authorwillf <none@none>2008-01-25 15:24:54 -0800
committerwillf <none@none>2008-01-25 15:24:54 -0800
commit2dd2efa5a06a9befe46075cf41e16f57533c9f98 (patch)
tree4e5d24900f04f88c52b537dfbdfd5450991422c4 /usr/src/lib/krb5/plugins
parent047a013371e22a733316649e2bb30a7aa6976e8b (diff)
downloadillumos-gate-2dd2efa5a06a9befe46075cf41e16f57533c9f98.tar.gz
6604635 kdb ldap integration removed rev/recurse kdb5_util dumps
6620943 ktadd fails for principal with history when using ldap plugin
Diffstat (limited to 'usr/src/lib/krb5/plugins')
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/Makefile.com4
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c8
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c34
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h4
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c5
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c21
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h3
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c17
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c24
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h5
10 files changed, 100 insertions, 25 deletions
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com b/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com
index b69cbfac03..ba189df3fa 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com
+++ b/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com
@@ -19,7 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -55,7 +55,7 @@ POFILES = generic.po
#override liblink
INS.liblink= -$(RM) $@; $(SYMLINK) $(LIBLINKS)$(VERS) $@
-CPPFLAGS += -DHAVE_CONFIG_H \
+CPPFLAGS += -DHAVE_CONFIG_H -DHAVE_BT_RSEQ \
-I$(SRC)/cmd/krb5/iprop \
-I$(SRC)/lib/krb5 \
-I$(SRC)/lib/krb5/kdb \
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c b/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c
index 3e8b977a99..5d3f546b6b 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c
+++ b/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -152,12 +152,14 @@ WRAP_K (krb5_db2_db_delete_principal,
int *nentries),
(context, searchfor, nentries));
+/* Solaris Kerberos: adding support for db_args */
WRAP_K (krb5_db2_db_iterate,
(krb5_context ctx, char *s,
krb5_error_code (*f) (krb5_pointer,
krb5_db_entry *),
- krb5_pointer p),
- (ctx, s, f, p));
+ krb5_pointer p,
+ char **db_args),
+ (ctx, s, f, p, db_args));
WRAP_K (krb5_db2_create_policy,
(krb5_context context, osa_policy_ent_t entry),
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c
index 8bb4b3fc47..eeffca020e 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c
+++ b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1314,9 +1314,37 @@ krb5_error_code
krb5_db2_db_iterate(krb5_context context,
char *match_expr,
krb5_error_code(*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg)
+ krb5_pointer func_arg, char **db_args)
{
- return krb5_db2_db_iterate_ext(context, func, func_arg, 0, 0);
+ char **t_ptr = db_args;
+ int backwards = 0, recursive = 0;
+
+ while (t_ptr && *t_ptr) {
+ char *opt = NULL, *val = NULL;
+
+ krb5_db2_get_db_opt(*t_ptr, &opt, &val);
+
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ if (val && !strcmp(val, "rev"))
+ backwards = 1;
+ else if (val && !strcmp(val, "recurse"))
+ recursive = 1;
+ else {
+ krb5_set_error_message(context, EINVAL,
+ gettext("Unsupported argument \"%s\" for db2"),
+ val);
+ free(opt);
+ free(val);
+ return EINVAL;
+ }
+
+ free(opt);
+ free(val);
+ t_ptr++;
+ }
+
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ return krb5_db2_db_iterate_ext(context, func, func_arg, backwards, recursive);
}
krb5_boolean
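Review bot: In the `else` branch of the option loop, `val` can be NULL when it is passed to the `%s` in `krb5_set_error_message`, because both earlier tests are guarded by `val &&` and the result of `krb5_db2_get_db_opt` is never checked. Passing NULL for `%s` is undefined behaviour. Reporting the raw argument avoids this and shows the caller exactly what was rejected: `gettext("Unsupported argument \"%s\" for db2"), *t_ptr);`. The loop also matches on `val` alone and ignores `opt`, so, depending on how `krb5_db2_get_db_opt` splits its input (not visible here), an argument such as `name=rev` may be accepted as the reverse flag; if that is not intended, reject entries where `opt` is non-NULL.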
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h
index 5364af1024..c6669e7523 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h
+++ b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h
@@ -93,11 +93,13 @@ krb5_error_code krb5_db2_db_iterate_ext
krb5_error_code (*) (krb5_pointer,
krb5_db_entry *),
krb5_pointer, int, int );
+/* Solaris Kerberos: adding support for db_args */
krb5_error_code krb5_db2_db_iterate
(krb5_context,char *,
krb5_error_code (*) (krb5_pointer,
krb5_db_entry *),
- krb5_pointer );
+ krb5_pointer,
+ char **db_args );
krb5_error_code krb5_db2_db_set_nonblocking
(krb5_context,
krb5_boolean,
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 0fe64dd177..30590945fe 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -29,7 +29,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <string.h>
@@ -2103,7 +2103,8 @@ populate_krb5_db_entry (krb5_context context,
if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
goto cleanup;
- if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
+ /* Solaris Kerberos: adding support for key history in LDAP KDB */
+ if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) {
goto cleanup;
}
krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
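Review bot: The new third argument `entry->tl_data` is passed without checking that it is the `KRB5_TL_KADM_DATA` record, and the princ_xdr.c hunk in this commit XDR-decodes `old_tl_data->tl_data_contents` as an `osa_princ_ent_rec` with no check of `tl_data_type`. The ldap_principal2.c hunks filter tl_data entries by several types, so the entry passed here is presumably not guaranteed to be the kadm record. Decoding another type's bytes would either fail the whole lookup with `KADM5_XDR_FAILURE` or produce a bogus key history. Select the entry by type before the call (pass the one whose `tl_data_type == KRB5_TL_KADM_DATA`, or NULL if there is none), or add that check at the top of `krb5_update_tl_kadm_data`. `populate_krb5_db_entry` starts and ends outside this hunk, so an earlier filter may exist that is not visible here.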
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index e1bef8241b..9355fd9d2b 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -140,11 +140,13 @@ krb5_ldap_free_principal(kcontext , entries, nentries)
}
krb5_error_code
-krb5_ldap_iterate(context, match_expr, func, func_arg)
- krb5_context context;
- char *match_expr;
- krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
- krb5_pointer func_arg;
+krb5_ldap_iterate(
+ krb5_context context,
+ char *match_expr,
+ krb5_error_code (*func) (krb5_pointer, krb5_db_entry *),
+ krb5_pointer func_arg,
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ char **db_args)
{
krb5_db_entry entry;
krb5_principal principal;
@@ -161,6 +163,15 @@ krb5_ldap_iterate(context, match_expr, func, func_arg)
/* Clear the global error string */
krb5_clear_error_message(context);
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ if (db_args) {
+ /* LDAP does not support db_args DB arguments for krb5_ldap_iterate */
+ krb5_set_error_message(context, EINVAL,
+ gettext("Unsupported argument \"%s\" for ldap"),
+ db_args[0]);
+ return EINVAL;
+ }
+
memset(&entry, 0, sizeof(krb5_db_entry));
SETUP_CONTEXT();
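Review bot: The `if (db_args)` guard rejects a non-NULL but empty argument vector with EINVAL and then passes `db_args[0]`, which is NULL in that case, to `%s`. The db2 counterpart in this commit loops with `while (t_ptr && *t_ptr)` and so treats an empty vector as "no arguments". The LDAP side should agree: `if (db_args && db_args[0]) {`. The body of `krb5_ldap_iterate` continues outside the hunk.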
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
index 09d12ea5cb..2f021aee58 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
@@ -99,9 +99,10 @@ krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *);
krb5_error_code
krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int );
+/* Solaris Kerberos: adding support for db_args */
krb5_error_code
krb5_ldap_iterate(krb5_context, char *, krb5_error_code (*) (krb5_pointer, krb5_db_entry *),
- krb5_pointer/*, int */);
+ krb5_pointer/*, int */, char **);
void
krb5_dbe_free_contents(krb5_context, krb5_db_entry *);
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 8184326ad0..c245f4ff67 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -30,7 +30,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -991,9 +991,13 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* Solaris Kerberos: fix key history issue */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
count++;
}
if (count != 0) {
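Review bot: The added test `! entries->mask & KADM5_KEY_HIST` parses as `(!entries->mask) & KADM5_KEY_HIST`, because unary `!` binds tighter than `&`. `!entries->mask` is 0 or 1, so unless `KADM5_KEY_HIST` has bit 0 set (its value is not visible here) the condition is always false, and `KRB5_TL_KADM_DATA` is counted and written on every put rather than only when key history is being updated. The intended check is `if (ptr->tl_data_type == KRB5_TL_KADM_DATA && !(entries->mask & KADM5_KEY_HIST))`. The same expression appears in the next hunk (`@@ -1011,9 +1015,16 @@`); the two loops must stay identical so that `count` matches the number of bervals filled. `krb5_ldap_put_principal` extends beyond both hunks.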
@@ -1011,9 +1015,16 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /*
+ * Solaris Kerberos: key history needs to be stored (it's in
+ * the KRB5_TL_KADM_DATA).
+ */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
index 8a48c3a81a..4f9655f5d5 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -212,9 +212,11 @@ krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry)
}
krb5_error_code
-krb5_update_tl_kadm_data(policy_dn, new_tl_data)
+krb5_update_tl_kadm_data(policy_dn, new_tl_data, old_tl_data)
char * policy_dn;
krb5_tl_data * new_tl_data;
+ /* Solaris Kerberos: adding support for key history in LDAP KDB */
+ krb5_tl_data * old_tl_data;
{
XDR xdrs;
osa_princ_ent_t princ_entry;
@@ -225,8 +227,24 @@ krb5_update_tl_kadm_data(policy_dn, new_tl_data)
return ENOMEM;
memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
- princ_entry->admin_history_kvno = 2;
princ_entry->aux_attributes = KADM5_POLICY;
+
+ /* Solaris Kerberos: adding support for key history in LDAP KDB */
+ if (old_tl_data != NULL) {
+ /* get the key history from the old tl_data */
+ xdrmem_create(&xdrs, (caddr_t)old_tl_data->tl_data_contents,
+ old_tl_data->tl_data_length, XDR_DECODE);
+ if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
+ xdr_destroy(&xdrs);
+ free(princ_entry);
+ return(KADM5_XDR_FAILURE);
+ }
+ xdr_destroy(&xdrs);
+ /* will set the policy field further down, avoid mem leak */
+ free(princ_entry->policy);
+ } else {
+ princ_entry->admin_history_kvno = 2;
+ }
princ_entry->policy = policy_dn;
xdralloc_create(&xdrs, XDR_ENCODE);
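Review bot: On the decode-failure path only `free(princ_entry)` is called, so any members that `ldap_xdr_osa_princ_ent_rec` allocated before failing (the policy string, the key-history array) would leak. The decoder is not shown, so this is inferred from the `free(princ_entry->policy)` on the success path. Releasing the partial record through the XDR routine first would cover it: `xdr_free((xdrproc_t)ldap_xdr_osa_princ_ent_rec, (char *)princ_entry);` before `free(princ_entry);`. On the success path the decoded history now stays attached to `princ_entry`, and the cleanup after encoding lies outside this hunk; it must free that history without freeing `policy_dn`, which belongs to the caller. `old_tl_data->tl_data_contents` and `tl_data_length` come from the stored entry, so a NULL or zero-length record should be rejected before `xdrmem_create`.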
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
index 914aa452e3..68164c0a5f 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -73,7 +73,8 @@ ldap_osa_free_princ_ent(osa_princ_ent_t val);
krb5_error_code
krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry);
+/* Solaris Kerberos: adding support for key history in LDAP KDB */
krb5_error_code
-krb5_update_tl_kadm_data(char *, krb5_tl_data *);
+krb5_update_tl_kadm_data(char *, krb5_tl_data *, krb5_tl_data *);
#endif