2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
49 #define DBGC_CLASS DBGC_PASSDB
55 * Work around versions of the LDAP client libs that don't have the OIDs
56 * defined, or have them defined under the old name.
57 * This functionality is really a factor of the server, not the client
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
81 #define SAM_ACCOUNT struct sam_passwd
84 #define MODIFY_TIMESTAMP_STRING "modifyTimestamp"
88 struct ldapsam_privates
{
89 struct smbldap_state
*smbldap_state
;
96 const char *domain_name
;
99 /* configuration items */
103 /**********************************************************************
104 Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
105 **********************************************************************/
107 static void private_data_free_fn(void **result
)
109 ldap_msgfree(*result
);
113 /**********************************************************************
114 Get the attribute name given a user schame version.
115 **********************************************************************/
117 static const char* get_userattr_key2string( int schema_ver
, int key
)
119 switch ( schema_ver
) {
120 case SCHEMAVER_SAMBAACCOUNT
:
121 return get_attr_key2string( attrib_map_v22
, key
);
123 case SCHEMAVER_SAMBASAMACCOUNT
:
124 return get_attr_key2string( attrib_map_v30
, key
);
127 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
133 /**********************************************************************
134 Return the list of attribute names given a user schema version.
135 **********************************************************************/
137 static char** get_userattr_list( int schema_ver
)
139 switch ( schema_ver
) {
140 case SCHEMAVER_SAMBAACCOUNT
:
141 return get_attr_list( attrib_map_v22
);
143 case SCHEMAVER_SAMBASAMACCOUNT
:
144 return get_attr_list( attrib_map_v30
);
146 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
153 /*******************************************************************
154 Generate the LDAP search filter for the objectclass based on the
155 version of the schema we are using.
156 ******************************************************************/
158 static const char* get_objclass_filter( int schema_ver
)
160 static fstring objclass_filter
;
162 switch( schema_ver
) {
163 case SCHEMAVER_SAMBAACCOUNT
:
164 fstr_sprintf( objclass_filter
, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT
);
166 case SCHEMAVER_SAMBASAMACCOUNT
:
167 fstr_sprintf( objclass_filter
, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT
);
170 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
174 return objclass_filter
;
177 /*******************************************************************
178 Run the search by name.
179 ******************************************************************/
181 static int ldapsam_search_suffix_by_name (struct ldapsam_privates
*ldap_state
,
183 LDAPMessage
** result
, char **attr
)
186 char *escape_user
= escape_ldap_string_alloc(user
);
189 return LDAP_NO_MEMORY
;
193 * in the filter expression, replace %u with the real name
194 * so in ldap filter, %u MUST exist :-)
196 pstr_sprintf(filter
, "(&%s%s)", lp_ldap_filter(),
197 get_objclass_filter(ldap_state
->schema_ver
));
200 * have to use this here because $ is filtered out
205 all_string_sub(filter
, "%u", escape_user
, sizeof(pstring
));
206 SAFE_FREE(escape_user
);
208 return smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, attr
, result
);
211 /*******************************************************************
212 Run the search by rid.
213 ******************************************************************/
215 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates
*ldap_state
,
216 uint32 rid
, LDAPMessage
** result
,
222 pstr_sprintf(filter
, "(&(rid=%i)%s)", rid
,
223 get_objclass_filter(ldap_state
->schema_ver
));
225 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, attr
, result
);
230 /*******************************************************************
231 Run the search by SID.
232 ******************************************************************/
234 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates
*ldap_state
,
235 const DOM_SID
*sid
, LDAPMessage
** result
,
242 pstr_sprintf(filter
, "(&(%s=%s)%s)",
243 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
244 sid_to_string(sid_string
, sid
),
245 get_objclass_filter(ldap_state
->schema_ver
));
247 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, attr
, result
);
252 /*******************************************************************
253 Delete complete object or objectclass and attrs from
254 object found in search_result depending on lp_ldap_delete_dn
255 ******************************************************************/
257 static NTSTATUS
ldapsam_delete_entry(struct ldapsam_privates
*ldap_state
,
259 const char *objectclass
,
263 LDAPMessage
*entry
= NULL
;
264 LDAPMod
**mods
= NULL
;
266 BerElement
*ptr
= NULL
;
268 rc
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
271 DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
272 return NT_STATUS_UNSUCCESSFUL
;
275 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
276 dn
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
278 return NT_STATUS_UNSUCCESSFUL
;
281 if (lp_ldap_delete_dn()) {
282 NTSTATUS ret
= NT_STATUS_OK
;
283 rc
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
285 if (rc
!= LDAP_SUCCESS
) {
286 DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn
));
287 ret
= NT_STATUS_UNSUCCESSFUL
;
293 /* Ok, delete only the SAM attributes */
295 for (name
= ldap_first_attribute(ldap_state
->smbldap_state
->ldap_struct
, entry
, &ptr
);
297 name
= ldap_next_attribute(ldap_state
->smbldap_state
->ldap_struct
, entry
, ptr
)) {
300 /* We are only allowed to delete the attributes that
303 for (attrib
= attrs
; *attrib
!= NULL
; attrib
++) {
304 if (StrCaseCmp(*attrib
, name
) == 0) {
305 DEBUG(10, ("ldapsam_delete_entry: deleting attribute %s\n", name
));
306 smbldap_set_mod(&mods
, LDAP_MOD_DELETE
, name
, NULL
);
317 smbldap_set_mod(&mods
, LDAP_MOD_DELETE
, "objectClass", objectclass
);
319 rc
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
320 ldap_mods_free(mods
, True
);
322 if (rc
!= LDAP_SUCCESS
) {
323 char *ld_error
= NULL
;
324 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
327 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
328 dn
, ldap_err2string(rc
), ld_error
?ld_error
:"unknown"));
331 return NT_STATUS_UNSUCCESSFUL
;
338 /* New Interface is being implemented here */
340 #if 0 /* JERRY - not uesed anymore */
342 /**********************************************************************
343 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
344 *********************************************************************/
345 static BOOL
get_unix_attributes (struct ldapsam_privates
*ldap_state
,
346 SAM_ACCOUNT
* sampass
,
355 if ((ldap_values
= ldap_get_values (ldap_state
->smbldap_state
->ldap_struct
, entry
, "objectClass")) == NULL
) {
356 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
360 for (values
=ldap_values
;*values
;values
++) {
361 if (strequal(*values
, LDAP_OBJ_POSIXACCOUNT
)) {
366 if (!*values
) { /*end of array, no posixAccount */
367 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT
));
368 ldap_value_free(ldap_values
);
371 ldap_value_free(ldap_values
);
373 if ( !smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
374 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_UNIX_HOME
), homedir
) )
379 if ( !smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
380 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_GIDNUMBER
), temp
) )
385 *gid
= (gid_t
)atol(temp
);
387 pdb_set_unix_homedir(sampass
, homedir
, PDB_SET
);
389 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT
));
396 static time_t ldapsam_get_entry_timestamp(
397 struct ldapsam_privates
*ldap_state
,
403 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
,
404 entry
, MODIFY_TIMESTAMP_STRING
, temp
))
407 strptime(temp
, "%Y%m%d%H%M%SZ", &tm
);
412 /**********************************************************************
413 Initialize SAM_ACCOUNT from an LDAP query.
414 (Based on init_sam_from_buffer in pdb_tdb.c)
415 *********************************************************************/
417 static BOOL
init_sam_from_ldap (struct ldapsam_privates
*ldap_state
,
418 SAM_ACCOUNT
* sampass
,
425 pass_can_change_time
,
426 pass_must_change_time
,
439 char munged_dial
[2048];
441 uint8 smblmpwd
[LM_HASH_LEN
],
442 smbntpwd
[NT_HASH_LEN
];
443 uint16 acct_ctrl
= 0,
445 uint16 bad_password_count
= 0,
448 uint8 hours
[MAX_HOURS_LEN
];
450 LOGIN_CACHE
*cache_entry
= NULL
;
453 * do a little initialization
457 nt_username
[0] = '\0';
461 logon_script
[0] = '\0';
462 profile_path
[0] = '\0';
464 munged_dial
[0] = '\0';
465 workstations
[0] = '\0';
468 if (sampass
== NULL
|| ldap_state
== NULL
|| entry
== NULL
) {
469 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
473 if (ldap_state
->smbldap_state
->ldap_struct
== NULL
) {
474 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
478 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
, "uid", username
)) {
479 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
483 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username
));
485 pstrcpy(nt_username
, username
);
487 pstrcpy(domain
, ldap_state
->domain_name
);
489 pdb_set_username(sampass
, username
, PDB_SET
);
491 pdb_set_domain(sampass
, domain
, PDB_DEFAULT
);
492 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
494 /* deal with different attributes between the schema first */
496 if ( ldap_state
->schema_ver
== SCHEMAVER_SAMBASAMACCOUNT
) {
497 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
498 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
), temp
)) {
499 pdb_set_user_sid_from_string(sampass
, temp
, PDB_SET
);
502 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
503 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PRIMARY_GROUP_SID
), temp
)) {
504 pdb_set_group_sid_from_string(sampass
, temp
, PDB_SET
);
506 pdb_set_group_sid_from_rid(sampass
, DOMAIN_GROUP_RID_USERS
, PDB_DEFAULT
);
509 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
510 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_RID
), temp
)) {
511 user_rid
= (uint32
)atol(temp
);
512 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
515 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
516 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PRIMARY_GROUP_RID
), temp
)) {
517 pdb_set_group_sid_from_rid(sampass
, DOMAIN_GROUP_RID_USERS
, PDB_DEFAULT
);
521 group_rid
= (uint32
)atol(temp
);
523 /* for some reason, we often have 0 as a primary group RID.
524 Make sure that we treat this just as a 'default' value */
527 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
529 pdb_set_group_sid_from_rid(sampass
, DOMAIN_GROUP_RID_USERS
, PDB_DEFAULT
);
533 if (pdb_get_init_flags(sampass
,PDB_USERSID
) == PDB_DEFAULT
) {
534 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
535 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
536 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_RID
),
541 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
542 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_LAST_SET
), temp
)) {
543 /* leave as default */
545 pass_last_set_time
= (time_t) atol(temp
);
546 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
549 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
550 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_TIME
), temp
)) {
551 /* leave as default */
553 logon_time
= (time_t) atol(temp
);
554 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
557 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
558 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGOFF_TIME
), temp
)) {
559 /* leave as default */
561 logoff_time
= (time_t) atol(temp
);
562 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
565 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
566 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_KICKOFF_TIME
), temp
)) {
567 /* leave as default */
569 kickoff_time
= (time_t) atol(temp
);
570 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
573 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
574 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_CAN_CHANGE
), temp
)) {
575 /* leave as default */
577 pass_can_change_time
= (time_t) atol(temp
);
578 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
581 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
582 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_MUST_CHANGE
), temp
)) {
583 /* leave as default */
585 pass_must_change_time
= (time_t) atol(temp
);
586 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
589 /* recommend that 'gecos' and 'displayName' should refer to the same
590 * attribute OID. userFullName depreciated, only used by Samba
591 * primary rules of LDAP: don't make a new attribute when one is already defined
592 * that fits your needs; using cn then displayName rather than 'userFullName'
595 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
596 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DISPLAY_NAME
), fullname
)) {
597 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
598 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_CN
), fullname
)) {
599 /* leave as default */
601 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
604 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
607 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
608 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_DRIVE
), dir_drive
))
610 pdb_set_dir_drive( sampass
,
611 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
614 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
617 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
618 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_PATH
), homedir
))
620 pdb_set_homedir( sampass
,
621 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
624 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
627 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
628 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_SCRIPT
), logon_script
))
630 pdb_set_logon_script( sampass
,
631 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
634 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
637 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
638 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PROFILE_PATH
), profile_path
))
640 pdb_set_profile_path( sampass
,
641 talloc_sub_basic( sampass
->mem_ctx
, username
, lp_logon_path()),
644 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
647 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
648 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DESC
), acct_desc
))
650 /* leave as default */
652 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
655 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
656 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_WKS
), workstations
)) {
657 /* leave as default */;
659 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
662 if (!smbldap_get_single_attribute(ldap_state
->smbldap_state
->ldap_struct
, entry
,
663 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_MUNGED_DIAL
), munged_dial
, sizeof(munged_dial
))) {
664 /* leave as default */;
666 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
669 /* FIXME: hours stuff should be cleaner */
673 memset(hours
, 0xff, hours_len
);
675 if (!smbldap_get_single_pstring (ldap_state
->smbldap_state
->ldap_struct
, entry
,
676 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LMPW
), temp
)) {
677 /* leave as default */
679 pdb_gethexpwd(temp
, smblmpwd
);
680 memset((char *)temp
, '\0', strlen(temp
)+1);
681 if (!pdb_set_lanman_passwd(sampass
, smblmpwd
, PDB_SET
))
683 ZERO_STRUCT(smblmpwd
);
686 if (!smbldap_get_single_pstring (ldap_state
->smbldap_state
->ldap_struct
, entry
,
687 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_NTPW
), temp
)) {
688 /* leave as default */
690 pdb_gethexpwd(temp
, smbntpwd
);
691 memset((char *)temp
, '\0', strlen(temp
)+1);
692 if (!pdb_set_nt_passwd(sampass
, smbntpwd
, PDB_SET
))
694 ZERO_STRUCT(smbntpwd
);
697 if (!smbldap_get_single_pstring (ldap_state
->smbldap_state
->ldap_struct
, entry
,
698 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_ACB_INFO
), temp
)) {
699 acct_ctrl
|= ACB_NORMAL
;
701 acct_ctrl
= pdb_decode_acct_ctrl(temp
);
704 acct_ctrl
|= ACB_NORMAL
;
706 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
709 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
710 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
712 /* pdb_set_munged_dial(sampass, munged_dial, PDB_SET); */
714 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
715 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_BAD_PASSWORD_COUNT
), temp
)) {
716 /* leave as default */
718 bad_password_count
= (uint32
) atol(temp
);
719 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
722 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
723 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_BAD_PASSWORD_TIME
), temp
)) {
724 /* leave as default */
726 bad_password_time
= (time_t) atol(temp
);
727 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
731 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
732 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_COUNT
), temp
)) {
733 /* leave as default */
735 logon_count
= (uint32
) atol(temp
);
736 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
739 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
741 pdb_set_hours(sampass
, hours
, PDB_SET
);
743 /* check the timestamp of the cache vs ldap entry */
744 if (!(ldap_entry_time
= ldapsam_get_entry_timestamp(ldap_state
,
748 /* see if we have newer updates */
749 if (!(cache_entry
= login_cache_read(sampass
))) {
750 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
751 (unsigned int)pdb_get_bad_password_count(sampass
),
752 (unsigned int)pdb_get_bad_password_time(sampass
)));
756 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
757 (unsigned int)ldap_entry_time
, (unsigned int)cache_entry
->entry_timestamp
,
758 (unsigned int)cache_entry
->bad_password_time
));
760 if (ldap_entry_time
> cache_entry
->entry_timestamp
) {
761 /* cache is older than directory , so
762 we need to delete the entry but allow the
763 fields to be written out */
764 login_cache_delentry(sampass
);
767 pdb_set_acct_ctrl(sampass
,
768 pdb_get_acct_ctrl(sampass
) |
769 (cache_entry
->acct_ctrl
& ACB_AUTOLOCK
),
771 pdb_set_bad_password_count(sampass
,
772 cache_entry
->bad_password_count
,
774 pdb_set_bad_password_time(sampass
,
775 cache_entry
->bad_password_time
,
779 SAFE_FREE(cache_entry
);
783 /**********************************************************************
784 Initialize SAM_ACCOUNT from an LDAP query.
785 (Based on init_buffer_from_sam in pdb_tdb.c)
786 *********************************************************************/
788 static BOOL
init_ldap_from_sam (struct ldapsam_privates
*ldap_state
,
789 LDAPMessage
*existing
,
790 LDAPMod
*** mods
, SAM_ACCOUNT
* sampass
,
791 BOOL (*need_update
)(const SAM_ACCOUNT
*,
797 if (mods
== NULL
|| sampass
== NULL
) {
798 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
805 * took out adding "objectclass: sambaAccount"
806 * do this on a per-mod basis
808 if (need_update(sampass
, PDB_USERNAME
))
809 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
810 "uid", pdb_get_username(sampass
));
812 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass
)));
814 /* only update the RID if we actually need to */
815 if (need_update(sampass
, PDB_USERSID
)) {
817 fstring dom_sid_string
;
818 const DOM_SID
*user_sid
= pdb_get_user_sid(sampass
);
820 switch ( ldap_state
->schema_ver
) {
821 case SCHEMAVER_SAMBAACCOUNT
:
822 if (!sid_peek_check_rid(&ldap_state
->domain_sid
, user_sid
, &rid
)) {
823 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
824 sid_to_string(sid_string
, user_sid
),
825 sid_to_string(dom_sid_string
, &ldap_state
->domain_sid
)));
828 slprintf(temp
, sizeof(temp
) - 1, "%i", rid
);
829 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
830 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_RID
),
834 case SCHEMAVER_SAMBASAMACCOUNT
:
835 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
836 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
837 sid_to_string(sid_string
, user_sid
));
841 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
846 /* we don't need to store the primary group RID - so leaving it
847 'free' to hang off the unix primary group makes life easier */
849 if (need_update(sampass
, PDB_GROUPSID
)) {
851 fstring dom_sid_string
;
852 const DOM_SID
*group_sid
= pdb_get_group_sid(sampass
);
854 switch ( ldap_state
->schema_ver
) {
855 case SCHEMAVER_SAMBAACCOUNT
:
856 if (!sid_peek_check_rid(&ldap_state
->domain_sid
, group_sid
, &rid
)) {
857 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
858 sid_to_string(sid_string
, group_sid
),
859 sid_to_string(dom_sid_string
, &ldap_state
->domain_sid
)));
863 slprintf(temp
, sizeof(temp
) - 1, "%i", rid
);
864 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
865 get_userattr_key2string(ldap_state
->schema_ver
,
866 LDAP_ATTR_PRIMARY_GROUP_RID
), temp
);
869 case SCHEMAVER_SAMBASAMACCOUNT
:
870 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
871 get_userattr_key2string(ldap_state
->schema_ver
,
872 LDAP_ATTR_PRIMARY_GROUP_SID
), sid_to_string(sid_string
, group_sid
));
876 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
882 /* displayName, cn, and gecos should all be the same
883 * most easily accomplished by giving them the same OID
884 * gecos isn't set here b/c it should be handled by the
886 * We change displayName only and fall back to cn if
890 if (need_update(sampass
, PDB_FULLNAME
))
891 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
892 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DISPLAY_NAME
),
893 pdb_get_fullname(sampass
));
895 if (need_update(sampass
, PDB_ACCTDESC
))
896 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
897 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DESC
),
898 pdb_get_acct_desc(sampass
));
900 if (need_update(sampass
, PDB_WORKSTATIONS
))
901 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
902 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_WKS
),
903 pdb_get_workstations(sampass
));
905 if (need_update(sampass
, PDB_MUNGEDDIAL
))
906 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
907 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_MUNGED_DIAL
),
908 pdb_get_munged_dial(sampass
));
910 if (need_update(sampass
, PDB_SMBHOME
))
911 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
912 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_PATH
),
913 pdb_get_homedir(sampass
));
915 if (need_update(sampass
, PDB_DRIVE
))
916 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
917 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_DRIVE
),
918 pdb_get_dir_drive(sampass
));
920 if (need_update(sampass
, PDB_LOGONSCRIPT
))
921 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
922 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_SCRIPT
),
923 pdb_get_logon_script(sampass
));
925 if (need_update(sampass
, PDB_PROFILE
))
926 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
927 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PROFILE_PATH
),
928 pdb_get_profile_path(sampass
));
930 slprintf(temp
, sizeof(temp
) - 1, "%li", pdb_get_logon_time(sampass
));
931 if (need_update(sampass
, PDB_LOGONTIME
))
932 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
933 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_TIME
), temp
);
935 slprintf(temp
, sizeof(temp
) - 1, "%li", pdb_get_logoff_time(sampass
));
936 if (need_update(sampass
, PDB_LOGOFFTIME
))
937 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
938 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGOFF_TIME
), temp
);
940 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_kickoff_time(sampass
));
941 if (need_update(sampass
, PDB_KICKOFFTIME
))
942 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
943 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_KICKOFF_TIME
), temp
);
945 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_can_change_time(sampass
));
946 if (need_update(sampass
, PDB_CANCHANGETIME
))
947 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
948 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_CAN_CHANGE
), temp
);
950 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_must_change_time(sampass
));
951 if (need_update(sampass
, PDB_MUSTCHANGETIME
))
952 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
953 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_MUST_CHANGE
), temp
);
956 if ((pdb_get_acct_ctrl(sampass
)&(ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
))
957 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY
)) {
959 if (need_update(sampass
, PDB_LMPASSWD
)) {
960 const uchar
*lm_pw
= pdb_get_lanman_passwd(sampass
);
962 pdb_sethexpwd(temp
, lm_pw
,
963 pdb_get_acct_ctrl(sampass
));
964 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
965 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LMPW
),
968 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
969 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LMPW
),
973 if (need_update(sampass
, PDB_NTPASSWD
)) {
974 const uchar
*nt_pw
= pdb_get_nt_passwd(sampass
);
976 pdb_sethexpwd(temp
, nt_pw
,
977 pdb_get_acct_ctrl(sampass
));
978 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
979 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_NTPW
),
982 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
983 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_NTPW
),
988 if (need_update(sampass
, PDB_PASSLASTSET
)) {
989 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_last_set_time(sampass
));
990 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
991 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_LAST_SET
),
996 /* FIXME: Hours stuff goes in LDAP */
998 if (need_update(sampass
, PDB_ACCTCTRL
))
999 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
1000 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_ACB_INFO
),
1001 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass
), NEW_PW_FORMAT_SPACE_PADDED_LEN
));
1003 /* password lockout cache:
1004 - If we are now autolocking or clearing, we write to ldap
1005 - If we are clearing, we delete the cache entry
1006 - If the count is > 0, we update the cache
1008 This even means when autolocking, we cache, just in case the
1009 update doesn't work, and we have to cache the autolock flag */
1011 if (need_update(sampass
, PDB_BAD_PASSWORD_COUNT
)) /* &&
1012 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1013 uint16 badcount
= pdb_get_bad_password_count(sampass
);
1014 time_t badtime
= pdb_get_bad_password_time(sampass
);
1016 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT
, &pol
);
1018 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1019 (unsigned int)pol
, (unsigned int)badcount
, (unsigned int)badtime
));
1021 if ((badcount
>= pol
) || (badcount
== 0)) {
1022 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1023 (unsigned int)badcount
, (unsigned int)badtime
));
1024 slprintf (temp
, sizeof (temp
) - 1, "%li", (long)badcount
);
1026 ldap_state
->smbldap_state
->ldap_struct
,
1028 get_userattr_key2string(
1029 ldap_state
->schema_ver
,
1030 LDAP_ATTR_BAD_PASSWORD_COUNT
),
1033 slprintf (temp
, sizeof (temp
) - 1, "%li", badtime
);
1035 ldap_state
->smbldap_state
->ldap_struct
,
1037 get_userattr_key2string(
1038 ldap_state
->schema_ver
,
1039 LDAP_ATTR_BAD_PASSWORD_TIME
),
1042 if (badcount
== 0) {
1043 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass
)));
1044 login_cache_delentry(sampass
);
1046 LOGIN_CACHE cache_entry
;
1048 cache_entry
.entry_timestamp
= time(NULL
);
1049 cache_entry
.acct_ctrl
= pdb_get_acct_ctrl(sampass
);
1050 cache_entry
.bad_password_count
= badcount
;
1051 cache_entry
.bad_password_time
= badtime
;
1053 DEBUG(7, ("Updating bad password count and time in login cache\n"));
1054 login_cache_write(sampass
, cache_entry
);
1061 /**********************************************************************
1062 Connect to LDAP server for password enumeration.
1063 *********************************************************************/
1065 static NTSTATUS
ldapsam_setsampwent(struct pdb_methods
*my_methods
, BOOL update
)
1067 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1072 pstr_sprintf( filter
, "(&%s%s)", lp_ldap_filter(),
1073 get_objclass_filter(ldap_state
->schema_ver
));
1074 all_string_sub(filter
, "%u", "*", sizeof(pstring
));
1076 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1077 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
,
1078 attr_list
, &ldap_state
->result
);
1079 free_attr_list( attr_list
);
1081 if (rc
!= LDAP_SUCCESS
) {
1082 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc
)));
1083 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", lp_ldap_suffix(), filter
));
1084 ldap_msgfree(ldap_state
->result
);
1085 ldap_state
->result
= NULL
;
1086 return NT_STATUS_UNSUCCESSFUL
;
1089 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1090 ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
,
1091 ldap_state
->result
)));
1093 ldap_state
->entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
,
1094 ldap_state
->result
);
1095 ldap_state
->index
= 0;
1097 return NT_STATUS_OK
;
1100 /**********************************************************************
1101 End enumeration of the LDAP password list.
1102 *********************************************************************/
1104 static void ldapsam_endsampwent(struct pdb_methods
*my_methods
)
1106 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1107 if (ldap_state
->result
) {
1108 ldap_msgfree(ldap_state
->result
);
1109 ldap_state
->result
= NULL
;
1113 /**********************************************************************
1114 Get the next entry in the LDAP password database.
1115 *********************************************************************/
1117 static NTSTATUS
ldapsam_getsampwent(struct pdb_methods
*my_methods
, SAM_ACCOUNT
*user
)
1119 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1120 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1124 if (!ldap_state
->entry
)
1127 ldap_state
->index
++;
1128 bret
= init_sam_from_ldap(ldap_state
, user
, ldap_state
->entry
);
1130 ldap_state
->entry
= ldap_next_entry(ldap_state
->smbldap_state
->ldap_struct
,
1134 return NT_STATUS_OK
;
1137 static void append_attr(char ***attr_list
, const char *new_attr
)
1141 for (i
=0; (*attr_list
)[i
] != NULL
; i
++)
1144 (*attr_list
) = Realloc((*attr_list
), sizeof(**attr_list
) * (i
+2));
1145 SMB_ASSERT((*attr_list
) != NULL
);
1146 (*attr_list
)[i
] = strdup(new_attr
);
1147 (*attr_list
)[i
+1] = NULL
;
1150 /**********************************************************************
1151 Get SAM_ACCOUNT entry from LDAP by username.
1152 *********************************************************************/
1154 static NTSTATUS
ldapsam_getsampwnam(struct pdb_methods
*my_methods
, SAM_ACCOUNT
*user
, const char *sname
)
1156 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1157 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1158 LDAPMessage
*result
= NULL
;
1159 LDAPMessage
*entry
= NULL
;
1164 attr_list
= get_userattr_list( ldap_state
->schema_ver
);
1165 append_attr(&attr_list
, MODIFY_TIMESTAMP_STRING
);
1166 rc
= ldapsam_search_suffix_by_name(ldap_state
, sname
, &result
, attr_list
);
1167 free_attr_list( attr_list
);
1169 if ( rc
!= LDAP_SUCCESS
)
1170 return NT_STATUS_NO_SUCH_USER
;
1172 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1175 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname
, count
));
1176 ldap_msgfree(result
);
1177 return NT_STATUS_NO_SUCH_USER
;
1178 } else if (count
> 1) {
1179 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname
, count
));
1180 ldap_msgfree(result
);
1181 return NT_STATUS_NO_SUCH_USER
;
1184 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1186 if (!init_sam_from_ldap(ldap_state
, user
, entry
)) {
1187 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname
));
1188 ldap_msgfree(result
);
1189 return NT_STATUS_NO_SUCH_USER
;
1191 pdb_set_backend_private_data(user
, result
,
1192 private_data_free_fn
,
1193 my_methods
, PDB_CHANGED
);
1196 ldap_msgfree(result
);
1201 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates
*ldap_state
,
1202 const DOM_SID
*sid
, LDAPMessage
**result
)
1208 switch ( ldap_state
->schema_ver
) {
1209 case SCHEMAVER_SAMBASAMACCOUNT
:
1210 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1211 append_attr(&attr_list
, MODIFY_TIMESTAMP_STRING
);
1212 rc
= ldapsam_search_suffix_by_sid(ldap_state
, sid
, result
, attr_list
);
1213 free_attr_list( attr_list
);
1215 if ( rc
!= LDAP_SUCCESS
)
1219 case SCHEMAVER_SAMBAACCOUNT
:
1220 if (!sid_peek_check_rid(&ldap_state
->domain_sid
, sid
, &rid
)) {
1224 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1225 rc
= ldapsam_search_suffix_by_rid(ldap_state
, rid
, result
, attr_list
);
1226 free_attr_list( attr_list
);
1228 if ( rc
!= LDAP_SUCCESS
)
1235 /**********************************************************************
1236 Get SAM_ACCOUNT entry from LDAP by SID.
1237 *********************************************************************/
1239 static NTSTATUS
ldapsam_getsampwsid(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* user
, const DOM_SID
*sid
)
1241 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1242 LDAPMessage
*result
= NULL
;
1243 LDAPMessage
*entry
= NULL
;
1248 rc
= ldapsam_get_ldap_user_by_sid(ldap_state
,
1250 if (rc
!= LDAP_SUCCESS
)
1251 return NT_STATUS_NO_SUCH_USER
;
1253 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1256 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string
, sid
),
1258 ldap_msgfree(result
);
1259 return NT_STATUS_NO_SUCH_USER
;
1260 } else if (count
> 1) {
1261 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string
, sid
),
1263 ldap_msgfree(result
);
1264 return NT_STATUS_NO_SUCH_USER
;
1267 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1269 ldap_msgfree(result
);
1270 return NT_STATUS_NO_SUCH_USER
;
1273 if (!init_sam_from_ldap(ldap_state
, user
, entry
)) {
1274 DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1275 ldap_msgfree(result
);
1276 return NT_STATUS_NO_SUCH_USER
;
1279 pdb_set_backend_private_data(user
, result
,
1280 private_data_free_fn
,
1281 my_methods
, PDB_CHANGED
);
1282 return NT_STATUS_OK
;
1285 /********************************************************************
1286 Do the actual modification - also change a plaintext passord if
1288 **********************************************************************/
1290 static NTSTATUS
ldapsam_modify_entry(struct pdb_methods
*my_methods
,
1291 SAM_ACCOUNT
*newpwd
, char *dn
,
1292 LDAPMod
**mods
, int ldap_op
,
1293 BOOL (*need_update
)(const SAM_ACCOUNT
*, enum pdb_elements
))
1295 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1298 if (!my_methods
|| !newpwd
|| !dn
) {
1299 return NT_STATUS_INVALID_PARAMETER
;
1303 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1304 /* may be password change below however */
1308 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1311 rc
= smbldap_add(ldap_state
->smbldap_state
,
1314 case LDAP_MOD_REPLACE
:
1315 rc
= smbldap_modify(ldap_state
->smbldap_state
,
1319 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1321 return NT_STATUS_INVALID_PARAMETER
;
1324 if (rc
!=LDAP_SUCCESS
) {
1325 char *ld_error
= NULL
;
1326 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1328 DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
1329 ldap_op
== LDAP_MOD_ADD
? "add" : "modify",
1330 dn
, ldap_err2string(rc
),
1331 ld_error
?ld_error
:"unknown"));
1332 SAFE_FREE(ld_error
);
1333 return NT_STATUS_UNSUCCESSFUL
;
1337 if (!(pdb_get_acct_ctrl(newpwd
)&(ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
)) &&
1338 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF
) &&
1339 need_update(newpwd
, PDB_PLAINTEXT_PW
) &&
1340 (pdb_get_plaintext_passwd(newpwd
)!=NULL
)) {
1344 struct berval
*retdata
;
1345 char *utf8_password
;
1348 if (push_utf8_allocate(&utf8_password
, pdb_get_plaintext_passwd(newpwd
)) == (size_t)-1) {
1349 return NT_STATUS_NO_MEMORY
;
1352 if (push_utf8_allocate(&utf8_dn
, dn
) == (size_t)-1) {
1353 return NT_STATUS_NO_MEMORY
;
1356 if ((ber
= ber_alloc_t(LBER_USE_DER
))==NULL
) {
1357 DEBUG(0,("ber_alloc_t returns NULL\n"));
1358 SAFE_FREE(utf8_password
);
1359 return NT_STATUS_UNSUCCESSFUL
;
1362 ber_printf (ber
, "{");
1363 ber_printf (ber
, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, utf8_dn
);
1364 ber_printf (ber
, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, utf8_password
);
1365 ber_printf (ber
, "N}");
1367 if ((rc
= ber_flatten (ber
, &bv
))<0) {
1368 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1371 SAFE_FREE(utf8_password
);
1372 return NT_STATUS_UNSUCCESSFUL
;
1376 SAFE_FREE(utf8_password
);
1379 if ((rc
= smbldap_extended_operation(ldap_state
->smbldap_state
,
1380 LDAP_EXOP_MODIFY_PASSWD
,
1381 bv
, NULL
, NULL
, &retoid
,
1382 &retdata
)) != LDAP_SUCCESS
) {
1383 char *ld_error
= NULL
;
1384 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1386 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1387 pdb_get_username(newpwd
), ldap_err2string(rc
), ld_error
?ld_error
:"unknown"));
1388 SAFE_FREE(ld_error
);
1390 return NT_STATUS_UNSUCCESSFUL
;
1392 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd
)));
1393 #ifdef DEBUG_PASSWORD
1394 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd
)));
1396 ber_bvfree(retdata
);
1397 ber_memfree(retoid
);
1401 return NT_STATUS_OK
;
1404 /**********************************************************************
1405 Delete entry from LDAP for username.
1406 *********************************************************************/
1408 static NTSTATUS
ldapsam_delete_sam_account(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* sam_acct
)
1410 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1413 LDAPMessage
*result
= NULL
;
1419 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1420 return NT_STATUS_INVALID_PARAMETER
;
1423 sname
= pdb_get_username(sam_acct
);
1425 DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname
));
1427 attr_list
= get_userattr_list( ldap_state
->schema_ver
);
1428 rc
= ldapsam_search_suffix_by_name(ldap_state
, sname
, &result
, attr_list
);
1430 if (rc
!= LDAP_SUCCESS
) {
1431 free_attr_list( attr_list
);
1432 return NT_STATUS_NO_SUCH_USER
;
1435 switch ( ldap_state
->schema_ver
) {
1436 case SCHEMAVER_SAMBASAMACCOUNT
:
1437 fstrcpy( objclass
, LDAP_OBJ_SAMBASAMACCOUNT
);
1440 case SCHEMAVER_SAMBAACCOUNT
:
1441 fstrcpy( objclass
, LDAP_OBJ_SAMBAACCOUNT
);
1444 fstrcpy( objclass
, "UNKNOWN" );
1445 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1449 ret
= ldapsam_delete_entry(ldap_state
, result
, objclass
, attr_list
);
1450 ldap_msgfree(result
);
1451 free_attr_list( attr_list
);
1456 /**********************************************************************
1457 Helper function to determine for update_sam_account whether
1458 we need LDAP modification.
1459 *********************************************************************/
1461 static BOOL
element_is_changed(const SAM_ACCOUNT
*sampass
,
1462 enum pdb_elements element
)
1464 return IS_SAM_CHANGED(sampass
, element
);
1467 /**********************************************************************
1469 *********************************************************************/
1471 static NTSTATUS
ldapsam_update_sam_account(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* newpwd
)
1473 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1474 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1477 LDAPMessage
*result
= NULL
;
1478 LDAPMessage
*entry
= NULL
;
1479 LDAPMod
**mods
= NULL
;
1482 result
= pdb_get_backend_private_data(newpwd
, my_methods
);
1484 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1485 rc
= ldapsam_search_suffix_by_name(ldap_state
, pdb_get_username(newpwd
), &result
, attr_list
);
1486 free_attr_list( attr_list
);
1487 if (rc
!= LDAP_SUCCESS
) {
1488 return NT_STATUS_UNSUCCESSFUL
;
1490 pdb_set_backend_private_data(newpwd
, result
, private_data_free_fn
, my_methods
, PDB_CHANGED
);
1493 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) == 0) {
1494 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1495 return NT_STATUS_UNSUCCESSFUL
;
1498 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1499 dn
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
1501 return NT_STATUS_UNSUCCESSFUL
;
1504 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd
), dn
));
1506 if (!init_ldap_from_sam(ldap_state
, entry
, &mods
, newpwd
,
1507 element_is_changed
)) {
1508 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1511 ldap_mods_free(mods
,True
);
1512 return NT_STATUS_UNSUCCESSFUL
;
1516 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1517 pdb_get_username(newpwd
)));
1519 return NT_STATUS_OK
;
1522 ret
= ldapsam_modify_entry(my_methods
,newpwd
,dn
,mods
,LDAP_MOD_REPLACE
, element_is_changed
);
1523 ldap_mods_free(mods
,True
);
1526 if (!NT_STATUS_IS_OK(ret
)) {
1527 char *ld_error
= NULL
;
1528 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1530 DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
1531 pdb_get_username(newpwd
), ld_error
?ld_error
:"(unknwon)", ldap_err2string(rc
)));
1532 SAFE_FREE(ld_error
);
1536 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1537 pdb_get_username(newpwd
)));
1538 return NT_STATUS_OK
;
1541 /**********************************************************************
1542 Helper function to determine for update_sam_account whether
1543 we need LDAP modification.
1544 *********************************************************************/
1546 static BOOL
element_is_set_or_changed(const SAM_ACCOUNT
*sampass
,
1547 enum pdb_elements element
)
1549 return (IS_SAM_SET(sampass
, element
) ||
1550 IS_SAM_CHANGED(sampass
, element
));
1553 /**********************************************************************
1554 Add SAM_ACCOUNT to LDAP.
1555 *********************************************************************/
1557 static NTSTATUS
ldapsam_add_sam_account(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* newpwd
)
1559 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1560 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1562 LDAPMessage
*result
= NULL
;
1563 LDAPMessage
*entry
= NULL
;
1565 LDAPMod
**mods
= NULL
;
1566 int ldap_op
= LDAP_MOD_REPLACE
;
1570 const char *username
= pdb_get_username(newpwd
);
1571 const DOM_SID
*sid
= pdb_get_user_sid(newpwd
);
1575 if (!username
|| !*username
) {
1576 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1577 return NT_STATUS_INVALID_PARAMETER
;
1580 /* free this list after the second search or in case we exit on failure */
1581 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1583 rc
= ldapsam_search_suffix_by_name (ldap_state
, username
, &result
, attr_list
);
1585 if (rc
!= LDAP_SUCCESS
) {
1586 free_attr_list( attr_list
);
1587 return NT_STATUS_UNSUCCESSFUL
;
1590 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) != 0) {
1591 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
1593 ldap_msgfree(result
);
1594 free_attr_list( attr_list
);
1595 return NT_STATUS_UNSUCCESSFUL
;
1597 ldap_msgfree(result
);
1600 if (element_is_set_or_changed(newpwd
, PDB_USERSID
)) {
1601 rc
= ldapsam_get_ldap_user_by_sid(ldap_state
,
1603 if (rc
== LDAP_SUCCESS
) {
1604 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) != 0) {
1605 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
1606 sid_to_string(sid_string
, sid
)));
1607 free_attr_list( attr_list
);
1608 ldap_msgfree(result
);
1609 return NT_STATUS_UNSUCCESSFUL
;
1611 ldap_msgfree(result
);
1615 /* does the entry already exist but without a samba attributes?
1616 we need to return the samba attributes here */
1618 escape_user
= escape_ldap_string_alloc( username
);
1619 pstrcpy( filter
, lp_ldap_filter() );
1620 all_string_sub( filter
, "%u", escape_user
, sizeof(filter
) );
1621 SAFE_FREE( escape_user
);
1623 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
,
1624 filter
, attr_list
, &result
);
1625 if ( rc
!= LDAP_SUCCESS
) {
1626 free_attr_list( attr_list
);
1627 return NT_STATUS_UNSUCCESSFUL
;
1630 num_result
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1632 if (num_result
> 1) {
1633 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1634 free_attr_list( attr_list
);
1635 ldap_msgfree(result
);
1636 return NT_STATUS_UNSUCCESSFUL
;
1639 /* Check if we need to update an existing entry */
1640 if (num_result
== 1) {
1643 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1644 ldap_op
= LDAP_MOD_REPLACE
;
1645 entry
= ldap_first_entry (ldap_state
->smbldap_state
->ldap_struct
, result
);
1646 tmp
= smbldap_get_dn (ldap_state
->smbldap_state
->ldap_struct
, entry
);
1648 free_attr_list( attr_list
);
1649 ldap_msgfree(result
);
1650 return NT_STATUS_UNSUCCESSFUL
;
1652 slprintf (dn
, sizeof (dn
) - 1, "%s", tmp
);
1655 } else if (ldap_state
->schema_ver
== SCHEMAVER_SAMBASAMACCOUNT
) {
1657 /* There might be a SID for this account already - say an idmap entry */
1659 pstr_sprintf(filter
, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
1660 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
1661 sid_to_string(sid_string
, sid
),
1662 LDAP_OBJ_IDMAP_ENTRY
,
1663 LDAP_OBJ_SID_ENTRY
);
1665 /* free old result before doing a new search */
1666 if (result
!= NULL
) {
1667 ldap_msgfree(result
);
1670 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
,
1671 filter
, attr_list
, &result
);
1673 if ( rc
!= LDAP_SUCCESS
) {
1674 free_attr_list( attr_list
);
1675 return NT_STATUS_UNSUCCESSFUL
;
1678 num_result
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1680 if (num_result
> 1) {
1681 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1682 free_attr_list( attr_list
);
1683 ldap_msgfree(result
);
1684 return NT_STATUS_UNSUCCESSFUL
;
1687 /* Check if we need to update an existing entry */
1688 if (num_result
== 1) {
1691 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1692 ldap_op
= LDAP_MOD_REPLACE
;
1693 entry
= ldap_first_entry (ldap_state
->smbldap_state
->ldap_struct
, result
);
1694 tmp
= smbldap_get_dn (ldap_state
->smbldap_state
->ldap_struct
, entry
);
1696 free_attr_list( attr_list
);
1697 ldap_msgfree(result
);
1698 return NT_STATUS_UNSUCCESSFUL
;
1700 slprintf (dn
, sizeof (dn
) - 1, "%s", tmp
);
1705 free_attr_list( attr_list
);
1707 if (num_result
== 0) {
1708 /* Check if we need to add an entry */
1709 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
1710 ldap_op
= LDAP_MOD_ADD
;
1711 if (username
[strlen(username
)-1] == '$') {
1712 slprintf (dn
, sizeof (dn
) - 1, "uid=%s,%s", username
, lp_ldap_machine_suffix ());
1714 slprintf (dn
, sizeof (dn
) - 1, "uid=%s,%s", username
, lp_ldap_user_suffix ());
1718 if (!init_ldap_from_sam(ldap_state
, entry
, &mods
, newpwd
,
1719 element_is_set_or_changed
)) {
1720 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1721 ldap_msgfree(result
);
1723 ldap_mods_free(mods
,True
);
1724 return NT_STATUS_UNSUCCESSFUL
;
1727 ldap_msgfree(result
);
1730 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd
)));
1731 return NT_STATUS_UNSUCCESSFUL
;
1733 switch ( ldap_state
->schema_ver
) {
1734 case SCHEMAVER_SAMBAACCOUNT
:
1735 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "objectclass", LDAP_OBJ_SAMBAACCOUNT
);
1737 case SCHEMAVER_SAMBASAMACCOUNT
:
1738 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT
);
1741 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
1745 ret
= ldapsam_modify_entry(my_methods
,newpwd
,dn
,mods
,ldap_op
, element_is_set_or_changed
);
1746 if (!NT_STATUS_IS_OK(ret
)) {
1747 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
1748 pdb_get_username(newpwd
),dn
));
1749 ldap_mods_free(mods
, True
);
1753 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd
)));
1754 ldap_mods_free(mods
, True
);
1756 return NT_STATUS_OK
;
1759 /**********************************************************************
1760 *********************************************************************/
1762 static int ldapsam_search_one_group (struct ldapsam_privates
*ldap_state
,
1764 LDAPMessage
** result
)
1766 int scope
= LDAP_SCOPE_SUBTREE
;
1770 attr_list
= get_attr_list(groupmap_attr_list
);
1771 rc
= smbldap_search(ldap_state
->smbldap_state
,
1772 lp_ldap_group_suffix (), scope
,
1773 filter
, attr_list
, 0, result
);
1774 free_attr_list( attr_list
);
1776 if (rc
!= LDAP_SUCCESS
) {
1777 char *ld_error
= NULL
;
1778 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1780 DEBUG(0, ("ldapsam_search_one_group: "
1781 "Problem during the LDAP search: LDAP error: %s (%s)\n",
1782 ld_error
?ld_error
:"(unknown)", ldap_err2string(rc
)));
1783 DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
1784 lp_ldap_group_suffix(), filter
));
1785 SAFE_FREE(ld_error
);
1791 /**********************************************************************
1792 *********************************************************************/
1794 static BOOL
init_group_from_ldap(struct ldapsam_privates
*ldap_state
,
1795 GROUP_MAP
*map
, LDAPMessage
*entry
)
1799 if (ldap_state
== NULL
|| map
== NULL
|| entry
== NULL
||
1800 ldap_state
->smbldap_state
->ldap_struct
== NULL
) {
1801 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
1805 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1806 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
), temp
)) {
1807 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1808 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
)));
1811 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp
));
1813 map
->gid
= (gid_t
)atol(temp
);
1815 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1816 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_SID
), temp
)) {
1817 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1818 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_SID
)));
1822 if (!string_to_sid(&map
->sid
, temp
)) {
1823 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp
));
1827 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1828 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_TYPE
), temp
)) {
1829 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1830 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_TYPE
)));
1833 map
->sid_name_use
= (enum SID_NAME_USE
)atol(temp
);
1835 if ((map
->sid_name_use
< SID_NAME_USER
) ||
1836 (map
->sid_name_use
> SID_NAME_UNKNOWN
)) {
1837 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map
->sid_name_use
));
1841 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1842 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DISPLAY_NAME
), temp
)) {
1844 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1845 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_CN
), temp
))
1847 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
1848 for gidNumber(%lu)\n",(unsigned long)map
->gid
));
1852 fstrcpy(map
->nt_name
, temp
);
1854 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1855 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DESC
), temp
)) {
1858 fstrcpy(map
->comment
, temp
);
1863 /**********************************************************************
1864 *********************************************************************/
1866 static BOOL
init_ldap_from_group(LDAP
*ldap_struct
,
1867 LDAPMessage
*existing
,
1869 const GROUP_MAP
*map
)
1873 if (mods
== NULL
|| map
== NULL
) {
1874 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
1880 sid_to_string(tmp
, &map
->sid
);
1882 smbldap_make_mod(ldap_struct
, existing
, mods
,
1883 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GROUP_SID
), tmp
);
1884 pstr_sprintf(tmp
, "%i", map
->sid_name_use
);
1885 smbldap_make_mod(ldap_struct
, existing
, mods
,
1886 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GROUP_TYPE
), tmp
);
1888 smbldap_make_mod(ldap_struct
, existing
, mods
,
1889 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DISPLAY_NAME
), map
->nt_name
);
1890 smbldap_make_mod(ldap_struct
, existing
, mods
,
1891 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DESC
), map
->comment
);
1896 /**********************************************************************
1897 *********************************************************************/
1899 static NTSTATUS
ldapsam_getgroup(struct pdb_methods
*methods
,
1903 struct ldapsam_privates
*ldap_state
=
1904 (struct ldapsam_privates
*)methods
->private_data
;
1905 LDAPMessage
*result
= NULL
;
1906 LDAPMessage
*entry
= NULL
;
1909 if (ldapsam_search_one_group(ldap_state
, filter
, &result
)
1911 return NT_STATUS_NO_SUCH_GROUP
;
1914 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1917 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
1918 ldap_msgfree(result
);
1919 return NT_STATUS_NO_SUCH_GROUP
;
1923 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
1925 ldap_msgfree(result
);
1926 return NT_STATUS_NO_SUCH_GROUP
;
1929 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1932 ldap_msgfree(result
);
1933 return NT_STATUS_UNSUCCESSFUL
;
1936 if (!init_group_from_ldap(ldap_state
, map
, entry
)) {
1937 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
1939 ldap_msgfree(result
);
1940 return NT_STATUS_NO_SUCH_GROUP
;
1943 ldap_msgfree(result
);
1944 return NT_STATUS_OK
;
1947 /**********************************************************************
1948 *********************************************************************/
1950 static NTSTATUS
ldapsam_getgrsid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1955 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%s))",
1957 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GROUP_SID
),
1958 sid_string_static(&sid
));
1960 return ldapsam_getgroup(methods
, filter
, map
);
1963 /**********************************************************************
1964 *********************************************************************/
1966 static NTSTATUS
ldapsam_getgrgid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1971 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%lu))",
1973 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
),
1974 (unsigned long)gid
);
1976 return ldapsam_getgroup(methods
, filter
, map
);
1979 /**********************************************************************
1980 *********************************************************************/
1982 static NTSTATUS
ldapsam_getgrnam(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1986 char *escape_name
= escape_ldap_string_alloc(name
);
1989 return NT_STATUS_NO_MEMORY
;
1992 pstr_sprintf(filter
, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
1994 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_DISPLAY_NAME
), escape_name
,
1995 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_CN
), escape_name
);
1997 SAFE_FREE(escape_name
);
1999 return ldapsam_getgroup(methods
, filter
, map
);
2002 /**********************************************************************
2003 *********************************************************************/
2005 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates
*ldap_state
,
2007 LDAPMessage
**result
)
2011 pstr_sprintf(filter
, "(&(|(objectClass=%s)(objectclass=%s))(%s=%lu))",
2012 LDAP_OBJ_POSIXGROUP
, LDAP_OBJ_IDMAP_ENTRY
,
2013 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
),
2014 (unsigned long)gid
);
2016 return ldapsam_search_one_group(ldap_state
, filter
, result
);
2019 /**********************************************************************
2020 *********************************************************************/
2022 static NTSTATUS
ldapsam_add_group_mapping_entry(struct pdb_methods
*methods
,
2025 struct ldapsam_privates
*ldap_state
=
2026 (struct ldapsam_privates
*)methods
->private_data
;
2027 LDAPMessage
*result
= NULL
;
2028 LDAPMod
**mods
= NULL
;
2039 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods
, &dummy
,
2041 DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map
->gid
));
2042 return NT_STATUS_UNSUCCESSFUL
;
2045 rc
= ldapsam_search_one_group_by_gid(ldap_state
, map
->gid
, &result
);
2046 if (rc
!= LDAP_SUCCESS
) {
2047 ldap_msgfree(result
);
2048 return NT_STATUS_UNSUCCESSFUL
;
2051 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
2054 /* There's no posixGroup account, let's try to find an
2055 * appropriate idmap entry for aliases */
2061 ldap_msgfree(result
);
2063 pstrcpy( suffix
, lp_ldap_idmap_suffix() );
2064 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%u))",
2065 LDAP_OBJ_IDMAP_ENTRY
, LDAP_ATTRIBUTE_GIDNUMBER
,
2068 attr_list
= get_attr_list( sidmap_attr_list
);
2069 rc
= smbldap_search(ldap_state
->smbldap_state
, suffix
,
2070 LDAP_SCOPE_SUBTREE
, filter
, attr_list
,
2073 free_attr_list(attr_list
);
2075 if (rc
!= LDAP_SUCCESS
) {
2076 DEBUG(3,("Failure looking up entry (%s)\n",
2077 ldap_err2string(rc
) ));
2078 ldap_msgfree(result
);
2079 return NT_STATUS_UNSUCCESSFUL
;
2083 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
2085 ldap_msgfree(result
);
2086 return NT_STATUS_UNSUCCESSFUL
;
2090 DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
2091 (unsigned long)map
->gid
));
2092 ldap_msgfree(result
);
2093 return NT_STATUS_UNSUCCESSFUL
;
2096 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
2097 tmp
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
2099 ldap_msgfree(result
);
2100 return NT_STATUS_UNSUCCESSFUL
;
2105 if (!init_ldap_from_group(ldap_state
->smbldap_state
->ldap_struct
,
2106 result
, &mods
, map
)) {
2107 DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
2108 ldap_mods_free(mods
, True
);
2109 ldap_msgfree(result
);
2110 return NT_STATUS_UNSUCCESSFUL
;
2113 ldap_msgfree(result
);
2116 DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
2117 return NT_STATUS_UNSUCCESSFUL
;
2120 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "objectClass", LDAP_OBJ_GROUPMAP
);
2122 rc
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
2123 ldap_mods_free(mods
, True
);
2125 if (rc
!= LDAP_SUCCESS
) {
2126 char *ld_error
= NULL
;
2127 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
2129 DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map
->gid
,
2130 ld_error
? ld_error
: "(unknown)", ldap_err2string(rc
)));
2131 SAFE_FREE(ld_error
);
2132 return NT_STATUS_UNSUCCESSFUL
;
2135 DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map
->gid
));
2136 return NT_STATUS_OK
;
2139 /**********************************************************************
2140 *********************************************************************/
2142 static NTSTATUS
ldapsam_update_group_mapping_entry(struct pdb_methods
*methods
,
2145 struct ldapsam_privates
*ldap_state
=
2146 (struct ldapsam_privates
*)methods
->private_data
;
2149 LDAPMessage
*result
= NULL
;
2150 LDAPMessage
*entry
= NULL
;
2151 LDAPMod
**mods
= NULL
;
2153 rc
= ldapsam_search_one_group_by_gid(ldap_state
, map
->gid
, &result
);
2155 if (rc
!= LDAP_SUCCESS
) {
2156 return NT_STATUS_UNSUCCESSFUL
;
2159 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) == 0) {
2160 DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
2161 ldap_msgfree(result
);
2162 return NT_STATUS_UNSUCCESSFUL
;
2165 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
2167 if (!init_ldap_from_group(ldap_state
->smbldap_state
->ldap_struct
,
2168 result
, &mods
, map
)) {
2169 DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
2170 ldap_msgfree(result
);
2172 ldap_mods_free(mods
,True
);
2173 return NT_STATUS_UNSUCCESSFUL
;
2177 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
2178 ldap_msgfree(result
);
2179 return NT_STATUS_OK
;
2182 dn
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
2184 ldap_msgfree(result
);
2185 return NT_STATUS_UNSUCCESSFUL
;
2187 rc
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
2190 ldap_mods_free(mods
, True
);
2191 ldap_msgfree(result
);
2193 if (rc
!= LDAP_SUCCESS
) {
2194 char *ld_error
= NULL
;
2195 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
2197 DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map
->gid
,
2198 ld_error
? ld_error
: "(unknown)", ldap_err2string(rc
)));
2199 SAFE_FREE(ld_error
);
2200 return NT_STATUS_UNSUCCESSFUL
;
2203 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map
->gid
));
2204 return NT_STATUS_OK
;
2207 /**********************************************************************
2208 *********************************************************************/
2210 static NTSTATUS
ldapsam_delete_group_mapping_entry(struct pdb_methods
*methods
,
2213 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)methods
->private_data
;
2214 pstring sidstring
, filter
;
2215 LDAPMessage
*result
= NULL
;
2220 sid_to_string(sidstring
, &sid
);
2222 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%s))",
2223 LDAP_OBJ_GROUPMAP
, LDAP_ATTRIBUTE_SID
, sidstring
);
2225 rc
= ldapsam_search_one_group(ldap_state
, filter
, &result
);
2227 if (rc
!= LDAP_SUCCESS
) {
2228 return NT_STATUS_NO_SUCH_GROUP
;
2231 attr_list
= get_attr_list( groupmap_attr_list_to_delete
);
2232 ret
= ldapsam_delete_entry(ldap_state
, result
, LDAP_OBJ_GROUPMAP
, attr_list
);
2233 free_attr_list ( attr_list
);
2235 ldap_msgfree(result
);
2240 /**********************************************************************
2241 *********************************************************************/
2243 static NTSTATUS
ldapsam_setsamgrent(struct pdb_methods
*my_methods
, BOOL update
)
2245 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
2250 pstr_sprintf( filter
, "(objectclass=%s)", LDAP_OBJ_GROUPMAP
);
2251 attr_list
= get_attr_list( groupmap_attr_list
);
2252 rc
= smbldap_search(ldap_state
->smbldap_state
, lp_ldap_group_suffix(),
2253 LDAP_SCOPE_SUBTREE
, filter
,
2254 attr_list
, 0, &ldap_state
->result
);
2255 free_attr_list( attr_list
);
2257 if (rc
!= LDAP_SUCCESS
) {
2258 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc
)));
2259 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter
));
2260 ldap_msgfree(ldap_state
->result
);
2261 ldap_state
->result
= NULL
;
2262 return NT_STATUS_UNSUCCESSFUL
;
2265 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
2266 ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
,
2267 ldap_state
->result
)));
2269 ldap_state
->entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, ldap_state
->result
);
2270 ldap_state
->index
= 0;
2272 return NT_STATUS_OK
;
2275 /**********************************************************************
2276 *********************************************************************/
2278 static void ldapsam_endsamgrent(struct pdb_methods
*my_methods
)
2280 ldapsam_endsampwent(my_methods
);
2283 /**********************************************************************
2284 *********************************************************************/
2286 static NTSTATUS
ldapsam_getsamgrent(struct pdb_methods
*my_methods
,
2289 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
2290 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
2294 if (!ldap_state
->entry
)
2297 ldap_state
->index
++;
2298 bret
= init_group_from_ldap(ldap_state
, map
, ldap_state
->entry
);
2300 ldap_state
->entry
= ldap_next_entry(ldap_state
->smbldap_state
->ldap_struct
,
2304 return NT_STATUS_OK
;
2307 /**********************************************************************
2308 *********************************************************************/
2310 static NTSTATUS
ldapsam_enum_group_mapping(struct pdb_methods
*methods
,
2311 enum SID_NAME_USE sid_name_use
,
2312 GROUP_MAP
**rmap
, int *num_entries
,
2322 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods
, False
))) {
2323 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
2324 return NT_STATUS_ACCESS_DENIED
;
2327 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods
, &map
))) {
2328 if (sid_name_use
!= SID_NAME_UNKNOWN
&&
2329 sid_name_use
!= map
.sid_name_use
) {
2330 DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map
.nt_name
));
2333 if (unix_only
==ENUM_ONLY_MAPPED
&& map
.gid
==-1) {
2334 DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map
.nt_name
));
2338 mapt
=(GROUP_MAP
*)Realloc((*rmap
), (entries
+1)*sizeof(GROUP_MAP
));
2340 DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
2342 return NT_STATUS_UNSUCCESSFUL
;
2347 mapt
[entries
] = map
;
2352 ldapsam_endsamgrent(methods
);
2354 *num_entries
= entries
;
2356 return NT_STATUS_OK
;
2359 static NTSTATUS
ldapsam_modify_aliasmem(struct pdb_methods
*methods
,
2360 const DOM_SID
*alias
,
2361 const DOM_SID
*member
,
2364 struct ldapsam_privates
*ldap_state
=
2365 (struct ldapsam_privates
*)methods
->private_data
;
2367 LDAPMessage
*result
= NULL
;
2368 LDAPMessage
*entry
= NULL
;
2370 LDAPMod
**mods
= NULL
;
2375 pstr_sprintf(filter
, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
2376 LDAP_OBJ_GROUPMAP
, LDAP_OBJ_IDMAP_ENTRY
,
2377 get_attr_key2string(groupmap_attr_list
,
2378 LDAP_ATTR_GROUP_SID
),
2379 sid_string_static(alias
));
2381 if (ldapsam_search_one_group(ldap_state
, filter
,
2382 &result
) != LDAP_SUCCESS
)
2383 return NT_STATUS_NO_SUCH_ALIAS
;
2385 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
,
2389 DEBUG(4, ("ldapsam_add_aliasmem: Did not find alias\n"));
2390 ldap_msgfree(result
);
2391 return NT_STATUS_NO_SUCH_ALIAS
;
2395 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2396 "count=%d\n", filter
, count
));
2397 ldap_msgfree(result
);
2398 return NT_STATUS_NO_SUCH_ALIAS
;
2401 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
,
2405 ldap_msgfree(result
);
2406 return NT_STATUS_UNSUCCESSFUL
;
2409 dn
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
2411 ldap_msgfree(result
);
2412 return NT_STATUS_UNSUCCESSFUL
;
2415 smbldap_set_mod(&mods
, modop
,
2416 get_attr_key2string(groupmap_attr_list
,
2417 LDAP_ATTR_SID_LIST
),
2418 sid_string_static(member
));
2420 rc
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
2422 ldap_mods_free(mods
, True
);
2423 ldap_msgfree(result
);
2425 if (rc
!= LDAP_SUCCESS
) {
2426 char *ld_error
= NULL
;
2427 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
,
2428 LDAP_OPT_ERROR_STRING
,&ld_error
);
2430 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes "
2431 "for %s, error: %s (%s)\n", dn
, ldap_err2string(rc
),
2432 ld_error
?ld_error
:"unknown"));
2433 SAFE_FREE(ld_error
);
2435 return NT_STATUS_UNSUCCESSFUL
;
2440 return NT_STATUS_OK
;
2443 static NTSTATUS
ldapsam_add_aliasmem(struct pdb_methods
*methods
,
2444 const DOM_SID
*alias
,
2445 const DOM_SID
*member
)
2447 return ldapsam_modify_aliasmem(methods
, alias
, member
, LDAP_MOD_ADD
);
2450 static NTSTATUS
ldapsam_del_aliasmem(struct pdb_methods
*methods
,
2451 const DOM_SID
*alias
,
2452 const DOM_SID
*member
)
2454 return ldapsam_modify_aliasmem(methods
, alias
, member
,
2458 static NTSTATUS
ldapsam_enum_aliasmem(struct pdb_methods
*methods
,
2459 const DOM_SID
*alias
, DOM_SID
**members
,
2462 struct ldapsam_privates
*ldap_state
=
2463 (struct ldapsam_privates
*)methods
->private_data
;
2464 LDAPMessage
*result
= NULL
;
2465 LDAPMessage
*entry
= NULL
;
2474 pstr_sprintf(filter
, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
2475 LDAP_OBJ_GROUPMAP
, LDAP_OBJ_IDMAP_ENTRY
,
2476 get_attr_key2string(groupmap_attr_list
,
2477 LDAP_ATTR_GROUP_SID
),
2478 sid_string_static(alias
));
2480 if (ldapsam_search_one_group(ldap_state
, filter
,
2481 &result
) != LDAP_SUCCESS
)
2482 return NT_STATUS_NO_SUCH_ALIAS
;
2484 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
,
2488 DEBUG(4, ("ldapsam_add_aliasmem: Did not find alias\n"));
2489 ldap_msgfree(result
);
2490 return NT_STATUS_NO_SUCH_ALIAS
;
2494 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2495 "count=%d\n", filter
, count
));
2496 ldap_msgfree(result
);
2497 return NT_STATUS_NO_SUCH_ALIAS
;
2500 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
,
2504 ldap_msgfree(result
);
2505 return NT_STATUS_UNSUCCESSFUL
;
2508 values
= ldap_get_values(ldap_state
->smbldap_state
->ldap_struct
,
2510 get_attr_key2string(groupmap_attr_list
,
2511 LDAP_ATTR_SID_LIST
));
2513 if (values
== NULL
) {
2514 ldap_msgfree(result
);
2515 return NT_STATUS_OK
;
2518 count
= ldap_count_values(values
);
2520 for (i
=0; i
<count
; i
++) {
2523 if (!string_to_sid(&member
, values
[i
]))
2526 add_sid_to_array(&member
, members
, num_members
);
2529 ldap_value_free(values
);
2530 ldap_msgfree(result
);
2532 return NT_STATUS_OK
;
2535 static NTSTATUS
ldapsam_alias_memberships(struct pdb_methods
*methods
,
2537 DOM_SID
**aliases
, int *num
)
2539 struct ldapsam_privates
*ldap_state
=
2540 (struct ldapsam_privates
*)methods
->private_data
;
2543 const char *attrs
[] = { LDAP_ATTRIBUTE_SID
, NULL
};
2545 LDAPMessage
*result
= NULL
;
2546 LDAPMessage
*entry
= NULL
;
2551 sid_to_string(sid_string
, sid
);
2552 pstr_sprintf(filter
, "(&(|(objectclass=%s)(objectclass=%s))(%s=%s))",
2553 LDAP_OBJ_GROUPMAP
, LDAP_OBJ_IDMAP_ENTRY
,
2554 get_attr_key2string(groupmap_attr_list
,
2555 LDAP_ATTR_SID_LIST
), sid_string
);
2557 rc
= smbldap_search(ldap_state
->smbldap_state
, lp_ldap_group_suffix(),
2558 LDAP_SCOPE_SUBTREE
, filter
, attrs
, 0, &result
);
2560 if (rc
!= LDAP_SUCCESS
)
2561 return NT_STATUS_UNSUCCESSFUL
;
2566 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
,
2570 ldap_msgfree(result
);
2571 return NT_STATUS_OK
;
2575 for (entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
,
2578 entry
= ldap_next_entry(ldap_state
->smbldap_state
->ldap_struct
,
2583 vals
= ldap_get_values(ldap_state
->smbldap_state
->ldap_struct
,
2584 entry
, LDAP_ATTRIBUTE_SID
);
2589 if (vals
[0] == NULL
) {
2590 ldap_value_free(vals
);
2594 if (!string_to_sid(&alias
, vals
[0])) {
2595 ldap_value_free(vals
);
2599 add_sid_to_array(&alias
, aliases
, num
);
2600 ldap_value_free(vals
);
2603 ldap_msgfree(result
);
2604 return NT_STATUS_OK
;
2607 /**********************************************************************
2609 *********************************************************************/
2611 static void free_private_data(void **vp
)
2613 struct ldapsam_privates
**ldap_state
= (struct ldapsam_privates
**)vp
;
2615 smbldap_free_struct(&(*ldap_state
)->smbldap_state
);
2617 if ((*ldap_state
)->result
!= NULL
) {
2618 ldap_msgfree((*ldap_state
)->result
);
2619 (*ldap_state
)->result
= NULL
;
2624 /* No need to free any further, as it is talloc()ed */
2627 /**********************************************************************
2628 Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
2629 *********************************************************************/
2631 static NTSTATUS
pdb_init_ldapsam_common(PDB_CONTEXT
*pdb_context
, PDB_METHODS
**pdb_method
,
2632 const char *location
)
2635 struct ldapsam_privates
*ldap_state
;
2637 if (!NT_STATUS_IS_OK(nt_status
= make_pdb_methods(pdb_context
->mem_ctx
, pdb_method
))) {
2641 (*pdb_method
)->name
= "ldapsam";
2643 (*pdb_method
)->setsampwent
= ldapsam_setsampwent
;
2644 (*pdb_method
)->endsampwent
= ldapsam_endsampwent
;
2645 (*pdb_method
)->getsampwent
= ldapsam_getsampwent
;
2646 (*pdb_method
)->getsampwnam
= ldapsam_getsampwnam
;
2647 (*pdb_method
)->getsampwsid
= ldapsam_getsampwsid
;
2648 (*pdb_method
)->add_sam_account
= ldapsam_add_sam_account
;
2649 (*pdb_method
)->update_sam_account
= ldapsam_update_sam_account
;
2650 (*pdb_method
)->delete_sam_account
= ldapsam_delete_sam_account
;
2652 (*pdb_method
)->getgrsid
= ldapsam_getgrsid
;
2653 (*pdb_method
)->getgrgid
= ldapsam_getgrgid
;
2654 (*pdb_method
)->getgrnam
= ldapsam_getgrnam
;
2655 (*pdb_method
)->add_group_mapping_entry
= ldapsam_add_group_mapping_entry
;
2656 (*pdb_method
)->update_group_mapping_entry
= ldapsam_update_group_mapping_entry
;
2657 (*pdb_method
)->delete_group_mapping_entry
= ldapsam_delete_group_mapping_entry
;
2658 (*pdb_method
)->enum_group_mapping
= ldapsam_enum_group_mapping
;
2660 /* TODO: Setup private data and free */
2662 ldap_state
= talloc_zero(pdb_context
->mem_ctx
, sizeof(*ldap_state
));
2664 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
2665 return NT_STATUS_NO_MEMORY
;
2668 if (!NT_STATUS_IS_OK(nt_status
=
2669 smbldap_init(pdb_context
->mem_ctx
, location
,
2670 &ldap_state
->smbldap_state
)));
2672 ldap_state
->domain_name
= talloc_strdup(pdb_context
->mem_ctx
, get_global_sam_name());
2673 if (!ldap_state
->domain_name
) {
2674 return NT_STATUS_NO_MEMORY
;
2677 (*pdb_method
)->private_data
= ldap_state
;
2679 (*pdb_method
)->free_private_data
= free_private_data
;
2681 return NT_STATUS_OK
;
2684 /**********************************************************************
2685 Initialise the 'compat' mode for pdb_ldap
2686 *********************************************************************/
2688 static NTSTATUS
pdb_init_ldapsam_compat(PDB_CONTEXT
*pdb_context
, PDB_METHODS
**pdb_method
, const char *location
)
2691 struct ldapsam_privates
*ldap_state
;
2693 #ifdef WITH_LDAP_SAMCONFIG
2695 int ldap_port
= lp_ldap_port();
2697 /* remap default port if not using SSL (ie clear or TLS) */
2698 if ( (lp_ldap_ssl() != LDAP_SSL_ON
) && (ldap_port
== 636) ) {
2702 location
= talloc_asprintf(pdb_context
->mem_ctx
, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON
? "ldaps" : "ldap", lp_ldap_server(), ldap_port
);
2704 return NT_STATUS_NO_MEMORY
;
2709 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_ldapsam_common(pdb_context
, pdb_method
, location
))) {
2713 (*pdb_method
)->name
= "ldapsam_compat";
2715 ldap_state
= (*pdb_method
)->private_data
;
2716 ldap_state
->schema_ver
= SCHEMAVER_SAMBAACCOUNT
;
2718 sid_copy(&ldap_state
->domain_sid
, get_global_sam_sid());
2720 return NT_STATUS_OK
;
2723 /**********************************************************************
2724 Initialise the normal mode for pdb_ldap
2725 *********************************************************************/
2727 static NTSTATUS
pdb_init_ldapsam(PDB_CONTEXT
*pdb_context
, PDB_METHODS
**pdb_method
, const char *location
)
2730 struct ldapsam_privates
*ldap_state
;
2731 uint32 alg_rid_base
;
2732 pstring alg_rid_base_string
;
2733 LDAPMessage
*result
= NULL
;
2734 LDAPMessage
*entry
= NULL
;
2735 DOM_SID ldap_domain_sid
;
2736 DOM_SID secrets_domain_sid
;
2737 pstring domain_sid_string
;
2739 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_ldapsam_common(pdb_context
, pdb_method
, location
))) {
2743 (*pdb_method
)->name
= "ldapsam";
2745 (*pdb_method
)->add_aliasmem
= ldapsam_add_aliasmem
;
2746 (*pdb_method
)->del_aliasmem
= ldapsam_del_aliasmem
;
2747 (*pdb_method
)->enum_aliasmem
= ldapsam_enum_aliasmem
;
2748 (*pdb_method
)->enum_alias_memberships
= ldapsam_alias_memberships
;
2750 ldap_state
= (*pdb_method
)->private_data
;
2751 ldap_state
->schema_ver
= SCHEMAVER_SAMBASAMACCOUNT
;
2753 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
2755 nt_status
= smbldap_search_domain_info(ldap_state
->smbldap_state
, &result
,
2756 ldap_state
->domain_name
, True
);
2758 if ( !NT_STATUS_IS_OK(nt_status
) ) {
2759 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n"));
2760 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, \
2761 and will risk BDCs having inconsistant SIDs\n"));
2762 sid_copy(&ldap_state
->domain_sid
, get_global_sam_sid());
2763 return NT_STATUS_OK
;
2766 /* Given that the above might fail, everything below this must be optional */
2768 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
2770 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info entry\n"));
2771 ldap_msgfree(result
);
2772 return NT_STATUS_UNSUCCESSFUL
;
2775 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
2776 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
2777 domain_sid_string
)) {
2779 if (!string_to_sid(&ldap_domain_sid
, domain_sid_string
)) {
2780 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be read as a valid SID\n", domain_sid_string
));
2781 return NT_STATUS_INVALID_PARAMETER
;
2783 found_sid
= secrets_fetch_domain_sid(ldap_state
->domain_name
, &secrets_domain_sid
);
2784 if (!found_sid
|| !sid_equal(&secrets_domain_sid
, &ldap_domain_sid
)) {
2785 fstring new_sid_str
, old_sid_str
;
2786 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n",
2787 ldap_state
->domain_name
,
2788 sid_to_string(old_sid_str
, &secrets_domain_sid
),
2789 sid_to_string(new_sid_str
, &ldap_domain_sid
)));
2791 /* reset secrets.tdb sid */
2792 secrets_store_domain_sid(ldap_state
->domain_name
, &ldap_domain_sid
);
2793 DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str
, get_global_sam_sid())));
2795 sid_copy(&ldap_state
->domain_sid
, &ldap_domain_sid
);
2798 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
2799 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_ALGORITHMIC_RID_BASE
),
2800 alg_rid_base_string
)) {
2801 alg_rid_base
= (uint32
)atol(alg_rid_base_string
);
2802 if (alg_rid_base
!= algorithmic_rid_base()) {
2803 DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
2804 "database was initialised. Aborting. \n"));
2805 ldap_msgfree(result
);
2806 return NT_STATUS_UNSUCCESSFUL
;
2809 ldap_msgfree(result
);
2811 return NT_STATUS_OK
;
2814 NTSTATUS
pdb_ldap_init(void)
2817 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "ldapsam", pdb_init_ldapsam
)))
2820 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "ldapsam_compat", pdb_init_ldapsam_compat
)))
2823 return NT_STATUS_OK
;