r11536: Add a hook for client-principal access control to hdb-ldb, re-using

the code in auth/auth_sam.c for consistancy.  This will also allow us
to have one place for a backend directory hook.

I will use a very similar hook to add the PAC.

Andrew Bartlett
(This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)

1 files changed, 56 insertions, 0 deletions

diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 5a251607b6..b14bb50ea5 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -82,3 +82,59 @@ _kdc_free_ent(krb5_context context, hdb_entry *ent)
     free (ent);
 }
 
+krb5_error_code
+_kdc_db_fetch_ex(krb5_context context,
+		 krb5_kdc_configuration *config,
+		 krb5_principal principal, enum hdb_ent_type ent_type, 
+		 hdb_entry_ex **h)
+{
+    hdb_entry_ex *ent;
+    krb5_error_code ret = HDB_ERR_NOENTRY;
+    int i;
+
+    ent = malloc (sizeof (*ent));
+    if (ent == NULL)
+	return ENOMEM;
+    memset(ent, '\0', sizeof(*ent));
+
+    ent->entry.principal = principal;
+
+    for(i = 0; i < config->num_db; i++) {
+	ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
+	if (ret) {
+	    kdc_log(context, config, 0, "Failed to open database: %s", 
+		    krb5_get_err_text(context, ret));
+	    continue;
+	}
+	if (config->db[i]->hdb_fetch_ex) {
+		ret = config->db[i]->hdb_fetch_ex(context, 
+						  config->db[i],
+						  HDB_F_DECRYPT, 
+						  principal, 
+						  ent_type,
+						  ent);
+	} else {
+		ret = config->db[i]->hdb_fetch(context, 
+					       config->db[i],
+					       HDB_F_DECRYPT, 
+					       principal, 
+					       ent_type,
+					       &ent->entry);
+	}
+	config->db[i]->hdb_close(context, config->db[i]);
+	if(ret == 0) {
+	    *h = ent;
+	    return 0;
+	}
+    }
+    free(ent);
+    return ret;
+}
+
+void
+_kdc_free_ent_ex(krb5_context context, hdb_entry_ex *ent)
+{
+    hdb_free_entry_ex (context, ent);
+    free (ent);
+}
+