Comparing changes

base: master
...
compare: krbldap
  • 16 commits
  • 8 files changed
  • 0 commit comments
  • 1 contributor
13 src/aclocal.m4
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_AC_ENABLE_KRBLDAP
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1268,6 +1269,18 @@ ns_initparse ns_name_uncompress dn_skipname res_search)
fi
fi
])
+dnl
+dnl The following was written by aleksander.adamowski@gmail.com
+dnl
+dnl This test ensures propagation of KRBLDAP defines.
+AC_DEFUN(KRB5_AC_ENABLE_KRBLDAP, [
+AC_ARG_ENABLE([krbldap],
+[ --enable-krbldap enable KrbLDAP transport in addition to TCP and UDP], ,
+[enable_krbldap=no])
+ if test "$enable_krbldap" = yes; then
+ ENABLE_KRBLDAP=yes
+ fi
+])
AC_DEFUN([_KRB5_AC_CHECK_RES_FUNCS],
[AC_FOREACH([AC_Func], [$1],
[AH_TEMPLATE(AS_TR_CPP(HAVE_[]AC_Func),
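Review bot: KRB5_AC_ENABLE_KRBLDAP only assigns ENABLE_KRBLDAP on the `yes` branch and never clears it otherwise, while configure.in tests `-n "$ENABLE_KRBLDAP"`; a value inherited from the caller's environment would therefore switch the transport on even with `--disable-krbldap` or no option at all. Initialise it unconditionally before the test, `ENABLE_KRBLDAP=`, so the option alone decides. As a matter of style the macro name is unquoted, unlike the neighbouring `AC_DEFUN([_KRB5_AC_CHECK_RES_FUNCS],`; write `AC_DEFUN([KRB5_AC_ENABLE_KRBLDAP], [` and consider AS_HELP_STRING for the help text so it aligns with the other `--enable` entries.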
28 src/configure.in
@@ -1116,7 +1116,7 @@ fi
ldap_plugin_dir=""
ldap_lib=""
-if test -n "$OPENLDAP_PLUGIN"; then
+if test -n "$OPENLDAP_PLUGIN" -o -n "$ENABLE_KRBLDAP"; then
AC_CHECK_HEADERS(ldap.h lber.h, :, [AC_MSG_ERROR($ac_header not found)])
AC_CHECK_LIB(ldap, ldap_init, :, [AC_MSG_ERROR(libldap not found or missing ldap_init)])
old_LIBS="$LIBS"
@@ -1136,16 +1136,24 @@ if test -n "$OPENLDAP_PLUGIN"; then
AC_ERROR("BER library missing - cannot build LDAP database module")
fi
fi
- AC_DEFINE([ENABLE_LDAP], 1, [Define if LDAP KDB support within the Kerberos library (mainly ASN.1 code) should be enabled.])
+ if test -n "$ENABLE_KRBLDAP"; then
+ AC_DEFINE(KRB5_KRBLDAP, 1,[Define for support for KrbLDAP protocol])
+ KRBLDAP=yes
+ else
+ KRBLDAP=no
+ fi
+ if test -n "$OPENLDAP_PLUGIN"; then
+ AC_DEFINE([ENABLE_LDAP], 1, [Define if LDAP KDB support within the Kerberos library (mainly ASN.1 code) should be enabled.])
+
+ K5_GEN_MAKEFILE(plugins/kdb/ldap)
+ K5_GEN_MAKEFILE(plugins/kdb/ldap/ldap_util)
+ K5_GEN_MAKEFILE(plugins/kdb/ldap/libkdb_ldap)
+ ldap_plugin_dir='plugins/kdb/ldap plugins/kdb/ldap/ldap_util'
+ LDAP=yes
+ else
+ LDAP=no
+ fi
AC_SUBST(LDAP_LIBS)
-
- K5_GEN_MAKEFILE(plugins/kdb/ldap)
- K5_GEN_MAKEFILE(plugins/kdb/ldap/ldap_util)
- K5_GEN_MAKEFILE(plugins/kdb/ldap/libkdb_ldap)
- ldap_plugin_dir='plugins/kdb/ldap plugins/kdb/ldap/ldap_util'
- LDAP=yes
-else
- LDAP=no
fi
AC_SUBST(ldap_plugin_dir)
AC_SUBST(LDAP)
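Review bot: KRBLDAP is set to yes/no (lines with `KRBLDAP=yes` / `KRBLDAP=no`) but, unlike LDAP two lines below, it is not exported with `AC_SUBST(KRBLDAP)` in this hunk; if nothing else in configure.in substitutes it the variable is dead, and if Makefiles are meant to consume it the substitution is missing. The new condition `test -n "$OPENLDAP_PLUGIN" -o -n "$ENABLE_KRBLDAP"` uses the obsolescent `-o` form; the portable spelling is `if test -n "$OPENLDAP_PLUGIN" || test -n "$ENABLE_KRBLDAP"; then`. Note also that LDAP_LIBS is now computed in this shared block for both options, which matters for the libkrb5 link line changed in src/lib/krb5/Makefile.in.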
12 src/include/k5-int.h
@@ -379,6 +379,12 @@ typedef INT64_TYPE krb5_int64;
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
to the IAKERB proxy */
+#ifdef KRB5_KRBLDAP
+#define KRBLDAP_OID_EXOP_BASE "1.3.6.1.4.1.38261.1"
+#define KRBLDAP_OID_EXOP_AS_REQ KRBLDAP_OID_EXOP_BASE ".1"
+#define KRBLDAP_OID_EXOP_TGS_REQ KRBLDAP_OID_EXOP_BASE ".2"
+#endif
+
/*
* A null-terminated array of this structure is returned by the KDC as
* the data part of the ETYPE_INFO preauth type. It informs the
@@ -1348,7 +1354,11 @@ struct _krb5_context {
#ifdef KRB5_DNS_LOOKUP
krb5_boolean profile_in_memory;
#endif /* KRB5_DNS_LOOKUP */
-
+
+#ifdef KRB5_KRBLDAP
+ krb5_boolean use_krbldap;
+#endif /* KRB5_DNS_LOOKUP */
+
/* locate_kdc module stuff */
struct plugin_dir_handle libkrb5_plugins;
struct krb5plugin_service_locate_ftable *vtbl;
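Review bot: The closing guard comment for the new `use_krbldap` member is wrong: it reads `#endif /* KRB5_DNS_LOOKUP */` but closes the `#ifdef KRB5_KRBLDAP` block, so the next reader will match it with the wrong conditional; it should be `#endif /* KRB5_KRBLDAP */`. Nothing in this change initialises or reads `use_krbldap`: krb5_sendto_kdc in sendto_kdc.c selects the transport with a compile-time `#ifdef KRB5_KRBLDAP` rather than consulting the context, so the field cannot currently switch transports at runtime. Either make the call site test `context->use_krbldap` (and document where it is set) or drop the member until it is used. A one-line comment on the OID macros saying they name the KrbLDAP AS-REQ / TGS-REQ extended operations would also help, since the TGS OID has no user in this change.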
2  src/lib/krb5/Makefile.in
@@ -56,7 +56,7 @@ RELDIR=krb5
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
-SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS)
+SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LDAP_LIBS) $(LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
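Review bot: Adding `$(LDAP_LIBS)` to SHLIB_EXPLIBS makes libkrb5 itself link against libldap/liblber whenever LDAP_LIBS is non-empty, and configure.in now computes LDAP_LIBS in the block entered for OPENLDAP_PLUGIN as well, so an ordinary LDAP-KDB build with no KrbLDAP transport compiled in still gains the dependency. If that is not intended, substitute a separate variable populated only when ENABLE_KRBLDAP is set (for example a constructed name such as KRBLDAP_LIBS) and use that here instead of LDAP_LIBS.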
2  src/lib/krb5/os/Makefile.in
@@ -4,7 +4,7 @@ KRB5_RUN_ENV = @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
DEFS=
-DEFINES=-DLIBDIR=\"$(KRB5_LIBDIR)\"
+DEFINES=-DLIBDIR=\"$(KRB5_LIBDIR)\" -DDEBUG
LOCALINCLUDES=-I$(top_srcdir)/util/profile
##DOS##BUILDTOP = ..\..\..
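Review bot: `-DDEBUG` is appended to DEFINES unconditionally, so every build of this directory, including release builds, has debug tracing compiled in and, together with the changes in src/lib/krb5/os/locate_kdc.c (Tprintf switched from `#ifdef TEST` to `#ifdef DEBUG`) and src/lib/krb5/os/sendto_kdc.c (`#undef DEBUG` commented out and `krb5int_debug_sendto_kdc = 1`), libkrb5 will write KDC lookup and send/receive traces to stderr of any application that links it. That output includes server names and KDC error text and cannot be switched off by the application. Keep `#undef DEBUG` in sendto_kdc.c and the default of 0 for krb5int_debug_sendto_kdc, and make the define a developer-only flag (a configure option or a local `DEFINES=... $(DEBUG_DEFINES)` override) rather than the default.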
2  src/lib/krb5/os/locate_kdc.c
@@ -113,7 +113,7 @@ k5_free_serverlist (struct serverlist *list)
static inline void
Tprintf(const char *fmt, ...)
{
-#ifdef TEST
+#ifdef DEBUG
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
12 src/lib/krb5/os/os-proto.h
@@ -100,6 +100,18 @@ krb5_error_code k5_sendto(krb5_context context, const krb5_data *message,
void *),
void *msg_handler_data);
+#ifdef KRB5_KRBLDAP
+krb5_error_code krbldap_sendto(krb5_context context, const krb5_data *message,
+ const struct serverlist *addrs,
+ int socktype1, int socktype2,
+ struct sendto_callback_info *callback_info,
+ krb5_data *reply, struct sockaddr *remoteaddr,
+ socklen_t *remoteaddrlen, int *server_used,
+ int (*msg_handler)(krb5_context, const krb5_data *,
+ void *),
+ void *msg_handler_data);
+#endif
+
krb5_error_code krb5int_get_fq_local_hostname(char *, size_t);
/* The io vector is *not* const here, unlike writev()! */
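Review bot: The new krbldap_sendto prototype mirrors k5_sendto's signature, but its implementation in sendto_kdc.c uses only `addrs`, `reply` and `server_used`; `socktype1`/`socktype2`, `callback_info`, `remoteaddr`/`remoteaddrlen`, `msg_handler` and `msg_handler_data` are accepted and ignored, which a caller cannot tell from the declaration. Add a comment above it stating that the message is sent as an LDAP extended operation to each server in `addrs` in turn until one answers, that the remaining parameters exist for parity with k5_sendto and are currently ignored, and that on success `reply->data` is malloc'd and owned by the caller.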
102 src/lib/krb5/os/sendto_kdc.c
@@ -51,14 +51,19 @@
#endif
#endif
+#ifdef KRB5_KRBLDAP
+#include <lber.h>
+#include <ldap.h>
+#endif
+
#define MAX_PASS 3
#define DEFAULT_UDP_PREF_LIMIT 1465
#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
-#undef DEBUG
+/*#undef DEBUG*/
#ifdef DEBUG
-int krb5int_debug_sendto_kdc = 0;
+int krb5int_debug_sendto_kdc = 1;
#define debug krb5int_debug_sendto_kdc
static void
@@ -333,12 +338,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
retval = k5_locate_kdc(context, realm, &servers, *use_master,
tcp_only ? SOCK_STREAM : 0);
- if (retval)
+ dprint("k5_locate_kdc retval: [%d]\n", retval);
+
+ if (retval) {
+ dprint("Error [%d], message: [%s]\n", context->err.code, context->err.msg);
return retval;
-
+ }
+#ifdef KRB5_KRBLDAP
+ dprint("using krbldap protocol to send kerberos message.\n");
+ retval = krbldap_sendto(context, message, &servers, socktype1, socktype2,
+ NULL, reply, NULL, NULL, &server_used,
+ check_for_svc_unavailable, &err);
+#else
+ dprint("using kerberos v5 protocol to send kerberos message.\n");
retval = k5_sendto(context, message, &servers, socktype1, socktype2,
NULL, reply, NULL, NULL, &server_used,
check_for_svc_unavailable, &err);
+#endif
if (retval == KRB5_KDC_UNREACH) {
if (err == KDC_ERR_SVC_UNAVAILABLE) {
retval = KRB5KDC_ERR_SVC_UNAVAILABLE;
@@ -1352,3 +1368,81 @@ k5_sendto(krb5_context context, const krb5_data *message,
free(sel_state);
return retval;
}
+#ifdef KRB5_KRBLDAP
+krb5_error_code
+krbldap_sendto(krb5_context context, const krb5_data *message,
+ const struct serverlist *servers, int socktype1, int socktype2,
+ struct sendto_callback_info* callback_info, krb5_data *reply,
+ struct sockaddr *remoteaddr, socklen_t *remoteaddrlen,
+ int *server_used,
+ /* return 0 -> keep going, 1 -> quit */
+ int (*msg_handler)(krb5_context, const krb5_data *, void *),
+ void *msg_handler_data)
+{
+ LDAP *ldap;
+ krb5_boolean done = FALSE;
+ struct server_entry *entry;
+ int ldap_version = LDAP_VERSION3;
+ struct berval berval;
+ struct berval *retdata = NULL;
+ char *retoid = NULL;
+ char *hostname = NULL;
+ char ldap_url[max(NI_MAXHOST + NI_MAXSERV + 30, 200)];
+ int s;
+ int port = 0;
+ int debug = 0xffffff;
+ int rc;
+ int retval = 0;
+
+ /* TODO: use *servers */
+ for (s = 0; s < servers->nservers && !done; s++) {
+ entry = &servers->servers[s];
+ hostname = entry->hostname;
+ port = 1389;
+ dprint("Trying server [%s] on port [%d].\n", hostname, port);
+ if (snprintf(ldap_url, sizeof (ldap_url), "ldap://%s:%d", hostname, port) >= sizeof (ldap_url)) {
+ /* Error, size limit hit */
+ retval = ENOMEM;
+ dprint("LDAP URL size greater than limit\n");
+ goto cleanup;
+ }
+ dprint("LDAP URL: [%s]\n", ldap_url);
+
+ rc = ldap_initialize(&ldap, ldap_url);
+ dprint("rc: [%d], LDAP_SUCCESS: [%d]\n", rc, LDAP_SUCCESS);
+
+ ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+
+ berval.bv_len = message->length;
+ berval.bv_val = message->data;
+
+ reply->length = 0;
+ reply->data = NULL;
+
+ ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug);
+ dprint("Before ldap_extended_operation_s:\n");
+ rc = ldap_extended_operation_s(ldap, KRBLDAP_OID_EXOP_AS_REQ, &berval, NULL, NULL, &retoid, &retdata);
+ dprint("After ldap_extended_operation_s.\n");
+ dprint("exop rc: [%d]\n", rc);
+ if (rc == 0) {
+ *server_used = s;
+ done = TRUE;
+ dprint("Finished processing on server index [%d]. Ending loop.\n", s);
+
+ reply->length = retdata->bv_len;
+ reply->data = malloc(reply->length);
+ if (reply->data == NULL) {
+ /* allocation failure */
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(reply->data, retdata->bv_val, retdata->bv_len);
+ }
+ }
+
+cleanup:
+ ber_memfree(retoid);
+ ber_bvfree(retdata);
+ return retval;
+}
+#endif
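Review bot: krbldap_sendto never checks the return of `ldap_initialize`, so on failure `ldap` is an uninitialised pointer handed to `ldap_set_option` and `ldap_extended_operation_s`, and on every path the handle is never released with `ldap_unbind_ext_s`, leaking one connection per server tried. When the extended operation fails on every server the loop ends with `retval` still 0 and `reply->data == NULL`, which krb5_sendto_kdc takes as success; when it succeeds, `retdata` is dereferenced without a NULL check, and `retoid`/`retdata` left over from an earlier iteration are overwritten before the single free at `cleanup`. `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug)` with `0xffffff` switches on process-wide libldap tracing on every call, writing the whole request/response exchange to stderr of any program linking libkrb5, and the local `int debug` collides with the `#define debug krb5int_debug_sendto_kdc` that is active now that DEBUG is defined, shadowing the library's own flag; delete both lines. The rewrite below checks the initialise result, frees per-iteration results, guards `retdata`, unbinds on every path and reports KRB5_KDC_UNREACH when no server answered; the hard-coded `port = 1389` that ignores the server entry and the unconditional use of `KRBLDAP_OID_EXOP_AS_REQ` for TGS traffic still need a decision.
```c
    for (s = 0; s < servers->nservers && !done; s++) {
        /* … unchanged: hostname/port selection, URL formatting, dprint … */

        ldap = NULL;
        rc = ldap_initialize(&ldap, ldap_url);
        if (rc != LDAP_SUCCESS) {
            dprint("ldap_initialize failed: [%d]\n", rc);
            continue;                           /* try the next server */
        }
        ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);

        /* … unchanged: berval setup, reply reset … */

        /* results of a previous iteration are ours to free before reuse */
        ber_memfree(retoid);
        retoid = NULL;
        ber_bvfree(retdata);
        retdata = NULL;
        rc = ldap_extended_operation_s(ldap, KRBLDAP_OID_EXOP_AS_REQ, &berval,
                                       NULL, NULL, &retoid, &retdata);
        /* an extended response need not carry a value: guard retdata */
        if (rc == LDAP_SUCCESS && retdata != NULL) {
            *server_used = s;
            done = TRUE;
            reply->length = retdata->bv_len;
            reply->data = malloc(reply->length);
            if (reply->data == NULL) {
                retval = ENOMEM;
                ldap_unbind_ext_s(ldap, NULL, NULL);
                goto cleanup;
            }
            memcpy(reply->data, retdata->bv_val, retdata->bv_len);
        }
        ldap_unbind_ext_s(ldap, NULL, NULL);    /* release the connection on every path */
    }
    if (!done)
        retval = KRB5_KDC_UNREACH;              /* no server answered: not a success */

cleanup:
    /* … unchanged: ber_memfree(retoid); ber_bvfree(retdata); return retval; … */
```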

No commit comments for this range
