authorwillf <none@none>2008-01-25 15:24:54 -0800
committerwillf <none@none>2008-01-25 15:24:54 -0800
commit2dd2efa5a06a9befe46075cf41e16f57533c9f98 (patch)
tree4e5d24900f04f88c52b537dfbdfd5450991422c4 /usr/src
parent047a013371e22a733316649e2bb30a7aa6976e8b (diff)
downloadillumos-gate-2dd2efa5a06a9befe46075cf41e16f57533c9f98.tar.gz
6604635 kdb ldap integration removed rev/recurse kdb5_util dumps
6620943 ktadd fails for principal with history when using ldap plugin
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/dump.c23
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h6
-rw-r--r--usr/src/lib/krb5/kadm5/admin.h4
-rw-r--r--usr/src/lib/krb5/kadm5/srv/server_kdb.c5
-rw-r--r--usr/src/lib/krb5/kadm5/srv/svr_principal.c9
-rw-r--r--usr/src/lib/krb5/kdb/kdb5.c10
-rw-r--r--usr/src/lib/krb5/kdb/kdb5.h4
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/Makefile.com4
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c8
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c34
-rw-r--r--usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h4
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c5
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c21
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h3
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c17
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c24
-rw-r--r--usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h5
17 files changed, 143 insertions, 43 deletions
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/dump.c b/usr/src/cmd/krb5/kadmin/dbutil/dump.c
index 42b21f17a7..d3fc353757 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/dump.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/dump.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1355,6 +1355,9 @@ dump_db(argc, argv)
char *new_mkey_file = 0;
bool_t dump_sno = FALSE;
kdb_log_context *log_ctx;
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ int db_arg_index = 0;
+ char *db_args[3] = {NULL, NULL, NULL};
/*
* Parse the arguments.
@@ -1406,11 +1409,14 @@ dump_db(argc, argv)
else if (!strcmp(argv[aindex], "-new_mkey_file")) {
new_mkey_file = argv[++aindex];
mkey_convert = 1;
- } else if (!strcmp(argv[aindex], "-rev"))
- backwards = 1;
- else if (!strcmp(argv[aindex], "-recurse"))
- recursive = 1;
- else
+ } else if (!strcmp(argv[aindex], "-rev")) {
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ /* hack to pass args to db specific plugin */
+ db_args[db_arg_index++] = "rev";
+ } else if (!strcmp(argv[aindex], "-recurse")) {
+ /* hack to pass args to db specific plugin */
+ db_args[db_arg_index++] = "recurse";
+ } else
break;
}
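Review bot: Nothing bounds `db_arg_index` in the `-rev` and `-recurse` branches, while `db_args` is declared with three slots in the previous hunk. A repeated flag on the command line makes the third store overwrite the NULL terminator, and a fourth store writes past the end of the stack array. Recording each flag once avoids this, e.g. `if (!backwards) { backwards = 1; db_args[db_arg_index++] = "rev"; }` and the same shape for `recursive`. This assumes the two variables set by the removed lines are still declared; their declarations are outside the hunk.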
@@ -1546,10 +1552,13 @@ dump_db(argc, argv)
if (dump->header[strlen(dump->header)-1] != '\n')
fputc('\n', arglist.ofile);
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ /* don't pass in db_args if there aren't any */
if ((kret = krb5_db_iterate(util_context,
NULL,
dump->dump_princ,
- (krb5_pointer) &arglist))) { /* TBD: backwards and recursive not supported */
+ (krb5_pointer) &arglist,
+ db_arg_index > 0 ? (char **)&db_args : NULL))) {
fprintf(stderr, dumprec_err,
programname, dump->name, error_message(kret));
exit_status++;
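Review bot: The cast in `(char **)&db_args` hides a type mismatch, because `&db_args` is a pointer to an array of three `char *` and only shares its address with the first element. `db_args` already decays to `char **`, so `db_arg_index > 0 ? db_args : NULL` needs no cast and lets the compiler check the argument against the new prototype. The enclosing dump_db body starts and ends outside this hunk.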
diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h b/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h
index 12cacc6da8..a54eef98bd 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h
+++ b/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -277,10 +277,12 @@ krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
krb5_principal search_for,
int *nentries );
+/* Solaris Kerberos: adding support for db_args */
krb5_error_code krb5_db_iterate ( krb5_context kcontext,
char *match_entry,
int (*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg );
+ krb5_pointer func_arg,
+ char **db_args );
krb5_error_code krb5_supported_realms ( krb5_context kcontext,
char **realms );
krb5_error_code krb5_free_supported_realms ( krb5_context kcontext,
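Review bot: The new `db_args` parameter of `krb5_db_iterate` is documented only as "adding support for db_args", which leaves its contract to be read out of the callers and plugins. From the rest of this commit it is either NULL or a NULL-terminated array of option strings, and both plugins return EINVAL for strings they do not accept. I would say so at the prototype: `/* db_args: NULL, or a NULL-terminated array of plugin-specific option strings; a plugin returns EINVAL for an option it does not support */`.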
diff --git a/usr/src/lib/krb5/kadm5/admin.h b/usr/src/lib/krb5/kadm5/admin.h
index 24b5911430..1494a6a1f6 100644
--- a/usr/src/lib/krb5/kadm5/admin.h
+++ b/usr/src/lib/krb5/kadm5/admin.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -132,6 +132,8 @@ typedef unsigned int rpc_u_int32;
#define KADM5_RANDKEY_USED 0x100000
#endif
#define KADM5_LOAD 0x200000
+/* Solaris Kerberos: adding support for key history in LDAP KDB */
+#define KADM5_KEY_HIST 0x400000
/* all but KEY_DATA and TL_DATA */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
diff --git a/usr/src/lib/krb5/kadm5/srv/server_kdb.c b/usr/src/lib/krb5/kadm5/srv/server_kdb.c
index f685f142fd..2ad4f184b4 100644
--- a/usr/src/lib/krb5/kadm5/srv/server_kdb.c
+++ b/usr/src/lib/krb5/kadm5/srv/server_kdb.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -426,7 +426,8 @@ kdb_iter_entry(kadm5_server_handle_t handle, char *match_entry,
id.func = iter_fct;
id.data = data;
- ret = krb5_db_iterate(handle->context, match_entry, kdb_iter_func, &id);
+ /* Solaris Kerberos: added support for db_args */
+ ret = krb5_db_iterate(handle->context, match_entry, kdb_iter_func, &id, NULL);
if (ret)
return(ret);
diff --git a/usr/src/lib/krb5/kadm5/srv/svr_principal.c b/usr/src/lib/krb5/kadm5/srv/svr_principal.c
index 8fbd355a08..f4faf5e17f 100644
--- a/usr/src/lib/krb5/kadm5/srv/svr_principal.c
+++ b/usr/src/lib/krb5/kadm5/srv/svr_principal.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1357,7 +1357,12 @@ kadm5_chpass_principal_3(void *server_handle,
goto done;
/* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
+ /* Solaris Kerberos: adding support for key history in LDAP KDB */
+ if (hist_added == 1)
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_KEY_HIST
+ /* | KADM5_CPW_FUNCTION */;
+ else
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;
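Review bot: The two branches repeat the whole mask expression, including the commented-out `KADM5_CPW_FUNCTION`, so a later change to the base mask has to be made twice. Setting the base once and adding the bit reads more directly: `kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;` followed by `if (hist_added) kdb.mask |= KADM5_KEY_HIST;`. `hist_added` is assigned outside this hunk, so whether it can hold values other than 0 and 1 is not visible here; comparing against 1 rather than testing for non-zero is worth confirming.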
diff --git a/usr/src/lib/krb5/kdb/kdb5.c b/usr/src/lib/krb5/kdb/kdb5.c
index 050ab7996b..1e81c334b2 100644
--- a/usr/src/lib/krb5/kdb/kdb5.c
+++ b/usr/src/lib/krb5/kdb/kdb5.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1103,7 +1103,9 @@ krb5_error_code
krb5_db_iterate(krb5_context kcontext,
char *match_entry,
int (*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg)
+ krb5_pointer func_arg,
+ /* Solaris Kerberos: adding support for db_args */
+ char **db_args)
{
krb5_error_code status = 0;
kdb5_dal_handle *dal_handle;
@@ -1121,9 +1123,11 @@ krb5_db_iterate(krb5_context kcontext,
goto clean_n_exit;
}
+ /* Solaris Kerberos: adding support for db_args */
status = dal_handle->lib_handle->vftabl.db_iterate(kcontext,
match_entry,
- func, func_arg);
+ func, func_arg,
+ db_args);
get_errmsg(kcontext, status);
kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
diff --git a/usr/src/lib/krb5/kdb/kdb5.h b/usr/src/lib/krb5/kdb/kdb5.h
index 1bf0b22c18..8efc2b18dd 100644
--- a/usr/src/lib/krb5/kdb/kdb5.h
+++ b/usr/src/lib/krb5/kdb/kdb5.h
@@ -86,10 +86,12 @@ typedef struct _kdb_vftabl{
krb5_const_principal search_for,
int *nentries);
+ /* Solaris Kerberos: adding support for db_args */
krb5_error_code (*db_iterate) (krb5_context kcontext,
char *match_entry,
int (*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg);
+ krb5_pointer func_arg,
+ char **db_args);
krb5_error_code (*db_create_policy) (krb5_context kcontext,
osa_policy_ent_t policy);
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com b/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com
index b69cbfac03..ba189df3fa 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com
+++ b/usr/src/lib/krb5/plugins/kdb/db2/Makefile.com
@@ -19,7 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -55,7 +55,7 @@ POFILES = generic.po
#override liblink
INS.liblink= -$(RM) $@; $(SYMLINK) $(LIBLINKS)$(VERS) $@
-CPPFLAGS += -DHAVE_CONFIG_H \
+CPPFLAGS += -DHAVE_CONFIG_H -DHAVE_BT_RSEQ \
-I$(SRC)/cmd/krb5/iprop \
-I$(SRC)/lib/krb5 \
-I$(SRC)/lib/krb5/kdb \
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c b/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c
index 3e8b977a99..5d3f546b6b 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c
+++ b/usr/src/lib/krb5/plugins/kdb/db2/db2_exp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -152,12 +152,14 @@ WRAP_K (krb5_db2_db_delete_principal,
int *nentries),
(context, searchfor, nentries));
+/* Solaris Kerberos: adding support for db_args */
WRAP_K (krb5_db2_db_iterate,
(krb5_context ctx, char *s,
krb5_error_code (*f) (krb5_pointer,
krb5_db_entry *),
- krb5_pointer p),
- (ctx, s, f, p));
+ krb5_pointer p,
+ char **db_args),
+ (ctx, s, f, p, db_args));
WRAP_K (krb5_db2_create_policy,
(krb5_context context, osa_policy_ent_t entry),
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c
index 8bb4b3fc47..eeffca020e 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c
+++ b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1314,9 +1314,37 @@ krb5_error_code
krb5_db2_db_iterate(krb5_context context,
char *match_expr,
krb5_error_code(*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg)
+ krb5_pointer func_arg, char **db_args)
{
- return krb5_db2_db_iterate_ext(context, func, func_arg, 0, 0);
+ char **t_ptr = db_args;
+ int backwards = 0, recursive = 0;
+
+ while (t_ptr && *t_ptr) {
+ char *opt = NULL, *val = NULL;
+
+ krb5_db2_get_db_opt(*t_ptr, &opt, &val);
+
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ if (val && !strcmp(val, "rev"))
+ backwards = 1;
+ else if (val && !strcmp(val, "recurse"))
+ recursive = 1;
+ else {
+ krb5_set_error_message(context, EINVAL,
+ gettext("Unsupported argument \"%s\" for db2"),
+ val);
+ free(opt);
+ free(val);
+ return EINVAL;
+ }
+
+ free(opt);
+ free(val);
+ t_ptr++;
+ }
+
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ return krb5_db2_db_iterate_ext(context, func, func_arg, backwards, recursive);
}
krb5_boolean
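Review bot: When `krb5_db2_get_db_opt` leaves `val` NULL, the else branch of the new loop passes that NULL to the `%s` in `krb5_set_error_message`, which is undefined behaviour for printf-style formatting. Reporting the original string avoids it: `gettext("Unsupported argument \"%s\" for db2"), *t_ptr);`. The comparisons also ignore `opt`, so an argument that the helper splits into an option name plus the value `rev` would presumably be accepted as the flag; the helper is not visible here, but also requiring `opt == NULL` would make the match exact.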
diff --git a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h
index 5364af1024..c6669e7523 100644
--- a/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h
+++ b/usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h
@@ -93,11 +93,13 @@ krb5_error_code krb5_db2_db_iterate_ext
krb5_error_code (*) (krb5_pointer,
krb5_db_entry *),
krb5_pointer, int, int );
+/* Solaris Kerberos: adding support for db_args */
krb5_error_code krb5_db2_db_iterate
(krb5_context,char *,
krb5_error_code (*) (krb5_pointer,
krb5_db_entry *),
- krb5_pointer );
+ krb5_pointer,
+ char **db_args );
krb5_error_code krb5_db2_db_set_nonblocking
(krb5_context,
krb5_boolean,
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 0fe64dd177..30590945fe 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -29,7 +29,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <string.h>
@@ -2103,7 +2103,8 @@ populate_krb5_db_entry (krb5_context context,
if ((st = krb5_ldap_policydn_to_name (context, pwdpolicydn, &polname)) != 0)
goto cleanup;
- if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data)) != 0) {
+ /* Solaris Kerberos: adding support for key history in LDAP KDB */
+ if ((st = krb5_update_tl_kadm_data(polname, &kadm_tl_data, entry->tl_data)) != 0) {
goto cleanup;
}
krb5_dbe_update_tl_data(context, entry, &kadm_tl_data);
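Review bot: `entry->tl_data` is handed to `krb5_update_tl_kadm_data` as the old KADM record, and the princ_xdr.c hunk of this commit XDR-decodes its contents without looking at `tl_data_type`. If `entry->tl_data` is the head of the entry's tl_data list rather than the `KRB5_TL_KADM_DATA` element, any other type at the head is decoded as an `osa_princ_ent_rec` and either fails with `KADM5_XDR_FAILURE` or yields a garbage record. Unless the caller guarantees the head is the KADM element (not visible in this hunk), the lookup should select the element by type and pass NULL when none exists. The body of populate_krb5_db_entry starts and ends outside the hunk.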
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index e1bef8241b..9355fd9d2b 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -140,11 +140,13 @@ krb5_ldap_free_principal(kcontext , entries, nentries)
}
krb5_error_code
-krb5_ldap_iterate(context, match_expr, func, func_arg)
- krb5_context context;
- char *match_expr;
- krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
- krb5_pointer func_arg;
+krb5_ldap_iterate(
+ krb5_context context,
+ char *match_expr,
+ krb5_error_code (*func) (krb5_pointer, krb5_db_entry *),
+ krb5_pointer func_arg,
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ char **db_args)
{
krb5_db_entry entry;
krb5_principal principal;
@@ -161,6 +163,15 @@ krb5_ldap_iterate(context, match_expr, func, func_arg)
/* Clear the global error string */
krb5_clear_error_message(context);
+ /* Solaris Kerberos: adding support for -rev/recurse flags */
+ if (db_args) {
+ /* LDAP does not support db_args DB arguments for krb5_ldap_iterate */
+ krb5_set_error_message(context, EINVAL,
+ gettext("Unsupported argument \"%s\" for ldap"),
+ db_args[0]);
+ return EINVAL;
+ }
+
memset(&entry, 0, sizeof(krb5_db_entry));
SETUP_CONTEXT();
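Review bot: The new guard `if (db_args)` also fires for an empty, non-NULL argument vector, and then passes `db_args[0] == NULL` to the `%s` in the error message. dump.c in this commit passes NULL when no flags were given, but other callers of `krb5_db_iterate` are free to pass an empty array. Testing the first element as well keeps both cases safe: `if (db_args && db_args[0]) {`.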
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
index 09d12ea5cb..2f021aee58 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
@@ -99,9 +99,10 @@ krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *);
krb5_error_code
krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int );
+/* Solaris Kerberos: adding support for db_args */
krb5_error_code
krb5_ldap_iterate(krb5_context, char *, krb5_error_code (*) (krb5_pointer, krb5_db_entry *),
- krb5_pointer/*, int */);
+ krb5_pointer/*, int */, char **);
void
krb5_dbe_free_contents(krb5_context, krb5_db_entry *);
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 8184326ad0..c245f4ff67 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -30,7 +30,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -991,9 +991,13 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /* Solaris Kerberos: fix key history issue */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
count++;
}
if (count != 0) {
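Review bot: The added test `! entries->mask & KADM5_KEY_HIST` does not check the flag, because `!` binds tighter than `&` and the expression parses as `(!entries->mask) & KADM5_KEY_HIST`. The left side is 0 or 1 and the flag is `0x400000` (admin.h in this commit), so the result is always 0 and the `continue` never runs; `KRB5_TL_KADM_DATA` is then counted and written on every put, not only when key history was added. The condition should be `if (ptr->tl_data_type == KRB5_TL_KADM_DATA && !(entries->mask & KADM5_KEY_HIST))`. The same expression appears in the following hunk (the loop that fills `ber_tl_data`), and both need the identical fix so the count and the fill stay in step.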
@@ -1011,9 +1015,16 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO)
continue;
+
+ /*
+ * Solaris Kerberos: key history needs to be stored (it's in
+ * the KRB5_TL_KADM_DATA).
+ */
+ if (ptr->tl_data_type == KRB5_TL_KADM_DATA && ! entries->mask & KADM5_KEY_HIST)
+ continue;
+
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
index 8a48c3a81a..4f9655f5d5 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -212,9 +212,11 @@ krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry)
}
krb5_error_code
-krb5_update_tl_kadm_data(policy_dn, new_tl_data)
+krb5_update_tl_kadm_data(policy_dn, new_tl_data, old_tl_data)
char * policy_dn;
krb5_tl_data * new_tl_data;
+ /* Solaris Kerberos: adding support for key history in LDAP KDB */
+ krb5_tl_data * old_tl_data;
{
XDR xdrs;
osa_princ_ent_t princ_entry;
@@ -225,8 +227,24 @@ krb5_update_tl_kadm_data(policy_dn, new_tl_data)
return ENOMEM;
memset(princ_entry, 0, sizeof(osa_princ_ent_rec));
- princ_entry->admin_history_kvno = 2;
princ_entry->aux_attributes = KADM5_POLICY;
+
+ /* Solaris Kerberos: adding support for key history in LDAP KDB */
+ if (old_tl_data != NULL) {
+ /* get the key history from the old tl_data */
+ xdrmem_create(&xdrs, (caddr_t)old_tl_data->tl_data_contents,
+ old_tl_data->tl_data_length, XDR_DECODE);
+ if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) {
+ xdr_destroy(&xdrs);
+ free(princ_entry);
+ return(KADM5_XDR_FAILURE);
+ }
+ xdr_destroy(&xdrs);
+ /* will set the policy field further down, avoid mem leak */
+ free(princ_entry->policy);
+ } else {
+ princ_entry->admin_history_kvno = 2;
+ }
princ_entry->policy = policy_dn;
xdralloc_create(&xdrs, XDR_ENCODE);
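Review bot: `princ_entry->aux_attributes = KADM5_POLICY;` now runs before the decode of the old record, so when `old_tl_data` is non-NULL the decoded value presumably replaces it and an old record without the policy bit produces a new record with a policy name but no `KADM5_POLICY`. Moving the assignment below the if/else, next to `princ_entry->policy = policy_dn;`, for example as `princ_entry->aux_attributes |= KADM5_POLICY;`, keeps the two fields consistent. On the decode-failure path, plain `free(princ_entry)` may also leave members that a partial decode allocated (policy string, key history) unreleased; whether `ldap_osa_free_princ_ent` is the right release call is not visible here. The function continues past the end of the hunk.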
diff --git a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
index 914aa452e3..68164c0a5f 100644
--- a/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
+++ b/usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -73,7 +73,8 @@ ldap_osa_free_princ_ent(osa_princ_ent_t val);
krb5_error_code
krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry);
+/* Solaris Kerberos: adding support for key history in LDAP KDB */
krb5_error_code
-krb5_update_tl_kadm_data(char *, krb5_tl_data *);
+krb5_update_tl_kadm_data(char *, krb5_tl_data *, krb5_tl_data *);
#endif