD_KPASSWD
{ {sizeof("{KERBEROS}")-1, "{KERBEROS}"}, chk_kerberos, NULL },
#endif
#ifdef SLAPD_CRYPT
{ {sizeof("{CRYPT}")-1, "{CRYPT}"}, chk_crypt, hash_crypt },
#endif
@ -522,6 +538,177 @@ static int chk_md5(
return rc;
}
#ifdef SLAPD_KPASSWD
static int chk_kerberos(
const struct pw_scheme *sc,
const struct berval * passwd,
const struct berval * cred )
{
int i;
int rtn;
for( i=0; i<cred->bv_len; i++) {
if(cred->bv_val[i] == '\0') {
return 1; /* NUL character in password */
}
}
if( cred->bv_val[i] != '\0' ) {
return 1; /* cred must behave like a string */
}
for( i=0; i<passwd->bv_len; i++) {
if(passwd->bv_val[i] == '\0') {
return 1; /* NUL character in password */
}
}
if( passwd->bv_val[i] != '\0' ) {
return 1; /* passwd must behave like a string */
}
rtn = 1;
#ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */
{
/* Portions:
* Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H\xf6gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
krb5_context context;
krb5_error_code ret;
krb5_creds creds;
krb5_get_init_creds_opt get_options;
krb5_verify_init_creds_opt verify_options;
krb5_principal client, server;
#ifdef notdef
krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
#endif
krb5_init_context( &context );
if (ret) {
return 1;
}
#ifdef notdef
krb5_get_init_creds_opt_set_preauth_list(&get_options,
pre_auth_types, 1);
#endif
krb5_get_init_creds_opt_init( &get_options );
krb5_verify_init_creds_opt_init( &verify_options );
ret = krb5_parse_name( context, passwd->bv_val, &client );
if (ret) {
krb5_free_context( context );
return 1;
}
ret = krb5_get_init_creds_password( context,
&creds, client, cred->bv_val, NULL,
NULL, 0, NULL, &get_options );
if (ret) {
krb5_free_principal( context, client );
krb5_free_context( context );
return 1;
}
{
char host[MAXHOSTNAMELEN];
if( gethostname( host, MAXHOSTNAMELEN ) != 0 ) {
krb5_free_principal( context, client );
krb5_free_context( context );
return 1;
}
ret = krb5_sname_to_principal( context,
host, "ldap", KRB5_NT_SRV_HST, &server );
}
if (ret) {
krb5_free_principal( context, client );
krb5_free_context( context );
return 1;
}
ret = krb5_verify_init_creds( context,
&creds, server, NULL, NULL, &verify_options );
krb5_free_principal( context, client );
krb5_free_principal( context, server );
krb5_free_creds_contents( context, &creds );
krb5_free_context( context );
rtn = !!ret;
}
#elif defined(HAVE_KRB4)
{
/* Borrowed from Heimdal kpopper */
/* Portions:
* Copyright (c) 1989 Regents of the University of California.
* All rights reserved. The Berkeley software License Agreement
* specifies the terms and conditions for redistribution.
*/
int status;
char lrealm[REALM_SZ];
char tkt[MaxPathLen];
status = krb_get_lrealm(lrealm,1);
if (status == KFAILURE) {
return 1;
}
snprintf(tkt, sizeof(tkt), "%s_popper.%u",
TKT_ROOT, (unsigned)getpid());
krb_set_tkt_string (tkt);
status = krb_verify_user( passwd->bv_val, "", lrealm,
cred->bv_val, KRB_VERIFY_SECURE, "pop");
dest_tkt(); /* no point in keeping the tickets */
return status == KFAILURE;
}
#endif
return rtn;
}
#endif /* SLAPD_KPASSWD */
#ifdef SLAPD_CRYPT
static int chk_crypt(
const struct pw_scheme *sc,


@ -142,7 +142,7 @@ do_bind_real(
struct DSError dse;
char *dn = dsaconn->c_dn;
int err;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
u_long nonce;
#endif
Debug( LDAP_DEBUG_TRACE, "do_bind_real\n", 0, 0, 0 );
@ -175,7 +175,7 @@ do_bind_real(
ba.dba_version = DBA_VERSION_V1988;
break;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#ifdef LDAP_COMPAT20
case OLD_LDAP_AUTH_KRBV4:
#endif
@ -253,7 +253,7 @@ do_bind_real(
Debug( LDAP_DEBUG_TRACE, "dap_bind successful\n", 0, 0, 0 );
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
/* XXX why doesn't this work??
if ( dsaconn->c_method == LDAP_AUTH_KRBV42 &&
kerberos_check_mutual( &br, nonce ) != 0 ) {
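Review bot: The mutual-authentication check in the last hunk of do_bind_real is still inside the `/* XXX why doesn't this work??` comment, so under the renamed guard an `LDAP_AUTH_KRBV42` bind appears to be reported as successful without `kerberos_check_mutual( &br, nonce )` ever running. The commit only renames the guard, but since it re-scopes this code as the KBIND feature, this is the place to record the gap. Either restore the check or replace the XXX with an explicit statement such as `/* NOTE: the DSA's mutual-authentication reply is NOT verified; nonce is unused until kerberos_check_mutual() is fixed */`. The comment and the function both continue outside the hunk, so the end of the disabled region is not visible here.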


@ -92,7 +92,7 @@ extern int do_udp;
extern int idletime;
extern int referral_connection_timeout;
extern struct timeval conn_start_tv;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
extern char *krb_ldap_service;
extern char *krb_x500_service;
extern char *krb_x500_instance;


@ -13,7 +13,7 @@
#include "portable.h"
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#include <stdio.h>
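Review bot: The whole file is now compiled only when `LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND` is defined, and the only header included before that test is `portable.h`. `HAVE_KERBEROS` was presumably a configure result, whereas the new name is an API feature macro. If `portable.h` does not bring its definition into scope, this file compiles to nothing without any diagnostic, and so does the later kerberos.c section with the same `#include "portable.h"` / `#ifdef` pair. I would confirm the include chain and add a comment above the guard, for example `/* KBIND feature macro must be visible via portable.h; otherwise this file is empty */`.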


@ -72,7 +72,7 @@ int do_udp = 0;
int idletime = DEFAULT_TIMEOUT;
int referral_connection_timeout = DEFAULT_REFERRAL_TIMEOUT;
struct timeval conn_start_tv;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char *krb_ldap_service = "ldapserver";
char *krb_x500_service = "x500dsa";
char *krb_x500_instance;
@ -93,7 +93,7 @@ usage( char *name )
fprintf( stderr, " [ -t timeout ]" );
#endif
fprintf( stderr, " [-I]" );
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
fprintf( stderr, " [-i dsainstance]" );
#endif
fprintf( stderr, "\n" );
@ -139,7 +139,7 @@ main( int argc, char **argv )
dsapargv[2] = 0;
dsapargv[3] = 0;
dsapargc = 1;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
kerberos_keyfile = "";
#endif
@ -180,7 +180,7 @@ main( int argc, char **argv )
idletime = atoi( optarg );
break;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
case 'f': /* kerberos key file */
kerberos_keyfile = strdup( optarg );
break;


@ -31,7 +31,7 @@ bdb2i_back_bind_internal(
Attribute *a;
int rc;
Entry *matched;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char krbname[MAX_K_NAME_SZ + 1];
AUTH_DAT ad;
#endif
@ -200,7 +200,7 @@ bdb2i_back_bind_internal(
rc = 0;
break;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
case LDAP_AUTH_KRBV41:
if ( bdb2i_krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,


@ -152,7 +152,7 @@ int bdb2i_index_add_values LDAP_P(( BackendDB *be, char *type, struct berval **v
* kerberos.c
*/
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
/* bdb2i_krbv4_ldap_auth LDAP_P(( BackendDB *be, struct berval *cred, AUTH_DAT *ad )); */
#endif
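Review bot: The renamed guard in this section encloses nothing but a commented-out prototype, so `bdb2i_krbv4_ldap_auth` has no checked declaration here even though the bind code in the earlier section calls it as `bdb2i_krbv4_ldap_auth( be, cred, &ad )`. Unless a prototype is supplied elsewhere (not visible in this hunk), the call into the routine that validates Kerberos credentials is compiled without argument checking. Either restore it as `int bdb2i_krbv4_ldap_auth LDAP_P(( BackendDB *be, struct berval *cred, AUTH_DAT *ad ));` (return type presumably int, since the caller compares against `LDAP_SUCCESS`) once `AUTH_DAT` is in scope, or state in the comment why it is disabled. The slapd prototype section further down has the related `LIBSLAPD_F (int) krbv4_ldap_auth();` with an empty parameter list.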


@ -36,7 +36,7 @@ ldbm_back_bind(
Attribute *a;
int rc;
Entry *matched;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char krbname[MAX_K_NAME_SZ + 1];
AUTH_DAT ad;
#endif
@ -212,7 +212,7 @@ ldbm_back_bind(
rc = 0;
break;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
case LDAP_AUTH_KRBV41:
if ( ! access_allowed( be, conn, op, e,
"krbname", NULL, ACL_AUTH ) )


@ -7,7 +7,7 @@
#include "portable.h"
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#include <stdio.h>


@ -552,7 +552,7 @@ LIBSLAPD_F (int) slap_passwd_parse(
/*
* kerberos.c
*/
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
LIBSLAPD_F (int) krbv4_ldap_auth();
#endif


@ -36,11 +36,11 @@ usage( char *name )
{
fprintf( stderr, "usage: %s\t[-d debug-level] [-s syslog-level]\n", name );
fprintf( stderr, "\t\t[-f slapd-config-file] [-r replication-log-file]\n" );
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
fprintf( stderr, "\t\t[-t tmp-dir] [-o] [-k srvtab-file]\n" );
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
fprintf( stderr, "\t\t[-t tmp-dir] [-o]\n" );
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
}
@ -114,11 +114,11 @@ doargs(
g->slurpd_rdir = strdup( optarg );
break;
case 'k': /* name of kerberos srvtab file */
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
g->default_srvtab = strdup( optarg );
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
fprintf( stderr, "must compile with KERBEROS to use -k option\n" );
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
break;
case 'h':
usage( g->myname );
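Review bot: The `#else` branch of the `-k` case still prints `must compile with KERBEROS to use -k option`, which no longer matches the condition being tested. Per the commit description KBIND depends on Kerberos IV detection and can be disabled on its own, so a build that found Kerberos can still land here; suggest `fprintf( stderr, "must compile with Kerberos V4 bind (KBIND) support to use -k option\n" );`. This branch also only warns and then reaches `break`, so slurpd keeps running with the srvtab argument ignored, while the `bindmethod=kerberos` branch in parse_replica_line exits with `EXIT_FAILURE`; failing the same way here would be more consistent. The messages in that parse_replica_line hunk (`but slurpd was not built with kerberos.`) have the same wording problem. doargs continues outside the hunk.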


@ -355,13 +355,13 @@ parse_replica_line(
strlen( BINDMETHSTR ))) {
val = cargv[ i ] + strlen( BINDMETHSTR ) + 1;
if ( !strcasecmp( val, KERBEROSSTR )) {
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
ri->ri_bind_method = AUTH_KERBEROS;
if ( ri->ri_srvtab == NULL ) {
ri->ri_srvtab = strdup( sglob->default_srvtab );
}
gots |= GOT_METHOD;
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
fprintf( stderr, "Error: a bind method of \"kerberos\" was\n" );
fprintf( stderr, "specified in the slapd configuration file,\n" );
fprintf( stderr, "but slurpd was not built with kerberos.\n" );
@ -369,7 +369,7 @@ parse_replica_line(
fprintf( stderr, "kerberos support if you wish to use\n" );
fprintf( stderr, "bindmethod=kerberos\n" );
exit( EXIT_FAILURE );
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
} else if ( !strcasecmp( val, SIMPLESTR )) {
ri->ri_bind_method = AUTH_SIMPLE;
gots |= GOT_METHOD;


@ -68,9 +68,9 @@ init_globals( void )
fprintf( stderr, "Cannot initialize queue\n" );
exit( EXIT_FAILURE );
}
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
g->default_srvtab = SRVTAB;
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
return g;
}


@ -57,10 +57,10 @@ typedef struct globals {
St *st;
/* Pointer to replication queue */
Rq *rq;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
/* Default name of kerberos srvtab file */
char *default_srvtab;
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
} Globals;


@ -51,7 +51,7 @@ static void free_ldmarr LDAP_P(( LDAPMod ** ));
static int getmodtype LDAP_P(( char * ));
static void dump_ldm_array LDAP_P(( LDAPMod ** ));
static char **read_krbnames LDAP_P(( Ri * ));
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
static void upcase LDAP_P(( char * ));
#endif
static int do_bind LDAP_P(( Ri *, int * ));
@ -627,7 +627,7 @@ do_bind(
)
{
int ldrc;
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
int rc;
int retval = 0;
int kni, got_tgt;
@ -636,7 +636,7 @@ do_bind(
char realm[ REALM_SZ ];
char name[ ANAME_SZ ];
char instance[ INST_SZ ];
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
*lderr = 0;
@ -682,12 +682,12 @@ do_bind(
switch ( ri->ri_bind_method ) {
case AUTH_KERBEROS:
#ifndef HAVE_KERBEROS
#ifndef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
Debug( LDAP_DEBUG_ANY,
"Error: Kerberos bind for %s:%d, but not compiled w/kerberos\n",
ri->ri_hostname, ri->ri_port, 0 );
return( BIND_ERR_KERBEROS_FAILED );
#else /* HAVE_KERBEROS */
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
/*
* Bind using kerberos.
* If "bindprincipal" was given in the config file, then attempt
@ -763,7 +763,7 @@ kexit: if ( krbnames != NULL ) {
}
return( retval);
break;
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
case AUTH_SIMPLE:
/*
* Bind with a plaintext password.
@ -890,7 +890,7 @@ read_krbnames(
}
#ifdef HAVE_KERBEROS
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
/*
* upcase a string
@ -907,4 +907,4 @@ upcase(
}
}
#endif /* HAVE_KERBEROS */
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */