summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/hdb-ldb.c113
1 files changed, 66 insertions, 47 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index ff15772f73..3ac45fe801 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -196,6 +196,66 @@ static void hdb_ldb_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
talloc_free(entry_ex->ctx);
}
+static krb5_error_code LDB_message2entry_keys(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ unsigned int userAccountControl,
+ hdb_entry_ex *entry_ex)
+{
+ krb5_error_code ret = 0;
+ struct ldb_message_element *ldb_keys;
+ int i;
+
+ /* Get krb5Key from the db */
+
+ ldb_keys = ldb_msg_find_element(msg, "krb5Key");
+
+ if (!ldb_keys) {
+ /* oh, no password. Apparently (comment in
+ * hdb-ldap.c) this violates the ASN.1, but this
+ * allows an entry with no keys (yet). */
+ entry_ex->entry.keys.val = NULL;
+ entry_ex->entry.keys.len = 0;
+ } else {
+ /* allocate space to decode into */
+ entry_ex->entry.keys.val = calloc(ldb_keys->num_values, sizeof(Key));
+ if (entry_ex->entry.keys.val == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ entry_ex->entry.keys.len = 0;
+
+ /* Decode Kerberos keys into the hdb structure */
+ for (i=0; i < ldb_keys->num_values; i++) {
+ size_t decode_len;
+ Key key;
+ ret = decode_Key(ldb_keys->values[i].data, ldb_keys->values[i].length,
+ &key, &decode_len);
+ if (ret) {
+ /* Could be bougus data in the entry, or out of memory */
+ goto out;
+ }
+
+ if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+ switch (key.key.keytype) {
+ case KEYTYPE_DES:
+ entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
+ entry_ex->entry.keys.len++;
+ default:
+ /* We must use DES keys only */
+ break;
+ }
+ } else {
+ entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
+ entry_ex->entry.keys.len++;
+ }
+ }
+ }
+
+out:
+ return ret;
+}
+
/*
* Construct an hdb_entry from a directory entry.
*/
@@ -220,7 +280,6 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
struct hdb_ldb_private *private;
NTTIME acct_expiry;
- struct ldb_message_element *ldb_keys;
struct ldb_message_element *objectclasses;
struct ldb_val computer_val;
@@ -365,52 +424,12 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
entry_ex->entry.generation = NULL;
- /* Get krb5Key from the db */
-
- ldb_keys = ldb_msg_find_element(msg, "krb5Key");
-
- if (!ldb_keys) {
- /* oh, no password. Apparently (comment in
- * hdb-ldap.c) this violates the ASN.1, but this
- * allows an entry with no keys (yet). */
- entry_ex->entry.keys.val = NULL;
- entry_ex->entry.keys.len = 0;
- } else {
- /* allocate space to decode into */
- entry_ex->entry.keys.val = calloc(ldb_keys->num_values, sizeof(Key));
- if (entry_ex->entry.keys.val == NULL) {
- ret = ENOMEM;
- goto out;
- }
-
- entry_ex->entry.keys.len = 0;
-
- /* Decode Kerberos keys into the hdb structure */
- for (i=0; i < ldb_keys->num_values; i++) {
- size_t decode_len;
- Key key;
- ret = decode_Key(ldb_keys->values[i].data, ldb_keys->values[i].length,
- &key, &decode_len);
- if (ret) {
- /* Could be bougus data in the entry, or out of memory */
- goto out;
- }
-
- if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- switch (key.key.keytype) {
- case KEYTYPE_DES:
- entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
- entry_ex->entry.keys.len++;
- default:
- /* We must use DES keys only */
- break;
- }
- } else {
- entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
- entry_ex->entry.keys.len++;
- }
- }
- }
+ /* Get keys from the db */
+ ret = LDB_message2entry_keys(mem_ctx, msg, userAccountControl, entry_ex);
+ if (ret) {
+ /* Could be bougus data in the entry, or out of memory */
+ goto out;
+ }
entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
if (entry_ex->entry.etypes == NULL) {