oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Allow LDAP modifications for entry creation

Browse Source 
Heimdal will refuse to create new entries when an entry already exists even
if said entry has no kerberos info and is a new entry.

This patch fixes this issue by allowing object modifications even if the
flags disallow them when we are inserting a new principal on the database.

Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
This commit is contained in:
Francisco Blas (klondike) Izquierdo Riera
2014-12-16 07:12:26 +01:00
committed by Nico Williams
parent f4bb4df4a6
commit d6979fcc40
1 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
lib/hdb/hdb-ldap.c
View File

@@ -389,10 +389,10 @@ bervalstrcmp(struct berval *v, const char *str)
static krb5_error_code
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
LDAPMessage * msg, LDAPMod *** pmods)
LDAPMessage * msg, LDAPMod *** pmods, krb5_boolean *pis_new_entry)
{
krb5_error_code ret;
krb5_boolean is_new_entry;
krb5_boolean is_new_entry = FALSE;
char *tmp = NULL;
LDAPMod **mods = NULL;
hdb_entry_ex orig;
@@ -414,8 +414,6 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
if (ret)
goto out;
is_new_entry = FALSE;
vals = ldap_get_values_len(HDB2LDAP(db), msg, "objectClass");
if (vals) {
int num_objectclasses = ldap_count_values_len(vals);
@@ -454,12 +452,12 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
* orig being intiialized to zero */
memset(&orig, 0, sizeof(orig));
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
if (ret)
goto out;
/* account is the structural object class */
if (is_account == FALSE) {
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
if (ret)
goto out;
ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
structural_object);
is_account = TRUE;
@@ -759,6 +757,8 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
out:
*pis_new_entry = is_new_entry;
if (ret == 0)
*pmods = mods;
else if (mods != NULL) {
@@ -1737,6 +1737,7 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
int rc;
LDAPMessage *msg = NULL, *e = NULL;
char *dn = NULL, *name = NULL;
krb5_boolean is_new_entry;
if ((flags & HDB_F_PRECHECK))
return 0; /* we can't guarantee whether we'll be able to perform it */
@@ -1756,7 +1757,7 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
goto out;
/* turn new entry into LDAPMod array */
ret = LDAP_entry2mods(context, db, entry, e, &mods);
ret = LDAP_entry2mods(context, db, entry, e, &mods, &is_new_entry);
if (ret)
goto out;
@@ -1767,8 +1768,9 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
krb5_set_error_message(context, ret, "asprintf: out of memory");
goto out;
}
} else if (flags & HDB_F_REPLACE) {
} else if ((flags & HDB_F_REPLACE) || (is_new_entry)) {
/* Entry exists, and we're allowed to replace it. */
/* Entry may also exist but need to be modified to create a new principal. */
dn = ldap_get_dn(HDB2LDAP(db), e);
} else {
/* Entry exists, but we're not allowed to replace it. Bail. */
@@ -1847,6 +1849,8 @@ LDAP_remove(krb5_context context, HDB *db,
goto out;
}
/* HACK: This should check if we need to delete the object or just some attributes */
rc = ldap_delete_ext_s(HDB2LDAP(db), dn, NULL, NULL );
if (check_ldap(context, db, rc)) {
ret = HDB_ERR_CANT_LOCK_DB;