search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[GLUE] Rsync SAMBA_3_0 SVN r25598 in order to create the v3-0-test branch.
[Samba.git] / examples / misc / adssearch.pl
blob4482222934f5e7e2ba6db0c49da33910a0f8b7e8
1 #!/usr/bin/perl -w
2 #
3 # adssearch.pl - query an Active Directory server and
4 # display objects in a human readable format
5 #
6 # Copyright (C) Guenther Deschner <gd@samba.org> 2003-2007
7 #
8 # TODO: add range retrieval
9 # write sddl-converter, decode userParameters
10 # apparently only win2k3 allows simple-binds with machine-accounts.
11 # make sasl support independent from Authen::SASL::Cyrus v >0.11
12 use strict;
13
14 use Net::LDAP;
15 use Net::LDAP::Control;
16 use Net::LDAP::Constant qw(LDAP_REFERRAL);
17 use Convert::ASN1;
18 use Time::Local;
19 use POSIX qw(strftime);
20 use Getopt::Long;
21
22 my $have_sasl;
23 my $works_sasl;
24 my $pref_version;
25 BEGIN {
26 my $class = 'Authen::SASL';
27 $pref_version = "0.32";
28 if ( eval "require $class;" ) {
29 $have_sasl = 1;
30 }
31 if ( eval "Net::LDAP->VERSION($pref_version);" ) {
32 $works_sasl = 1;
33 }
34 }
35
36 # users may set defaults here
37 my $base = "";
38 my $binddn = "";
39 my $password = "";
40 my $server = "";
41 my $rebind_url;
42
43
44 my $tdbdump = "/usr/bin/tdbdump";
45 my $testparm = "/usr/bin/testparm";
46 my $net = "/usr/bin/net";
47 my $dig = "/usr/bin/dig";
48 my $nmblookup = "/usr/bin/nmblookup";
49 my $secrets_tdb = "/etc/samba/secrets.tdb";
50 my $klist = "/usr/bin/klist";
51 my $kinit = "/usr/bin/kinit";
52 my $workgroup = "";
53 my $machine = "";
54 my $realm = "";
55
56 # parse input
57 my (
58 $opt_asq,
59 $opt_base,
60 $opt_binddn,
61 $opt_debug,
62 $opt_display_extendeddn,
63 $opt_display_metadata,
64 $opt_display_raw,
65 $opt_domain_scope,
66 $opt_dump_rootdse,
67 $opt_dump_schema,
68 $opt_dump_wknguid,
69 $opt_fastbind,
70 $opt_help,
71 $opt_host,
72 $opt_machine,
73 $opt_notify,
74 $opt_notify_nodiffs,
75 $opt_paging,
76 $opt_password,
77 $opt_port,
78 $opt_realm,
79 $opt_saslmech,
80 $opt_scope,
81 $opt_simpleauth,
82 $opt_starttls,
83 $opt_user,
84 $opt_verbose,
85 $opt_workgroup,
86 );
87
88 GetOptions(
89 'asq=s' => \$opt_asq,
90 'base|b=s' => \$opt_base,
91 'D|DN=s' => \$opt_binddn,
92 'debug=i' => \$opt_debug,
93 'domain_scope' => \$opt_domain_scope,
94 'extendeddn|e:i' => \$opt_display_extendeddn,
95 'fastbind' => \$opt_fastbind,
96 'help' => \$opt_help,
97 'host|h=s' => \$opt_host,
98 'machine|P' => \$opt_machine,
99 'metadata|m' => \$opt_display_metadata,
100 'nodiffs' => \$opt_notify_nodiffs,
101 'notify|n' => \$opt_notify,
102 'paging:i' => \$opt_paging,
103 'password|w=s' => \$opt_password,
104 'port=i' => \$opt_port,
105 'rawdisplay' => \$opt_display_raw,
106 'realm|R=s' => \$opt_realm,
107 'rootDSE' => \$opt_dump_rootdse,
108 'saslmech|Y=s' => \$opt_saslmech,
109 'schema|c' => \$opt_dump_schema,
110 'scope|s=s' => \$opt_scope,
111 'simpleauth|x' => \$opt_simpleauth,
112 'tls|Z' => \$opt_starttls,
113 'user|U=s' => \$opt_user,
114 'verbose|v' => \$opt_verbose,
115 'wknguid' => \$opt_dump_wknguid,
116 'workgroup|k=s' => \$opt_workgroup,
117 );
118
119
120 if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
121 usage();
122 exit 1;
123 }
124
125 if ($opt_fastbind && !$opt_simpleauth) {
126 printf("LDAP fast bind can only be performed with simple binds\n");
127 exit 1;
128 }
129
130 if ($opt_notify) {
131 $opt_paging = undef;
132 }
133
134 # get the query
135 my $query = shift;
136 my @attrs = @ARGV;
137
138 # some global vars
139 my $filter = "";
140 my ($dse, $uri);
141 my ($attr, $value);
142 my (@ctrls, @ctrls_s);
143 my ($ctl_paged, $cookie);
144 my ($page_count, $total_entry_count);
145 my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
146 my ($mesg, $usn);
147 my (%entry_store);
148 my $async_search;
149
150 # fixed values and vars
151 my $set = "X";
152 my $unset = "-";
153 my $tabsize = "\t\t\t";
154
155 # get defaults
156 my $scope = $opt_scope || "sub";
157 my $port = $opt_port;
158
159 my %ads_controls = (
160 "LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528",
161 "LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529",
162 "LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319",
163 "LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801",
164 "LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473",
165 "LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474",
166 "LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9",
167 "LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10",
168 "LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure
169 "LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417",
170 "LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521",
171 "LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619",
172 "LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805",
173 "LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841",
174 "LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338",
175 "LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339",
176 "LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340",
177 "LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413",
178 "LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504",
179 "NONE (Get stats control)" => "1.2.840.113556.1.4.970",
180 "LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852",
181 "LDAP_SERVER_SHUTDOWN_NOTIFY_OID" => "1.2.840.113556.1.4.1907",
182 );
183
184 my %ads_capabilities = (
185 "LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800",
186 "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670",
187 "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
188 );
189
190 my %ads_extensions = (
191 "LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037",
192 "LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1",
193 "LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781",
194 "NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1",
195 );
196
197 my %ads_matching_rules = (
198 "LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803",
199 "LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804",
200 );
201
202 my %wknguids = (
203 "WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD",
204 "WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A",
205 "WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD",
206 "WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD",
207 );
208
209 my %ads_systemflags = (
210 "FLAG_DONT_REPLICATE" => 0x00000001, # 1
211 "FLAG_REPLICATE_TO_GC" => 0x00000002, # 2
212 "FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4
213 "FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16
214 "FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432
215 "FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864
216 "FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728
217 #"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation
218 #"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation
219 #"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation
220 "FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648
221 );
222
223 my %ads_mixed_domain = (
224 "NATIVE_LEVEL_DOMAIN" => 0,
225 "MIXED_LEVEL_DOMAIN" => 1,
226 );
227
228 my %ads_ds_func = (
229 "DS_BEHAVIOR_WIN2000" => 0, # untested
230 "DS_BEHAVIOR_WIN2003" => 2,
231 );
232
233 my %ads_instance_type = (
234 "DS_INSTANCETYPE_IS_NC_HEAD" => 0x1,
235 "IT_WRITE" => 0x4,
236 "IT_NC_ABOVE" => 0x8,
237 );
238
239 my %ads_uacc = (
240 "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
241 "ACCOUNT_OK" => 0x800000, # 8388608
242 "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
243 );
244
245 my %ads_gpoptions = (
246 "GPOPTIONS_INHERIT" => 0,
247 "GPOPTIONS_BLOCK_INHERITANCE" => 1,
248 );
249
250 my %ads_gplink_opts = (
251 "GPLINK_OPT_NONE" => 0,
252 "GPLINK_OPT_DISABLED" => 1,
253 "GPLINK_OPT_ENFORCED" => 2,
254 );
255
256 my %ads_gpflags = (
257 "GPFLAGS_ALL_ENABLED" => 0,
258 "GPFLAGS_USER_SETTINGS_DISABLED" => 1,
259 "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2,
260 "GPFLAGS_ALL_DISABLED" => 3,
261 );
262
263 my %ads_serverstate = (
264 "SERVER_ENABLED" => 1,
265 "SERVER_DISABLED" => 2,
266 );
267
268 my %ads_sdeffective = (
269 "OWNER_SECURITY_INFORMATION" => 0x01,
270 "DACL_SECURITY_INFORMATION" => 0x04,
271 "SACL_SECURITY_INFORMATION" => 0x10,
272 );
273
274 my %ads_trustattrs = (
275 "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1,
276 "TRUST_ATTRIBUTE_TREE_PARENT" => 2,
277 "TRUST_ATTRIBUTE_TREE_ROOT" => 3,
278 "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4,
279 );
280
281 my %ads_trustdirection = (
282 "TRUST_DIRECTION_INBOUND" => 1,
283 "TRUST_DIRECTION_OUTBOUND" => 2,
284 "TRUST_DIRECTION_BIDIRECTIONAL" => 3,
285 );
286
287 my %ads_trusttype = (
288 "TRUST_TYPE_DOWNLEVEL" => 1,
289 "TRUST_TYPE_UPLEVEL" => 2,
290 "TRUST_TYPE_KERBEROS" => 3,
291 "TRUST_TYPE_DCE" => 4,
292 );
293
294 my %ads_pwdproperties = (
295 "DOMAIN_PASSWORD_COMPLEX" => 1,
296 "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2,
297 "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4,
298 "DOMAIN_LOCKOUT_ADMINS" => 8,
299 "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16,
300 "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32,
301 );
302
303 my %ads_uascompat = (
304 "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0,
305 "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1,
306 );
307
308 my %ads_frstypes = (
309 "REPLICA_SET_SYSVOL" => 2, # unsure
310 "REPLICA_SET_DFS" => 1, # unsure
311 "REPLICA_SET_OTHER" => 0, # unsure
312 );
313
314 my %ads_gp_cse_extensions = (
315 "Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
316 "Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
317 "EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
318 "Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
319 "IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
320 "Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
321 "QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
322 "Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
323 "Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
324 "Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
325 );
326
327 # guess work
328 my %ads_gpcextensions = (
329 "Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
330 "Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
331 "EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
332 "Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
333 "Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
334 "Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
335 "Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4",
336 "Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
337 "Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
338 "unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4",
339 "unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
340 );
341
342 my %ads_gpo_default_guids = (
343 "Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9",
344 "Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
345 "mist" => "61718096-3D3F-4398-8318-203A48976F9E",
346 );
347
348 my %ads_uf = (
349 "UF_SCRIPT" => 0x00000001,
350 "UF_ACCOUNTDISABLE" => 0x00000002,
351 # "UF_UNUSED_1" => 0x00000004,
352 "UF_HOMEDIR_REQUIRED" => 0x00000008,
353 "UF_LOCKOUT" => 0x00000010,
354 "UF_PASSWD_NOTREQD" => 0x00000020,
355 "UF_PASSWD_CANT_CHANGE" => 0x00000040,
356 "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" => 0x00000080,
357 "UF_TEMP_DUPLICATE_ACCOUNT" => 0x00000100,
358 "UF_NORMAL_ACCOUNT" => 0x00000200,
359 # "UF_UNUSED_2" => 0x00000400,
360 "UF_INTERDOMAIN_TRUST_ACCOUNT" => 0x00000800,
361 "UF_WORKSTATION_TRUST_ACCOUNT" => 0x00001000,
362 "UF_SERVER_TRUST_ACCOUNT" => 0x00002000,
363 # "UF_UNUSED_3" => 0x00004000,
364 # "UF_UNUSED_4" => 0x00008000,
365 "UF_DONT_EXPIRE_PASSWD" => 0x00010000,
366 "UF_MNS_LOGON_ACCOUNT" => 0x00020000,
367 "UF_SMARTCARD_REQUIRED" => 0x00040000,
368 "UF_TRUSTED_FOR_DELEGATION" => 0x00080000,
369 "UF_NOT_DELEGATED" => 0x00100000,
370 "UF_USE_DES_KEY_ONLY" => 0x00200000,
371 "UF_DONT_REQUIRE_PREAUTH" => 0x00400000,
372 "UF_PASSWORD_EXPIRED" => 0x00800000,
373 "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" => 0x01000000,
374 "UF_NO_AUTH_DATA_REQUIRED" => 0x02000000,
375 # "UF_UNUSED_8" => 0x04000000,
376 # "UF_UNUSED_9" => 0x08000000,
377 # "UF_UNUSED_10" => 0x10000000,
378 # "UF_UNUSED_11" => 0x20000000,
379 # "UF_UNUSED_12" => 0x40000000,
380 # "UF_UNUSED_13" => 0x80000000,
381 );
382
383 my %ads_grouptype = (
384 "GROUP_TYPE_BUILTIN_LOCAL_GROUP" => 0x00000001,
385 "GROUP_TYPE_ACCOUNT_GROUP" => 0x00000002,
386 "GROUP_TYPE_RESOURCE_GROUP" => 0x00000004,
387 "GROUP_TYPE_UNIVERSAL_GROUP" => 0x00000008,
388 "GROUP_TYPE_APP_BASIC_GROUP" => 0x00000010,
389 "GROUP_TYPE_APP_QUERY_GROUP" => 0x00000020,
390 "GROUP_TYPE_SECURITY_ENABLED" => 0x80000000,
391 );
392
393 my %ads_atype = (
394 "ATYPE_NORMAL_ACCOUNT" => 0x30000000,
395 "ATYPE_WORKSTATION_TRUST" => 0x30000001,
396 "ATYPE_INTERDOMAIN_TRUST" => 0x30000002,
397 "ATYPE_SECURITY_GLOBAL_GROUP" => 0x10000000,
398 "ATYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x10000001,
399 "ATYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x10000001, # ATYPE_DISTRIBUTION_GLOBAL_GROUP
400 "ATYPE_SECURITY_LOCAL_GROUP" => 0x20000000,
401 "ATYPE_DISTRIBUTION_LOCAL_GROUP" => 0x20000001,
402 "ATYPE_ACCOUNT" => 0x30000000, # ATYPE_NORMAL_ACCOUNT
403 "ATYPE_GLOBAL_GROUP" => 0x10000000, # ATYPE_SECURITY_GLOBAL_GROUP
404 "ATYPE_LOCAL_GROUP" => 0x20000000, # ATYPE_SECURITY_LOCAL_GROUP
405 );
406
407 my %ads_gtype = (
408 "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP" => 0x80000005,
409 "GTYPE_SECURITY_DOMAIN_LOCAL_GROUP" => 0x80000004,
410 "GTYPE_SECURITY_GLOBAL_GROUP" => 0x80000002,
411 "GTYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x00000002,
412 "GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP" => 0x00000004,
413 "GTYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x00000008,
414 );
415
416 my %munged_dial = (
417 "CtxCfgPresent" => \&dump_int,
418 "CtxCfgFlags1" => \&dump_int,
419 "CtxCallback" => \&dump_string,
420 "CtxShadow" => \&dump_string,
421 "CtxMaxConnectionTime" => \&dump_int,
422 "CtxMaxDisconnectionTime"=> \&dump_int,
423 "CtxMaxIdleTime" => \&dump_int,
424 "CtxKeyboardLayout" => \&dump_int,
425 "CtxMinEncryptionLevel" => \&dump_int,
426 "CtxWorkDirectory" => \&dump_string,
427 "CtxNWLogonServer" => \&dump_string,
428 "CtxWFHomeDir" => \&dump_string,
429 "CtxWFHomeDirDrive" => \&dump_string,
430 "CtxWFProfilePath" => \&dump_string,
431 "CtxInitialProgram" => \&dump_string,
432 "CtxCallbackNumber" => \&dump_string,
433 );
434
435 $SIG{__WARN__} = sub {
436 use Carp;
437 Carp::cluck (shift);
438 };
439
440 # if there is data missing, we try to autodetect with samba-tools (if installed)
441 # this might fill up workgroup, machine, realm
442 get_samba_info();
443
444 # get a workgroup
445 $workgroup = $workgroup || $opt_workgroup || "";
446
447 # get the server
448 $server = process_servername($opt_host) ||
449 detect_server($workgroup,$opt_realm) ||
450 die "please define server to query with -h host\n";
451
452
453 # get the base
454 $base = defined($opt_base)? $opt_base : "" ||
455 get_base_from_rootdse($server,$dse);
456
457 # get the realm
458 $realm = $opt_realm ||
459 get_realm_from_rootdse($server,$dse);
460
461 # get sasl mechs
462 my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse);
463 my $sasl_mech = "GSSAPI";
464 if ($opt_saslmech) {
465 $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
466 }
467
468 # set bind type
469 my $sasl_bind = 1 if (!$opt_simpleauth);
470
471 # get username
472 my $user = check_user($opt_user) || $ENV{'USER'} || "";
473
474 # gen upn
475 my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
476
477 # get binddn
478 $binddn = $opt_binddn || $upn;
479
480 # get the password
481 $password = $password || $opt_password;
482 if (!$password) {
483 $password = $opt_machine ? get_machine_password($workgroup) : get_password();
484 }
485
486 my %attr_handler = (
487 "Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name
488 "accountExpires" => \&dump_nttime,
489 "badPasswordTime" => \&dump_nttime,
490 "creationTime" => \&dump_nttime,
491 "currentTime" => \&dump_timestr,
492 "domainControllerFunctionality" => \&dump_ds_func,
493 "domainFunctionality" => \&dump_ds_func,
494 "fRSReplicaSetGUID" => \&dump_guid,
495 "fRSReplicaSetType" => \&dump_frstype,
496 "fRSVersionGUID" => \&dump_guid,
497 "flags" => \&dump_gpflags, # fixme: possibly only on gpos!
498 "forceLogoff" => \&dump_nttime_abs,
499 "forestFunctionality" => \&dump_ds_func,
500 # "gPCMachineExtensionNames" => \&dump_gpcextensions,
501 # "gPCUserExtensionNames" => \&dump_gpcextensions,
502 "gPLink" => \&dump_gplink,
503 "gPOptions" => \&dump_gpoptions,
504 "groupType" => \&dump_gtype,
505 "instanceType" => \&dump_instance_type,
506 "lastLogon" => \&dump_nttime,
507 "lastLogonTimestamp" => \&dump_nttime,
508 "lockOutObservationWindow" => \&dump_nttime_abs,
509 "lockoutDuration" => \&dump_nttime_abs,
510 "lockoutTime" => \&dump_nttime,
511 # "logonHours" => \&dump_logonhours,
512 "maxPwdAge" => \&dump_nttime_abs,
513 "minPwdAge" => \&dump_nttime_abs,
514 "modifyTimeStamp" => \&dump_timestr,
515 "msDS-Behavior-Version" => \&dump_ds_func, #unsure
516 "msDS-User-Account-Control-Computed" => \&dump_uacc,
517 "mS-DS-CreatorSID" => \&dump_sid,
518 # "msRADIUSFramedIPAddress" => \&dump_ipaddr,
519 # "msRASSavedFramedIPAddress" => \&dump_ipaddr,
520 "netbootGUID" => \&dump_guid,
521 "nTMixedDomain" => \&dump_mixed_domain,
522 "nTSecurityDescriptor" => \&dump_secdesc,
523 "objectGUID" => \&dump_guid,
524 "objectSid" => \&dump_sid,
525 "pKT" => \&dump_pkt,
526 "pKTGuid" => \&dump_guid,
527 "pwdLastSet" => \&dump_nttime,
528 "pwdProperties" => \&dump_pwdproperties,
529 "sAMAccountType" => \&dump_atype,
530 "sDRightsEffective" => \&dump_sdeffective,
531 "securityIdentifier" => \&dump_sid,
532 "serverState" => \&dump_serverstate,
533 "supportedCapabilities", => \&dump_capabilities,
534 "supportedControl", => \&dump_controls,
535 "supportedExtension", => \&dump_extension,
536 "systemFlags" => \&dump_systemflags,
537 "tokenGroups", => \&dump_sid,
538 "tokenGroupsGlobalAndUniversal" => \&dump_sid,
539 "tokenGroupsNoGCAcceptable" => \&dump_sid,
540 "trustAttributes" => \&dump_trustattr,
541 "trustDirection" => \&dump_trustdirection,
542 "trustType" => \&dump_trusttype,
543 "uASCompat" => \&dump_uascompat,
544 "userAccountControl" => \&dump_uac,
545 "userCertificate" => \&dump_cert,
546 "userFlags" => \&dump_uf,
547 "userParameters" => \&dump_munged_dial,
548 "whenChanged" => \&dump_timestr,
549 "whenCreated" => \&dump_timestr,
550 # "dSCorePropagationData" => \&dump_timestr,
551 );
552
553
554
555 ################
556 # subfunctions #
557 ################
558
559 sub usage {
560 print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
561 print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
562 print "\t--base|-b [base]\n\t\tUse base [base]\n";
563 print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
564 print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n";
565 print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
566 print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
567 print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n";
568 print "\t--help\n\t\tDisplay help page\n";
569 print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
570 print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
571 print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
572 print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
573 print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
574 print "\t--paging [pagesize]\n\t\tUse paged results when searching\n";
575 print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
576 print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
577 print "\t--rawdisplay\n\t\tDo not interpret values\n";
578 print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
579 print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
580 print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
581 print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
582 print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
583 print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
584 print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
585 print "\t--user|-U [user]\n\t\tUse [user]\n";
586 print "\t--wknguid\n\t\tDisplay well known guids\n";
587 print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
588 }
589
590 sub write_ads_list {
591 my ($mod,$attr,$value) = @_;
592 my $ofh = select(STDOUT);
593 $~ = "ADS_LIST";
594 select($ofh);
595 write();
596
597 format ADS_LIST =
598 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
599 $mod, $attr, $value
600 .
601 }
602
603 sub write_ads {
604 my ($mod,$attr,$value) = @_;
605 my $ofh = select(STDOUT);
606 $~ = "ADS";
607 select($ofh);
608 write();
609
610 format ADS =
611 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
612 $mod, $attr, $value
613 ~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
614 $value
615 .
616 }
617
618 sub detect_server {
619
620 my $workgroup = shift;
621 my $realm = shift;
622 my $result;
623 my $found;
624
625 # try net cache (nbt records)
626 if ( -x $net && $workgroup ) {
627 my $key = sprintf("NBT/%s#1C", uc($workgroup));
628 chomp($result = `$net cache search $key 2>&1 /dev/null`);
629 $result =~ s/^.*Value: //;
630 $result =~ s/:.*//;
631 return $result if $result;
632 printf("%10s query failed for [%s]\n", "net cache", $key);
633 }
634
635 # try dns SRV entries
636 if ( -x $dig && $realm ) {
637 my $key = sprintf("_ldap._tcp.%s", lc($realm));
638 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
639 $result =~ s/.* //g;
640 $result =~ s/.$//g;
641 return $result if $result;
642 printf("%10s query failed for [%s]\n", "dns", $key);
643 }
644
645 # try netbios broadcast query
646 if ( -x $nmblookup && $workgroup ) {
647 my $key = sprintf("%s#1C", uc($workgroup));
648 my $pattern = sprintf("%s<1c>", uc($workgroup));
649 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
650 $result =~ s/\s.*//;
651 return $result if $result;
652 printf("%10s query failed for [%s]\n", "nmblookup", $key);
653 }
654
655 return "";
656 }
657
658 sub get_samba_info {
659
660 if (! -x $testparm) { return -1; }
661
662 my $tmp;
663 open(TESTPARM, "$testparm -s -v 2> /dev/null |");
664 while (my $line = <TESTPARM>) {
665 chomp($line);
666 if ($line =~ /netbios name/) {
667 ($tmp, $machine) = split(/=/, $line);
668 $machine =~ s/\s+|\t+//g;
669 }
670 if ($line =~ /realm/) {
671 ($tmp, $realm) = split(/=/, $line);
672 $realm =~ s/\s+|\t+//g;
673 }
674 if ($line =~ /workgroup/) {
675 ($tmp, $workgroup) = split(/=/, $line);
676 $workgroup =~ s/\s+|\t+//g;
677 }
678 }
679 close(TESTPARM);
680 return 0;
681 }
682
683 sub gen_upn {
684 my $machine = shift;
685 my $realm = shift;
686 if ($machine && $realm) {
687 return sprintf("%s\@%s", lc($machine), uc($realm));
688 };
689 return undef;
690 }
691
692 sub get_password {
693 if (!$password && $opt_simpleauth && check_ticket($user)) {
694 return prompt_password($user);
695 }
696 return "";
697 }
698
699 sub get_user {
700 my $user = shift || prompt_user();
701 return $user;
702 }
703
704 sub get_machine_password {
705
706 my $workgroup = shift || "";
707 $workgroup = uc($workgroup);
708
709 my ($found, $tmp);
710 -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
711 -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
712
713 # get machine-password
714 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
715 open(SECRETS,"$tdbdump $secrets_tdb |");
716 while(my $line = <SECRETS>) {
717 chomp($line);
718 if ($found) {
719 $line =~ s/\\00//;
720 ($line,$password) = split(/"/, $line);
721 last;
722 }
723 if ($line =~ /$key/) {
724 $found = 1;
725 }
726 }
727 close(SECRETS);
728
729 if ($found) {
730 print "Successfully autodetected machine password for workgroup: $workgroup\n";
731 return $password;
732 } else {
733 warn "No machine password available for $workgroup\n";
734 }
735 return "";
736 }
737
738 sub prompt_password {
739
740 my $acct = shift || "";
741 if ($acct =~ /\%/) {
742 ($acct, $password) = split(/\%/, $acct);
743 return $password;
744 }
745 system "stty -echo";
746 print "Enter password for $acct:";
747 my $password = <STDIN>;
748 chomp($password);
749 print "\n";
750 system "stty echo";
751 return $password;
752 }
753
754 sub prompt_user {
755
756 print "Enter Username:";
757 my $user = <STDIN>;
758 chomp($user);
759 print "\n";
760 return $user;
761 }
762
763 sub check_ticket {
764 return 0;
765 # works only for heimdal
766 return system("$klist -t");
767 }
768
769 sub get_ticket {
770
771 my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
772
773 open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
774 printf KRB5CONF "# autogenerated by $0\n";
775 printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
776 printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
777 close(KRB5CONF);
778
779 if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
780 return -1;
781 }
782
783 return 0;
784 }
785
786 sub check_user {
787 my $acct = shift || "";
788 if ($acct =~ /\%/) {
789 ($acct, $password) = split(/\%/, $acct);
790 }
791 return $acct;
792 }
793
794 sub check_root_dse($$$@) {
795
796 # bogus function??
797 my $server = shift || "";
798 $dse = shift || get_dse($server) || return -1;
799 my $attr = shift || die "unknown query";
800 my @array = @_;
801
802 my $dse_list = $dse->get_value($attr, asref => '1');
803 my @dse_array = @$dse_list;
804
805 foreach my $i (@array) {
806 # we could use -> supported_control but this
807 # is only available in newer versions of perl-ldap
808 # if ( ! $dse->supported_control( $i ) ) {
809 if ( grep(/$i->type()/, @dse_array) ) {
810 printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type());
811 return -1;
812 }
813 }
814 return 0;
815 }
816
817 sub check_ctrls ($$@) {
818 my $server = shift;
819 my $dse = shift;
820 my @array = @_;
821 return check_root_dse($server, $dse, "supportedControl", @array);
822 }
823
824 sub check_exts ($$@) {
825 my $server = shift;
826 my $dse = shift;
827 my @array = @_;
828 return check_root_dse($server, $dse, "supportedExtension", @array);
829 }
830
831 sub get_base_from_rootdse {
832
833 my $server = shift || "";
834 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
835 return $dse->get_value('defaultNamingContext');
836 }
837
838 sub get_realm_from_rootdse {
839
840 my $server = shift || "";
841 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
842 my $service = $dse->get_value('ldapServiceName') || "";
843 if ($service) {
844 my ($t,$realm) = split(/\@/, $service);
845 return $realm;
846 } else {
847 die "very odd: could not get realm";
848 }
849 }
850
851 sub get_sasl_mechs_from_rootdse {
852
853 my $server = shift || "";
854 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
855 my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
856 return @$mechs;
857 }
858
859 sub get_dse {
860
861 my $server = shift || return undef;
862 $async_ldap_hd = shift || get_ldap_hd($server,1);
863 if (!$async_ldap_hd) {
864 print "oh, no connection\n";
865 return undef;
866 }
867 my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
868 if ($mesg->code) { die "failed to bind\n"; };
869 my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
870
871 return $dse;
872 }
873
874 sub process_servername {
875
876 my $name = shift || return "";
877 if ($name =~ /^ldaps:\/\//i ) {
878 $name =~ s#^ldaps://##i;
879 $uri = sprintf("%s://%s", "ldaps", $name);
880 } else {
881 $name =~ s#^ldap://##i;
882 $uri = sprintf("%s://%s", "ldap", $name);
883 }
884 return $name;
885 }
886
887 sub get_ldap_hd {
888
889 my $server = shift || return undef;
890 my $async = shift || "0";
891 my $hd;
892 die "uri unavailable" if (!$uri);
893 if ($uri =~ /^ldaps:\/\//i ) {
894 $port = $port || 636;
895 use Net::LDAPS;
896 $hd = Net::LDAPS->new( $server, async => $async, port => $port ) ||
897 die "host $server not available: $!";
898 } else {
899 $port = $port || 389;
900 $hd = Net::LDAP->new( $server, async => $async, port => $port ) ||
901 die "host $server not available: $!";
902 }
903 $hd->debug($opt_debug);
904 if ($opt_starttls) {
905 $hd->start_tls( verify => 'none' );
906 }
907
908 return $hd;
909 }
910
911 sub get_sasl_hd {
912
913 if (!$have_sasl) {
914 print "no sasl support\n";
915 return undef;
916 }
917
918 my $hd;
919 if ($sasl_mech && $sasl_mech eq "GSSAPI") {
920 my $user = sprintf("%s\@%s", $user, uc($realm));
921 if (check_ticket($user) != 0 && get_ticket($user) != 0) {
922 print "Could not get Kerberos ticket for user [$user]\n";
923 return undef;
924 }
925
926 $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
927 my $conn = $hd->client_new("ldap", $server);
928
929 if ($conn->code == -1) {
930 printf "%s\n", $conn->error();
931 return undef;
932 };
933
934 } elsif ($sasl_mech) {
935
936 # here comes generic sasl code
937 $hd = Authen::SASL->new( mechanism => $sasl_mech,
938 callback => {
939 user => \&get_user,
940 pass => \&get_password
941 }
942 ) || die "nope";
943 } else {
944 $sasl_bind = 0;
945 print "no supported SASL mechanism found (@sasl_mechs).\n";
946 print "falling back to simple bind.\n";
947 return undef;
948 }
949
950 return $hd;
951 }
952
953 sub check_sasl_mech {
954 my $mech_check = shift;
955 my $have_mech = 0;
956 foreach my $mech (@sasl_mechs) {
957 $have_mech = 1 if ($mech eq uc($mech_check));
958 }
959 if (!$have_mech) {
960 return -1;
961 }
962 return 0;
963 }
964
965 sub store_result ($) {
966
967 my $entry = shift;
968 return if (!$entry);
969 $entry_store{$entry->dn} = $entry;
970 }
971
972 sub display_result_diff ($) {
973
974 my $entry_new = shift;
975 return if ( !$entry_new);
976
977 if ( !exists $entry_store{$entry_new->dn}) {
978 print "can't display any differences yet. full dump...\n";
979 display_entry_generic($entry_new);
980 return;
981 }
982
983 my $entry_old = $entry_store{$entry_new->dn};
984
985 foreach my $attr (sort $entry_new->attributes) {
986 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
987 display_attr_generic("add:\t", $entry_new, $attr);
988 next;
989 }
990 }
991
992 foreach my $attr (sort $entry_old->attributes) {
993 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
994 display_attr_generic("del:\t", $entry_old, $attr);
995 next;
996 }
997
998 # now check for all values if they have changed, display changes
999 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
1000
1001 $old_vals = $entry_old->get_value($attr, asref => 1);
1002 @old_vals = @$old_vals;
1003 $new_vals = $entry_new->get_value($attr, asref => 1);
1004 @new_vals = @$new_vals;
1005
1006 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
1007 if ($old_vals[0] ne $new_vals[0]) {
1008 display_attr_generic("old:\t", $entry_old, $attr);
1009 display_attr_generic("new:\t", $entry_new, $attr);
1010 }
1011 next;
1012 }
1013
1014 # handle multivalued diffs
1015 foreach my $val (@old_vals) { $old{$val} = "dummy"; };
1016 foreach my $val (@new_vals) { $new{$val} = "dummy"; };
1017 foreach my $val (sort keys %new) {
1018 if (!exists $old{$val}) {
1019 display_value_generic("add:\t", $attr, $val);
1020 }
1021 }
1022 foreach my $val (sort keys %old) {
1023 if (!exists $new{$val}) {
1024 display_value_generic("del:\t", $attr, $val);
1025 }
1026 }
1027 }
1028 print "\n";
1029
1030 }
1031
1032 sub sid2string ($) {
1033
1034 # Fix from Michael James <michael@james.st>
1035 my $binary_sid = shift;
1036 my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
1037 my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
1038 return $sid_string;
1039
1040 }
1041
1042 sub string_to_guid {
1043 my $string = shift;
1044 return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
1045
1046 return pack("I", hex $1) .
1047 pack("S", hex $2) .
1048 pack("S", hex $3) .
1049 pack("C", hex $4) .
1050 pack("C", hex $5) .
1051 pack("C", hex $6) .
1052 pack("C", hex $7) .
1053 pack("C", hex $8) .
1054 pack("C", hex $9) .
1055 pack("C", hex $10) .
1056 pack("C", hex $11);
1057
1058 # print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
1059 }
1060
1061 sub bindstring_to_guid {
1062 my $str = shift;
1063 return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2",
1064 substr($str,0,2),
1065 substr($str,2,2),
1066 substr($str,4,2),
1067 substr($str,6,2),
1068 substr($str,8,2),
1069 substr($str,10,2),
1070 substr($str,12,2),
1071 substr($str,14,2),
1072 substr($str,16,2),
1073 substr($str,18,2),
1074 substr($str,20,2),
1075 substr($str,22,2),
1076 substr($str,24,2),
1077 substr($str,26,2),
1078 substr($str,28,2),
1079 substr($str,30,2));
1080 }
1081
1082 sub guid_to_string {
1083 my $guid = shift;
1084 my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
1085 unpack("I", $guid),
1086 unpack("S", substr($guid, 4, 2)),
1087 unpack("S", substr($guid, 6, 2)),
1088 unpack("C", substr($guid, 8, 1)),
1089 unpack("C", substr($guid, 9, 1)),
1090 unpack("C", substr($guid, 10, 1)),
1091 unpack("C", substr($guid, 11, 1)),
1092 unpack("C", substr($guid, 12, 1)),
1093 unpack("C", substr($guid, 13, 1)),
1094 unpack("C", substr($guid, 14, 1)),
1095 unpack("C", substr($guid, 15, 1));
1096 return lc($string);
1097 }
1098
1099 sub guid_to_bindstring {
1100 my $guid = shift;
1101 return unpack("H" . 2 * length($guid), $guid),
1102 }
1103
1104 sub dump_wknguid {
1105 print "Dumping Well known GUIDs:\n";
1106 foreach my $wknguid (keys %wknguids) {
1107
1108 my $guid = bindstring_to_guid($wknguids{$wknguid});
1109 my $str = guid_to_string($guid);
1110 my $back = guid_to_bindstring($guid);
1111
1112 printf "wkguid: %s\n", $wknguid;
1113 printf "bind_string format: %s\n", $wknguids{$wknguid};
1114 printf "string format: %s\n", guid_to_string($guid);
1115 printf "back to bind_string:%s\n", guid_to_bindstring($guid);
1116
1117 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
1118 }
1119 }
1120
1121 sub gen_bitmask_string_format($%) {
1122 my $mod = shift;
1123 my (%tmp) = @_;
1124 my @list;
1125 foreach my $key (sort keys %tmp) {
1126 push(@list, sprintf("%s %s", $tmp{$key}, $key));
1127 }
1128 return join("\n$mod$tabsize",@list);
1129 }
1130
1131
1132 sub nt_to_unixtime ($) {
1133 # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
1134 my $t64 = shift;
1135 $t64 =~ s/(.+).{7,7}/$1/;
1136 $t64 -= 11644473600;
1137 return $t64;
1138 }
1139
1140 sub dump_equal {
1141 my $val = shift;
1142 my $mod = shift || die "no mod";
1143 my (%header) = @_;
1144 my %tmp;
1145 my $found = 0;
1146 foreach my $key (keys %header) {
1147 if ($header{$key} eq $val) {
1148 $tmp{"($val)"} = $key;
1149 $found = 1;
1150 last;
1151 }
1152 }
1153 if (!$found) { $tmp{$val} = ""; };
1154 return gen_bitmask_string_format($mod,%tmp);
1155 }
1156
1157 sub dump_bitmask {
1158 my $op = shift || die "no op";
1159 my $val = shift;
1160 my $mod = shift || die "no mod";
1161 my (%header) = @_;
1162 my %tmp;
1163 $tmp{""} = sprintf("%s (0x%08x)", $val, $val);
1164 foreach my $key (sort keys %header) { # sort by val !
1165 my $val_hex = sprintf("0x%08x", $header{$key});
1166 if ($op eq "&") {
1167 $tmp{"$key ($val_hex)"} = ( $val & $header{$key} ) ? $set:$unset;
1168 } elsif ($op eq "==") {
1169 $tmp{"$key ($val_hex)"} = ( $val == $header{$key} ) ? $set:$unset;
1170 } else {
1171 print "unknown operator: $op\n";
1172 return;
1173 }
1174 }
1175 return gen_bitmask_string_format($mod,%tmp);
1176 }
1177
1178 sub dump_bitmask_and {
1179 return dump_bitmask("&",@_);
1180 }
1181
1182 sub dump_bitmask_equal {
1183 return dump_bitmask("==",@_);
1184 }
1185
1186 sub dump_uac {
1187 return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
1188 }
1189
1190 sub dump_uascompat {
1191 return dump_bitmask_equal(@_,%ads_uascompat);
1192 }
1193
1194 sub dump_gpoptions {
1195 return dump_bitmask_equal(@_,%ads_gpoptions);
1196 }
1197
1198 sub dump_gpflags {
1199 return dump_bitmask_equal(@_,%ads_gpflags);
1200 }
1201
1202 sub dump_uacc {
1203 return dump_bitmask_equal(@_,%ads_uacc);
1204 }
1205
1206 sub dump_uf {
1207 return dump_bitmask_and(@_,%ads_uf);
1208 }
1209
1210 sub dump_gtype {
1211 my $ret = dump_bitmask_and(@_,%ads_grouptype);
1212 $ret .= "\n$tabsize\t";
1213 $ret .= dump_bitmask_equal(@_,%ads_gtype);
1214 return $ret;
1215 }
1216
1217 sub dump_atype {
1218 return dump_bitmask_equal(@_,%ads_atype);
1219 }
1220
1221 sub dump_controls {
1222 return dump_equal(@_,%ads_controls);
1223 }
1224
1225 sub dump_capabilities {
1226 return dump_equal(@_,%ads_capabilities);
1227 }
1228
1229 sub dump_extension {
1230 return dump_equal(@_,%ads_extensions);
1231 }
1232
1233 sub dump_systemflags {
1234 return dump_bitmask_and(@_,%ads_systemflags);
1235 }
1236
1237 sub dump_instance_type {
1238 return dump_bitmask_and(@_,%ads_instance_type);
1239 }
1240
1241 sub dump_ds_func {
1242 return dump_bitmask_equal(@_,%ads_ds_func);
1243 }
1244
1245 sub dump_serverstate {
1246 return dump_bitmask_equal(@_,%ads_serverstate);
1247 }
1248
1249 sub dump_sdeffective {
1250 return dump_bitmask_and(@_,%ads_sdeffective);
1251 }
1252
1253 sub dump_trustattr {
1254 return dump_bitmask_equal(@_,%ads_trustattrs);
1255 }
1256
1257 sub dump_trusttype {
1258 return dump_bitmask_equal(@_,%ads_trusttype);
1259 }
1260
1261 sub dump_trustdirection {
1262 return dump_bitmask_equal(@_,%ads_trustdirection);
1263 }
1264
1265 sub dump_pwdproperties {
1266 return dump_bitmask_and(@_,%ads_pwdproperties);
1267 }
1268
1269 sub dump_frstype {
1270 return dump_bitmask_equal(@_,%ads_frstypes)
1271 }
1272
1273 sub dump_mixed_domain {
1274 return dump_bitmask_equal(@_,%ads_mixed_domain);
1275 }
1276
1277 sub dump_sid {
1278 my $bin_sid = shift;
1279 return sid2string($bin_sid);
1280 }
1281
1282 sub dump_guid {
1283 my $guid = shift;
1284 return guid_to_string($guid);
1285 }
1286
1287 sub dump_secdesc {
1288 my $val = shift;
1289 return "FIXME: write sddl-converter!";
1290 }
1291
1292 sub dump_nttime {
1293 my $nttime = shift;
1294 if ($nttime == 0) {
1295 return sprintf("%s (%s)", "never", $nttime);
1296 }
1297 my $localtime = localtime(nt_to_unixtime($nttime));
1298 return sprintf("%s (%s)", $localtime, $nttime);
1299 }
1300
1301 sub dump_nttime_abs {
1302 if ($_[0] == 9223372036854775807) {
1303 return sprintf("%s (%s)", "now", $_[0]);
1304 }
1305 if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1306 return sprintf("%s (%s)", "never", $_[0]);
1307 }
1308 # FIXME: actually *do* abs time !
1309 return dump_nttime($_[0]);
1310 }
1311
1312 sub dump_timestr {
1313 my $time = shift;
1314 if ($time eq "16010101000010.0Z") {
1315 return sprintf("%s (%s)", "never", $time);
1316 }
1317 my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
1318 unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1319 $mon -= 1;
1320 my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
1321 return sprintf("%s (%s)", $localtime, $time);
1322 }
1323
1324 sub dump_string {
1325 return $_[0];
1326 }
1327
1328 sub dump_int {
1329 return sprintf("%d", $_[0]);
1330 }
1331
1332 sub dump_munged_dial {
1333 my $dial = shift;
1334 return "FIXME! decode this";
1335 }
1336
1337 sub dump_cert {
1338
1339 my $cert = shift;
1340 open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
1341 print OPENSSL $cert;
1342 close(OPENSSL);
1343 return "";
1344 }
1345
1346 sub dump_pkt {
1347 my $pkt = shift;
1348 return "not yet";
1349 printf("%s: ", $pkt);
1350 printf("%02X", $pkt);
1351
1352 }
1353
1354 sub dump_gplink {
1355
1356 my $gplink = shift;
1357 my $gplink_mod = $gplink;
1358 my @links = split("\\]\\[", $gplink_mod);
1359 foreach my $link (@links) {
1360 $link =~ s/^\[|\]$//g;
1361 my ($ldap_link, $opt) = split(";", $link);
1362 my @array = ( "$opt", "\t" );
1363 printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
1364 }
1365 return $gplink;
1366 }
1367
1368 sub construct_filter {
1369
1370 my $tmp = shift;
1371
1372 if (!$tmp || $opt_notify) {
1373 return "(objectclass=*)";
1374 }
1375
1376 if ($tmp && $tmp !~ /^.*\=/) {
1377 return "(ANR=$tmp)";
1378 }
1379
1380 return $tmp;
1381 # (&(objectCategory=person)
1382 # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1383 }
1384
1385 sub construct_attrs {
1386
1387 my @attrs = @_;
1388
1389 if (!@attrs) {
1390 push(@attrs,"*");
1391 }
1392
1393 if ($opt_notify) {
1394 push(@attrs,"uSNChanged");
1395 }
1396
1397 if ($opt_display_metadata) {
1398 push(@attrs,"msDS-ReplAttributeMetaData");
1399 push(@attrs,"replPropertyMetaData");
1400 }
1401
1402 if ($opt_verbose) {
1403 push(@attrs,"nTSecurityDescriptor");
1404 push(@attrs,"msDS-KeyVersionNumber");
1405 push(@attrs,"msDS-User-Account-Control-Computed");
1406 push(@attrs,"modifyTimeStamp");
1407 }
1408
1409 return sort @attrs;
1410 }
1411
1412 sub print_header {
1413
1414 print "\n";
1415 printf "%10s: %s\n", "uri", $uri;
1416 printf "%10s: %s\n", "port", $port;
1417 printf "%10s: %s\n", "base", $base;
1418 printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
1419 printf "%10s: %s\n", "password", $password;
1420 printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
1421 printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1422 printf "%10s: %s\n", "filter", $filter;
1423 printf "%10s: %s\n", "scope", $scope;
1424 printf "%10s: %s\n", "attrs", join(", ", @attrs);
1425 printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1426 printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging);
1427 printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
1428 printf "\n";
1429 }
1430
1431 sub gen_controls {
1432
1433 # setup attribute-scoped query control
1434 my $asq_asn = Convert::ASN1->new;
1435 $asq_asn->prepare(
1436 q< asq ::= SEQUENCE {
1437 sourceAttribute OCTET_STRING
1438 }
1439 >
1440 );
1441 my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
1442 my $ctl_asq = Net::LDAP::Control->new(
1443 type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
1444 critical => 'true',
1445 value => $ctl_asq_val);
1446
1447
1448 # setup extended dn control
1449 my $asn_extended_dn = Convert::ASN1->new;
1450 $asn_extended_dn->prepare(
1451 q< ExtendedDn ::= SEQUENCE {
1452 mode INTEGER
1453 }
1454 >
1455 );
1456
1457 # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val
1458 my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn);
1459 my $ctl_extended_dn = Net::LDAP::Control->new(
1460 type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1461 critical => 'true',
1462 value => $opt_display_extendeddn ? $ctl_extended_dn_val : "");
1463
1464 # setup notify control
1465 my $ctl_notification = Net::LDAP::Control->new(
1466 type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1467 critical => 'true');
1468
1469
1470 # setup paging control
1471 $ctl_paged = Net::LDAP::Control->new(
1472 type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1473 critical => 'true',
1474 size => $opt_paging ? $opt_paging : 1000);
1475
1476 # setup domscope control
1477 my $ctl_domscope = Net::LDAP::Control->new(
1478 type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'},
1479 critical => 'true',
1480 value => "");
1481
1482 if (defined($opt_paging)) {
1483 push(@ctrls, $ctl_paged);
1484 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1485 }
1486
1487 if (defined($opt_display_extendeddn)) {
1488 push(@ctrls, $ctl_extended_dn);
1489 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1490 }
1491 if ($opt_notify) {
1492 push(@ctrls, $ctl_notification);
1493 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1494 }
1495
1496 if ($opt_asq) {
1497 push(@ctrls, $ctl_asq);
1498 push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
1499 }
1500
1501 if ($opt_domain_scope) {
1502 push(@ctrls, $ctl_domscope);
1503 push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID");
1504 }
1505
1506 return @ctrls;
1507 }
1508
1509 sub display_value_generic ($$$) {
1510
1511 my ($mod,$attr,$value) = @_;
1512 return unless (defined($value) and defined($attr));
1513
1514 if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1515 $value = $attr_handler{$attr}($value,$mod);
1516 write_ads_list($mod,$attr,$value);
1517 return;
1518 }
1519 write_ads($mod,$attr,$value);
1520 }
1521
1522 sub display_attr_generic ($$$) {
1523
1524 my ($mod,$entry,$attr) = @_;
1525 return if (!$attr || !$entry);
1526
1527 my $ref = $entry->get_value($attr, asref => 1);
1528 my @values = @$ref;
1529
1530 foreach my $value ( sort @values) {
1531 display_value_generic($mod,$attr,$value);
1532 }
1533 }
1534
1535 sub display_entry_generic ($) {
1536
1537 my $entry = shift;
1538 return if (!$entry);
1539
1540 foreach my $attr ( sort $entry->attributes) {
1541 display_attr_generic("\t",$entry,$attr);
1542 }
1543 }
1544
1545 sub display_ldap_err ($) {
1546
1547 my $msg = shift;
1548 print_header();
1549 my ($package, $filename, $line, $subroutine) = caller(0);
1550
1551 print "got error from ADS:\n";
1552 printf("%s(%d): ERROR (%s): %s\n",
1553 $subroutine, $line, $msg->code, $msg->error);
1554
1555 }
1556
1557 sub process_result {
1558
1559 my ($msg,$entry) = @_;
1560
1561 if (!defined($msg)) {
1562 return;
1563 }
1564
1565 if ($msg->code) {
1566 display_ldap_err($msg);
1567 exit 1;
1568 }
1569
1570 if (!defined($entry)) {
1571 return;
1572 }
1573
1574 if ($entry->isa('Net::LDAP::Reference')) {
1575 foreach my $ref ($entry->references) {
1576 print "\ngot Reference: [$ref]\n";
1577 }
1578 return;
1579 }
1580
1581 print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
1582
1583 display_entry_generic($entry);
1584 }
1585
1586 sub default_callback {
1587
1588 my ($res,$obj) = @_;
1589
1590 if (!$opt_notify && $res->code == LDAP_REFERRAL) {
1591 return;
1592 }
1593
1594 if (!$opt_notify) {
1595 return process_result($res,$obj);
1596 }
1597 }
1598
1599 sub error_callback {
1600
1601 my ($msg,$entry) = @_;
1602
1603 if (!$msg) {
1604 return;
1605 }
1606
1607 if ($msg->code) {
1608 display_ldap_err($msg);
1609 exit(1);
1610 }
1611 return;
1612 }
1613
1614 sub notify_callback {
1615
1616 my ($msg, $obj) = @_;
1617
1618 if (! defined($obj)) {
1619 return;
1620 }
1621
1622 if ($obj->isa('Net::LDAP::Reference')) {
1623 foreach my $ref ($obj->references) {
1624 print "\ngot Reference: [$ref]\n";
1625 }
1626 return;
1627 }
1628
1629 while (1) {
1630
1631 my $async_entry = $async_search->pop_entry;
1632
1633 if (!$async_entry->dn) {
1634 print "very weird. entry has no dn\n";
1635 next;
1636 }
1637
1638 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
1639
1640 my $new_usn = $async_entry->get_value('uSNChanged');
1641 if (!$new_usn) {
1642 die "odd, no usnChanged attribute???";
1643 }
1644 if (!$usn || $new_usn > $usn) {
1645 $usn = $new_usn;
1646 if ($opt_notify_nodiffs) {
1647 display_entry_generic($async_entry);
1648 } else {
1649 display_result_diff($async_entry);
1650 }
1651 }
1652 store_result($async_entry);
1653 }
1654 }
1655
1656 sub do_bind($$) {
1657
1658 my $async_ldap_hd = shift || return undef;
1659 my $sasl_bind = shift;
1660
1661 if ($sasl_bind) {
1662 if (!$works_sasl) {
1663 print "this version of Net::LDAP does not have proper SASL support.\n";
1664 print "Need at least perl-ldap V. $pref_version\n";
1665 }
1666 $sasl_hd = get_sasl_hd();
1667 if (!$sasl_hd) {
1668 print "failed to create SASL handle\n";
1669 return -1;
1670 }
1671 $mesg = $async_ldap_hd->bind(
1672 sasl => $sasl_hd,
1673 callback => \&error_callback
1674 ) || die "doesnt work";
1675 } else {
1676 $sasl_mech = "";
1677 $mesg = $async_ldap_hd->bind(
1678 $binddn,
1679 password => $password,
1680 callback => $opt_fastbind ? undef : \&error_callback
1681 ) || die "doesnt work";
1682 };
1683 if ($mesg->code) {
1684 display_ldap_err($mesg) if (!$opt_fastbind);
1685 return -1;
1686 }
1687 return 0;
1688 }
1689
1690 sub do_fast_bind() {
1691
1692 do_unbind();
1693
1694 my $hd = get_ldap_hd($server,1);
1695
1696 my $mesg = $hd->extension(
1697 name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'});
1698
1699 if ($mesg->code) {
1700 display_ldap_err($mesg);
1701 return -1;
1702 }
1703
1704 my $ret = do_bind($hd, undef);
1705 $hd->unbind;
1706
1707 printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n",
1708 $ret == 0 ? "succeeded" : "failed");
1709
1710 return $ret;
1711 }
1712
1713 sub do_unbind() {
1714 if ($async_ldap_hd) {
1715 $async_ldap_hd->unbind;
1716 }
1717 if ($sync_ldap_hd) {
1718 $sync_ldap_hd->unbind;
1719 }
1720 }
1721
1722 ###############################################################################
1723
1724 sub main () {
1725
1726 if ($opt_fastbind) {
1727
1728 if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) {
1729 print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n";
1730 exit 1;
1731 }
1732
1733 # fast bind can only bind, not search
1734 exit do_fast_bind();
1735 }
1736
1737 $filter = construct_filter($query);
1738 @attrs = construct_attrs(@attrs);
1739 @ctrls = gen_controls();
1740
1741 if (check_ctrls($server,$dse,@ctrls) == -1) {
1742 print "not all required LDAP Controls are supported by this server\n";
1743 exit 1;
1744 }
1745
1746 if ($opt_dump_rootdse) {
1747 print "Dumping Root-DSE:\n";
1748 display_entry_generic($dse);
1749 exit 0;
1750 }
1751
1752 if ($opt_dump_wknguid) {
1753 dump_wknguid();
1754 exit 0;
1755 }
1756
1757 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1758 exit 1;
1759 }
1760
1761 print_header();
1762
1763 if ($opt_dump_schema) {
1764 print "Dumping Schema:\n";
1765 my $ads_schema = $async_ldap_hd->schema;
1766 $ads_schema->dump;
1767 exit 0;
1768 }
1769
1770 while (1) {
1771
1772 $async_search = $async_ldap_hd->search(
1773 base => $base,
1774 filter => $filter,
1775 attrs => [ @attrs ],
1776 control => [ @ctrls ],
1777 callback => \&default_callback,
1778 scope => $scope,
1779 ) || die "cannot search";
1780
1781 if (!$opt_notify && ($async_search->code == LDAP_REFERRAL)) {
1782 foreach my $ref ($async_search->referrals) {
1783 print "\ngot Referral: [$ref]\n";
1784 $async_ldap_hd->unbind();
1785 $async_ldap_hd = get_ldap_hd($ref, 1);
1786 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1787 $async_ldap_hd->unbind();
1788 next;
1789 }
1790 print "\nsuccessful rebind to: [$ref]\n";
1791 last;
1792 }
1793 next; # repeat the query
1794 }
1795
1796 if ($opt_notify) {
1797
1798 print "Base [$base] is registered now for change-notify\n";
1799 print "\nWaiting for change-notify...\n";
1800
1801 my $sync_ldap_hd = get_ldap_hd($server,0);
1802 if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
1803 exit 2;
1804 }
1805
1806 my $sync_search = $sync_ldap_hd->search(
1807 base => $base,
1808 filter => $filter,
1809 attrs => [ @attrs ],
1810 callback => \&notify_callback,
1811 scope => $scope,
1812 ) || die "cannot search";
1813
1814 }
1815
1816 $total_entry_count += $async_search->count;
1817 ++$page_count;
1818 print "-" x 80 . "\n";
1819 printf("Got %d Entries in Page %d \n\n",
1820 $async_search->count, $page_count);
1821 my ($resp) = $async_search->control(
1822 $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1823 last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1824 }
1825
1826 if ($async_search->entries == 0) {
1827 print "No entries found with filter $filter\n";
1828 } else {
1829 print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging);
1830 }
1831
1832 do_unbind()
1833 }
1834
1835 main();
1836
1837 exit 0;
Samba GIT mirror