2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004, Andrew Bartlett <abartlet@samba.org>.
4 * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 #include "lib/ldb/include/ldb.h"
40 #include "system/iconv.h"
43 { HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER,
44 HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
46 static const char * const krb5_attrs[] = {
51 "servicePrincipalName",
65 "msDS-KeyVersionNumber",
69 static const char *realm_ref_attrs[] = {
75 static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
81 gentime = ldb_msg_find_string(msg, attr, NULL);
85 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
93 static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_ldb_ent_type ent_type)
95 HDBFlags flags = int2HDBFlags(0);
97 krb5_warnx(context, "uf2HDBFlags: userAccountControl: %08x\n", userAccountControl);
99 /* we don't allow kadmin deletes */
102 /* mark the principal as invalid to start with */
107 /* All accounts are servers, but this may be disabled again in the caller */
110 /* Account types - clear the invalid bit if it turns out to be valid */
111 if (userAccountControl & UF_NORMAL_ACCOUNT) {
112 if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
118 if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
119 if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
124 if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
125 if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
130 if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
131 if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
137 /* Not permitted to act as a client if disabled */
138 if (userAccountControl & UF_ACCOUNTDISABLE) {
141 if (userAccountControl & UF_LOCKOUT) {
145 if (userAccountControl & UF_PASSWORD_NOTREQD) {
150 if (userAccountControl & UF_PASSWORD_CANT_CHANGE) {
155 if (userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED) {
159 if (userAccountControl & UF_TEMP_DUPLICATE_ACCOUNT) {
163 /* UF_DONT_EXPIRE_PASSWD handled in LDB_message2entry() */
166 if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
170 if (userAccountControl & UF_SMARTCARD_REQUIRED) {
171 flags.require_hwauth = 1;
173 if (flags.server && (userAccountControl & UF_TRUSTED_FOR_DELEGATION)) {
174 flags.forwardable = 1;
176 } else if (flags.client && (userAccountControl & UF_NOT_DELEGATED)) {
177 flags.forwardable = 0;
180 flags.forwardable = 1;
185 if (userAccountControl & UF_SMARTCARD_USE_DES_KEY_ONLY) {
189 if (userAccountControl & UF_DONT_REQUIRE_PREAUTH) {
190 flags.require_preauth = 0;
192 flags.require_preauth = 1;
196 krb5_warnx(context, "uf2HDBFlags: HDBFlags: %08x\n", HDBFlags2int(flags));
202 * Construct an hdb_entry from a directory entry.
204 static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
205 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
206 enum hdb_ldb_ent_type ent_type,
207 struct ldb_message *msg,
208 struct ldb_message *realm_ref_msg,
211 const char *unicodePwd;
212 int userAccountControl;
214 krb5_error_code ret = 0;
215 const char *dnsdomain = ldb_msg_find_string(realm_ref_msg, "dnsRoot", NULL);
216 char *realm = strupper_talloc(mem_ctx, dnsdomain);
219 memset(ent, 0, sizeof(*ent));
221 krb5_warnx(context, "LDB_message2entry:\n");
224 krb5_set_error_string(context, "talloc_strdup: out of memory");
229 userAccountControl = ldb_msg_find_int(msg, "userAccountControl", 0);
231 ent->principal = malloc(sizeof(*(ent->principal)));
232 if (ent_type == HDB_LDB_ENT_TYPE_ANY && principal == NULL) {
233 const char *samAccountName = ldb_msg_find_string(msg, "samAccountName", NULL);
234 if (!samAccountName) {
235 krb5_set_error_string(context, "LDB_message2entry: no samAccountName present");
239 samAccountName = ldb_msg_find_string(msg, "samAccountName", NULL);
240 krb5_make_principal(context, &ent->principal, realm, samAccountName, NULL);
243 ret = copy_Principal(principal, ent->principal);
245 krb5_clear_error_string(context);
249 /* While we have copied the client principal, tests
250 * show that Win2k3 returns the 'corrected' realm, not
251 * the client-specified realm. This code attempts to
252 * replace the client principal's realm with the one
253 * we determine from our records */
256 free(*krb5_princ_realm(context, ent->principal));
258 /* this has to be with malloc() */
259 strdup_realm = strdup(realm);
262 krb5_clear_error_string(context);
265 krb5_princ_set_realm(context, ent->principal, &strdup_realm);
268 ent->kvno = ldb_msg_find_int(msg, "msDS-KeyVersionNumber", 0);
270 ent->flags = uf2HDBFlags(context, userAccountControl, ent_type);
272 if (ent_type == HDB_LDB_ENT_TYPE_KRBTGT) {
273 ent->flags.invalid = 0;
274 ent->flags.server = 1;
277 if (lp_parm_bool(-1, "kdc", "require spn for service", True)) {
278 if (!ldb_msg_find_string(msg, "servicePrincipalName", NULL)) {
279 ent->flags.server = 0;
283 /* use 'whenCreated' */
284 ent->created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
286 ent->created_by.principal = NULL;
288 ent->modified_by = (Event *) malloc(sizeof(Event));
289 if (ent->modified_by == NULL) {
290 krb5_set_error_string(context, "malloc: out of memory");
295 /* use 'whenChanged' */
296 ent->modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
298 ent->modified_by->principal = NULL;
300 ent->valid_start = NULL;
302 ent->valid_end = NULL;
305 ent->max_life = NULL;
307 ent->max_renew = NULL;
309 ent->generation = NULL;
311 /* create the keys and enctypes */
312 unicodePwd = ldb_msg_find_string(msg, "unicodePwd", NULL);
314 /* Many, many thanks to lukeh@padl.com for this
315 * algorithm, described in his Nov 10 2004 mail to
316 * samba-technical@samba.org */
318 Principal *salt_principal;
319 const char *user_principal_name = ldb_msg_find_string(msg, "userPrincipalName", NULL);
320 struct ldb_message_element *objectclasses;
321 struct ldb_val computer_val;
322 computer_val.data = discard_const_p(uint8_t,"computer");
323 computer_val.length = strlen((const char *)computer_val.data);
325 objectclasses = ldb_msg_find_element(msg, "objectClass");
327 if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
328 /* Determine a salting principal */
329 char *samAccountName = talloc_strdup(mem_ctx, ldb_msg_find_string(msg, "samAccountName", NULL));
331 if (!samAccountName) {
332 krb5_set_error_string(context, "LDB_message2entry: no samAccountName present");
336 if (samAccountName[strlen(samAccountName)-1] == '$') {
337 samAccountName[strlen(samAccountName)-1] = '\0';
339 saltbody = talloc_asprintf(mem_ctx, "%s.%s", samAccountName, dnsdomain);
341 ret = krb5_make_principal(context, &salt_principal, realm, "host", saltbody, NULL);
342 } else if (user_principal_name) {
344 user_principal_name = talloc_strdup(mem_ctx, user_principal_name);
345 if (!user_principal_name) {
349 p = strchr(user_principal_name, '@');
353 ret = krb5_make_principal(context, &salt_principal, realm, user_principal_name, NULL);
356 const char *samAccountName = ldb_msg_find_string(msg, "samAccountName", NULL);
357 ret = krb5_make_principal(context, &salt_principal, realm, samAccountName, NULL);
361 size_t num_keys = ent->keys.len;
363 * create keys from unicodePwd
365 ret = hdb_generate_key_set_password(context, salt_principal,
367 &ent->keys.val, &num_keys);
368 ent->keys.len = num_keys;
369 krb5_free_principal(context, salt_principal);
373 krb5_warnx(context, "could not generate keys from unicodePwd\n");
374 ent->keys.val = NULL;
379 const struct ldb_val *val;
382 val = ldb_msg_find_ldb_val(msg, "ntPwdHash");
384 krb5_warnx(context, "neither type of key available for this account\n");
385 ent->keys.val = NULL;
387 } else if (val->length < 16) {
388 ent->keys.val = NULL;
390 krb5_warnx(context, "ntPwdHash has invalid length: %d\n",
393 ret = krb5_data_alloc (&keyvalue, 16);
395 krb5_set_error_string(context, "malloc: out of memory");
400 memcpy(keyvalue.data, val->data, 16);
402 ent->keys.val = malloc(sizeof(ent->keys.val[0]));
403 if (ent->keys.val == NULL) {
404 krb5_data_free(&keyvalue);
405 krb5_set_error_string(context, "malloc: out of memory");
410 memset(&ent->keys.val[0], 0, sizeof(Key));
411 ent->keys.val[0].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
412 ent->keys.val[0].key.keyvalue = keyvalue;
419 ent->etypes = malloc(sizeof(*(ent->etypes)));
420 if (ent->etypes == NULL) {
421 krb5_set_error_string(context, "malloc: out of memory");
425 ent->etypes->len = ent->keys.len;
426 ent->etypes->val = calloc(ent->etypes->len, sizeof(int));
427 if (ent->etypes->val == NULL) {
428 krb5_set_error_string(context, "malloc: out of memory");
432 for (i=0; i < ent->etypes->len; i++) {
433 ent->etypes->val[i] = ent->keys.val[i].key.keytype;
438 /* I don't think this frees ent itself. */
439 hdb_free_entry(context, ent);
445 static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_context *ldb_ctx,
447 krb5_const_principal principal,
448 enum hdb_ldb_ent_type ent_type,
449 const struct ldb_dn *realm_dn,
450 struct ldb_message ***pmsg)
455 const char * const *princ_attrs = krb5_attrs;
458 char *princ_str_talloc;
460 char *short_princ_talloc;
464 struct ldb_message **msg = NULL;
466 ret = krb5_unparse_name(context, principal, &princ_str);
469 krb5_set_error_string(context, "LDB_lookup_principal: could not parse principal");
470 krb5_warnx(context, "LDB_lookup_principal: could not parse principal");
474 ret = krb5_unparse_name_norealm(context, principal, &short_princ);
478 krb5_set_error_string(context, "LDB_lookup_principal: could not parse principal");
479 krb5_warnx(context, "LDB_lookup_principal: could not parse principal");
483 princ_str_talloc = talloc_strdup(mem_ctx, princ_str);
484 short_princ_talloc = talloc_strdup(mem_ctx, short_princ);
487 if (!short_princ || !princ_str_talloc) {
488 krb5_set_error_string(context, "LDB_lookup_principal: talloc_strdup() failed!");
493 case HDB_LDB_ENT_TYPE_CLIENT:
497 case HDB_LDB_ENT_TYPE_KRBTGT:
498 filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
501 case HDB_LDB_ENT_TYPE_SERVER:
502 filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
505 case HDB_LDB_ENT_TYPE_ANY:
506 filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(|(|(samAccountName=%s)(servicePrincipalName=%s))(userPrincipalName=%s)))",
507 short_princ_talloc, short_princ_talloc, princ_str_talloc);
512 krb5_set_error_string(context, "talloc_asprintf: out of memory");
516 count = ldb_search(ldb_ctx, realm_dn, LDB_SCOPE_SUBTREE, filter,
519 realm_dn_str = ldb_dn_linearize(mem_ctx, realm_dn);
522 krb5_warnx(context, "ldb_search: basedn: '%s' filter: '%s' failed: %d",
523 realm_dn_str, filter, count);
524 krb5_set_error_string(context, "ldb_search: basedn: '%s' filter: '%s' failed: %d",
525 realm_dn_str, filter, count);
526 return HDB_ERR_NOENTRY;
527 } else if (count > 1) {
529 krb5_warnx(context, "ldb_search: basedn: '%s' filter: '%s' more than 1 entry: %d",
530 realm_dn_str, filter, count);
531 krb5_set_error_string(context, "ldb_search: basedn: '%s' filter: '%s' more than 1 entry: %d",
532 realm_dn_str, filter, count);
533 return HDB_ERR_NOENTRY;
535 *pmsg = talloc_steal(mem_ctx, msg);
539 static krb5_error_code LDB_lookup_realm(krb5_context context, struct ldb_context *ldb_ctx,
542 struct ldb_message ***pmsg)
545 char *cross_ref_filter;
546 struct ldb_message **cross_ref_msg;
548 cross_ref_filter = talloc_asprintf(mem_ctx,
549 "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
551 if (!cross_ref_filter) {
552 krb5_set_error_string(context, "asprintf: out of memory");
556 count = ldb_search(ldb_ctx, NULL, LDB_SCOPE_SUBTREE, cross_ref_filter,
557 realm_ref_attrs, &cross_ref_msg);
560 krb5_warnx(context, "ldb_search: filter: '%s' failed: %d", cross_ref_filter, count);
561 krb5_set_error_string(context, "ldb_search: filter: '%s' failed: %d", cross_ref_filter, count);
563 talloc_free(cross_ref_msg);
564 return HDB_ERR_NOENTRY;
565 } else if (count > 1) {
566 krb5_warnx(context, "ldb_search: filter: '%s' more than 1 entry: %d", cross_ref_filter, count);
567 krb5_set_error_string(context, "ldb_search: filter: '%s' more than 1 entry: %d", cross_ref_filter, count);
569 talloc_free(cross_ref_msg);
570 return HDB_ERR_NOENTRY;
574 *pmsg = talloc_steal(mem_ctx, cross_ref_msg);
576 talloc_free(cross_ref_msg);
583 static krb5_error_code LDB_open(krb5_context context, HDB *db, int flags, mode_t mode)
585 if (db->hdb_master_key_set) {
586 krb5_warnx(context, "LDB_open: use of a master key incompatible with LDB\n");
587 krb5_set_error_string(context, "LDB_open: use of a master key incompatible with LDB\n");
588 return HDB_ERR_NOENTRY;
594 static krb5_error_code LDB_close(krb5_context context, HDB *db)
599 static krb5_error_code LDB_lock(krb5_context context, HDB *db, int operation)
604 static krb5_error_code LDB_unlock(krb5_context context, HDB *db)
609 static krb5_error_code LDB_rename(krb5_context context, HDB *db, const char *new_name)
611 return HDB_ERR_DB_INUSE;
614 static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
615 krb5_const_principal principal,
616 enum hdb_ent_type ent_type,
619 struct ldb_message **msg = NULL;
620 struct ldb_message **realm_ref_msg = NULL;
621 struct ldb_message **realm_fixed_msg = NULL;
622 enum hdb_ldb_ent_type ldb_ent_type;
626 const struct ldb_dn *realm_dn;
627 TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "LDB_fetch context");
630 krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
634 /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
635 * is in our db, then direct the caller at our primary
639 case HDB_ENT_TYPE_CLIENT:
642 char *principal_string;
643 ldb_ent_type = HDB_LDB_ENT_TYPE_CLIENT;
645 ret = krb5_unparse_name(context, principal, &principal_string);
648 talloc_free(mem_ctx);
652 nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db,
653 mem_ctx, principal_string,
654 &msg, &realm_ref_msg);
655 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
656 return HDB_ERR_NOENTRY;
657 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
659 } else if (!NT_STATUS_IS_OK(nt_status)) {
663 ret = LDB_message2entry(context, db, mem_ctx,
664 principal, ldb_ent_type,
665 msg[0], realm_ref_msg[0], entry);
666 talloc_free(mem_ctx);
669 case HDB_ENT_TYPE_SERVER:
670 if (principal->name.name_string.len == 2
671 && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)) {
672 /* krbtgt case. Either us or a trusted realm */
673 if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
674 mem_ctx, principal->name.name_string.val[1], &realm_fixed_msg) == 0)) {
676 const char *dnsdomain = ldb_msg_find_string(realm_fixed_msg[0], "dnsRoot", NULL);
677 char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
679 krb5_set_error_string(context, "strupper_talloc: out of memory");
680 talloc_free(mem_ctx);
684 free(principal->name.name_string.val[1]);
685 principal->name.name_string.val[1] = strdup(realm_fixed);
686 talloc_free(realm_fixed);
687 if (!principal->name.name_string.val[1]) {
688 krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
689 talloc_free(mem_ctx);
692 ldb_ent_type = HDB_LDB_ENT_TYPE_KRBTGT;
695 /* we should lookup trusted domains */
696 return HDB_ERR_NOENTRY;
699 } else if (principal->name.name_string.len >= 2) {
700 /* 'normal server' case */
703 struct ldb_dn *user_dn, *domain_dn;
704 char *principal_string;
705 ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
707 ret = krb5_unparse_name_norealm(context, principal, &principal_string);
710 talloc_free(mem_ctx);
714 /* At this point we may find the host is known to be
715 * in a different realm, so we should generate a
716 * referral instead */
717 nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
718 mem_ctx, principal_string,
719 &user_dn, &domain_dn);
720 free(principal_string);
722 if (!NT_STATUS_IS_OK(nt_status)) {
723 talloc_free(mem_ctx);
724 return HDB_ERR_NOENTRY;
727 ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
728 mem_ctx, user_dn, &msg, krb5_attrs);
731 return HDB_ERR_NOENTRY;
734 ldb_ret = gendb_search((struct ldb_context *)db->hdb_db,
735 mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs,
736 "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn));
739 return HDB_ERR_NOENTRY;
742 ret = LDB_message2entry(context, db, mem_ctx,
743 principal, ldb_ent_type,
744 msg[0], realm_ref_msg[0], entry);
745 talloc_free(mem_ctx);
749 ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
750 /* server as client principal case, but we must not lookup userPrincipalNames */
753 case HDB_ENT_TYPE_ANY:
754 ldb_ent_type = HDB_LDB_ENT_TYPE_ANY;
757 krb5_warnx(context, "LDB_fetch: invalid ent_type specified!");
758 talloc_free(mem_ctx);
759 return HDB_ERR_NOENTRY;
763 realm = krb5_principal_get_realm(context, principal);
765 ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
766 mem_ctx, realm, &realm_ref_msg);
768 krb5_warnx(context, "LDB_fetch: could not find realm");
769 talloc_free(mem_ctx);
770 return HDB_ERR_NOENTRY;
773 realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
775 ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
777 principal, ldb_ent_type, realm_dn, &msg);
780 krb5_warnx(context, "LDB_fetch: could not find principal in DB");
781 krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
782 talloc_free(mem_ctx);
785 ret = LDB_message2entry(context, db, mem_ctx,
786 principal, ldb_ent_type,
787 msg[0], realm_ref_msg[0], entry);
789 krb5_warnx(context, "LDB_fetch: message2entry failed\n");
793 talloc_free(mem_ctx);
797 static krb5_error_code LDB_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
799 return HDB_ERR_DB_INUSE;
802 static krb5_error_code LDB_remove(krb5_context context, HDB *db, hdb_entry *entry)
804 return HDB_ERR_DB_INUSE;
808 struct ldb_context *ctx;
811 struct ldb_message **msgs;
812 struct ldb_message **realm_ref_msgs;
815 static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
818 struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_openp;
821 return HDB_ERR_NOENTRY;
824 mem_ctx = talloc_named(priv, 0, "LDB_seq context");
827 krb5_set_error_string(context, "LDB_seq: talloc_named() failed!");
831 if (priv->index < priv->count) {
832 ret = LDB_message2entry(context, db, mem_ctx,
833 NULL, HDB_LDB_ENT_TYPE_ANY,
834 priv->msgs[priv->index++],
835 priv->realm_ref_msgs[0], entry);
837 ret = HDB_ERR_NOENTRY;
842 db->hdb_openp = NULL;
844 talloc_free(mem_ctx);
850 static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flags,
853 struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db;
854 struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_openp;
856 struct ldb_dn *realm_dn = NULL;
857 struct ldb_message **msgs = NULL;
858 struct ldb_message **realm_ref_msgs = NULL;
867 priv = (struct hdb_ldb_seq *) talloc(db, struct hdb_ldb_seq);
869 krb5_set_error_string(context, "talloc: out of memory");
876 priv->realm_ref_msgs = NULL;
879 mem_ctx = talloc_named(priv, 0, "LDB_firstkey context");
882 krb5_set_error_string(context, "LDB_firstkey: talloc_named() failed!");
886 ret = krb5_get_default_realm(context, &realm);
892 ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
893 mem_ctx, realm, &realm_ref_msgs);
899 krb5_warnx(context, "LDB_firstkey: could not find realm\n");
900 return HDB_ERR_NOENTRY;
903 realm_dn = samdb_result_dn(mem_ctx, realm_ref_msgs[0], "nCName", NULL);
905 priv->realm_ref_msgs = talloc_steal(priv, realm_ref_msgs);
907 krb5_warnx(context, "LDB_firstkey: realm ok\n");
909 priv->count = ldb_search(ldb_ctx, realm_dn,
910 LDB_SCOPE_SUBTREE, "(objectClass=user)",
913 priv->msgs = talloc_steal(priv, msgs);
915 if (priv->count <= 0) {
917 return HDB_ERR_NOENTRY;
920 db->hdb_openp = priv;
922 ret = LDB_seq(context, db, flags, entry);
926 db->hdb_openp = NULL;
928 talloc_free(mem_ctx);
933 static krb5_error_code LDB_nextkey(krb5_context context, HDB *db, unsigned flags,
936 return LDB_seq(context, db, flags, entry);
939 static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
945 krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
946 krb5_context context, struct HDB **db, const char *arg)
948 *db = talloc(mem_ctx, HDB);
950 krb5_set_error_string(context, "malloc: out of memory");
954 (*db)->hdb_master_key_set = 0;
955 (*db)->hdb_db = NULL;
957 /* Setup the link to LDB */
958 (*db)->hdb_db = samdb_connect(*db, system_session(db));
959 if ((*db)->hdb_db == NULL) {
960 krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!");
961 krb5_set_error_string(context, "samdb_connect failed!");
963 return HDB_ERR_NOENTRY;
966 (*db)->hdb_openp = 0;
967 (*db)->hdb_open = LDB_open;
968 (*db)->hdb_close = LDB_close;
969 (*db)->hdb_fetch = LDB_fetch;
970 (*db)->hdb_store = LDB_store;
971 (*db)->hdb_remove = LDB_remove;
972 (*db)->hdb_firstkey = LDB_firstkey;
973 (*db)->hdb_nextkey = LDB_nextkey;
974 (*db)->hdb_lock = LDB_lock;
975 (*db)->hdb_unlock = LDB_unlock;
976 (*db)->hdb_rename = LDB_rename;
977 /* we don't implement these, as we are not a lockable database */
978 (*db)->hdb__get = NULL;
979 (*db)->hdb__put = NULL;
980 /* kadmin should not be used for deletes - use other tools instead */
981 (*db)->hdb__del = NULL;
982 (*db)->hdb_destroy = LDB_destroy;