From a2e299eb2293614c137c7874ff9930220af2f22c Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Wed, 10 Jan 2007 00:23:28 +0000
Subject: [PATCH] ITS#4799 remove kerberos / kbind

---
 servers/slapd/Makefile.in | 4 +--
 servers/slapd/back-bdb/bind.c | 51 +---------------------------
 servers/slapd/bconfig.c | 11 +------
 servers/slapd/bind.c | 31 ++----------------
 servers/slapd/cancel.c | 1 -
 servers/slapd/config.c | 1 -
 servers/slapd/kerberos.c | 62 -----------------------------------
 servers/slapd/passwd.c | 1 -
 servers/slapd/proto-slap.h | 8 -----
 servers/slapd/schema_prep.c | 12 -------
 servers/slapd/slap.h | 4 ---
 servers/slapd/txn.c | 1 -
 12 files changed, 6 insertions(+), 181 deletions(-)
 delete mode 100644 servers/slapd/kerberos.c

diff --git a/servers/slapd/Makefile.in b/servers/slapd/Makefile.in
index 9ae25b26a1..1a61ae23c9 100644
--- a/servers/slapd/Makefile.in
+++ b/servers/slapd/Makefile.in
@@ -29,7 +29,7 @@ SRCS = main.c globals.c bconfig.c config.c daemon.c \
 dn.c compare.c modify.c delete.c modrdn.c ch_malloc.c \
 value.c ava.c bind.c unbind.c abandon.c filterentry.c \
 phonetic.c acl.c str2filter.c aclparse.c init.c user.c \
- repl.c lock.c controls.c extended.c kerberos.c passwd.c \
+ repl.c lock.c controls.c extended.c passwd.c \
 schema.c schema_check.c schema_init.c schema_prep.c \
 schemaparse.c ad.c at.c mr.c syntax.c oc.c saslauthz.c \
 oidm.c starttls.c index.c sets.c referral.c root_dse.c \
@@ -47,7 +47,7 @@ OBJS = main.o globals.o bconfig.o config.o daemon.o \
 dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o \
 value.o ava.o bind.o unbind.o abandon.o filterentry.o \
 phonetic.o acl.o str2filter.o aclparse.o init.o user.o \
- repl.o lock.o controls.o extended.o kerberos.o passwd.o \
+ repl.o lock.o controls.o extended.o passwd.o \
 schema.o schema_check.o schema_init.o schema_prep.o \
 schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o \
 oidm.o starttls.o index.o sets.o referral.o root_dse.o \
diff --git a/servers/slapd/back-bdb/bind.c b/servers/slapd/back-bdb/bind.c
index 3179c29855..84f3a38a0e 100644
--- a/servers/slapd/back-bdb/bind.c
+++ b/servers/slapd/back-bdb/bind.c
@@ -17,7 +17,6 @@
 #include "portable.h"
 #include
-#include
 #include
 #include
@@ -30,12 +29,6 @@ bdb_bind( Operation *op, SlapReply *rs )
 Entry *e;
 Attribute *a;
 EntryInfo *ei;
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- char krbname[MAX_K_NAME_SZ + 1];
- AttributeDescription *krbattr = slap_schema.si_ad_krbName;
- struct berval krbval;
- AUTH_DAT ad;
-#endif
 AttributeDescription *password = slap_schema.si_ad_userPassword;
@@ -144,50 +137,8 @@ dn2entry_retry:
 rs->sr_err = 0;
 break;
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- case LDAP_AUTH_KRBV41:
- if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad )
- != LDAP_SUCCESS )
- {
- rs->sr_err = LDAP_INVALID_CREDENTIALS,
- goto done;
- }
-
- rs->sr_err = access_allowed( op, e,
- krbattr, NULL, ACL_AUTH, NULL );
- if ( ! rs->sr_err ) {
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS,
- goto done;
- }
-
- krbval.bv_len = sprintf( krbname, "%s%s%s@%s", ad.pname,
- *ad.pinst ? "." : "", ad.pinst, ad.prealm );
-
- if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
- /*
- * no krbname values present: check against DN
- */
- if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
- rs->sr_err = 0;
- break;
- }
- rs->sr_err = LDAP_INAPPROPRIATE_AUTH,
- goto done;
-
- } else { /* look for krbname match */
- krbval.bv_val = krbname;
-
- if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
- rs->sr_err = LDAP_INVALID_CREDENTIALS;
- goto done;
- }
- }
- rs->sr_err = 0;
- break;
-#endif
-
 default:
- assert( 0 ); /* should not be unreachable */
+ assert( 0 ); /* should not be reachable */
 rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED;
 rs->sr_text = "authentication method not supported";
 }
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 4899bc3dfe..9f4f1c936c 100644
--- a/servers/slapd/bconfig.c
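Review bot: The `default:` branch of the method switch in bdb_bind keeps `assert( 0 )` ahead of the LDAP_STRONG_AUTH_NOT_SUPPORTED result, so in a build without NDEBUG any bind whose method value reaches the backend aborts the whole slapd process instead of returning an error to that one client. That is only safe because the frontend (the fe_op_bind hunk in servers/slapd/bind.c in this same patch) appears to answer every method other than simple and SASL with LDAP_AUTH_METHOD_NOT_SUPPORTED before dispatching, and after this change the backend relies on that filter entirely. The corrected comment would be more useful if it said why the branch is unreachable rather than just that it is: `assert( 0 ); /* unreachable: fe_op_bind rejects anything but simple/SASL before dispatch */`. bdb_bind begins before this hunk and continues after it.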
+++ b/servers/slapd/bconfig.c
@@ -536,14 +536,6 @@ static ConfigTable config_back_cf_table[] = {
 { "sockbuf_max_incoming_auth", "max", 2, 2, 0, ARG_BER_LEN_T, &sockbuf_max_incoming_auth, "( OLcfgGlAt:62 NAME 'olcSockbufMaxIncomingAuth' " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
- { "srvtab", "file", 2, 2, 0,
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- ARG_STRING, &ldap_srvtab,
-#else
- ARG_IGNORED, NULL,
-#endif
- "( OLcfgGlAt:63 NAME 'olcSrvtab' "
- "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 { "subordinate", "[advertise]", 1, 2, 0, ARG_DB|ARG_MAGIC, &config_subordinate, "( OLcfgDbAt:0.15 NAME 'olcSubordinate' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
@@ -693,7 +685,7 @@ static ConfigOCs cf_ocs[] = {
 "olcRootDSE $ "
 "olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
 "olcSecurity $ olcSizeLimit $ "
- "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ "
+ "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
@@ -2272,7 +2264,6 @@ config_disallows(ConfigArgs *c) {
 slap_verbmasks disallowable_ops[] = {
 { BER_BVC("bind_anon"), SLAP_DISALLOW_BIND_ANON },
 { BER_BVC("bind_simple"), SLAP_DISALLOW_BIND_SIMPLE },
- { BER_BVC("bind_krb4"), SLAP_DISALLOW_BIND_KRBV4 },
 { BER_BVC("tls_2_anon"), SLAP_DISALLOW_TLS_2_ANON },
 { BER_BVC("tls_authc"), SLAP_DISALLOW_TLS_AUTHC },
 { BER_BVNULL, 0 }
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index bb5f501529..706cc43559 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -86,8 +86,8 @@ do_bind(
 * name DistinguishedName, -- dn
 * authentication CHOICE {
 * simple [0] OCTET STRING -- passwd
- * krbv42ldap [1] OCTET STRING
- * krbv42dsa [2] OCTET STRING
+ * krbv42ldap [1] OCTET STRING -- OBSOLETE
+ * krbv42dsa [2] OCTET STRING -- OBSOLETE
 * SASL [3] SaslCredentials
 * }
 * }
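Review bot: Dropping the `srvtab` entry from config_back_cf_table (first bconfig.c hunk) and `bind_krb4` from disallowable_ops (third hunk) changes how existing configurations fail: before this patch a non-kbind build accepted `srvtab` as ARG_IGNORED and `disallow bind_krb4` always parsed, whereas afterwards both are unknown keywords, so slapd.conf files or cn=config entries that still carry them are presumably rejected at startup instead of being ignored. A sentence in the commit message, or a comment at the removal site, would spare an operator an unexplained upgrade failure. The OLcfgGlAt:63 OID published for olcSrvtab in the olcGlobal object class is also left unmentioned; a reservation comment next to the sockbuf_max_incoming_auth entry, such as `/* OLcfgGlAt:63 (olcSrvtab) retired by ITS#4799; do not reassign */`, keeps it from being reused for an unrelated attribute. config_back_cf_table, cf_ocs and config_disallows all begin or end outside these hunks.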
@@ -340,33 +340,6 @@ fe_op_bind( Operation *op, SlapReply *rs )
 goto cleanup;
 }
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- } else if ( op->orb_method == LDAP_AUTH_KRBV41 ) {
- if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
- /* disallow krbv4 authentication */
- rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
- rs->sr_text = "unwilling to perform Kerberos V4 bind";
-
- send_ldap_result( op, rs );
-
- Debug( LDAP_DEBUG_TRACE,
- "do_bind: v%d Kerberos V4 (step 1) bind refused\n",
- op->o_protocol, 0, 0 );
- goto cleanup;
- }
- BER_BVSTR( &op->orb_tmp_mech, "KRBV4" );
-
- } else if ( op->orb_method == LDAP_AUTH_KRBV42 ) {
- rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
- rs->sr_text = "Kerberos V4 (step 2) bind not supported";
- send_ldap_result( op, rs );
-
- Debug( LDAP_DEBUG_TRACE,
- "do_bind: v%d Kerberos V4 (step 2) bind refused\n",
- op->o_protocol, 0, 0 );
- goto cleanup;
-#endif
-
 } else {
 rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
 rs->sr_text = "unknown authentication method";
diff --git a/servers/slapd/cancel.c b/servers/slapd/cancel.c
index 1f8ee7b9ee..08115f45ed 100644
--- a/servers/slapd/cancel.c
+++ b/servers/slapd/cancel.c
@@ -18,7 +18,6 @@
 #include
-#include
 #include
 #include
 #include
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 4c7f84f6a0..e69a32c4ab 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -68,7 +68,6 @@ int global_gentlehup = 0;
 int global_idletimeout = 0;
 char *global_host = NULL;
 char *global_realm = NULL;
-char *ldap_srvtab = "";
 char **default_passwd_hash = NULL;
 struct berval default_search_base = BER_BVNULL;
 struct berval default_search_nbase = BER_BVNULL;
diff --git a/servers/slapd/kerberos.c b/servers/slapd/kerberos.c
deleted file mode 100644
index e0f0b4cf0f..0000000000
--- a/servers/slapd/kerberos.c
+++ /dev/null
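Review bot: With the KRBV41/KRBV42 branches removed, the trailing `} else {` in fe_op_bind is now the only place that turns a method tag other than simple or SASL into LDAP_AUTH_METHOD_NOT_SUPPORTED, and at least one backend touched by this patch (bdb_bind in back-bdb/bind.c) answers any other method with `assert( 0 )`, so this branch is load-bearing for server stability, not just for error reporting. Nothing on the new side records that dependency; a comment on the `} else {` line, e.g. `/* every method other than simple and SASL must stop here: backends assert on unknown methods */`, would keep a later refactor from loosening it. The wire tags [1] and [2] remain decodable by clients, so an old krbv42 bind now receives "unknown authentication method", which is acceptable but worth a line in the commit message. fe_op_bind starts before this hunk and continues after it.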
@@ -1,62 +0,0 @@
-/* kerberos.c - kerberos bind routines */
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software .
- *
- * Copyright 1998-2007 The OpenLDAP Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * .
- */
-
-#include "portable.h"
-
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-
-#include
-
-#include
-#include
-#include
-
-#include "slap.h"
-
-#define LDAP_KRB_PRINCIPAL "ldapserver"
-
-krbv4_ldap_auth(
- Backend *be,
- struct berval *cred,
- AUTH_DAT *ad
-)
-{
- KTEXT_ST k;
- KTEXT ktxt = &k;
- char instance[INST_SZ];
- int err;
-
- Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );
-
- if( cred->len > sizeof(ktxt->dat) ) {
- return LDAP_OTHER;
- }
-
- AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );
- ktxt->length = cred->bv_len;
-
- strcpy( instance, "*" );
- if ( (err = krb_rd_req( ktxt, LDAP_KRB_PRINCIPAL, instance, 0L, ad,
- ldap_srvtab )) != KSUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "krb_rd_req failed (%s)\n",
- krb_err_txt[err], 0, 0 );
- return( LDAP_INVALID_CREDENTIALS );
- }
-
- return( LDAP_SUCCESS );
-}
-
-#endif /* kerberos */
diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index 8b6755b092..327de020e0 100644
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -18,7 +18,6 @@
 #include
-#include
 #include
 #include
 #include
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 1017c8cf46..806265bbc5 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1009,14 +1009,6 @@ LDAP_SLAPD_F (int) slap_destroy LDAP_P((void));
 LDAP_SLAPD_V (char *) slap_known_controls[];
-/*
- * kerberos.c
- */
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-LDAP_SLAPD_V (char *) ldap_srvtab;
-LDAP_SLAPD_V (int) krbv4_ldap_auth();
-#endif
-
 /*
 * ldapsync.c
 */
diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c
index ddd08327a3..cad035f1bf 100644
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@@ -986,18 +986,6 @@ static struct slap_schema_ad_map {
 NULL, NULL, NULL, NULL, NULL,
 offsetof(struct slap_internal_schema, si_ad_authPasswordSchemes) },
 #endif
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- { "krbName", "( 1.3.6.1.4.1.250.1.32 "
- "NAME ( 'krbName' 'kerberosName' ) "
- "DESC 'Kerberos principal associated with object' "
- "EQUALITY caseIgnoreIA5Match "
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 "
- "SINGLE-VALUE )",
- NULL, 0,
- NULL, NULL,
- NULL, NULL, NULL, NULL, NULL,
- offsetof(struct slap_internal_schema, si_ad_krbName) },
-#endif
 { "description", "( 2.5.4.13 NAME 'description' "
 "DESC 'RFC4519: descriptive information' "
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 53a066b675..930e9fd822 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -900,9 +900,6 @@ struct slap_internal_schema {
 #ifdef SLAPD_AUTHPASSWD
 AttributeDescription *si_ad_authPassword;
 AttributeDescription *si_ad_authPasswordSchemes;
-#endif
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- AttributeDescription *si_ad_krbName;
 #endif
 AttributeDescription *si_ad_description;
 AttributeDescription *si_ad_seeAlso;
@@ -1815,7 +1812,6 @@ struct slap_backend_db {
 #define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
-#define SLAP_DISALLOW_BIND_KRBV4 0x0004U /* Kerberos V4 authentication */
 #define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */
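Review bot: Removing the krbName/kerberosName attribute type (OID 1.3.6.1.4.1.250.1.32) from the built-in slap_schema_ad_map in schema_prep.c is a data-compatibility change as well as a code cleanup: a directory populated under a kbind-enabled build may hold entries carrying krbName values, and after this hunk nothing in slapd defines that attribute unless a schema file supplies it. The commit message or a short comment at the removal site should say whether the definition is intentionally dropped or where it now lives, e.g. `/* krbName (1.3.6.1.4.1.250.1.32) removed with KRBV4 bind, ITS#4799; supply it from a schema file if existing data uses it */`. Whether any deployment actually stored krbName is something I cannot tell from the patch, so this is a documentation request rather than a defect report. The slap_schema_ad_map array begins and ends outside this hunk.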
diff --git a/servers/slapd/txn.c b/servers/slapd/txn.c
index 2c934266dc..84d7997b13 100644
--- a/servers/slapd/txn.c
+++ b/servers/slapd/txn.c
@@ -18,7 +18,6 @@
 #include
-#include
 #include
 #include
 #include
-- 
2.39.5