# $OpenLDAP$
SRCS= main.c find.c mod.c print.c auth.c util.c help.c \
- string_to_key.c group.c edit.c globals.c
+ group.c edit.c globals.c
XSRCS= version.c
OBJS= main.o find.o mod.o print.o auth.o util.o help.o \
- string_to_key.o group.o globals.o edit.o
+ group.o globals.o edit.o
HDRS= ud.h
PROGRAMS= ud
+++ /dev/null
-Users
------
-For users, see the man page on ud.
-
-Installers
-----------
-For installers, see the header file. Anything that is configurable is
-listed in there as a #define, and the file is pretty well commented.
-
-Kerberos users
---------------
-If you're going to use Kerberos, be sure that you have a Kerberos config file
-in /etc/krb.conf of the form:
-
- <realm>
- <realm> <server-for-realm> [ admin server ]
-
-This should be the realm in which users are going to authenticate, which
-is not necessarily your realm.
-
-You can certainly have other entries in this file, but you'll need at least
-these two.
-
-Also be sure that you have the necessary entries in /etc/services so that
-your client knows on which port to find a Kerberos authentication server.
-An pair of entries like this:
-
- kerberos 750/udp kdc # Kerberos authentication
- kerberos 750/tcp kdc # Kerberos authentication
-
-is fairly typical.
#include "ldap_defaults.h"
#include "ud.h"
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-static char tktpath[20]; /* ticket file path */
-static int kinit();
-static int valid_tgt();
-#endif
-
static void set_bound_dn(char *s);
char *user;
#endif
char uidname[20];
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- char **krbnames; /* for kerberos names */
- int kinited, ikrb;
- char buf[5];
- extern int krb_debug;
-#endif
LDAPMessage *mp; /* returned from find() */
static char prompt[MED_BUF_SIZE]; /* place for us to sprintf the prompt */
static char name[MED_BUF_SIZE]; /* place to store the user's name */
*/
if ( (krbnames = ldap_get_values( ld, mp, "krbName" )) != NULL ) {
- int choice, hassimple;
-
- hassimple = (ldap_compare_s( ld, Entry.DN,
- "userPassword", "x" ) == LDAP_COMPARE_FALSE);
- (void) ldap_msgfree(mp);
-
- /* if we're running as a server (e.g., out of inetd) */
- if ( ! isatty( 1 ) ) {
- strcpy( tktpath, LDAP_TMPDIR LDAP_DIRSEP "ud_tktXXXXXX" );
- mktemp( tktpath );
- krb_set_tkt_string( tktpath );
- }
-
- kinited = valid_tgt( krbnames );
-
- if ( hassimple && !kinited ) {
- printf(" Which password would you like to use?\n");
- printf(" 1 -> LDAP password\n");
-#ifdef UOFM
- printf(" 2 -> UMICH password (aka Uniqname or Kerberos password)\n");
-#else
- printf(" 2 -> Kerberos password\n");
-#endif
-
- do {
- printf(" Enter 1 or 2: ");
- fflush(stdout);
-
- fetch_buffer(buf, sizeof(buf), stdin);
- choice = atoi(buf);
- } while (choice != 1 && choice != 2);
-
- authmethod = (choice == 1 ? LDAP_AUTH_SIMPLE :
- LDAP_AUTH_KRBV4);
- } else {
- authmethod = LDAP_AUTH_KRBV4;
- }
+ authmethod = LDAP_AUTH_KRBV4;
+ (void) ldap_value_free(krbnames);
} else {
authmethod = LDAP_AUTH_SIMPLE;
- (void) ldap_msgfree(mp);
}
+ (void) ldap_msgfree(mp);
/*
* if they are already kinited, we don't need to ask for a
* password.
*/
- if ( authmethod == LDAP_AUTH_KRBV4 ) {
- if ( ! kinited ) {
- if ( krbnames[1] != NULL ) {
- int i;
-
- /* ask which one to use */
-#ifdef UOFM
- printf(" Which UMICH (aka Kerberos or uniqname) name would you like to use?\n");
-#else
- printf(" Which Kerberos name would you like to use?\n");
-#endif
- for ( i = 0; krbnames[i] != NULL; i++ ) {
- printf( " %d -> %s\n", i + 1,
- krbnames[i] );
- }
- do {
- printf(" Enter a number between 1 and %d: ", i );
- fflush( stdout );
-
- fetch_buffer(buf, sizeof(buf), stdin);
- ikrb = atoi(buf) - 1;
- } while ( ikrb > i - 1 || ikrb < 0 );
- } else {
- ikrb = 0;
- }
-
- /* kinit */
- if ( kinit( krbnames[ikrb] ) != 0 ) {
- (void) ldap_value_free(rdns);
- (void) ldap_value_free(krbnames);
- return(-1);
- }
- }
- } else {
+ if ( authmethod != LDAP_AUTH_KRBV4 )
#endif
+ {
authmethod = LDAP_AUTH_SIMPLE;
sprintf(prompt, " Enter your LDAP password: ");
do {
(void) ldap_value_free(rdns);
return(0);
}
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
}
- (void) ldap_value_free(krbnames);
-#endif
+
ldap_flush_cache( ld );
rc = ldap_bind_s(ld, Entry.DN, passwd, authmethod);
if (rc != LDAP_SUCCESS) {
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if ( authmethod == LDAP_AUTH_KRBV4 ) {
fprintf(stderr, " The Kerberos credentials are invalid.\n");
- } else {
+ } else
#endif
+ {
fprintf(stderr, " The password you provided is incorrect.\n");
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
}
-#endif
else
ldap_perror(ld, "ldap_bind_s" );
(void) ldap_bind_s(ld, default_bind_object,
return(0);
}
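Review bot: With `valid_tgt()` and `kinit()` removed, a KBIND build now forces `authmethod = LDAP_AUTH_KRBV4` for any entry carrying a krbName, skips the password prompt guarded by `if ( authmethod != LDAP_AUTH_KRBV4 )`, and hands `ldap_bind_s(ld, Entry.DN, passwd, authmethod)` to whatever Kerberos ticket cache the library finds, so a user who has a userPassword but no usable ticket can no longer fall back to a simple bind, and since `passwd` appears to be assigned only inside the prompt loop (its declaration is outside the hunk) confirm it is initialized on the KRBV4 path. The comment above that block, "if they are already kinited, we don't need to ask for a password", is now stale; replace it with `/* krbName present: bind with the caller's existing Kerberos ticket cache (ud no longer obtains or validates a TGT); only a simple bind prompts for a password */`. The failure message would help more if it named the missing step, e.g. `fprintf(stderr, " The Kerberos credentials are invalid or missing; obtain a ticket (kinit) and retry.\n");`. The private mktemp ticket file formerly set up when stdout was not a tty is also gone, so an inetd-served instance presumably now uses the default ticket cache; verify that is intended. The enclosing auth() function starts before this hunk.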
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-
-#define FIVEMINS ( 5 * 60 )
-#define TGT "krbtgt"
-
-static int
-valid_tgt( char **names )
-{
- int i;
- char name[ ANAME_SZ ], inst[ INST_SZ ], realm[ REALM_SZ ];
- CREDENTIALS cred;
-
- for ( i = 0; names[i] != NULL; i++ ) {
- if ( kname_parse( name, inst, realm, names[i] ) != KSUCCESS ) {
- fprintf( stderr, "Bad format for krbName %s\n",
- names[i] );
- fprintf( stderr, "Contact x500@umich.edu\n" );
- return( 0 );
- }
-
-#ifdef HAVE_AFS_KERBEROS
- /*
- * realm must be uppercase for krb_ routines
- */
- ldap_pvt_str2upper( realm );
-#endif /* HAVE_AFS_KERBEROS */
-
- /*
- * check ticket file for a valid ticket granting ticket
- * my check is: have ticket granting ticket and it is good for
- * at least 5 more minutes
- */
- if ( krb_get_cred( TGT, realm, realm,
- &cred ) == KSUCCESS && time( 0 ) + FIVEMINS <
- cred.issue_date + (u_char)cred.lifetime * FIVEMINS ) {
- return( 1 );
- }
- }
-
- return( 0 );
-}
-
-static char *kauth_name;
-
-#ifndef HAVE_KTH_KERBEROS
-
-/*ARGSUSED*/
-int
-krbgetpass( char *user, char *inst, char *realm, char *pw, C_Block key )
-{
- char *p, lcrealm[ REALM_SZ ], prompt[256], *passwd;
-
-#ifdef UOFM
- sprintf(prompt, " Enter the UMICH password (same as Uniqname or Kerberos password)\n for %s: ", kauth_name );
-#else
- sprintf(prompt, " Enter Kerberos password for %s: ", kauth_name );
-#endif
- do {
- passwd = getpassphrase(prompt);
- } while (passwd != NULL && *passwd == '\0');
- if (passwd == NULL) {
- return(-1);
- }
-
-#ifdef HAVE_AFS_KERBEROS
- strcpy( lcrealm, realm );
- for ( p = lcrealm; *p != '\0'; ++p ) {
- *p = TOLOWER( (unsigned char) *p );
- }
-
- ka_StringToKey( passwd, lcrealm, key );
-#else /* HAVE_AFS_KERBEROS */
- string_to_key( passwd, key );
-#endif /* HAVE_AFS_KERBEROS */
-
- return( 0 );
-}
-#endif /* HAVE_KTH_KERBEROS */
-
-static int
-kinit( char *kname )
-{
- int rc;
- char name[ ANAME_SZ ], inst[ INST_SZ ], realm[ REALM_SZ ];
-
- kauth_name = kname;
-
- if ( kname_parse( name, inst, realm, kname ) != KSUCCESS ) {
- fprintf( stderr, "Bad format for krbName %s\n",
- kname );
- fprintf( stderr, "Contact x500@umich.edu\n" );
- return( -1 );
- }
-
-#ifdef HAVE_AFS_KERBEROS
- /* realm must be uppercase for AFS krb_ routines */
- ldap_pvt_str2upper( realm );
-#endif /* HAVE_AFS_KERBEROS */
-
-#ifdef HAVE_KTH_KERBEROS
- /* Kth kerberos knows how to do both string to keys */
- rc = krb_get_pw_in_tkt( name, inst, realm, TGT, realm,
- DEFAULT_TKT_LIFE, 0 );
-#else
- rc = krb_get_in_tkt( name, inst, realm, TGT, realm,
- DEFAULT_TKT_LIFE, krbgetpass, NULL, NULL );
-#endif
-
- if ( rc != KSUCCESS ) {
- switch ( rc ) {
- case SKDC_CANT:
- fprintf( stderr, "Can't contact Kerberos server for %s\n", realm );
- break;
- default:
- fprintf( stderr, "%s: %s\n", name, krb_err_txt[ rc ] );
- break;
- }
- return( -1 );
- }
-
- return( 0 );
-}
-
-void
-destroy_tickets( void )
-{
- if ( *tktpath != '\0' ) {
- unlink( tktpath );
- }
-}
-#endif
-
static void
set_bound_dn( char *s )
{
+++ /dev/null
-server <your ldap server host name here>
-base <your X.500 default search base here>
printf(" Thank you!\n");
ldap_unbind(ld);
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- destroy_tickets();
-#endif
exit( EXIT_SUCCESS );
/* NOTREACHED */
}
+++ /dev/null
-/* $OpenLDAP$ */
-/*
- * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-#include "portable.h"
-
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd)
-/*
- * Copyright 1985, 1986, 1987, 1988, 1989 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * These routines perform encryption and decryption using the DES
- * private key algorithm, or else a subset of it-- fewer inner loops.
- * (AUTH_DES_ITER defaults to 16, may be less.)
- *
- * Under U.S. law, this software may not be exported outside the US
- * without license from the U.S. Commerce department.
- *
- * The key schedule is passed as an arg, as well as the cleartext or
- * ciphertext. The cleartext and ciphertext should be in host order.
- *
- * These routines form the library interface to the DES facilities.
- *
- * spm 8/85 MIT project athena
- */
-
-#include <stdio.h>
-#include <ac/krb.h>
-
-#if defined( DEBUG ) && defined( HAVE_DES_DEBUG )
-#define USE_DES_DEBUG
-extern int des_debug;
-#endif
-
-extern void des_fixup_key_parity();
-
-#ifndef HAVE_AFS_KERBEROS
-#define WORLDPEACEINOURTIME
-#endif
-
-#if defined(WORLDPEACEINOURTIME) /* Use original, not ifs version */
-#ifndef HAVE_KERBEROS_V
-/*
- * convert an arbitrary length string to a DES key
- */
-void
-des_string_to_key( char *str, register des_cblock *key )
-{
- register char *in_str;
- register unsigned temp,i;
- register int j;
- register long length;
- static unsigned char *k_p;
- static int forward;
- register char *p_char;
- static char k_char[64];
- static des_key_schedule key_sked;
- extern unsigned long des_cbc_cksum();
-
- in_str = str;
- forward = 1;
- p_char = k_char;
- length = strlen(str);
-
- /* init key array for bits */
- memset(k_char, '\0', sizeof(k_char));
-
-#ifdef USE_DES_DEBUG
- if (des_debug)
- fprintf(stdout,
- "\n\ninput str length = %d string = %s\nstring = 0x ",
- length,str);
-#endif
-
- /* get next 8 bytes, strip parity, xor */
- for (i = 1; i <= length; i++) {
- /* get next input key byte */
- temp = (unsigned int) *str++;
-#ifdef USE_DES_DEBUG
- if (des_debug)
- fprintf(stdout,"%02x ",temp & 0xff);
-#endif
- /* loop through bits within byte, ignore parity */
- for (j = 0; j <= 6; j++) {
- if (forward)
- *p_char++ ^= (int) temp & 01;
- else
- *--p_char ^= (int) temp & 01;
- temp = temp >> 1;
- } while (--j > 0);
-
- /* check and flip direction */
- if ((i%8) == 0)
- forward = !forward;
- }
-
- /* now stuff into the key des_cblock, and force odd parity */
- p_char = k_char;
- k_p = (unsigned char *) key;
-
- for (i = 0; i <= 7; i++) {
- temp = 0;
- for (j = 0; j <= 6; j++)
- temp |= *p_char++ << (1+j);
- *k_p++ = (unsigned char) temp;
- }
-
- /* fix key parity */
- des_fixup_key_parity(key);
-
- /* Now one-way encrypt it with the folded key */
- (void) des_key_sched(key,key_sked);
- (void) des_cbc_cksum((des_cblock *)in_str,key,length,key_sked,key);
- /* erase key_sked */
- memset((char *)key_sked, '\0', sizeof(key_sked));
-
- /* now fix up key parity again */
- des_fixup_key_parity(key);
-
-#ifdef USE_DES_DEBUG
- if (des_debug)
- fprintf(stdout,
- "\nResulting string_to_key = 0x%lx 0x%lx\n",
- *((unsigned long *) key),
- *((unsigned long *) key+1));
-#endif
-}
-
-#endif /* HAVE_KERBEROS_V */
-#else /* Use ifs version */
-
-#if 0
-#include <stdio.h>
- /* These two needed for rxgen output to work */
-#include <sys/types.h>
-#include <rx/xdr.h>
-#include <afs/cellconfig.h>
-#include <afs/auth.h>
-
-#include "/usr/andy/kauth/kauth.h"
-#include "/usr/andy/kauth/kautils.h"
-#endif
-
-/* This defines the Andrew string_to_key function. It accepts a password
- string as input and converts its via a one-way encryption algorithm to a DES
- encryption key. It is compatible with the original Andrew authentication
- service password database. */
-
-static void
-Andrew_StringToKey(
- char *str,
- char *cell, /* cell for password */
- des_cblock *key
-)
-{ char password[8+1]; /* crypt is limited to 8 chars anyway */
- int i;
- int passlen;
-
- memset(key, '\0', sizeof(des_cblock));
- memset(password, '\0', sizeof(password));
-
- strncpy (password, cell, 8);
- passlen = strlen (str);
- if (passlen > 8) passlen = 8;
-
- for (i=0; i<passlen; i++)
- password[i] = str[i] ^ cell[i];
-
- for (i=0;i<8;i++)
- if (password[i] == '\0') password[i] = 'X';
-
- /* crypt only considers the first 8 characters of password but for some
- reason returns eleven characters of result (plus the two salt chars). */
- strncpy(key, crypt(password, "#~") + 2, sizeof(des_cblock));
-
- /* parity is inserted into the LSB so leftshift each byte up one bit. This
- allows ascii characters with a zero MSB to retain as much significance
- as possible. */
- { char *keybytes = (char *)key;
- unsigned int temp;
-
- for (i = 0; i < 8; i++) {
- temp = (unsigned int) keybytes[i];
- keybytes[i] = (unsigned char) (temp << 1);
- }
- }
- des_fixup_key_parity (key);
-}
-
-static void
-StringToKey(
- char *str,
- char *cell, /* cell for password */
- des_cblock *key
-)
-{ des_key_schedule schedule;
- char temp_key[8];
- char ivec[8];
- char password[BUFSIZ];
- int passlen;
-
- strncpy (password, str, sizeof(password));
- if ((passlen = strlen (password)) < sizeof(password)-1)
- strncat (password, cell, sizeof(password)-passlen);
- if ((passlen = strlen(password)) > sizeof(password)) passlen = sizeof(password);
-
- AC_MEMCPY(ivec, "kerberos", 8);
- AC_MEMCPY(temp_key, "kerberos", 8);
- des_fixup_key_parity (temp_key);
- des_key_sched (temp_key, schedule);
- des_cbc_cksum (password, ivec, passlen, schedule, ivec);
-
- AC_MEMCPY(temp_key, ivec, 8);
- des_fixup_key_parity (temp_key);
- des_key_sched (temp_key, schedule);
- des_cbc_cksum (password, key, passlen, schedule, ivec);
-
- des_fixup_key_parity (key);
-}
-
-void
-ka_StringToKey (
- char *str,
- char *cell, /* cell for password */
- des_cblock *key
-)
-{ char realm[REALM_SZ];
-
-#if NOWAYOUTTODAY
- long code;
-#if 0
- code = ka_CellToRealm (cell, realm, 0/*local*/);
-#endif
- if (code) strcpy (realm, "");
- else lcstring (realm, realm, sizeof(realm)); /* for backward compatibility */
-#else
- (void)strcpy(realm, cell);
-#endif
-
- if (strlen(str) > 8) StringToKey (str, realm, key);
- else Andrew_StringToKey (str, realm, key);
-}
-
-/*
- * convert an arbitrary length string to a DES key
- */
-int
-des_string_to_key( char *str, register des_cblock *key )
-{
- /* NB: i should probably call routine to get local cell here */
- ka_StringToKey(str, "umich.edu", key);
- return 0;
-}
-
-#endif /* Use IFS Version */
-
-#endif /* kerberos */
#define G_JOIN 0
#define G_RESIGN 1
-/*
- * Authentication method we will be using.
- */
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-#define UD_AUTH_METHOD LDAP_AUTH_KRBV4
-#else
-#define UD_AUTH_METHOD LDAP_AUTH_SIMPLE
-#endif
-
/*
* TRUE and FALSE - just in case we need them.
*/
/* in auth.c: */
int auth LDAP_P(( char *who, int implicit ));
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && defined(_AC_KRB_H)
-int krbgetpass LDAP_P(( char *u, char *in, char *re, char *pw, C_Block key ));
-void destroy_tickets LDAP_P(( void ));
-#endif
/* in edit.c: */
void edit LDAP_P(( char *who ));
void print_URL LDAP_P(( struct attribute A ));
void print_one_URL LDAP_P(( char *s, int l_lead, char *tag, int u_lead ));
-/* in string_to_key.c: */
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd) && defined(_AC_KRB_H)
-#if defined(HAVE_AFS_KERBEROS) || !defined(HAVE_KERBEROS_V)
-void des_string_to_key LDAP_P(( char *str, des_cblock *key ));
-#endif
-#if defined(HAVE_AFS_KERBEROS)
-void ka_StringToKey LDAP_P(( char *str, char *cell, des_cblock *key ));
-#endif
-#endif
-
/* in util.c: */
void printbase LDAP_P(( char *lead, char *s ));
void fetch_buffer LDAP_P(( char *buffer, int length, FILE *where ));
{
if (errno != 0)
perror(s);
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- destroy_tickets();
-#endif
exit( EXIT_FAILURE );
}