search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r1383: sync from 3.0 tree
[Samba.git] / source / passdb / pdb_ldap.c
blobd2ee9a2d9dc92b975684d3d7ce30cec29d3631c2
1 /*
2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23
24 */
25
26 /* TODO:
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
29 *
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 *
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
35 *
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 */
39
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
43 * and/or winbind
44 */
45
46 #include "includes.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_PASSDB
50
51 #include <lber.h>
52 #include <ldap.h>
53
54 /*
55 * Work around versions of the LDAP client libs that don't have the OIDs
56 * defined, or have them defined under the old name.
57 * This functionality is really a factor of the server, not the client
58 *
59 */
60
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
65 #endif
66
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
71 #endif
72
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
77 #endif
78
79
80 #ifndef SAM_ACCOUNT
81 #define SAM_ACCOUNT struct sam_passwd
82 #endif
83
84 #define MODIFY_TIMESTAMP_STRING "modifyTimestamp"
85
86 #include "smbldap.h"
87
88 struct ldapsam_privates {
89 struct smbldap_state *smbldap_state;
90
91 /* Former statics */
92 LDAPMessage *result;
93 LDAPMessage *entry;
94 int index;
95
96 const char *domain_name;
97 DOM_SID domain_sid;
98
99 /* configuration items */
100 int schema_ver;
101 };
102
103 /**********************************************************************
104 Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
105 **********************************************************************/
106
107 static void private_data_free_fn(void **result)
108 {
109 ldap_msgfree(*result);
110 *result = NULL;
111 }
112
113 /**********************************************************************
114 Get the attribute name given a user schame version.
115 **********************************************************************/
116
117 static const char* get_userattr_key2string( int schema_ver, int key )
118 {
119 switch ( schema_ver ) {
120 case SCHEMAVER_SAMBAACCOUNT:
121 return get_attr_key2string( attrib_map_v22, key );
122
123 case SCHEMAVER_SAMBASAMACCOUNT:
124 return get_attr_key2string( attrib_map_v30, key );
125
126 default:
127 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
128 break;
129 }
130 return NULL;
131 }
132
133 /**********************************************************************
134 Return the list of attribute names given a user schema version.
135 **********************************************************************/
136
137 static char** get_userattr_list( int schema_ver )
138 {
139 switch ( schema_ver ) {
140 case SCHEMAVER_SAMBAACCOUNT:
141 return get_attr_list( attrib_map_v22 );
142
143 case SCHEMAVER_SAMBASAMACCOUNT:
144 return get_attr_list( attrib_map_v30 );
145 default:
146 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
147 break;
148 }
149
150 return NULL;
151 }
152
153 /*******************************************************************
154 Generate the LDAP search filter for the objectclass based on the
155 version of the schema we are using.
156 ******************************************************************/
157
158 static const char* get_objclass_filter( int schema_ver )
159 {
160 static fstring objclass_filter;
161
162 switch( schema_ver ) {
163 case SCHEMAVER_SAMBAACCOUNT:
164 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
165 break;
166 case SCHEMAVER_SAMBASAMACCOUNT:
167 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
168 break;
169 default:
170 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
171 break;
172 }
173
174 return objclass_filter;
175 }
176
177 /*******************************************************************
178 Run the search by name.
179 ******************************************************************/
180
181 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state,
182 const char *user,
183 LDAPMessage ** result, char **attr)
184 {
185 pstring filter;
186 char *escape_user = escape_ldap_string_alloc(user);
187
188 if (!escape_user) {
189 return LDAP_NO_MEMORY;
190 }
191
192 /*
193 * in the filter expression, replace %u with the real name
194 * so in ldap filter, %u MUST exist :-)
195 */
196 pstr_sprintf(filter, "(&%s%s)", lp_ldap_filter(),
197 get_objclass_filter(ldap_state->schema_ver));
198
199 /*
200 * have to use this here because $ is filtered out
201 * in pstring_sub
202 */
203
204
205 all_string_sub(filter, "%u", escape_user, sizeof(pstring));
206 SAFE_FREE(escape_user);
207
208 return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
209 }
210
211 /*******************************************************************
212 Run the search by rid.
213 ******************************************************************/
214
215 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
216 uint32 rid, LDAPMessage ** result,
217 char **attr)
218 {
219 pstring filter;
220 int rc;
221
222 pstr_sprintf(filter, "(&(rid=%i)%s)", rid,
223 get_objclass_filter(ldap_state->schema_ver));
224
225 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
226
227 return rc;
228 }
229
230 /*******************************************************************
231 Run the search by SID.
232 ******************************************************************/
233
234 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
235 const DOM_SID *sid, LDAPMessage ** result,
236 char **attr)
237 {
238 pstring filter;
239 int rc;
240 fstring sid_string;
241
242 pstr_sprintf(filter, "(&(%s=%s)%s)",
243 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
244 sid_to_string(sid_string, sid),
245 get_objclass_filter(ldap_state->schema_ver));
246
247 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
248
249 return rc;
250 }
251
252 /*******************************************************************
253 Delete complete object or objectclass and attrs from
254 object found in search_result depending on lp_ldap_delete_dn
255 ******************************************************************/
256
257 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
258 LDAPMessage *result,
259 const char *objectclass,
260 char **attrs)
261 {
262 int rc;
263 LDAPMessage *entry = NULL;
264 LDAPMod **mods = NULL;
265 char *name, *dn;
266 BerElement *ptr = NULL;
267
268 rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
269
270 if (rc != 1) {
271 DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
272 return NT_STATUS_UNSUCCESSFUL;
273 }
274
275 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
276 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
277 if (!dn) {
278 return NT_STATUS_UNSUCCESSFUL;
279 }
280
281 if (lp_ldap_delete_dn()) {
282 NTSTATUS ret = NT_STATUS_OK;
283 rc = smbldap_delete(ldap_state->smbldap_state, dn);
284
285 if (rc != LDAP_SUCCESS) {
286 DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn));
287 ret = NT_STATUS_UNSUCCESSFUL;
288 }
289 SAFE_FREE(dn);
290 return ret;
291 }
292
293 /* Ok, delete only the SAM attributes */
294
295 for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
296 name != NULL;
297 name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr)) {
298 char **attrib;
299
300 /* We are only allowed to delete the attributes that
301 really exist. */
302
303 for (attrib = attrs; *attrib != NULL; attrib++) {
304 if (StrCaseCmp(*attrib, name) == 0) {
305 DEBUG(10, ("ldapsam_delete_entry: deleting attribute %s\n", name));
306 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL);
307 }
308 }
309
310 ldap_memfree(name);
311 }
312
313 if (ptr != NULL) {
314 ber_free(ptr, 0);
315 }
316
317 smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
318
319 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
320 ldap_mods_free(mods, True);
321
322 if (rc != LDAP_SUCCESS) {
323 char *ld_error = NULL;
324 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
325 &ld_error);
326
327 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
328 dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
329 SAFE_FREE(ld_error);
330 SAFE_FREE(dn);
331 return NT_STATUS_UNSUCCESSFUL;
332 }
333
334 SAFE_FREE(dn);
335 return NT_STATUS_OK;
336 }
337
338 /* New Interface is being implemented here */
339
340 #if 0 /* JERRY - not uesed anymore */
341
342 /**********************************************************************
343 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
344 *********************************************************************/
345 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
346 SAM_ACCOUNT * sampass,
347 LDAPMessage * entry,
348 gid_t *gid)
349 {
350 pstring homedir;
351 pstring temp;
352 char **ldap_values;
353 char **values;
354
355 if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
356 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
357 return False;
358 }
359
360 for (values=ldap_values;*values;values++) {
361 if (strequal(*values, LDAP_OBJ_POSIXACCOUNT )) {
362 break;
363 }
364 }
365
366 if (!*values) { /*end of array, no posixAccount */
367 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
368 ldap_value_free(ldap_values);
369 return False;
370 }
371 ldap_value_free(ldap_values);
372
373 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
374 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) )
375 {
376 return False;
377 }
378
379 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
380 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
381 {
382 return False;
383 }
384
385 *gid = (gid_t)atol(temp);
386
387 pdb_set_unix_homedir(sampass, homedir, PDB_SET);
388
389 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
390
391 return True;
392 }
393
394 #endif
395
396 static time_t ldapsam_get_entry_timestamp(
397 struct ldapsam_privates *ldap_state,
398 LDAPMessage * entry)
399 {
400 pstring temp;
401 struct tm tm;
402
403 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct,
404 entry, MODIFY_TIMESTAMP_STRING, temp))
405 return (time_t) 0;
406
407 strptime(temp, "%Y%m%d%H%M%SZ", &tm);
408 tzset();
409 return timegm(&tm);
410 }
411
412 /**********************************************************************
413 Initialize SAM_ACCOUNT from an LDAP query.
414 (Based on init_sam_from_buffer in pdb_tdb.c)
415 *********************************************************************/
416
417 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
418 SAM_ACCOUNT * sampass,
419 LDAPMessage * entry)
420 {
421 time_t logon_time,
422 logoff_time,
423 kickoff_time,
424 pass_last_set_time,
425 pass_can_change_time,
426 pass_must_change_time,
427 ldap_entry_time,
428 bad_password_time;
429 pstring username,
430 domain,
431 nt_username,
432 fullname,
433 homedir,
434 dir_drive,
435 logon_script,
436 profile_path,
437 acct_desc,
438 workstations;
439 char munged_dial[2048];
440 uint32 user_rid;
441 uint8 smblmpwd[LM_HASH_LEN],
442 smbntpwd[NT_HASH_LEN];
443 uint16 acct_ctrl = 0,
444 logon_divs;
445 uint16 bad_password_count = 0,
446 logon_count = 0;
447 uint32 hours_len;
448 uint8 hours[MAX_HOURS_LEN];
449 pstring temp;
450 LOGIN_CACHE *cache_entry = NULL;
451
452 /*
453 * do a little initialization
454 */
455 username[0] = '\0';
456 domain[0] = '\0';
457 nt_username[0] = '\0';
458 fullname[0] = '\0';
459 homedir[0] = '\0';
460 dir_drive[0] = '\0';
461 logon_script[0] = '\0';
462 profile_path[0] = '\0';
463 acct_desc[0] = '\0';
464 munged_dial[0] = '\0';
465 workstations[0] = '\0';
466
467
468 if (sampass == NULL || ldap_state == NULL || entry == NULL) {
469 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
470 return False;
471 }
472
473 if (ldap_state->smbldap_state->ldap_struct == NULL) {
474 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
475 return False;
476 }
477
478 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
479 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
480 return False;
481 }
482
483 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
484
485 pstrcpy(nt_username, username);
486
487 pstrcpy(domain, ldap_state->domain_name);
488
489 pdb_set_username(sampass, username, PDB_SET);
490
491 pdb_set_domain(sampass, domain, PDB_DEFAULT);
492 pdb_set_nt_username(sampass, nt_username, PDB_SET);
493
494 /* deal with different attributes between the schema first */
495
496 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
497 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
498 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
499 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
500 }
501
502 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
503 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) {
504 pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
505 } else {
506 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
507 }
508 } else {
509 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
510 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
511 user_rid = (uint32)atol(temp);
512 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
513 }
514
515 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
516 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) {
517 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
518 } else {
519 uint32 group_rid;
520
521 group_rid = (uint32)atol(temp);
522
523 /* for some reason, we often have 0 as a primary group RID.
524 Make sure that we treat this just as a 'default' value */
525
526 if ( group_rid > 0 )
527 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
528 else
529 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
530 }
531 }
532
533 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
534 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
535 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
536 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
537 username));
538 return False;
539 }
540
541 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
542 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
543 /* leave as default */
544 } else {
545 pass_last_set_time = (time_t) atol(temp);
546 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
547 }
548
549 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
550 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
551 /* leave as default */
552 } else {
553 logon_time = (time_t) atol(temp);
554 pdb_set_logon_time(sampass, logon_time, PDB_SET);
555 }
556
557 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
558 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
559 /* leave as default */
560 } else {
561 logoff_time = (time_t) atol(temp);
562 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
563 }
564
565 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
566 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
567 /* leave as default */
568 } else {
569 kickoff_time = (time_t) atol(temp);
570 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
571 }
572
573 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
574 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
575 /* leave as default */
576 } else {
577 pass_can_change_time = (time_t) atol(temp);
578 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
579 }
580
581 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
582 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {
583 /* leave as default */
584 } else {
585 pass_must_change_time = (time_t) atol(temp);
586 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
587 }
588
589 /* recommend that 'gecos' and 'displayName' should refer to the same
590 * attribute OID. userFullName depreciated, only used by Samba
591 * primary rules of LDAP: don't make a new attribute when one is already defined
592 * that fits your needs; using cn then displayName rather than 'userFullName'
593 */
594
595 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
596 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
597 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
598 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
599 /* leave as default */
600 } else {
601 pdb_set_fullname(sampass, fullname, PDB_SET);
602 }
603 } else {
604 pdb_set_fullname(sampass, fullname, PDB_SET);
605 }
606
607 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
608 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
609 {
610 pdb_set_dir_drive( sampass,
611 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
612 PDB_DEFAULT );
613 } else {
614 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
615 }
616
617 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
618 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
619 {
620 pdb_set_homedir( sampass,
621 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
622 PDB_DEFAULT );
623 } else {
624 pdb_set_homedir(sampass, homedir, PDB_SET);
625 }
626
627 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
628 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
629 {
630 pdb_set_logon_script( sampass,
631 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
632 PDB_DEFAULT );
633 } else {
634 pdb_set_logon_script(sampass, logon_script, PDB_SET);
635 }
636
637 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
638 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
639 {
640 pdb_set_profile_path( sampass,
641 talloc_sub_basic( sampass->mem_ctx, username, lp_logon_path()),
642 PDB_DEFAULT );
643 } else {
644 pdb_set_profile_path(sampass, profile_path, PDB_SET);
645 }
646
647 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
648 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
649 {
650 /* leave as default */
651 } else {
652 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
653 }
654
655 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
656 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
657 /* leave as default */;
658 } else {
659 pdb_set_workstations(sampass, workstations, PDB_SET);
660 }
661
662 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
663 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
664 /* leave as default */;
665 } else {
666 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
667 }
668
669 /* FIXME: hours stuff should be cleaner */
670
671 logon_divs = 168;
672 hours_len = 21;
673 memset(hours, 0xff, hours_len);
674
675 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
676 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
677 /* leave as default */
678 } else {
679 pdb_gethexpwd(temp, smblmpwd);
680 memset((char *)temp, '\0', strlen(temp)+1);
681 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
682 return False;
683 ZERO_STRUCT(smblmpwd);
684 }
685
686 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
687 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
688 /* leave as default */
689 } else {
690 pdb_gethexpwd(temp, smbntpwd);
691 memset((char *)temp, '\0', strlen(temp)+1);
692 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
693 return False;
694 ZERO_STRUCT(smbntpwd);
695 }
696
697 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
698 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
699 acct_ctrl |= ACB_NORMAL;
700 } else {
701 acct_ctrl = pdb_decode_acct_ctrl(temp);
702
703 if (acct_ctrl == 0)
704 acct_ctrl |= ACB_NORMAL;
705
706 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
707 }
708
709 pdb_set_hours_len(sampass, hours_len, PDB_SET);
710 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
711
712 /* pdb_set_munged_dial(sampass, munged_dial, PDB_SET); */
713
714 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
715 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
716 /* leave as default */
717 } else {
718 bad_password_count = (uint32) atol(temp);
719 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
720 }
721
722 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
723 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
724 /* leave as default */
725 } else {
726 bad_password_time = (time_t) atol(temp);
727 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
728 }
729
730
731 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
732 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
733 /* leave as default */
734 } else {
735 logon_count = (uint32) atol(temp);
736 pdb_set_logon_count(sampass, logon_count, PDB_SET);
737 }
738
739 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
740
741 pdb_set_hours(sampass, hours, PDB_SET);
742
743 /* check the timestamp of the cache vs ldap entry */
744 if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
745 entry)))
746 return True;
747
748 /* see if we have newer updates */
749 if (!(cache_entry = login_cache_read(sampass))) {
750 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
751 (unsigned int)pdb_get_bad_password_count(sampass),
752 (unsigned int)pdb_get_bad_password_time(sampass)));
753 return True;
754 }
755
756 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
757 (unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp,
758 (unsigned int)cache_entry->bad_password_time));
759
760 if (ldap_entry_time > cache_entry->entry_timestamp) {
761 /* cache is older than directory , so
762 we need to delete the entry but allow the
763 fields to be written out */
764 login_cache_delentry(sampass);
765 } else {
766 /* read cache in */
767 pdb_set_acct_ctrl(sampass,
768 pdb_get_acct_ctrl(sampass) |
769 (cache_entry->acct_ctrl & ACB_AUTOLOCK),
770 PDB_SET);
771 pdb_set_bad_password_count(sampass,
772 cache_entry->bad_password_count,
773 PDB_SET);
774 pdb_set_bad_password_time(sampass,
775 cache_entry->bad_password_time,
776 PDB_SET);
777 }
778
779 SAFE_FREE(cache_entry);
780 return True;
781 }
782
783 /**********************************************************************
784 Initialize SAM_ACCOUNT from an LDAP query.
785 (Based on init_buffer_from_sam in pdb_tdb.c)
786 *********************************************************************/
787
788 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
789 LDAPMessage *existing,
790 LDAPMod *** mods, SAM_ACCOUNT * sampass,
791 BOOL (*need_update)(const SAM_ACCOUNT *,
792 enum pdb_elements))
793 {
794 pstring temp;
795 uint32 rid;
796
797 if (mods == NULL || sampass == NULL) {
798 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
799 return False;
800 }
801
802 *mods = NULL;
803
804 /*
805 * took out adding "objectclass: sambaAccount"
806 * do this on a per-mod basis
807 */
808 if (need_update(sampass, PDB_USERNAME))
809 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
810 "uid", pdb_get_username(sampass));
811
812 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
813
814 /* only update the RID if we actually need to */
815 if (need_update(sampass, PDB_USERSID)) {
816 fstring sid_string;
817 fstring dom_sid_string;
818 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
819
820 switch ( ldap_state->schema_ver ) {
821 case SCHEMAVER_SAMBAACCOUNT:
822 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
823 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
824 sid_to_string(sid_string, user_sid),
825 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
826 return False;
827 }
828 slprintf(temp, sizeof(temp) - 1, "%i", rid);
829 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
830 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
831 temp);
832 break;
833
834 case SCHEMAVER_SAMBASAMACCOUNT:
835 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
836 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
837 sid_to_string(sid_string, user_sid));
838 break;
839
840 default:
841 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
842 break;
843 }
844 }
845
846 /* we don't need to store the primary group RID - so leaving it
847 'free' to hang off the unix primary group makes life easier */
848
849 if (need_update(sampass, PDB_GROUPSID)) {
850 fstring sid_string;
851 fstring dom_sid_string;
852 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
853
854 switch ( ldap_state->schema_ver ) {
855 case SCHEMAVER_SAMBAACCOUNT:
856 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
857 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
858 sid_to_string(sid_string, group_sid),
859 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
860 return False;
861 }
862
863 slprintf(temp, sizeof(temp) - 1, "%i", rid);
864 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
865 get_userattr_key2string(ldap_state->schema_ver,
866 LDAP_ATTR_PRIMARY_GROUP_RID), temp);
867 break;
868
869 case SCHEMAVER_SAMBASAMACCOUNT:
870 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
871 get_userattr_key2string(ldap_state->schema_ver,
872 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
873 break;
874
875 default:
876 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
877 break;
878 }
879
880 }
881
882 /* displayName, cn, and gecos should all be the same
883 * most easily accomplished by giving them the same OID
884 * gecos isn't set here b/c it should be handled by the
885 * add-user script
886 * We change displayName only and fall back to cn if
887 * it does not exist.
888 */
889
890 if (need_update(sampass, PDB_FULLNAME))
891 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
892 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
893 pdb_get_fullname(sampass));
894
895 if (need_update(sampass, PDB_ACCTDESC))
896 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
897 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
898 pdb_get_acct_desc(sampass));
899
900 if (need_update(sampass, PDB_WORKSTATIONS))
901 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
902 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
903 pdb_get_workstations(sampass));
904
905 if (need_update(sampass, PDB_MUNGEDDIAL))
906 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
907 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
908 pdb_get_munged_dial(sampass));
909
910 if (need_update(sampass, PDB_SMBHOME))
911 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
912 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
913 pdb_get_homedir(sampass));
914
915 if (need_update(sampass, PDB_DRIVE))
916 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
917 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
918 pdb_get_dir_drive(sampass));
919
920 if (need_update(sampass, PDB_LOGONSCRIPT))
921 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
922 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
923 pdb_get_logon_script(sampass));
924
925 if (need_update(sampass, PDB_PROFILE))
926 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
927 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
928 pdb_get_profile_path(sampass));
929
930 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
931 if (need_update(sampass, PDB_LOGONTIME))
932 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
933 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
934
935 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
936 if (need_update(sampass, PDB_LOGOFFTIME))
937 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
938 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
939
940 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
941 if (need_update(sampass, PDB_KICKOFFTIME))
942 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
943 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
944
945 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
946 if (need_update(sampass, PDB_CANCHANGETIME))
947 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
948 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
949
950 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
951 if (need_update(sampass, PDB_MUSTCHANGETIME))
952 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
953 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
954
955
956 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
957 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
958
959 if (need_update(sampass, PDB_LMPASSWD)) {
960 const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
961 if (lm_pw) {
962 pdb_sethexpwd(temp, lm_pw,
963 pdb_get_acct_ctrl(sampass));
964 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
965 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
966 temp);
967 } else {
968 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
969 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
970 NULL);
971 }
972 }
973 if (need_update(sampass, PDB_NTPASSWD)) {
974 const uchar *nt_pw = pdb_get_nt_passwd(sampass);
975 if (nt_pw) {
976 pdb_sethexpwd(temp, nt_pw,
977 pdb_get_acct_ctrl(sampass));
978 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
979 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
980 temp);
981 } else {
982 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
983 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
984 NULL);
985 }
986 }
987
988 if (need_update(sampass, PDB_PASSLASTSET)) {
989 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
990 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
991 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
992 temp);
993 }
994 }
995
996 /* FIXME: Hours stuff goes in LDAP */
997
998 if (need_update(sampass, PDB_ACCTCTRL))
999 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1000 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1001 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1002
1003 /* password lockout cache:
1004 - If we are now autolocking or clearing, we write to ldap
1005 - If we are clearing, we delete the cache entry
1006 - If the count is > 0, we update the cache
1007
1008 This even means when autolocking, we cache, just in case the
1009 update doesn't work, and we have to cache the autolock flag */
1010
1011 if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
1012 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1013 uint16 badcount = pdb_get_bad_password_count(sampass);
1014 time_t badtime = pdb_get_bad_password_time(sampass);
1015 uint32 pol;
1016 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1017
1018 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1019 (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1020
1021 if ((badcount >= pol) || (badcount == 0)) {
1022 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1023 (unsigned int)badcount, (unsigned int)badtime));
1024 slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
1025 smbldap_make_mod(
1026 ldap_state->smbldap_state->ldap_struct,
1027 existing, mods,
1028 get_userattr_key2string(
1029 ldap_state->schema_ver,
1030 LDAP_ATTR_BAD_PASSWORD_COUNT),
1031 temp);
1032
1033 slprintf (temp, sizeof (temp) - 1, "%li", badtime);
1034 smbldap_make_mod(
1035 ldap_state->smbldap_state->ldap_struct,
1036 existing, mods,
1037 get_userattr_key2string(
1038 ldap_state->schema_ver,
1039 LDAP_ATTR_BAD_PASSWORD_TIME),
1040 temp);
1041 }
1042 if (badcount == 0) {
1043 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1044 login_cache_delentry(sampass);
1045 } else {
1046 LOGIN_CACHE cache_entry;
1047
1048 cache_entry.entry_timestamp = time(NULL);
1049 cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1050 cache_entry.bad_password_count = badcount;
1051 cache_entry.bad_password_time = badtime;
1052
1053 DEBUG(7, ("Updating bad password count and time in login cache\n"));
1054 login_cache_write(sampass, cache_entry);
1055 }
1056 }
1057
1058 return True;
1059 }
1060
1061 /**********************************************************************
1062 Connect to LDAP server for password enumeration.
1063 *********************************************************************/
1064
1065 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
1066 {
1067 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1068 int rc;
1069 pstring filter;
1070 char **attr_list;
1071
1072 pstr_sprintf( filter, "(&%s%s)", lp_ldap_filter(),
1073 get_objclass_filter(ldap_state->schema_ver));
1074 all_string_sub(filter, "%u", "*", sizeof(pstring));
1075
1076 attr_list = get_userattr_list(ldap_state->schema_ver);
1077 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
1078 attr_list, &ldap_state->result);
1079 free_attr_list( attr_list );
1080
1081 if (rc != LDAP_SUCCESS) {
1082 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
1083 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", lp_ldap_suffix(), filter));
1084 ldap_msgfree(ldap_state->result);
1085 ldap_state->result = NULL;
1086 return NT_STATUS_UNSUCCESSFUL;
1087 }
1088
1089 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1090 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
1091 ldap_state->result)));
1092
1093 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
1094 ldap_state->result);
1095 ldap_state->index = 0;
1096
1097 return NT_STATUS_OK;
1098 }
1099
1100 /**********************************************************************
1101 End enumeration of the LDAP password list.
1102 *********************************************************************/
1103
1104 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1105 {
1106 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1107 if (ldap_state->result) {
1108 ldap_msgfree(ldap_state->result);
1109 ldap_state->result = NULL;
1110 }
1111 }
1112
1113 /**********************************************************************
1114 Get the next entry in the LDAP password database.
1115 *********************************************************************/
1116
1117 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
1118 {
1119 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1120 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1121 BOOL bret = False;
1122
1123 while (!bret) {
1124 if (!ldap_state->entry)
1125 return ret;
1126
1127 ldap_state->index++;
1128 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
1129
1130 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
1131 ldap_state->entry);
1132 }
1133
1134 return NT_STATUS_OK;
1135 }
1136
1137 static void append_attr(char ***attr_list, const char *new_attr)
1138 {
1139 int i;
1140
1141 for (i=0; (*attr_list)[i] != NULL; i++)
1142 ;
1143
1144 (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2));
1145 SMB_ASSERT((*attr_list) != NULL);
1146 (*attr_list)[i] = strdup(new_attr);
1147 (*attr_list)[i+1] = NULL;
1148 }
1149
1150 /**********************************************************************
1151 Get SAM_ACCOUNT entry from LDAP by username.
1152 *********************************************************************/
1153
1154 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
1155 {
1156 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1157 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1158 LDAPMessage *result = NULL;
1159 LDAPMessage *entry = NULL;
1160 int count;
1161 char ** attr_list;
1162 int rc;
1163
1164 attr_list = get_userattr_list( ldap_state->schema_ver );
1165 append_attr(&attr_list, MODIFY_TIMESTAMP_STRING);
1166 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1167 free_attr_list( attr_list );
1168
1169 if ( rc != LDAP_SUCCESS )
1170 return NT_STATUS_NO_SUCH_USER;
1171
1172 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1173
1174 if (count < 1) {
1175 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1176 ldap_msgfree(result);
1177 return NT_STATUS_NO_SUCH_USER;
1178 } else if (count > 1) {
1179 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1180 ldap_msgfree(result);
1181 return NT_STATUS_NO_SUCH_USER;
1182 }
1183
1184 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1185 if (entry) {
1186 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1187 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1188 ldap_msgfree(result);
1189 return NT_STATUS_NO_SUCH_USER;
1190 }
1191 pdb_set_backend_private_data(user, result,
1192 private_data_free_fn,
1193 my_methods, PDB_CHANGED);
1194 ret = NT_STATUS_OK;
1195 } else {
1196 ldap_msgfree(result);
1197 }
1198 return ret;
1199 }
1200
1201 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1202 const DOM_SID *sid, LDAPMessage **result)
1203 {
1204 int rc = -1;
1205 char ** attr_list;
1206 uint32 rid;
1207
1208 switch ( ldap_state->schema_ver ) {
1209 case SCHEMAVER_SAMBASAMACCOUNT:
1210 attr_list = get_userattr_list(ldap_state->schema_ver);
1211 append_attr(&attr_list, MODIFY_TIMESTAMP_STRING);
1212 rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
1213 free_attr_list( attr_list );
1214
1215 if ( rc != LDAP_SUCCESS )
1216 return rc;
1217 break;
1218
1219 case SCHEMAVER_SAMBAACCOUNT:
1220 if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1221 return rc;
1222 }
1223
1224 attr_list = get_userattr_list(ldap_state->schema_ver);
1225 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1226 free_attr_list( attr_list );
1227
1228 if ( rc != LDAP_SUCCESS )
1229 return rc;
1230 break;
1231 }
1232 return rc;
1233 }
1234
1235 /**********************************************************************
1236 Get SAM_ACCOUNT entry from LDAP by SID.
1237 *********************************************************************/
1238
1239 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
1240 {
1241 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1242 LDAPMessage *result = NULL;
1243 LDAPMessage *entry = NULL;
1244 int count;
1245 int rc;
1246 fstring sid_string;
1247
1248 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1249 sid, &result);
1250 if (rc != LDAP_SUCCESS)
1251 return NT_STATUS_NO_SUCH_USER;
1252
1253 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1254
1255 if (count < 1) {
1256 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
1257 count));
1258 ldap_msgfree(result);
1259 return NT_STATUS_NO_SUCH_USER;
1260 } else if (count > 1) {
1261 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
1262 count));
1263 ldap_msgfree(result);
1264 return NT_STATUS_NO_SUCH_USER;
1265 }
1266
1267 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1268 if (!entry) {
1269 ldap_msgfree(result);
1270 return NT_STATUS_NO_SUCH_USER;
1271 }
1272
1273 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1274 DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1275 ldap_msgfree(result);
1276 return NT_STATUS_NO_SUCH_USER;
1277 }
1278
1279 pdb_set_backend_private_data(user, result,
1280 private_data_free_fn,
1281 my_methods, PDB_CHANGED);
1282 return NT_STATUS_OK;
1283 }
1284
1285 /********************************************************************
1286 Do the actual modification - also change a plaintext passord if
1287 it it set.
1288 **********************************************************************/
1289
1290 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1291 SAM_ACCOUNT *newpwd, char *dn,
1292 LDAPMod **mods, int ldap_op,
1293 BOOL (*need_update)(const SAM_ACCOUNT *, enum pdb_elements))
1294 {
1295 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1296 int rc;
1297
1298 if (!my_methods || !newpwd || !dn) {
1299 return NT_STATUS_INVALID_PARAMETER;
1300 }
1301
1302 if (!mods) {
1303 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1304 /* may be password change below however */
1305 } else {
1306 switch(ldap_op) {
1307 case LDAP_MOD_ADD:
1308 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1309 "objectclass",
1310 LDAP_OBJ_ACCOUNT);
1311 rc = smbldap_add(ldap_state->smbldap_state,
1312 dn, mods);
1313 break;
1314 case LDAP_MOD_REPLACE:
1315 rc = smbldap_modify(ldap_state->smbldap_state,
1316 dn ,mods);
1317 break;
1318 default:
1319 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1320 ldap_op));
1321 return NT_STATUS_INVALID_PARAMETER;
1322 }
1323
1324 if (rc!=LDAP_SUCCESS) {
1325 char *ld_error = NULL;
1326 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1327 &ld_error);
1328 DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
1329 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
1330 dn, ldap_err2string(rc),
1331 ld_error?ld_error:"unknown"));
1332 SAFE_FREE(ld_error);
1333 return NT_STATUS_UNSUCCESSFUL;
1334 }
1335 }
1336
1337 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1338 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1339 need_update(newpwd, PDB_PLAINTEXT_PW) &&
1340 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1341 BerElement *ber;
1342 struct berval *bv;
1343 char *retoid;
1344 struct berval *retdata;
1345 char *utf8_password;
1346 char *utf8_dn;
1347
1348 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1349 return NT_STATUS_NO_MEMORY;
1350 }
1351
1352 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1353 return NT_STATUS_NO_MEMORY;
1354 }
1355
1356 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1357 DEBUG(0,("ber_alloc_t returns NULL\n"));
1358 SAFE_FREE(utf8_password);
1359 return NT_STATUS_UNSUCCESSFUL;
1360 }
1361
1362 ber_printf (ber, "{");
1363 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1364 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1365 ber_printf (ber, "N}");
1366
1367 if ((rc = ber_flatten (ber, &bv))<0) {
1368 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1369 ber_free(ber,1);
1370 SAFE_FREE(utf8_dn);
1371 SAFE_FREE(utf8_password);
1372 return NT_STATUS_UNSUCCESSFUL;
1373 }
1374
1375 SAFE_FREE(utf8_dn);
1376 SAFE_FREE(utf8_password);
1377 ber_free(ber, 1);
1378
1379 if ((rc = smbldap_extended_operation(ldap_state->smbldap_state,
1380 LDAP_EXOP_MODIFY_PASSWD,
1381 bv, NULL, NULL, &retoid,
1382 &retdata)) != LDAP_SUCCESS) {
1383 char *ld_error = NULL;
1384 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1385 &ld_error);
1386 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1387 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1388 SAFE_FREE(ld_error);
1389 ber_bvfree(bv);
1390 return NT_STATUS_UNSUCCESSFUL;
1391 } else {
1392 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1393 #ifdef DEBUG_PASSWORD
1394 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1395 #endif
1396 ber_bvfree(retdata);
1397 ber_memfree(retoid);
1398 }
1399 ber_bvfree(bv);
1400 }
1401 return NT_STATUS_OK;
1402 }
1403
1404 /**********************************************************************
1405 Delete entry from LDAP for username.
1406 *********************************************************************/
1407
1408 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
1409 {
1410 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1411 const char *sname;
1412 int rc;
1413 LDAPMessage *result = NULL;
1414 NTSTATUS ret;
1415 char **attr_list;
1416 fstring objclass;
1417
1418 if (!sam_acct) {
1419 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1420 return NT_STATUS_INVALID_PARAMETER;
1421 }
1422
1423 sname = pdb_get_username(sam_acct);
1424
1425 DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname));
1426
1427 attr_list= get_userattr_list( ldap_state->schema_ver );
1428 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1429
1430 if (rc != LDAP_SUCCESS) {
1431 free_attr_list( attr_list );
1432 return NT_STATUS_NO_SUCH_USER;
1433 }
1434
1435 switch ( ldap_state->schema_ver ) {
1436 case SCHEMAVER_SAMBASAMACCOUNT:
1437 fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
1438 break;
1439
1440 case SCHEMAVER_SAMBAACCOUNT:
1441 fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
1442 break;
1443 default:
1444 fstrcpy( objclass, "UNKNOWN" );
1445 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1446 break;
1447 }
1448
1449 ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
1450 ldap_msgfree(result);
1451 free_attr_list( attr_list );
1452
1453 return ret;
1454 }
1455
1456 /**********************************************************************
1457 Helper function to determine for update_sam_account whether
1458 we need LDAP modification.
1459 *********************************************************************/
1460
1461 static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
1462 enum pdb_elements element)
1463 {
1464 return IS_SAM_CHANGED(sampass, element);
1465 }
1466
1467 /**********************************************************************
1468 Update SAM_ACCOUNT.
1469 *********************************************************************/
1470
1471 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1472 {
1473 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1474 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1475 int rc = 0;
1476 char *dn;
1477 LDAPMessage *result = NULL;
1478 LDAPMessage *entry = NULL;
1479 LDAPMod **mods = NULL;
1480 char **attr_list;
1481
1482 result = pdb_get_backend_private_data(newpwd, my_methods);
1483 if (!result) {
1484 attr_list = get_userattr_list(ldap_state->schema_ver);
1485 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1486 free_attr_list( attr_list );
1487 if (rc != LDAP_SUCCESS) {
1488 return NT_STATUS_UNSUCCESSFUL;
1489 }
1490 pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
1491 }
1492
1493 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1494 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1495 return NT_STATUS_UNSUCCESSFUL;
1496 }
1497
1498 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1499 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1500 if (!dn) {
1501 return NT_STATUS_UNSUCCESSFUL;
1502 }
1503
1504 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1505
1506 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1507 element_is_changed)) {
1508 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1509 SAFE_FREE(dn);
1510 if (mods != NULL)
1511 ldap_mods_free(mods,True);
1512 return NT_STATUS_UNSUCCESSFUL;
1513 }
1514
1515 if (mods == NULL) {
1516 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1517 pdb_get_username(newpwd)));
1518 SAFE_FREE(dn);
1519 return NT_STATUS_OK;
1520 }
1521
1522 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1523 ldap_mods_free(mods,True);
1524 SAFE_FREE(dn);
1525
1526 if (!NT_STATUS_IS_OK(ret)) {
1527 char *ld_error = NULL;
1528 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1529 &ld_error);
1530 DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
1531 pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
1532 SAFE_FREE(ld_error);
1533 return ret;
1534 }
1535
1536 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1537 pdb_get_username(newpwd)));
1538 return NT_STATUS_OK;
1539 }
1540
1541 /**********************************************************************
1542 Helper function to determine for update_sam_account whether
1543 we need LDAP modification.
1544 *********************************************************************/
1545
1546 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
1547 enum pdb_elements element)
1548 {
1549 return (IS_SAM_SET(sampass, element) ||
1550 IS_SAM_CHANGED(sampass, element));
1551 }
1552
1553 /**********************************************************************
1554 Add SAM_ACCOUNT to LDAP.
1555 *********************************************************************/
1556
1557 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1558 {
1559 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1560 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1561 int rc;
1562 LDAPMessage *result = NULL;
1563 LDAPMessage *entry = NULL;
1564 pstring dn;
1565 LDAPMod **mods = NULL;
1566 int ldap_op = LDAP_MOD_REPLACE;
1567 uint32 num_result;
1568 char **attr_list;
1569 char *escape_user;
1570 const char *username = pdb_get_username(newpwd);
1571 const DOM_SID *sid = pdb_get_user_sid(newpwd);
1572 pstring filter;
1573 fstring sid_string;
1574
1575 if (!username || !*username) {
1576 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1577 return NT_STATUS_INVALID_PARAMETER;
1578 }
1579
1580 /* free this list after the second search or in case we exit on failure */
1581 attr_list = get_userattr_list(ldap_state->schema_ver);
1582
1583 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
1584
1585 if (rc != LDAP_SUCCESS) {
1586 free_attr_list( attr_list );
1587 return NT_STATUS_UNSUCCESSFUL;
1588 }
1589
1590 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1591 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
1592 username));
1593 ldap_msgfree(result);
1594 free_attr_list( attr_list );
1595 return NT_STATUS_UNSUCCESSFUL;
1596 }
1597 ldap_msgfree(result);
1598 result = NULL;
1599
1600 if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
1601 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1602 sid, &result);
1603 if (rc == LDAP_SUCCESS) {
1604 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1605 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
1606 sid_to_string(sid_string, sid)));
1607 free_attr_list( attr_list );
1608 ldap_msgfree(result);
1609 return NT_STATUS_UNSUCCESSFUL;
1610 }
1611 ldap_msgfree(result);
1612 }
1613 }
1614
1615 /* does the entry already exist but without a samba attributes?
1616 we need to return the samba attributes here */
1617
1618 escape_user = escape_ldap_string_alloc( username );
1619 pstrcpy( filter, lp_ldap_filter() );
1620 all_string_sub( filter, "%u", escape_user, sizeof(filter) );
1621 SAFE_FREE( escape_user );
1622
1623 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1624 filter, attr_list, &result);
1625 if ( rc != LDAP_SUCCESS ) {
1626 free_attr_list( attr_list );
1627 return NT_STATUS_UNSUCCESSFUL;
1628 }
1629
1630 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1631
1632 if (num_result > 1) {
1633 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1634 free_attr_list( attr_list );
1635 ldap_msgfree(result);
1636 return NT_STATUS_UNSUCCESSFUL;
1637 }
1638
1639 /* Check if we need to update an existing entry */
1640 if (num_result == 1) {
1641 char *tmp;
1642
1643 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1644 ldap_op = LDAP_MOD_REPLACE;
1645 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1646 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1647 if (!tmp) {
1648 free_attr_list( attr_list );
1649 ldap_msgfree(result);
1650 return NT_STATUS_UNSUCCESSFUL;
1651 }
1652 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1653 SAFE_FREE(tmp);
1654
1655 } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
1656
1657 /* There might be a SID for this account already - say an idmap entry */
1658
1659 pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
1660 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1661 sid_to_string(sid_string, sid),
1662 LDAP_OBJ_IDMAP_ENTRY,
1663 LDAP_OBJ_SID_ENTRY);
1664
1665 /* free old result before doing a new search */
1666 if (result != NULL) {
1667 ldap_msgfree(result);
1668 result = NULL;
1669 }
1670 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1671 filter, attr_list, &result);
1672
1673 if ( rc != LDAP_SUCCESS ) {
1674 free_attr_list( attr_list );
1675 return NT_STATUS_UNSUCCESSFUL;
1676 }
1677
1678 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1679
1680 if (num_result > 1) {
1681 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1682 free_attr_list( attr_list );
1683 ldap_msgfree(result);
1684 return NT_STATUS_UNSUCCESSFUL;
1685 }
1686
1687 /* Check if we need to update an existing entry */
1688 if (num_result == 1) {
1689 char *tmp;
1690
1691 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1692 ldap_op = LDAP_MOD_REPLACE;
1693 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1694 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1695 if (!tmp) {
1696 free_attr_list( attr_list );
1697 ldap_msgfree(result);
1698 return NT_STATUS_UNSUCCESSFUL;
1699 }
1700 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1701 SAFE_FREE(tmp);
1702 }
1703 }
1704
1705 free_attr_list( attr_list );
1706
1707 if (num_result == 0) {
1708 /* Check if we need to add an entry */
1709 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
1710 ldap_op = LDAP_MOD_ADD;
1711 if (username[strlen(username)-1] == '$') {
1712 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
1713 } else {
1714 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
1715 }
1716 }
1717
1718 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1719 element_is_set_or_changed)) {
1720 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1721 ldap_msgfree(result);
1722 if (mods != NULL)
1723 ldap_mods_free(mods,True);
1724 return NT_STATUS_UNSUCCESSFUL;
1725 }
1726
1727 ldap_msgfree(result);
1728
1729 if (mods == NULL) {
1730 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
1731 return NT_STATUS_UNSUCCESSFUL;
1732 }
1733 switch ( ldap_state->schema_ver ) {
1734 case SCHEMAVER_SAMBAACCOUNT:
1735 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
1736 break;
1737 case SCHEMAVER_SAMBASAMACCOUNT:
1738 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
1739 break;
1740 default:
1741 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
1742 break;
1743 }
1744
1745 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
1746 if (!NT_STATUS_IS_OK(ret)) {
1747 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
1748 pdb_get_username(newpwd),dn));
1749 ldap_mods_free(mods, True);
1750 return ret;
1751 }
1752
1753 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
1754 ldap_mods_free(mods, True);
1755
1756 return NT_STATUS_OK;
1757 }
1758
1759 /**********************************************************************
1760 *********************************************************************/
1761
1762 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
1763 const char *filter,
1764 LDAPMessage ** result)
1765 {
1766 int scope = LDAP_SCOPE_SUBTREE;
1767 int rc;
1768 char **attr_list;
1769
1770 attr_list = get_attr_list(groupmap_attr_list);
1771 rc = smbldap_search(ldap_state->smbldap_state,
1772 lp_ldap_group_suffix (), scope,
1773 filter, attr_list, 0, result);
1774 free_attr_list( attr_list );
1775
1776 if (rc != LDAP_SUCCESS) {
1777 char *ld_error = NULL;
1778 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1779 &ld_error);
1780 DEBUG(0, ("ldapsam_search_one_group: "
1781 "Problem during the LDAP search: LDAP error: %s (%s)\n",
1782 ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
1783 DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
1784 lp_ldap_group_suffix(), filter));
1785 SAFE_FREE(ld_error);
1786 }
1787
1788 return rc;
1789 }
1790
1791 /**********************************************************************
1792 *********************************************************************/
1793
1794 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
1795 GROUP_MAP *map, LDAPMessage *entry)
1796 {
1797 pstring temp;
1798
1799 if (ldap_state == NULL || map == NULL || entry == NULL ||
1800 ldap_state->smbldap_state->ldap_struct == NULL) {
1801 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
1802 return False;
1803 }
1804
1805 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1806 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
1807 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1808 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
1809 return False;
1810 }
1811 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
1812
1813 map->gid = (gid_t)atol(temp);
1814
1815 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1816 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
1817 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1818 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
1819 return False;
1820 }
1821
1822 if (!string_to_sid(&map->sid, temp)) {
1823 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
1824 return False;
1825 }
1826
1827 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1828 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
1829 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1830 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
1831 return False;
1832 }
1833 map->sid_name_use = (enum SID_NAME_USE)atol(temp);
1834
1835 if ((map->sid_name_use < SID_NAME_USER) ||
1836 (map->sid_name_use > SID_NAME_UNKNOWN)) {
1837 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
1838 return False;
1839 }
1840
1841 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1842 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
1843 temp[0] = '\0';
1844 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1845 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
1846 {
1847 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
1848 for gidNumber(%lu)\n",(unsigned long)map->gid));
1849 return False;
1850 }
1851 }
1852 fstrcpy(map->nt_name, temp);
1853
1854 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1855 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
1856 temp[0] = '\0';
1857 }
1858 fstrcpy(map->comment, temp);
1859
1860 return True;
1861 }
1862
1863 /**********************************************************************
1864 *********************************************************************/
1865
1866 static BOOL init_ldap_from_group(LDAP *ldap_struct,
1867 LDAPMessage *existing,
1868 LDAPMod ***mods,
1869 const GROUP_MAP *map)
1870 {
1871 pstring tmp;
1872
1873 if (mods == NULL || map == NULL) {
1874 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
1875 return False;
1876 }
1877
1878 *mods = NULL;
1879
1880 sid_to_string(tmp, &map->sid);
1881
1882 smbldap_make_mod(ldap_struct, existing, mods,
1883 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
1884 pstr_sprintf(tmp, "%i", map->sid_name_use);
1885 smbldap_make_mod(ldap_struct, existing, mods,
1886 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
1887
1888 smbldap_make_mod(ldap_struct, existing, mods,
1889 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
1890 smbldap_make_mod(ldap_struct, existing, mods,
1891 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
1892
1893 return True;
1894 }
1895
1896 /**********************************************************************
1897 *********************************************************************/
1898
1899 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
1900 const char *filter,
1901 GROUP_MAP *map)
1902 {
1903 struct ldapsam_privates *ldap_state =
1904 (struct ldapsam_privates *)methods->private_data;
1905 LDAPMessage *result = NULL;
1906 LDAPMessage *entry = NULL;
1907 int count;
1908
1909 if (ldapsam_search_one_group(ldap_state, filter, &result)
1910 != LDAP_SUCCESS) {
1911 return NT_STATUS_NO_SUCH_GROUP;
1912 }
1913
1914 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1915
1916 if (count < 1) {
1917 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
1918 ldap_msgfree(result);
1919 return NT_STATUS_NO_SUCH_GROUP;
1920 }
1921
1922 if (count > 1) {
1923 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
1924 filter, count));
1925 ldap_msgfree(result);
1926 return NT_STATUS_NO_SUCH_GROUP;
1927 }
1928
1929 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1930
1931 if (!entry) {
1932 ldap_msgfree(result);
1933 return NT_STATUS_UNSUCCESSFUL;
1934 }
1935
1936 if (!init_group_from_ldap(ldap_state, map, entry)) {
1937 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
1938 filter));
1939 ldap_msgfree(result);
1940 return NT_STATUS_NO_SUCH_GROUP;
1941 }
1942
1943 ldap_msgfree(result);
1944 return NT_STATUS_OK;
1945 }
1946
1947 /**********************************************************************
1948 *********************************************************************/
1949
1950 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
1951 DOM_SID sid)
1952 {
1953 pstring filter;
1954
1955 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
1956 LDAP_OBJ_GROUPMAP,
1957 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
1958 sid_string_static(&sid));
1959
1960 return ldapsam_getgroup(methods, filter, map);
1961 }
1962
1963 /**********************************************************************
1964 *********************************************************************/
1965
1966 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
1967 gid_t gid)
1968 {
1969 pstring filter;
1970
1971 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
1972 LDAP_OBJ_GROUPMAP,
1973 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
1974 (unsigned long)gid);
1975
1976 return ldapsam_getgroup(methods, filter, map);
1977 }
1978
1979 /**********************************************************************
1980 *********************************************************************/
1981
1982 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
1983 const char *name)
1984 {
1985 pstring filter;
1986 char *escape_name = escape_ldap_string_alloc(name);
1987
1988 if (!escape_name) {
1989 return NT_STATUS_NO_MEMORY;
1990 }
1991
1992 pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
1993 LDAP_OBJ_GROUPMAP,
1994 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
1995 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
1996
1997 SAFE_FREE(escape_name);
1998
1999 return ldapsam_getgroup(methods, filter, map);
2000 }
2001
2002 /**********************************************************************
2003 *********************************************************************/
2004
2005 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
2006 gid_t gid,
2007 LDAPMessage **result)
2008 {
2009 pstring filter;
2010
2011 pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%lu))",
2012 LDAP_OBJ_POSIXGROUP, LDAP_OBJ_IDMAP_ENTRY,
2013 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2014 (unsigned long)gid);
2015
2016 return ldapsam_search_one_group(ldap_state, filter, result);
2017 }
2018
2019 /**********************************************************************
2020 *********************************************************************/
2021
2022 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
2023 GROUP_MAP *map)
2024 {
2025 struct ldapsam_privates *ldap_state =
2026 (struct ldapsam_privates *)methods->private_data;
2027 LDAPMessage *result = NULL;
2028 LDAPMod **mods = NULL;
2029 int count;
2030
2031 char *tmp;
2032 pstring dn;
2033 LDAPMessage *entry;
2034
2035 GROUP_MAP dummy;
2036
2037 int rc;
2038
2039 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
2040 map->gid))) {
2041 DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map->gid));
2042 return NT_STATUS_UNSUCCESSFUL;
2043 }
2044
2045 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2046 if (rc != LDAP_SUCCESS) {
2047 ldap_msgfree(result);
2048 return NT_STATUS_UNSUCCESSFUL;
2049 }
2050
2051 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2052
2053 if ( count == 0 ) {
2054 /* There's no posixGroup account, let's try to find an
2055 * appropriate idmap entry for aliases */
2056
2057 pstring suffix;
2058 pstring filter;
2059 char **attr_list;
2060
2061 ldap_msgfree(result);
2062
2063 pstrcpy( suffix, lp_ldap_idmap_suffix() );
2064 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%u))",
2065 LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_GIDNUMBER,
2066 map->gid);
2067
2068 attr_list = get_attr_list( sidmap_attr_list );
2069 rc = smbldap_search(ldap_state->smbldap_state, suffix,
2070 LDAP_SCOPE_SUBTREE, filter, attr_list,
2071 0, &result);
2072
2073 free_attr_list(attr_list);
2074
2075 if (rc != LDAP_SUCCESS) {
2076 DEBUG(3,("Failure looking up entry (%s)\n",
2077 ldap_err2string(rc) ));
2078 ldap_msgfree(result);
2079 return NT_STATUS_UNSUCCESSFUL;
2080 }
2081 }
2082
2083 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2084 if ( count == 0 ) {
2085 ldap_msgfree(result);
2086 return NT_STATUS_UNSUCCESSFUL;
2087 }
2088
2089 if (count > 1) {
2090 DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
2091 (unsigned long)map->gid));
2092 ldap_msgfree(result);
2093 return NT_STATUS_UNSUCCESSFUL;
2094 }
2095
2096 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2097 tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2098 if (!tmp) {
2099 ldap_msgfree(result);
2100 return NT_STATUS_UNSUCCESSFUL;
2101 }
2102 pstrcpy(dn, tmp);
2103 SAFE_FREE(tmp);
2104
2105 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2106 result, &mods, map)) {
2107 DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
2108 ldap_mods_free(mods, True);
2109 ldap_msgfree(result);
2110 return NT_STATUS_UNSUCCESSFUL;
2111 }
2112
2113 ldap_msgfree(result);
2114
2115 if (mods == NULL) {
2116 DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
2117 return NT_STATUS_UNSUCCESSFUL;
2118 }
2119
2120 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
2121
2122 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2123 ldap_mods_free(mods, True);
2124
2125 if (rc != LDAP_SUCCESS) {
2126 char *ld_error = NULL;
2127 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2128 &ld_error);
2129 DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map->gid,
2130 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2131 SAFE_FREE(ld_error);
2132 return NT_STATUS_UNSUCCESSFUL;
2133 }
2134
2135 DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2136 return NT_STATUS_OK;
2137 }
2138
2139 /**********************************************************************
2140 *********************************************************************/
2141
2142 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
2143 GROUP_MAP *map)
2144 {
2145 struct ldapsam_privates *ldap_state =
2146 (struct ldapsam_privates *)methods->private_data;
2147 int rc;
2148 char *dn = NULL;
2149 LDAPMessage *result = NULL;
2150 LDAPMessage *entry = NULL;
2151 LDAPMod **mods = NULL;
2152
2153 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2154
2155 if (rc != LDAP_SUCCESS) {
2156 return NT_STATUS_UNSUCCESSFUL;
2157 }
2158
2159 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
2160 DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
2161 ldap_msgfree(result);
2162 return NT_STATUS_UNSUCCESSFUL;
2163 }
2164
2165 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2166
2167 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2168 result, &mods, map)) {
2169 DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
2170 ldap_msgfree(result);
2171 if (mods != NULL)
2172 ldap_mods_free(mods,True);
2173 return NT_STATUS_UNSUCCESSFUL;
2174 }
2175
2176 if (mods == NULL) {
2177 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
2178 ldap_msgfree(result);
2179 return NT_STATUS_OK;
2180 }
2181
2182 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2183 if (!dn) {
2184 ldap_msgfree(result);
2185 return NT_STATUS_UNSUCCESSFUL;
2186 }
2187 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2188 SAFE_FREE(dn);
2189
2190 ldap_mods_free(mods, True);
2191 ldap_msgfree(result);
2192
2193 if (rc != LDAP_SUCCESS) {
2194 char *ld_error = NULL;
2195 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2196 &ld_error);
2197 DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map->gid,
2198 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2199 SAFE_FREE(ld_error);
2200 return NT_STATUS_UNSUCCESSFUL;
2201 }
2202
2203 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2204 return NT_STATUS_OK;
2205 }
2206
2207 /**********************************************************************
2208 *********************************************************************/
2209
2210 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
2211 DOM_SID sid)
2212 {
2213 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
2214 pstring sidstring, filter;
2215 LDAPMessage *result = NULL;
2216 int rc;
2217 NTSTATUS ret;
2218 char **attr_list;
2219
2220 sid_to_string(sidstring, &sid);
2221
2222 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
2223 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
2224
2225 rc = ldapsam_search_one_group(ldap_state, filter, &result);
2226
2227 if (rc != LDAP_SUCCESS) {
2228 return NT_STATUS_NO_SUCH_GROUP;
2229 }
2230
2231 attr_list = get_attr_list( groupmap_attr_list_to_delete );
2232 ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
2233 free_attr_list ( attr_list );
2234
2235 ldap_msgfree(result);
2236
2237 return ret;
2238 }
2239
2240 /**********************************************************************
2241 *********************************************************************/
2242
2243 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
2244 {
2245 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2246 fstring filter;
2247 int rc;
2248 char **attr_list;
2249
2250 pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
2251 attr_list = get_attr_list( groupmap_attr_list );
2252 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2253 LDAP_SCOPE_SUBTREE, filter,
2254 attr_list, 0, &ldap_state->result);
2255 free_attr_list( attr_list );
2256
2257 if (rc != LDAP_SUCCESS) {
2258 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc)));
2259 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
2260 ldap_msgfree(ldap_state->result);
2261 ldap_state->result = NULL;
2262 return NT_STATUS_UNSUCCESSFUL;
2263 }
2264
2265 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
2266 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2267 ldap_state->result)));
2268
2269 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2270 ldap_state->index = 0;
2271
2272 return NT_STATUS_OK;
2273 }
2274
2275 /**********************************************************************
2276 *********************************************************************/
2277
2278 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
2279 {
2280 ldapsam_endsampwent(my_methods);
2281 }
2282
2283 /**********************************************************************
2284 *********************************************************************/
2285
2286 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
2287 GROUP_MAP *map)
2288 {
2289 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2290 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2291 BOOL bret = False;
2292
2293 while (!bret) {
2294 if (!ldap_state->entry)
2295 return ret;
2296
2297 ldap_state->index++;
2298 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
2299
2300 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
2301 ldap_state->entry);
2302 }
2303
2304 return NT_STATUS_OK;
2305 }
2306
2307 /**********************************************************************
2308 *********************************************************************/
2309
2310 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
2311 enum SID_NAME_USE sid_name_use,
2312 GROUP_MAP **rmap, int *num_entries,
2313 BOOL unix_only)
2314 {
2315 GROUP_MAP map;
2316 GROUP_MAP *mapt;
2317 int entries = 0;
2318
2319 *num_entries = 0;
2320 *rmap = NULL;
2321
2322 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
2323 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
2324 return NT_STATUS_ACCESS_DENIED;
2325 }
2326
2327 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
2328 if (sid_name_use != SID_NAME_UNKNOWN &&
2329 sid_name_use != map.sid_name_use) {
2330 DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
2331 continue;
2332 }
2333 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
2334 DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map.nt_name));
2335 continue;
2336 }
2337
2338 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
2339 if (!mapt) {
2340 DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
2341 SAFE_FREE(*rmap);
2342 return NT_STATUS_UNSUCCESSFUL;
2343 }
2344 else
2345 (*rmap) = mapt;
2346
2347 mapt[entries] = map;
2348
2349 entries += 1;
2350
2351 }
2352 ldapsam_endsamgrent(methods);
2353
2354 *num_entries = entries;
2355
2356 return NT_STATUS_OK;
2357 }
2358
2359 static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
2360 const DOM_SID *alias,
2361 const DOM_SID *member,
2362 int modop)
2363 {
2364 struct ldapsam_privates *ldap_state =
2365 (struct ldapsam_privates *)methods->private_data;
2366 char *dn;
2367 LDAPMessage *result = NULL;
2368 LDAPMessage *entry = NULL;
2369 int count;
2370 LDAPMod **mods = NULL;
2371 int rc;
2372
2373 pstring filter;
2374
2375 pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
2376 LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY,
2377 get_attr_key2string(groupmap_attr_list,
2378 LDAP_ATTR_GROUP_SID),
2379 sid_string_static(alias));
2380
2381 if (ldapsam_search_one_group(ldap_state, filter,
2382 &result) != LDAP_SUCCESS)
2383 return NT_STATUS_NO_SUCH_ALIAS;
2384
2385 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2386 result);
2387
2388 if (count < 1) {
2389 DEBUG(4, ("ldapsam_add_aliasmem: Did not find alias\n"));
2390 ldap_msgfree(result);
2391 return NT_STATUS_NO_SUCH_ALIAS;
2392 }
2393
2394 if (count > 1) {
2395 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2396 "count=%d\n", filter, count));
2397 ldap_msgfree(result);
2398 return NT_STATUS_NO_SUCH_ALIAS;
2399 }
2400
2401 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
2402 result);
2403
2404 if (!entry) {
2405 ldap_msgfree(result);
2406 return NT_STATUS_UNSUCCESSFUL;
2407 }
2408
2409 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2410 if (!dn) {
2411 ldap_msgfree(result);
2412 return NT_STATUS_UNSUCCESSFUL;
2413 }
2414
2415 smbldap_set_mod(&mods, modop,
2416 get_attr_key2string(groupmap_attr_list,
2417 LDAP_ATTR_SID_LIST),
2418 sid_string_static(member));
2419
2420 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2421
2422 ldap_mods_free(mods, True);
2423 ldap_msgfree(result);
2424
2425 if (rc != LDAP_SUCCESS) {
2426 char *ld_error = NULL;
2427 ldap_get_option(ldap_state->smbldap_state->ldap_struct,
2428 LDAP_OPT_ERROR_STRING,&ld_error);
2429
2430 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes "
2431 "for %s, error: %s (%s)\n", dn, ldap_err2string(rc),
2432 ld_error?ld_error:"unknown"));
2433 SAFE_FREE(ld_error);
2434 SAFE_FREE(dn);
2435 return NT_STATUS_UNSUCCESSFUL;
2436 }
2437
2438 SAFE_FREE(dn);
2439
2440 return NT_STATUS_OK;
2441 }
2442
2443 static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
2444 const DOM_SID *alias,
2445 const DOM_SID *member)
2446 {
2447 return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
2448 }
2449
2450 static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
2451 const DOM_SID *alias,
2452 const DOM_SID *member)
2453 {
2454 return ldapsam_modify_aliasmem(methods, alias, member,
2455 LDAP_MOD_DELETE);
2456 }
2457
2458 static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
2459 const DOM_SID *alias, DOM_SID **members,
2460 int *num_members)
2461 {
2462 struct ldapsam_privates *ldap_state =
2463 (struct ldapsam_privates *)methods->private_data;
2464 LDAPMessage *result = NULL;
2465 LDAPMessage *entry = NULL;
2466 int count;
2467 char **values;
2468 int i;
2469 pstring filter;
2470
2471 *members = NULL;
2472 *num_members = 0;
2473
2474 pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
2475 LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY,
2476 get_attr_key2string(groupmap_attr_list,
2477 LDAP_ATTR_GROUP_SID),
2478 sid_string_static(alias));
2479
2480 if (ldapsam_search_one_group(ldap_state, filter,
2481 &result) != LDAP_SUCCESS)
2482 return NT_STATUS_NO_SUCH_ALIAS;
2483
2484 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2485 result);
2486
2487 if (count < 1) {
2488 DEBUG(4, ("ldapsam_add_aliasmem: Did not find alias\n"));
2489 ldap_msgfree(result);
2490 return NT_STATUS_NO_SUCH_ALIAS;
2491 }
2492
2493 if (count > 1) {
2494 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2495 "count=%d\n", filter, count));
2496 ldap_msgfree(result);
2497 return NT_STATUS_NO_SUCH_ALIAS;
2498 }
2499
2500 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
2501 result);
2502
2503 if (!entry) {
2504 ldap_msgfree(result);
2505 return NT_STATUS_UNSUCCESSFUL;
2506 }
2507
2508 values = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
2509 entry,
2510 get_attr_key2string(groupmap_attr_list,
2511 LDAP_ATTR_SID_LIST));
2512
2513 if (values == NULL) {
2514 ldap_msgfree(result);
2515 return NT_STATUS_OK;
2516 }
2517
2518 count = ldap_count_values(values);
2519
2520 for (i=0; i<count; i++) {
2521 DOM_SID member;
2522
2523 if (!string_to_sid(&member, values[i]))
2524 continue;
2525
2526 add_sid_to_array(&member, members, num_members);
2527 }
2528
2529 ldap_value_free(values);
2530 ldap_msgfree(result);
2531
2532 return NT_STATUS_OK;
2533 }
2534
2535 static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
2536 const DOM_SID *sid,
2537 DOM_SID **aliases, int *num)
2538 {
2539 struct ldapsam_privates *ldap_state =
2540 (struct ldapsam_privates *)methods->private_data;
2541
2542 fstring sid_string;
2543 const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
2544
2545 LDAPMessage *result = NULL;
2546 LDAPMessage *entry = NULL;
2547 int count;
2548 int rc;
2549 pstring filter;
2550
2551 sid_to_string(sid_string, sid);
2552 pstr_sprintf(filter, "(&(|(objectclass=%s)(objectclass=%s))(%s=%s))",
2553 LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY,
2554 get_attr_key2string(groupmap_attr_list,
2555 LDAP_ATTR_SID_LIST), sid_string);
2556
2557 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2558 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2559
2560 if (rc != LDAP_SUCCESS)
2561 return NT_STATUS_UNSUCCESSFUL;
2562
2563 *aliases = NULL;
2564 *num = 0;
2565
2566 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2567 result);
2568
2569 if (count < 1) {
2570 ldap_msgfree(result);
2571 return NT_STATUS_OK;
2572 }
2573
2574
2575 for (entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
2576 result);
2577 entry != NULL;
2578 entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
2579 entry))
2580 {
2581 DOM_SID alias;
2582 char **vals;
2583 vals = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
2584 entry, LDAP_ATTRIBUTE_SID);
2585
2586 if (vals == NULL)
2587 continue;
2588
2589 if (vals[0] == NULL) {
2590 ldap_value_free(vals);
2591 continue;
2592 }
2593
2594 if (!string_to_sid(&alias, vals[0])) {
2595 ldap_value_free(vals);
2596 continue;
2597 }
2598
2599 add_sid_to_array(&alias, aliases, num);
2600 ldap_value_free(vals);
2601 }
2602
2603 ldap_msgfree(result);
2604 return NT_STATUS_OK;
2605 }
2606
2607 /**********************************************************************
2608 Housekeeping
2609 *********************************************************************/
2610
2611 static void free_private_data(void **vp)
2612 {
2613 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
2614
2615 smbldap_free_struct(&(*ldap_state)->smbldap_state);
2616
2617 if ((*ldap_state)->result != NULL) {
2618 ldap_msgfree((*ldap_state)->result);
2619 (*ldap_state)->result = NULL;
2620 }
2621
2622 *ldap_state = NULL;
2623
2624 /* No need to free any further, as it is talloc()ed */
2625 }
2626
2627 /**********************************************************************
2628 Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
2629 *********************************************************************/
2630
2631 static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
2632 const char *location)
2633 {
2634 NTSTATUS nt_status;
2635 struct ldapsam_privates *ldap_state;
2636
2637 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
2638 return nt_status;
2639 }
2640
2641 (*pdb_method)->name = "ldapsam";
2642
2643 (*pdb_method)->setsampwent = ldapsam_setsampwent;
2644 (*pdb_method)->endsampwent = ldapsam_endsampwent;
2645 (*pdb_method)->getsampwent = ldapsam_getsampwent;
2646 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
2647 (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
2648 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
2649 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
2650 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
2651
2652 (*pdb_method)->getgrsid = ldapsam_getgrsid;
2653 (*pdb_method)->getgrgid = ldapsam_getgrgid;
2654 (*pdb_method)->getgrnam = ldapsam_getgrnam;
2655 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
2656 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
2657 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
2658 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
2659
2660 /* TODO: Setup private data and free */
2661
2662 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(*ldap_state));
2663 if (!ldap_state) {
2664 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
2665 return NT_STATUS_NO_MEMORY;
2666 }
2667
2668 if (!NT_STATUS_IS_OK(nt_status =
2669 smbldap_init(pdb_context->mem_ctx, location,
2670 &ldap_state->smbldap_state)));
2671
2672 ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
2673 if (!ldap_state->domain_name) {
2674 return NT_STATUS_NO_MEMORY;
2675 }
2676
2677 (*pdb_method)->private_data = ldap_state;
2678
2679 (*pdb_method)->free_private_data = free_private_data;
2680
2681 return NT_STATUS_OK;
2682 }
2683
2684 /**********************************************************************
2685 Initialise the 'compat' mode for pdb_ldap
2686 *********************************************************************/
2687
2688 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2689 {
2690 NTSTATUS nt_status;
2691 struct ldapsam_privates *ldap_state;
2692
2693 #ifdef WITH_LDAP_SAMCONFIG
2694 if (!location) {
2695 int ldap_port = lp_ldap_port();
2696
2697 /* remap default port if not using SSL (ie clear or TLS) */
2698 if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
2699 ldap_port = 389;
2700 }
2701
2702 location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
2703 if (!location) {
2704 return NT_STATUS_NO_MEMORY;
2705 }
2706 }
2707 #endif
2708
2709 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2710 return nt_status;
2711 }
2712
2713 (*pdb_method)->name = "ldapsam_compat";
2714
2715 ldap_state = (*pdb_method)->private_data;
2716 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
2717
2718 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2719
2720 return NT_STATUS_OK;
2721 }
2722
2723 /**********************************************************************
2724 Initialise the normal mode for pdb_ldap
2725 *********************************************************************/
2726
2727 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2728 {
2729 NTSTATUS nt_status;
2730 struct ldapsam_privates *ldap_state;
2731 uint32 alg_rid_base;
2732 pstring alg_rid_base_string;
2733 LDAPMessage *result = NULL;
2734 LDAPMessage *entry = NULL;
2735 DOM_SID ldap_domain_sid;
2736 DOM_SID secrets_domain_sid;
2737 pstring domain_sid_string;
2738
2739 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2740 return nt_status;
2741 }
2742
2743 (*pdb_method)->name = "ldapsam";
2744
2745 (*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
2746 (*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
2747 (*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
2748 (*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
2749
2750 ldap_state = (*pdb_method)->private_data;
2751 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
2752
2753 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
2754
2755 nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result,
2756 ldap_state->domain_name, True);
2757
2758 if ( !NT_STATUS_IS_OK(nt_status) ) {
2759 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n"));
2760 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, \
2761 and will risk BDCs having inconsistant SIDs\n"));
2762 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2763 return NT_STATUS_OK;
2764 }
2765
2766 /* Given that the above might fail, everything below this must be optional */
2767
2768 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2769 if (!entry) {
2770 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info entry\n"));
2771 ldap_msgfree(result);
2772 return NT_STATUS_UNSUCCESSFUL;
2773 }
2774
2775 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2776 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2777 domain_sid_string)) {
2778 BOOL found_sid;
2779 if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
2780 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be read as a valid SID\n", domain_sid_string));
2781 return NT_STATUS_INVALID_PARAMETER;
2782 }
2783 found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid);
2784 if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) {
2785 fstring new_sid_str, old_sid_str;
2786 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n",
2787 ldap_state->domain_name,
2788 sid_to_string(old_sid_str, &secrets_domain_sid),
2789 sid_to_string(new_sid_str, &ldap_domain_sid)));
2790
2791 /* reset secrets.tdb sid */
2792 secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid);
2793 DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str, get_global_sam_sid())));
2794 }
2795 sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
2796 }
2797
2798 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2799 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ALGORITHMIC_RID_BASE),
2800 alg_rid_base_string)) {
2801 alg_rid_base = (uint32)atol(alg_rid_base_string);
2802 if (alg_rid_base != algorithmic_rid_base()) {
2803 DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
2804 "database was initialised. Aborting. \n"));
2805 ldap_msgfree(result);
2806 return NT_STATUS_UNSUCCESSFUL;
2807 }
2808 }
2809 ldap_msgfree(result);
2810
2811 return NT_STATUS_OK;
2812 }
2813
2814 NTSTATUS pdb_ldap_init(void)
2815 {
2816 NTSTATUS nt_status;
2817 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
2818 return nt_status;
2819
2820 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
2821 return nt_status;
2822
2823 return NT_STATUS_OK;
2824 }
Samba GIT mirror