diff options
-rw-r--r-- | source4/kdc/hdb-ldb.c | 113 |
1 files changed, 66 insertions, 47 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index ff15772f73..3ac45fe801 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -196,6 +196,66 @@ static void hdb_ldb_free_entry(krb5_context context, hdb_entry_ex *entry_ex) talloc_free(entry_ex->ctx); } +static krb5_error_code LDB_message2entry_keys(TALLOC_CTX *mem_ctx, + struct ldb_message *msg, + unsigned int userAccountControl, + hdb_entry_ex *entry_ex) +{ + krb5_error_code ret = 0; + struct ldb_message_element *ldb_keys; + int i; + + /* Get krb5Key from the db */ + + ldb_keys = ldb_msg_find_element(msg, "krb5Key"); + + if (!ldb_keys) { + /* oh, no password. Apparently (comment in + * hdb-ldap.c) this violates the ASN.1, but this + * allows an entry with no keys (yet). */ + entry_ex->entry.keys.val = NULL; + entry_ex->entry.keys.len = 0; + } else { + /* allocate space to decode into */ + entry_ex->entry.keys.val = calloc(ldb_keys->num_values, sizeof(Key)); + if (entry_ex->entry.keys.val == NULL) { + ret = ENOMEM; + goto out; + } + + entry_ex->entry.keys.len = 0; + + /* Decode Kerberos keys into the hdb structure */ + for (i=0; i < ldb_keys->num_values; i++) { + size_t decode_len; + Key key; + ret = decode_Key(ldb_keys->values[i].data, ldb_keys->values[i].length, + &key, &decode_len); + if (ret) { + /* Could be bougus data in the entry, or out of memory */ + goto out; + } + + if (userAccountControl & UF_USE_DES_KEY_ONLY) { + switch (key.key.keytype) { + case KEYTYPE_DES: + entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; + entry_ex->entry.keys.len++; + default: + /* We must use DES keys only */ + break; + } + } else { + entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; + entry_ex->entry.keys.len++; + } + } + } + +out: + return ret; +} + /* * Construct an hdb_entry from a directory entry. */ @@ -220,7 +280,6 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, struct hdb_ldb_private *private; NTTIME acct_expiry; - struct ldb_message_element *ldb_keys; struct ldb_message_element *objectclasses; struct ldb_val computer_val; @@ -365,52 +424,12 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, entry_ex->entry.generation = NULL; - /* Get krb5Key from the db */ - - ldb_keys = ldb_msg_find_element(msg, "krb5Key"); - - if (!ldb_keys) { - /* oh, no password. Apparently (comment in - * hdb-ldap.c) this violates the ASN.1, but this - * allows an entry with no keys (yet). */ - entry_ex->entry.keys.val = NULL; - entry_ex->entry.keys.len = 0; - } else { - /* allocate space to decode into */ - entry_ex->entry.keys.val = calloc(ldb_keys->num_values, sizeof(Key)); - if (entry_ex->entry.keys.val == NULL) { - ret = ENOMEM; - goto out; - } - - entry_ex->entry.keys.len = 0; - - /* Decode Kerberos keys into the hdb structure */ - for (i=0; i < ldb_keys->num_values; i++) { - size_t decode_len; - Key key; - ret = decode_Key(ldb_keys->values[i].data, ldb_keys->values[i].length, - &key, &decode_len); - if (ret) { - /* Could be bougus data in the entry, or out of memory */ - goto out; - } - - if (userAccountControl & UF_USE_DES_KEY_ONLY) { - switch (key.key.keytype) { - case KEYTYPE_DES: - entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; - entry_ex->entry.keys.len++; - default: - /* We must use DES keys only */ - break; - } - } else { - entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; - entry_ex->entry.keys.len++; - } - } - } + /* Get keys from the db */ + ret = LDB_message2entry_keys(mem_ctx, msg, userAccountControl, entry_ex); + if (ret) { + /* Could be bougus data in the entry, or out of memory */ + goto out; + } entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes))); if (entry_ex->entry.etypes == NULL) { |