search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[GLUE] Rsync SAMBA_3_0 SVN r25598 in order to create the v3-0-test branch.
[Samba.git] / source / libads / ldap.c
blob5d498abb1c0e87c691892fbd61830deabe452e8e
1 /*
2 Unix SMB/CIFS implementation.
3 ads (active directory) utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7 Copyright (C) Guenther Deschner 2005
8 Copyright (C) Gerald Carter 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26
27 #ifdef HAVE_LDAP
28
29 /**
30 * @file ldap.c
31 * @brief basic ldap client-side routines for ads server communications
32 *
33 * The routines contained here should do the necessary ldap calls for
34 * ads setups.
35 *
36 * Important note: attribute names passed into ads_ routines must
37 * already be in UTF-8 format. We do not convert them because in almost
38 * all cases, they are just ascii (which is represented with the same
39 * codepoints in UTF-8). This may have to change at some point
40 **/
41
42
43 #define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
44
45 static SIG_ATOMIC_T gotalarm;
46
47 /***************************************************************
48 Signal function to tell us we timed out.
49 ****************************************************************/
50
51 static void gotalarm_sig(void)
52 {
53 gotalarm = 1;
54 }
55
56 LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to)
57 {
58 LDAP *ldp = NULL;
59
60 /* Setup timeout */
61 gotalarm = 0;
62 CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
63 alarm(to);
64 /* End setup timeout. */
65
66 ldp = ldap_open(server, port);
67
68 if (ldp == NULL) {
69 DEBUG(2,("Could not open LDAP connection to %s:%d: %s\n",
70 server, port, strerror(errno)));
71 }
72
73 /* Teardown timeout. */
74 CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
75 alarm(0);
76
77 return ldp;
78 }
79
80 static int ldap_search_with_timeout(LDAP *ld,
81 LDAP_CONST char *base,
82 int scope,
83 LDAP_CONST char *filter,
84 char **attrs,
85 int attrsonly,
86 LDAPControl **sctrls,
87 LDAPControl **cctrls,
88 int sizelimit,
89 LDAPMessage **res )
90 {
91 struct timeval timeout;
92 int result;
93
94 /* Setup timeout for the ldap_search_ext_s call - local and remote. */
95 timeout.tv_sec = lp_ldap_timeout();
96 timeout.tv_usec = 0;
97
98 /* Setup alarm timeout.... Do we need both of these ? JRA. */
99 gotalarm = 0;
100 CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
101 alarm(lp_ldap_timeout());
102 /* End setup timeout. */
103
104 result = ldap_search_ext_s(ld, base, scope, filter, attrs,
105 attrsonly, sctrls, cctrls, &timeout,
106 sizelimit, res);
107
108 /* Teardown timeout. */
109 CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
110 alarm(0);
111
112 if (gotalarm != 0)
113 return LDAP_TIMELIMIT_EXCEEDED;
114
115 return result;
116 }
117
118 /**********************************************
119 Do client and server sitename match ?
120 **********************************************/
121
122 BOOL ads_sitename_match(ADS_STRUCT *ads)
123 {
124 if (ads->config.server_site_name == NULL &&
125 ads->config.client_site_name == NULL ) {
126 DEBUG(10,("ads_sitename_match: both null\n"));
127 return True;
128 }
129 if (ads->config.server_site_name &&
130 ads->config.client_site_name &&
131 strequal(ads->config.server_site_name,
132 ads->config.client_site_name)) {
133 DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
134 return True;
135 }
136 DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
137 ads->config.server_site_name ? ads->config.server_site_name : "NULL",
138 ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
139 return False;
140 }
141
142 /**********************************************
143 Is this the closest DC ?
144 **********************************************/
145
146 BOOL ads_closest_dc(ADS_STRUCT *ads)
147 {
148 if (ads->config.flags & ADS_CLOSEST) {
149 DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag set\n"));
150 return True;
151 }
152
153 /* not sure if this can ever happen */
154 if (ads_sitename_match(ads)) {
155 DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag not set but sites match\n"));
156 return True;
157 }
158
159 DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
160 ads->config.ldap_server_name));
161
162 return False;
163 }
164
165
166 /*
167 try a connection to a given ldap server, returning True and setting the servers IP
168 in the ads struct if successful
169 */
170 BOOL ads_try_connect(ADS_STRUCT *ads, const char *server )
171 {
172 char *srv;
173 struct cldap_netlogon_reply cldap_reply;
174
175 if (!server || !*server) {
176 return False;
177 }
178
179 DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
180 server, ads->server.realm));
181
182 /* this copes with inet_ntoa brokenness */
183
184 srv = SMB_STRDUP(server);
185
186 ZERO_STRUCT( cldap_reply );
187
188 if ( !ads_cldap_netlogon( srv, ads->server.realm, &cldap_reply ) ) {
189 DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
190 SAFE_FREE( srv );
191 return False;
192 }
193
194 /* Check the CLDAP reply flags */
195
196 if ( !(cldap_reply.flags & ADS_LDAP) ) {
197 DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
198 srv));
199 SAFE_FREE( srv );
200 return False;
201 }
202
203 /* Fill in the ads->config values */
204
205 SAFE_FREE(ads->config.realm);
206 SAFE_FREE(ads->config.bind_path);
207 SAFE_FREE(ads->config.ldap_server_name);
208 SAFE_FREE(ads->config.server_site_name);
209 SAFE_FREE(ads->config.client_site_name);
210 SAFE_FREE(ads->server.workgroup);
211
212 ads->config.flags = cldap_reply.flags;
213 ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.hostname);
214 strupper_m(cldap_reply.domain);
215 ads->config.realm = SMB_STRDUP(cldap_reply.domain);
216 ads->config.bind_path = ads_build_dn(ads->config.realm);
217 if (*cldap_reply.server_site_name) {
218 ads->config.server_site_name =
219 SMB_STRDUP(cldap_reply.server_site_name);
220 }
221 if (*cldap_reply.client_site_name) {
222 ads->config.client_site_name =
223 SMB_STRDUP(cldap_reply.client_site_name);
224 }
225
226 ads->server.workgroup = SMB_STRDUP(cldap_reply.netbios_domain);
227
228 ads->ldap_port = LDAP_PORT;
229 ads->ldap_ip = *interpret_addr2(srv);
230 SAFE_FREE(srv);
231
232 /* Store our site name. */
233 sitename_store( cldap_reply.domain, cldap_reply.client_site_name );
234
235 return True;
236 }
237
238 /**********************************************************************
239 Try to find an AD dc using our internal name resolution routines
240 Try the realm first and then then workgroup name if netbios is not
241 disabled
242 **********************************************************************/
243
244 static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
245 {
246 const char *c_realm;
247 int count, i=0;
248 struct ip_service *ip_list;
249 pstring realm;
250 BOOL got_realm = False;
251 BOOL use_own_domain = False;
252 char *sitename;
253 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
254
255 /* if the realm and workgroup are both empty, assume they are ours */
256
257 /* realm */
258 c_realm = ads->server.realm;
259
260 if ( !c_realm || !*c_realm ) {
261 /* special case where no realm and no workgroup means our own */
262 if ( !ads->server.workgroup || !*ads->server.workgroup ) {
263 use_own_domain = True;
264 c_realm = lp_realm();
265 }
266 }
267
268 if (c_realm && *c_realm)
269 got_realm = True;
270
271 /* we need to try once with the realm name and fallback to the
272 netbios domain name if we fail (if netbios has not been disabled */
273
274 if ( !got_realm && !lp_disable_netbios() ) {
275 c_realm = ads->server.workgroup;
276 if (!c_realm || !*c_realm) {
277 if ( use_own_domain )
278 c_realm = lp_workgroup();
279 }
280
281 if ( !c_realm || !*c_realm ) {
282 DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
283 return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
284 }
285 }
286
287 pstrcpy( realm, c_realm );
288
289 sitename = sitename_fetch(realm);
290
291 again:
292
293 DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
294 (got_realm ? "realm" : "domain"), realm));
295
296 status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
297 if (!NT_STATUS_IS_OK(status)) {
298 /* fall back to netbios if we can */
299 if ( got_realm && !lp_disable_netbios() ) {
300 got_realm = False;
301 goto again;
302 }
303
304 SAFE_FREE(sitename);
305 return status;
306 }
307
308 /* if we fail this loop, then giveup since all the IP addresses returned were dead */
309 for ( i=0; i<count; i++ ) {
310 fstring server;
311
312 fstrcpy( server, inet_ntoa(ip_list[i].ip) );
313
314 if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
315 continue;
316
317 if (!got_realm) {
318 /* realm in this case is a workgroup name. We need
319 to ignore any IP addresses in the negative connection
320 cache that match ip addresses returned in the ad realm
321 case. It sucks that I have to reproduce the logic above... */
322 c_realm = ads->server.realm;
323 if ( !c_realm || !*c_realm ) {
324 if ( !ads->server.workgroup || !*ads->server.workgroup ) {
325 c_realm = lp_realm();
326 }
327 }
328 if (c_realm && *c_realm &&
329 !NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) {
330 /* Ensure we add the workgroup name for this
331 IP address as negative too. */
332 add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
333 continue;
334 }
335 }
336
337 if ( ads_try_connect(ads, server) ) {
338 SAFE_FREE(ip_list);
339 SAFE_FREE(sitename);
340 return NT_STATUS_OK;
341 }
342
343 /* keep track of failures */
344 add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
345 }
346
347 SAFE_FREE(ip_list);
348
349 /* In case we failed to contact one of our closest DC on our site we
350 * need to try to find another DC, retry with a site-less SRV DNS query
351 * - Guenther */
352
353 if (sitename) {
354 DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
355 "trying to find another DC\n", sitename));
356 SAFE_FREE(sitename);
357 namecache_delete(realm, 0x1C);
358 goto again;
359 }
360
361 return NT_STATUS_NO_LOGON_SERVERS;
362 }
363
364
365 /**
366 * Connect to the LDAP server
367 * @param ads Pointer to an existing ADS_STRUCT
368 * @return status of connection
369 **/
370 ADS_STATUS ads_connect(ADS_STRUCT *ads)
371 {
372 int version = LDAP_VERSION3;
373 ADS_STATUS status;
374 NTSTATUS ntstatus;
375
376 ads->last_attempt = time(NULL);
377 ads->ld = NULL;
378
379 /* try with a user specified server */
380
381 if (ads->server.ldap_server &&
382 ads_try_connect(ads, ads->server.ldap_server)) {
383 goto got_connection;
384 }
385
386 ntstatus = ads_find_dc(ads);
387 if (NT_STATUS_IS_OK(ntstatus)) {
388 goto got_connection;
389 }
390
391 return ADS_ERROR_NT(ntstatus);
392
393 got_connection:
394 DEBUG(3,("Connected to LDAP server %s\n", inet_ntoa(ads->ldap_ip)));
395
396 if (!ads->auth.user_name) {
397 /* Must use the userPrincipalName value here or sAMAccountName
398 and not servicePrincipalName; found by Guenther Deschner */
399
400 asprintf(&ads->auth.user_name, "%s$", global_myname() );
401 }
402
403 if (!ads->auth.realm) {
404 ads->auth.realm = SMB_STRDUP(ads->config.realm);
405 }
406
407 if (!ads->auth.kdc_server) {
408 ads->auth.kdc_server = SMB_STRDUP(inet_ntoa(ads->ldap_ip));
409 }
410
411 #if KRB5_DNS_HACK
412 /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
413 to MIT kerberos to work (tridge) */
414 {
415 char *env;
416 asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
417 setenv(env, ads->auth.kdc_server, 1);
418 free(env);
419 }
420 #endif
421
422 /* If the caller() requested no LDAP bind, then we are done */
423
424 if (ads->auth.flags & ADS_AUTH_NO_BIND) {
425 return ADS_SUCCESS;
426 }
427
428 /* Otherwise setup the TCP LDAP session */
429
430 if ( (ads->ld = ldap_open_with_timeout(ads->config.ldap_server_name,
431 LDAP_PORT, lp_ldap_timeout())) == NULL )
432 {
433 return ADS_ERROR(LDAP_OPERATIONS_ERROR);
434 }
435
436 /* cache the successful connection for workgroup and realm */
437 if (ads_closest_dc(ads)) {
438 saf_store( ads->server.workgroup, inet_ntoa(ads->ldap_ip));
439 saf_store( ads->server.realm, inet_ntoa(ads->ldap_ip));
440 }
441
442 ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
443
444 status = ADS_ERROR(smb_ldap_start_tls(ads->ld, version));
445 if (!ADS_ERR_OK(status)) {
446 return status;
447 }
448
449 /* fill in the current time and offsets */
450
451 status = ads_current_time( ads );
452 if ( !ADS_ERR_OK(status) ) {
453 return status;
454 }
455
456 /* Now do the bind */
457
458 if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
459 return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL));
460 }
461
462 if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
463 return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password));
464 }
465
466 return ads_sasl_bind(ads);
467 }
468
469 /*
470 Duplicate a struct berval into talloc'ed memory
471 */
472 static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val)
473 {
474 struct berval *value;
475
476 if (!in_val) return NULL;
477
478 value = TALLOC_ZERO_P(ctx, struct berval);
479 if (value == NULL)
480 return NULL;
481 if (in_val->bv_len == 0) return value;
482
483 value->bv_len = in_val->bv_len;
484 value->bv_val = (char *)TALLOC_MEMDUP(ctx, in_val->bv_val,
485 in_val->bv_len);
486 return value;
487 }
488
489 /*
490 Make a values list out of an array of (struct berval *)
491 */
492 static struct berval **ads_dup_values(TALLOC_CTX *ctx,
493 const struct berval **in_vals)
494 {
495 struct berval **values;
496 int i;
497
498 if (!in_vals) return NULL;
499 for (i=0; in_vals[i]; i++)
500 ; /* count values */
501 values = TALLOC_ZERO_ARRAY(ctx, struct berval *, i+1);
502 if (!values) return NULL;
503
504 for (i=0; in_vals[i]; i++) {
505 values[i] = dup_berval(ctx, in_vals[i]);
506 }
507 return values;
508 }
509
510 /*
511 UTF8-encode a values list out of an array of (char *)
512 */
513 static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals)
514 {
515 char **values;
516 int i;
517
518 if (!in_vals) return NULL;
519 for (i=0; in_vals[i]; i++)
520 ; /* count values */
521 values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
522 if (!values) return NULL;
523
524 for (i=0; in_vals[i]; i++) {
525 push_utf8_talloc(ctx, &values[i], in_vals[i]);
526 }
527 return values;
528 }
529
530 /*
531 Pull a (char *) array out of a UTF8-encoded values list
532 */
533 static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals)
534 {
535 char **values;
536 int i;
537
538 if (!in_vals) return NULL;
539 for (i=0; in_vals[i]; i++)
540 ; /* count values */
541 values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
542 if (!values) return NULL;
543
544 for (i=0; in_vals[i]; i++) {
545 pull_utf8_talloc(ctx, &values[i], in_vals[i]);
546 }
547 return values;
548 }
549
550 /**
551 * Do a search with paged results. cookie must be null on the first
552 * call, and then returned on each subsequent call. It will be null
553 * again when the entire search is complete
554 * @param ads connection to ads server
555 * @param bind_path Base dn for the search
556 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
557 * @param expr Search expression - specified in local charset
558 * @param attrs Attributes to retrieve - specified in utf8 or ascii
559 * @param res ** which will contain results - free res* with ads_msgfree()
560 * @param count Number of entries retrieved on this page
561 * @param cookie The paged results cookie to be returned on subsequent calls
562 * @return status of search
563 **/
564 static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
565 const char *bind_path,
566 int scope, const char *expr,
567 const char **attrs, void *args,
568 LDAPMessage **res,
569 int *count, struct berval **cookie)
570 {
571 int rc, i, version;
572 char *utf8_expr, *utf8_path, **search_attrs;
573 LDAPControl PagedResults, NoReferrals, ExtendedDn, *controls[4], **rcontrols;
574 BerElement *cookie_be = NULL;
575 struct berval *cookie_bv= NULL;
576 BerElement *extdn_be = NULL;
577 struct berval *extdn_bv= NULL;
578
579 TALLOC_CTX *ctx;
580 ads_control *external_control = (ads_control *) args;
581
582 *res = NULL;
583
584 if (!(ctx = talloc_init("ads_do_paged_search_args")))
585 return ADS_ERROR(LDAP_NO_MEMORY);
586
587 /* 0 means the conversion worked but the result was empty
588 so we only fail if it's -1. In any case, it always
589 at least nulls out the dest */
590 if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
591 (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
592 rc = LDAP_NO_MEMORY;
593 goto done;
594 }
595
596 if (!attrs || !(*attrs))
597 search_attrs = NULL;
598 else {
599 /* This would be the utf8-encoded version...*/
600 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
601 if (!(str_list_copy(&search_attrs, attrs))) {
602 rc = LDAP_NO_MEMORY;
603 goto done;
604 }
605 }
606
607
608 /* Paged results only available on ldap v3 or later */
609 ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
610 if (version < LDAP_VERSION3) {
611 rc = LDAP_NOT_SUPPORTED;
612 goto done;
613 }
614
615 cookie_be = ber_alloc_t(LBER_USE_DER);
616 if (*cookie) {
617 ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
618 ber_bvfree(*cookie); /* don't need it from last time */
619 *cookie = NULL;
620 } else {
621 ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
622 }
623 ber_flatten(cookie_be, &cookie_bv);
624 PagedResults.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
625 PagedResults.ldctl_iscritical = (char) 1;
626 PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
627 PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
628
629 NoReferrals.ldctl_oid = CONST_DISCARD(char *, ADS_NO_REFERRALS_OID);
630 NoReferrals.ldctl_iscritical = (char) 0;
631 NoReferrals.ldctl_value.bv_len = 0;
632 NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
633
634 if (external_control && strequal(external_control->control, ADS_EXTENDED_DN_OID)) {
635
636 ExtendedDn.ldctl_oid = CONST_DISCARD(char *, external_control->control);
637 ExtendedDn.ldctl_iscritical = (char) external_control->critical;
638
639 /* win2k does not accept a ldctl_value beeing passed in */
640
641 if (external_control->val != 0) {
642
643 if ((extdn_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
644 rc = LDAP_NO_MEMORY;
645 goto done;
646 }
647
648 if ((ber_printf(extdn_be, "{i}", (ber_int_t) external_control->val)) == -1) {
649 rc = LDAP_NO_MEMORY;
650 goto done;
651 }
652 if ((ber_flatten(extdn_be, &extdn_bv)) == -1) {
653 rc = LDAP_NO_MEMORY;
654 goto done;
655 }
656
657 ExtendedDn.ldctl_value.bv_len = extdn_bv->bv_len;
658 ExtendedDn.ldctl_value.bv_val = extdn_bv->bv_val;
659
660 } else {
661 ExtendedDn.ldctl_value.bv_len = 0;
662 ExtendedDn.ldctl_value.bv_val = NULL;
663 }
664
665 controls[0] = &NoReferrals;
666 controls[1] = &PagedResults;
667 controls[2] = &ExtendedDn;
668 controls[3] = NULL;
669
670 } else {
671 controls[0] = &NoReferrals;
672 controls[1] = &PagedResults;
673 controls[2] = NULL;
674 }
675
676 /* we need to disable referrals as the openldap libs don't
677 handle them and paged results at the same time. Using them
678 together results in the result record containing the server
679 page control being removed from the result list (tridge/jmcd)
680
681 leaving this in despite the control that says don't generate
682 referrals, in case the server doesn't support it (jmcd)
683 */
684 ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
685
686 rc = ldap_search_with_timeout(ads->ld, utf8_path, scope, utf8_expr,
687 search_attrs, 0, controls,
688 NULL, LDAP_NO_LIMIT,
689 (LDAPMessage **)res);
690
691 ber_free(cookie_be, 1);
692 ber_bvfree(cookie_bv);
693
694 if (rc) {
695 DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
696 ldap_err2string(rc)));
697 goto done;
698 }
699
700 rc = ldap_parse_result(ads->ld, *res, NULL, NULL, NULL,
701 NULL, &rcontrols, 0);
702
703 if (!rcontrols) {
704 goto done;
705 }
706
707 for (i=0; rcontrols[i]; i++) {
708 if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
709 cookie_be = ber_init(&rcontrols[i]->ldctl_value);
710 ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
711 &cookie_bv);
712 /* the berval is the cookie, but must be freed when
713 it is all done */
714 if (cookie_bv->bv_len) /* still more to do */
715 *cookie=ber_bvdup(cookie_bv);
716 else
717 *cookie=NULL;
718 ber_bvfree(cookie_bv);
719 ber_free(cookie_be, 1);
720 break;
721 }
722 }
723 ldap_controls_free(rcontrols);
724
725 done:
726 talloc_destroy(ctx);
727
728 if (extdn_be) {
729 ber_free(extdn_be, 1);
730 }
731
732 if (extdn_bv) {
733 ber_bvfree(extdn_bv);
734 }
735
736 /* if/when we decide to utf8-encode attrs, take out this next line */
737 str_list_free(&search_attrs);
738
739 return ADS_ERROR(rc);
740 }
741
742 static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
743 int scope, const char *expr,
744 const char **attrs, LDAPMessage **res,
745 int *count, struct berval **cookie)
746 {
747 return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
748 }
749
750
751 /**
752 * Get all results for a search. This uses ads_do_paged_search() to return
753 * all entries in a large search.
754 * @param ads connection to ads server
755 * @param bind_path Base dn for the search
756 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
757 * @param expr Search expression
758 * @param attrs Attributes to retrieve
759 * @param res ** which will contain results - free res* with ads_msgfree()
760 * @return status of search
761 **/
762 ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path,
763 int scope, const char *expr,
764 const char **attrs, void *args,
765 LDAPMessage **res)
766 {
767 struct berval *cookie = NULL;
768 int count = 0;
769 ADS_STATUS status;
770
771 *res = NULL;
772 status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
773 &count, &cookie);
774
775 if (!ADS_ERR_OK(status))
776 return status;
777
778 #ifdef HAVE_LDAP_ADD_RESULT_ENTRY
779 while (cookie) {
780 LDAPMessage *res2 = NULL;
781 ADS_STATUS status2;
782 LDAPMessage *msg, *next;
783
784 status2 = ads_do_paged_search_args(ads, bind_path, scope, expr,
785 attrs, args, &res2, &count, &cookie);
786
787 if (!ADS_ERR_OK(status2)) break;
788
789 /* this relies on the way that ldap_add_result_entry() works internally. I hope
790 that this works on all ldap libs, but I have only tested with openldap */
791 for (msg = ads_first_entry(ads, res2); msg; msg = next) {
792 next = ads_next_entry(ads, msg);
793 ldap_add_result_entry((LDAPMessage **)res, msg);
794 }
795 /* note that we do not free res2, as the memory is now
796 part of the main returned list */
797 }
798 #else
799 DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
800 status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
801 #endif
802
803 return status;
804 }
805
806 ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
807 int scope, const char *expr,
808 const char **attrs, LDAPMessage **res)
809 {
810 return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
811 }
812
813 /**
814 * Run a function on all results for a search. Uses ads_do_paged_search() and
815 * runs the function as each page is returned, using ads_process_results()
816 * @param ads connection to ads server
817 * @param bind_path Base dn for the search
818 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
819 * @param expr Search expression - specified in local charset
820 * @param attrs Attributes to retrieve - specified in UTF-8 or ascii
821 * @param fn Function which takes attr name, values list, and data_area
822 * @param data_area Pointer which is passed to function on each call
823 * @return status of search
824 **/
825 ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
826 int scope, const char *expr, const char **attrs,
827 BOOL(*fn)(char *, void **, void *),
828 void *data_area)
829 {
830 struct berval *cookie = NULL;
831 int count = 0;
832 ADS_STATUS status;
833 LDAPMessage *res;
834
835 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
836 &count, &cookie);
837
838 if (!ADS_ERR_OK(status)) return status;
839
840 ads_process_results(ads, res, fn, data_area);
841 ads_msgfree(ads, res);
842
843 while (cookie) {
844 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
845 &res, &count, &cookie);
846
847 if (!ADS_ERR_OK(status)) break;
848
849 ads_process_results(ads, res, fn, data_area);
850 ads_msgfree(ads, res);
851 }
852
853 return status;
854 }
855
856 /**
857 * Do a search with a timeout.
858 * @param ads connection to ads server
859 * @param bind_path Base dn for the search
860 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
861 * @param expr Search expression
862 * @param attrs Attributes to retrieve
863 * @param res ** which will contain results - free res* with ads_msgfree()
864 * @return status of search
865 **/
866 ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
867 const char *expr,
868 const char **attrs, LDAPMessage **res)
869 {
870 int rc;
871 char *utf8_expr, *utf8_path, **search_attrs = NULL;
872 TALLOC_CTX *ctx;
873
874 *res = NULL;
875 if (!(ctx = talloc_init("ads_do_search"))) {
876 DEBUG(1,("ads_do_search: talloc_init() failed!"));
877 return ADS_ERROR(LDAP_NO_MEMORY);
878 }
879
880 /* 0 means the conversion worked but the result was empty
881 so we only fail if it's negative. In any case, it always
882 at least nulls out the dest */
883 if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
884 (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
885 DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
886 rc = LDAP_NO_MEMORY;
887 goto done;
888 }
889
890 if (!attrs || !(*attrs))
891 search_attrs = NULL;
892 else {
893 /* This would be the utf8-encoded version...*/
894 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
895 if (!(str_list_copy(&search_attrs, attrs)))
896 {
897 DEBUG(1,("ads_do_search: str_list_copy() failed!"));
898 rc = LDAP_NO_MEMORY;
899 goto done;
900 }
901 }
902
903 /* see the note in ads_do_paged_search - we *must* disable referrals */
904 ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
905
906 rc = ldap_search_with_timeout(ads->ld, utf8_path, scope, utf8_expr,
907 search_attrs, 0, NULL, NULL,
908 LDAP_NO_LIMIT,
909 (LDAPMessage **)res);
910
911 if (rc == LDAP_SIZELIMIT_EXCEEDED) {
912 DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
913 rc = 0;
914 }
915
916 done:
917 talloc_destroy(ctx);
918 /* if/when we decide to utf8-encode attrs, take out this next line */
919 str_list_free(&search_attrs);
920 return ADS_ERROR(rc);
921 }
922 /**
923 * Do a general ADS search
924 * @param ads connection to ads server
925 * @param res ** which will contain results - free res* with ads_msgfree()
926 * @param expr Search expression
927 * @param attrs Attributes to retrieve
928 * @return status of search
929 **/
930 ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res,
931 const char *expr, const char **attrs)
932 {
933 return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
934 expr, attrs, res);
935 }
936
937 /**
938 * Do a search on a specific DistinguishedName
939 * @param ads connection to ads server
940 * @param res ** which will contain results - free res* with ads_msgfree()
941 * @param dn DistinguishName to search
942 * @param attrs Attributes to retrieve
943 * @return status of search
944 **/
945 ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
946 const char *dn, const char **attrs)
947 {
948 return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
949 attrs, res);
950 }
951
952 /**
953 * Free up memory from a ads_search
954 * @param ads connection to ads server
955 * @param msg Search results to free
956 **/
957 void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg)
958 {
959 if (!msg) return;
960 ldap_msgfree(msg);
961 }
962
963 /**
964 * Free up memory from various ads requests
965 * @param ads connection to ads server
966 * @param mem Area to free
967 **/
968 void ads_memfree(ADS_STRUCT *ads, void *mem)
969 {
970 SAFE_FREE(mem);
971 }
972
973 /**
974 * Get a dn from search results
975 * @param ads connection to ads server
976 * @param msg Search result
977 * @return dn string
978 **/
979 char *ads_get_dn(ADS_STRUCT *ads, LDAPMessage *msg)
980 {
981 char *utf8_dn, *unix_dn;
982
983 utf8_dn = ldap_get_dn(ads->ld, msg);
984
985 if (!utf8_dn) {
986 DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
987 return NULL;
988 }
989
990 if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) {
991 DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
992 utf8_dn ));
993 return NULL;
994 }
995 ldap_memfree(utf8_dn);
996 return unix_dn;
997 }
998
999 /**
1000 * Get the parent from a dn
1001 * @param dn the dn to return the parent from
1002 * @return parent dn string
1003 **/
1004 char *ads_parent_dn(const char *dn)
1005 {
1006 char *p;
1007
1008 if (dn == NULL) {
1009 return NULL;
1010 }
1011
1012 p = strchr(dn, ',');
1013
1014 if (p == NULL) {
1015 return NULL;
1016 }
1017
1018 return p+1;
1019 }
1020
1021 /**
1022 * Find a machine account given a hostname
1023 * @param ads connection to ads server
1024 * @param res ** which will contain results - free res* with ads_msgfree()
1025 * @param host Hostname to search for
1026 * @return status of search
1027 **/
1028 ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res,
1029 const char *machine)
1030 {
1031 ADS_STATUS status;
1032 char *expr;
1033 const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
1034
1035 *res = NULL;
1036
1037 /* the easiest way to find a machine account anywhere in the tree
1038 is to look for hostname$ */
1039 if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
1040 DEBUG(1, ("asprintf failed!\n"));
1041 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1042 }
1043
1044 status = ads_search(ads, res, expr, attrs);
1045 SAFE_FREE(expr);
1046 return status;
1047 }
1048
1049 /**
1050 * Initialize a list of mods to be used in a modify request
1051 * @param ctx An initialized TALLOC_CTX
1052 * @return allocated ADS_MODLIST
1053 **/
1054 ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
1055 {
1056 #define ADS_MODLIST_ALLOC_SIZE 10
1057 LDAPMod **mods;
1058
1059 if ((mods = TALLOC_ZERO_ARRAY(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
1060 /* -1 is safety to make sure we don't go over the end.
1061 need to reset it to NULL before doing ldap modify */
1062 mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1063
1064 return (ADS_MODLIST)mods;
1065 }
1066
1067
1068 /*
1069 add an attribute to the list, with values list already constructed
1070 */
1071 static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1072 int mod_op, const char *name,
1073 const void *_invals)
1074 {
1075 const void **invals = (const void **)_invals;
1076 int curmod;
1077 LDAPMod **modlist = (LDAPMod **) *mods;
1078 struct berval **ber_values = NULL;
1079 char **char_values = NULL;
1080
1081 if (!invals) {
1082 mod_op = LDAP_MOD_DELETE;
1083 } else {
1084 if (mod_op & LDAP_MOD_BVALUES)
1085 ber_values = ads_dup_values(ctx,
1086 (const struct berval **)invals);
1087 else
1088 char_values = ads_push_strvals(ctx,
1089 (const char **) invals);
1090 }
1091
1092 /* find the first empty slot */
1093 for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
1094 curmod++);
1095 if (modlist[curmod] == (LDAPMod *) -1) {
1096 if (!(modlist = TALLOC_REALLOC_ARRAY(ctx, modlist, LDAPMod *,
1097 curmod+ADS_MODLIST_ALLOC_SIZE+1)))
1098 return ADS_ERROR(LDAP_NO_MEMORY);
1099 memset(&modlist[curmod], 0,
1100 ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
1101 modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1102 *mods = (ADS_MODLIST)modlist;
1103 }
1104
1105 if (!(modlist[curmod] = TALLOC_ZERO_P(ctx, LDAPMod)))
1106 return ADS_ERROR(LDAP_NO_MEMORY);
1107 modlist[curmod]->mod_type = talloc_strdup(ctx, name);
1108 if (mod_op & LDAP_MOD_BVALUES) {
1109 modlist[curmod]->mod_bvalues = ber_values;
1110 } else if (mod_op & LDAP_MOD_DELETE) {
1111 modlist[curmod]->mod_values = NULL;
1112 } else {
1113 modlist[curmod]->mod_values = char_values;
1114 }
1115
1116 modlist[curmod]->mod_op = mod_op;
1117 return ADS_ERROR(LDAP_SUCCESS);
1118 }
1119
1120 /**
1121 * Add a single string value to a mod list
1122 * @param ctx An initialized TALLOC_CTX
1123 * @param mods An initialized ADS_MODLIST
1124 * @param name The attribute name to add
1125 * @param val The value to add - NULL means DELETE
1126 * @return ADS STATUS indicating success of add
1127 **/
1128 ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1129 const char *name, const char *val)
1130 {
1131 const char *values[2];
1132
1133 values[0] = val;
1134 values[1] = NULL;
1135
1136 if (!val)
1137 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1138 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
1139 }
1140
1141 /**
1142 * Add an array of string values to a mod list
1143 * @param ctx An initialized TALLOC_CTX
1144 * @param mods An initialized ADS_MODLIST
1145 * @param name The attribute name to add
1146 * @param vals The array of string values to add - NULL means DELETE
1147 * @return ADS STATUS indicating success of add
1148 **/
1149 ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1150 const char *name, const char **vals)
1151 {
1152 if (!vals)
1153 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1154 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
1155 name, (const void **) vals);
1156 }
1157
1158 #if 0
1159 /**
1160 * Add a single ber-encoded value to a mod list
1161 * @param ctx An initialized TALLOC_CTX
1162 * @param mods An initialized ADS_MODLIST
1163 * @param name The attribute name to add
1164 * @param val The value to add - NULL means DELETE
1165 * @return ADS STATUS indicating success of add
1166 **/
1167 static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1168 const char *name, const struct berval *val)
1169 {
1170 const struct berval *values[2];
1171
1172 values[0] = val;
1173 values[1] = NULL;
1174 if (!val)
1175 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1176 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
1177 name, (const void **) values);
1178 }
1179 #endif
1180
1181 /**
1182 * Perform an ldap modify
1183 * @param ads connection to ads server
1184 * @param mod_dn DistinguishedName to modify
1185 * @param mods list of modifications to perform
1186 * @return status of modify
1187 **/
1188 ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
1189 {
1190 int ret,i;
1191 char *utf8_dn = NULL;
1192 /*
1193 this control is needed to modify that contains a currently
1194 non-existent attribute (but allowable for the object) to run
1195 */
1196 LDAPControl PermitModify = {
1197 CONST_DISCARD(char *, ADS_PERMIT_MODIFY_OID),
1198 {0, NULL},
1199 (char) 1};
1200 LDAPControl *controls[2];
1201
1202 controls[0] = &PermitModify;
1203 controls[1] = NULL;
1204
1205 if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
1206 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1207 }
1208
1209 /* find the end of the list, marked by NULL or -1 */
1210 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1211 /* make sure the end of the list is NULL */
1212 mods[i] = NULL;
1213 ret = ldap_modify_ext_s(ads->ld, utf8_dn,
1214 (LDAPMod **) mods, controls, NULL);
1215 SAFE_FREE(utf8_dn);
1216 return ADS_ERROR(ret);
1217 }
1218
1219 /**
1220 * Perform an ldap add
1221 * @param ads connection to ads server
1222 * @param new_dn DistinguishedName to add
1223 * @param mods list of attributes and values for DN
1224 * @return status of add
1225 **/
1226 ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
1227 {
1228 int ret, i;
1229 char *utf8_dn = NULL;
1230
1231 if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
1232 DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
1233 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1234 }
1235
1236 /* find the end of the list, marked by NULL or -1 */
1237 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1238 /* make sure the end of the list is NULL */
1239 mods[i] = NULL;
1240
1241 ret = ldap_add_s(ads->ld, utf8_dn, (LDAPMod**)mods);
1242 SAFE_FREE(utf8_dn);
1243 return ADS_ERROR(ret);
1244 }
1245
1246 /**
1247 * Delete a DistinguishedName
1248 * @param ads connection to ads server
1249 * @param new_dn DistinguishedName to delete
1250 * @return status of delete
1251 **/
1252 ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
1253 {
1254 int ret;
1255 char *utf8_dn = NULL;
1256 if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
1257 DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
1258 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1259 }
1260
1261 ret = ldap_delete_s(ads->ld, utf8_dn);
1262 SAFE_FREE(utf8_dn);
1263 return ADS_ERROR(ret);
1264 }
1265
1266 /**
1267 * Build an org unit string
1268 * if org unit is Computers or blank then assume a container, otherwise
1269 * assume a / separated list of organisational units.
1270 * jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
1271 * @param ads connection to ads server
1272 * @param org_unit Organizational unit
1273 * @return org unit string - caller must free
1274 **/
1275 char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit)
1276 {
1277 char *ret = NULL;
1278
1279 if (!org_unit || !*org_unit) {
1280
1281 ret = ads_default_ou_string(ads, WELL_KNOWN_GUID_COMPUTERS);
1282
1283 /* samba4 might not yet respond to a wellknownobject-query */
1284 return ret ? ret : SMB_STRDUP("cn=Computers");
1285 }
1286
1287 if (strequal(org_unit, "Computers")) {
1288 return SMB_STRDUP("cn=Computers");
1289 }
1290
1291 /* jmcd: removed "\\" from the separation chars, because it is
1292 needed as an escape for chars like '#' which are valid in an
1293 OU name */
1294 return ads_build_path(org_unit, "/", "ou=", 1);
1295 }
1296
1297 /**
1298 * Get a org unit string for a well-known GUID
1299 * @param ads connection to ads server
1300 * @param wknguid Well known GUID
1301 * @return org unit string - caller must free
1302 **/
1303 char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
1304 {
1305 ADS_STATUS status;
1306 LDAPMessage *res = NULL;
1307 char *base, *wkn_dn = NULL, *ret = NULL, **wkn_dn_exp = NULL,
1308 **bind_dn_exp = NULL;
1309 const char *attrs[] = {"distinguishedName", NULL};
1310 int new_ln, wkn_ln, bind_ln, i;
1311
1312 if (wknguid == NULL) {
1313 return NULL;
1314 }
1315
1316 if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
1317 DEBUG(1, ("asprintf failed!\n"));
1318 return NULL;
1319 }
1320
1321 status = ads_search_dn(ads, &res, base, attrs);
1322 if (!ADS_ERR_OK(status)) {
1323 DEBUG(1,("Failed while searching for: %s\n", base));
1324 goto out;
1325 }
1326
1327 if (ads_count_replies(ads, res) != 1) {
1328 goto out;
1329 }
1330
1331 /* substitute the bind-path from the well-known-guid-search result */
1332 wkn_dn = ads_get_dn(ads, res);
1333 if (!wkn_dn) {
1334 goto out;
1335 }
1336
1337 wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
1338 if (!wkn_dn_exp) {
1339 goto out;
1340 }
1341
1342 bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
1343 if (!bind_dn_exp) {
1344 goto out;
1345 }
1346
1347 for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
1348 ;
1349 for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
1350 ;
1351
1352 new_ln = wkn_ln - bind_ln;
1353
1354 ret = SMB_STRDUP(wkn_dn_exp[0]);
1355 if (!ret) {
1356 goto out;
1357 }
1358
1359 for (i=1; i < new_ln; i++) {
1360 char *s = NULL;
1361
1362 if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
1363 SAFE_FREE(ret);
1364 goto out;
1365 }
1366
1367 SAFE_FREE(ret);
1368 ret = SMB_STRDUP(s);
1369 free(s);
1370 if (!ret) {
1371 goto out;
1372 }
1373 }
1374
1375 out:
1376 SAFE_FREE(base);
1377 ads_msgfree(ads, res);
1378 ads_memfree(ads, wkn_dn);
1379 if (wkn_dn_exp) {
1380 ldap_value_free(wkn_dn_exp);
1381 }
1382 if (bind_dn_exp) {
1383 ldap_value_free(bind_dn_exp);
1384 }
1385
1386 return ret;
1387 }
1388
1389 /**
1390 * Adds (appends) an item to an attribute array, rather then
1391 * replacing the whole list
1392 * @param ctx An initialized TALLOC_CTX
1393 * @param mods An initialized ADS_MODLIST
1394 * @param name name of the ldap attribute to append to
1395 * @param vals an array of values to add
1396 * @return status of addition
1397 **/
1398
1399 ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1400 const char *name, const char **vals)
1401 {
1402 return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
1403 (const void *) vals);
1404 }
1405
1406 /**
1407 * Determines the computer account's current KVNO via an LDAP lookup
1408 * @param ads An initialized ADS_STRUCT
1409 * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1410 * @return the kvno for the computer account, or -1 in case of a failure.
1411 **/
1412
1413 uint32 ads_get_kvno(ADS_STRUCT *ads, const char *machine_name)
1414 {
1415 LDAPMessage *res = NULL;
1416 uint32 kvno = (uint32)-1; /* -1 indicates a failure */
1417 char *filter;
1418 const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
1419 char *dn_string = NULL;
1420 ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1421
1422 DEBUG(5,("ads_get_kvno: Searching for host %s\n", machine_name));
1423 if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
1424 return kvno;
1425 }
1426 ret = ads_search(ads, &res, filter, attrs);
1427 SAFE_FREE(filter);
1428 if (!ADS_ERR_OK(ret) && ads_count_replies(ads, res)) {
1429 DEBUG(1,("ads_get_kvno: Computer Account For %s not found.\n", machine_name));
1430 ads_msgfree(ads, res);
1431 return kvno;
1432 }
1433
1434 dn_string = ads_get_dn(ads, res);
1435 if (!dn_string) {
1436 DEBUG(0,("ads_get_kvno: out of memory.\n"));
1437 ads_msgfree(ads, res);
1438 return kvno;
1439 }
1440 DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string));
1441 ads_memfree(ads, dn_string);
1442
1443 /* ---------------------------------------------------------
1444 * 0 is returned as a default KVNO from this point on...
1445 * This is done because Windows 2000 does not support key
1446 * version numbers. Chances are that a failure in the next
1447 * step is simply due to Windows 2000 being used for a
1448 * domain controller. */
1449 kvno = 0;
1450
1451 if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) {
1452 DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n"));
1453 DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n"));
1454 ads_msgfree(ads, res);
1455 return kvno;
1456 }
1457
1458 /* Success */
1459 DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno));
1460 ads_msgfree(ads, res);
1461 return kvno;
1462 }
1463
1464 /**
1465 * This clears out all registered spn's for a given hostname
1466 * @param ads An initilaized ADS_STRUCT
1467 * @param machine_name the NetBIOS name of the computer.
1468 * @return 0 upon success, non-zero otherwise.
1469 **/
1470
1471 ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name)
1472 {
1473 TALLOC_CTX *ctx;
1474 LDAPMessage *res = NULL;
1475 ADS_MODLIST mods;
1476 const char *servicePrincipalName[1] = {NULL};
1477 ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1478 char *dn_string = NULL;
1479
1480 ret = ads_find_machine_acct(ads, &res, machine_name);
1481 if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
1482 DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
1483 DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
1484 ads_msgfree(ads, res);
1485 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1486 }
1487
1488 DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
1489 ctx = talloc_init("ads_clear_service_principal_names");
1490 if (!ctx) {
1491 ads_msgfree(ads, res);
1492 return ADS_ERROR(LDAP_NO_MEMORY);
1493 }
1494
1495 if (!(mods = ads_init_mods(ctx))) {
1496 talloc_destroy(ctx);
1497 ads_msgfree(ads, res);
1498 return ADS_ERROR(LDAP_NO_MEMORY);
1499 }
1500 ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1501 if (!ADS_ERR_OK(ret)) {
1502 DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n"));
1503 ads_msgfree(ads, res);
1504 talloc_destroy(ctx);
1505 return ret;
1506 }
1507 dn_string = ads_get_dn(ads, res);
1508 if (!dn_string) {
1509 talloc_destroy(ctx);
1510 ads_msgfree(ads, res);
1511 return ADS_ERROR(LDAP_NO_MEMORY);
1512 }
1513 ret = ads_gen_mod(ads, dn_string, mods);
1514 ads_memfree(ads,dn_string);
1515 if (!ADS_ERR_OK(ret)) {
1516 DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n",
1517 machine_name));
1518 ads_msgfree(ads, res);
1519 talloc_destroy(ctx);
1520 return ret;
1521 }
1522
1523 ads_msgfree(ads, res);
1524 talloc_destroy(ctx);
1525 return ret;
1526 }
1527
1528 /**
1529 * This adds a service principal name to an existing computer account
1530 * (found by hostname) in AD.
1531 * @param ads An initialized ADS_STRUCT
1532 * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1533 * @param my_fqdn The fully qualified DNS name of the machine
1534 * @param spn A string of the service principal to add, i.e. 'host'
1535 * @return 0 upon sucess, or non-zero if a failure occurs
1536 **/
1537
1538 ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
1539 const char *my_fqdn, const char *spn)
1540 {
1541 ADS_STATUS ret;
1542 TALLOC_CTX *ctx;
1543 LDAPMessage *res = NULL;
1544 char *psp1, *psp2;
1545 ADS_MODLIST mods;
1546 char *dn_string = NULL;
1547 const char *servicePrincipalName[3] = {NULL, NULL, NULL};
1548
1549 ret = ads_find_machine_acct(ads, &res, machine_name);
1550 if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
1551 DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
1552 machine_name));
1553 DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principal '%s/%s@%s' has NOT been added.\n",
1554 spn, machine_name, ads->config.realm));
1555 ads_msgfree(ads, res);
1556 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1557 }
1558
1559 DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
1560 if (!(ctx = talloc_init("ads_add_service_principal_name"))) {
1561 ads_msgfree(ads, res);
1562 return ADS_ERROR(LDAP_NO_MEMORY);
1563 }
1564
1565 /* add short name spn */
1566
1567 if ( (psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name)) == NULL ) {
1568 talloc_destroy(ctx);
1569 ads_msgfree(ads, res);
1570 return ADS_ERROR(LDAP_NO_MEMORY);
1571 }
1572 strupper_m(psp1);
1573 strlower_m(&psp1[strlen(spn)]);
1574 servicePrincipalName[0] = psp1;
1575
1576 DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1577 psp1, machine_name));
1578
1579
1580 /* add fully qualified spn */
1581
1582 if ( (psp2 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn)) == NULL ) {
1583 ret = ADS_ERROR(LDAP_NO_MEMORY);
1584 goto out;
1585 }
1586 strupper_m(psp2);
1587 strlower_m(&psp2[strlen(spn)]);
1588 servicePrincipalName[1] = psp2;
1589
1590 DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1591 psp2, machine_name));
1592
1593 if ( (mods = ads_init_mods(ctx)) == NULL ) {
1594 ret = ADS_ERROR(LDAP_NO_MEMORY);
1595 goto out;
1596 }
1597
1598 ret = ads_add_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1599 if (!ADS_ERR_OK(ret)) {
1600 DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1601 goto out;
1602 }
1603
1604 if ( (dn_string = ads_get_dn(ads, res)) == NULL ) {
1605 ret = ADS_ERROR(LDAP_NO_MEMORY);
1606 goto out;
1607 }
1608
1609 ret = ads_gen_mod(ads, dn_string, mods);
1610 ads_memfree(ads,dn_string);
1611 if (!ADS_ERR_OK(ret)) {
1612 DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1613 goto out;
1614 }
1615
1616 out:
1617 TALLOC_FREE( ctx );
1618 ads_msgfree(ads, res);
1619 return ret;
1620 }
1621
1622 /**
1623 * adds a machine account to the ADS server
1624 * @param ads An intialized ADS_STRUCT
1625 * @param machine_name - the NetBIOS machine name of this account.
1626 * @param account_type A number indicating the type of account to create
1627 * @param org_unit The LDAP path in which to place this account
1628 * @return 0 upon success, or non-zero otherwise
1629 **/
1630
1631 ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
1632 const char *org_unit)
1633 {
1634 ADS_STATUS ret;
1635 char *samAccountName, *controlstr;
1636 TALLOC_CTX *ctx;
1637 ADS_MODLIST mods;
1638 char *machine_escaped = NULL;
1639 char *new_dn;
1640 const char *objectClass[] = {"top", "person", "organizationalPerson",
1641 "user", "computer", NULL};
1642 LDAPMessage *res = NULL;
1643 uint32 acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
1644 UF_DONT_EXPIRE_PASSWD |\
1645 UF_ACCOUNTDISABLE );
1646
1647 if (!(ctx = talloc_init("ads_add_machine_acct")))
1648 return ADS_ERROR(LDAP_NO_MEMORY);
1649
1650 ret = ADS_ERROR(LDAP_NO_MEMORY);
1651
1652 machine_escaped = escape_rdn_val_string_alloc(machine_name);
1653 if (!machine_escaped) {
1654 goto done;
1655 }
1656
1657 new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
1658 samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
1659
1660 if ( !new_dn || !samAccountName ) {
1661 goto done;
1662 }
1663
1664 #ifndef ENCTYPE_ARCFOUR_HMAC
1665 acct_control |= UF_USE_DES_KEY_ONLY;
1666 #endif
1667
1668 if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
1669 goto done;
1670 }
1671
1672 if (!(mods = ads_init_mods(ctx))) {
1673 goto done;
1674 }
1675
1676 ads_mod_str(ctx, &mods, "cn", machine_name);
1677 ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
1678 ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
1679 ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
1680
1681 ret = ads_gen_add(ads, new_dn, mods);
1682
1683 done:
1684 SAFE_FREE(machine_escaped);
1685 ads_msgfree(ads, res);
1686 talloc_destroy(ctx);
1687
1688 return ret;
1689 }
1690
1691 /*
1692 dump a binary result from ldap
1693 */
1694 static void dump_binary(const char *field, struct berval **values)
1695 {
1696 int i, j;
1697 for (i=0; values[i]; i++) {
1698 printf("%s: ", field);
1699 for (j=0; j<values[i]->bv_len; j++) {
1700 printf("%02X", (unsigned char)values[i]->bv_val[j]);
1701 }
1702 printf("\n");
1703 }
1704 }
1705
1706 static void dump_guid(const char *field, struct berval **values)
1707 {
1708 int i;
1709 UUID_FLAT guid;
1710 for (i=0; values[i]; i++) {
1711 memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
1712 printf("%s: %s\n", field,
1713 smb_uuid_string_static(smb_uuid_unpack_static(guid)));
1714 }
1715 }
1716
1717 /*
1718 dump a sid result from ldap
1719 */
1720 static void dump_sid(const char *field, struct berval **values)
1721 {
1722 int i;
1723 for (i=0; values[i]; i++) {
1724 DOM_SID sid;
1725 sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
1726 printf("%s: %s\n", field, sid_string_static(&sid));
1727 }
1728 }
1729
1730 /*
1731 dump ntSecurityDescriptor
1732 */
1733 static void dump_sd(const char *filed, struct berval **values)
1734 {
1735 prs_struct ps;
1736
1737 SEC_DESC *psd = 0;
1738 TALLOC_CTX *ctx = 0;
1739
1740 if (!(ctx = talloc_init("sec_io_desc")))
1741 return;
1742
1743 /* prepare data */
1744 prs_init(&ps, values[0]->bv_len, ctx, UNMARSHALL);
1745 prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
1746 prs_set_offset(&ps,0);
1747
1748 /* parse secdesc */
1749 if (!sec_io_desc("sd", &psd, &ps, 1)) {
1750 prs_mem_free(&ps);
1751 talloc_destroy(ctx);
1752 return;
1753 }
1754 if (psd) ads_disp_sd(psd);
1755
1756 prs_mem_free(&ps);
1757 talloc_destroy(ctx);
1758 }
1759
1760 /*
1761 dump a string result from ldap
1762 */
1763 static void dump_string(const char *field, char **values)
1764 {
1765 int i;
1766 for (i=0; values[i]; i++) {
1767 printf("%s: %s\n", field, values[i]);
1768 }
1769 }
1770
1771 /*
1772 dump a field from LDAP on stdout
1773 used for debugging
1774 */
1775
1776 static BOOL ads_dump_field(char *field, void **values, void *data_area)
1777 {
1778 const struct {
1779 const char *name;
1780 BOOL string;
1781 void (*handler)(const char *, struct berval **);
1782 } handlers[] = {
1783 {"objectGUID", False, dump_guid},
1784 {"netbootGUID", False, dump_guid},
1785 {"nTSecurityDescriptor", False, dump_sd},
1786 {"dnsRecord", False, dump_binary},
1787 {"objectSid", False, dump_sid},
1788 {"tokenGroups", False, dump_sid},
1789 {"tokenGroupsNoGCAcceptable", False, dump_sid},
1790 {"tokengroupsGlobalandUniversal", False, dump_sid},
1791 {"mS-DS-CreatorSID", False, dump_sid},
1792 {NULL, True, NULL}
1793 };
1794 int i;
1795
1796 if (!field) { /* must be end of an entry */
1797 printf("\n");
1798 return False;
1799 }
1800
1801 for (i=0; handlers[i].name; i++) {
1802 if (StrCaseCmp(handlers[i].name, field) == 0) {
1803 if (!values) /* first time, indicate string or not */
1804 return handlers[i].string;
1805 handlers[i].handler(field, (struct berval **) values);
1806 break;
1807 }
1808 }
1809 if (!handlers[i].name) {
1810 if (!values) /* first time, indicate string conversion */
1811 return True;
1812 dump_string(field, (char **)values);
1813 }
1814 return False;
1815 }
1816
1817 /**
1818 * Dump a result from LDAP on stdout
1819 * used for debugging
1820 * @param ads connection to ads server
1821 * @param res Results to dump
1822 **/
1823
1824 void ads_dump(ADS_STRUCT *ads, LDAPMessage *res)
1825 {
1826 ads_process_results(ads, res, ads_dump_field, NULL);
1827 }
1828
1829 /**
1830 * Walk through results, calling a function for each entry found.
1831 * The function receives a field name, a berval * array of values,
1832 * and a data area passed through from the start. The function is
1833 * called once with null for field and values at the end of each
1834 * entry.
1835 * @param ads connection to ads server
1836 * @param res Results to process
1837 * @param fn Function for processing each result
1838 * @param data_area user-defined area to pass to function
1839 **/
1840 void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res,
1841 BOOL(*fn)(char *, void **, void *),
1842 void *data_area)
1843 {
1844 LDAPMessage *msg;
1845 TALLOC_CTX *ctx;
1846
1847 if (!(ctx = talloc_init("ads_process_results")))
1848 return;
1849
1850 for (msg = ads_first_entry(ads, res); msg;
1851 msg = ads_next_entry(ads, msg)) {
1852 char *utf8_field;
1853 BerElement *b;
1854
1855 for (utf8_field=ldap_first_attribute(ads->ld,
1856 (LDAPMessage *)msg,&b);
1857 utf8_field;
1858 utf8_field=ldap_next_attribute(ads->ld,
1859 (LDAPMessage *)msg,b)) {
1860 struct berval **ber_vals;
1861 char **str_vals, **utf8_vals;
1862 char *field;
1863 BOOL string;
1864
1865 pull_utf8_talloc(ctx, &field, utf8_field);
1866 string = fn(field, NULL, data_area);
1867
1868 if (string) {
1869 utf8_vals = ldap_get_values(ads->ld,
1870 (LDAPMessage *)msg, field);
1871 str_vals = ads_pull_strvals(ctx,
1872 (const char **) utf8_vals);
1873 fn(field, (void **) str_vals, data_area);
1874 ldap_value_free(utf8_vals);
1875 } else {
1876 ber_vals = ldap_get_values_len(ads->ld,
1877 (LDAPMessage *)msg, field);
1878 fn(field, (void **) ber_vals, data_area);
1879
1880 ldap_value_free_len(ber_vals);
1881 }
1882 ldap_memfree(utf8_field);
1883 }
1884 ber_free(b, 0);
1885 talloc_free_children(ctx);
1886 fn(NULL, NULL, data_area); /* completed an entry */
1887
1888 }
1889 talloc_destroy(ctx);
1890 }
1891
1892 /**
1893 * count how many replies are in a LDAPMessage
1894 * @param ads connection to ads server
1895 * @param res Results to count
1896 * @return number of replies
1897 **/
1898 int ads_count_replies(ADS_STRUCT *ads, void *res)
1899 {
1900 return ldap_count_entries(ads->ld, (LDAPMessage *)res);
1901 }
1902
1903 /**
1904 * pull the first entry from a ADS result
1905 * @param ads connection to ads server
1906 * @param res Results of search
1907 * @return first entry from result
1908 **/
1909 LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res)
1910 {
1911 return ldap_first_entry(ads->ld, res);
1912 }
1913
1914 /**
1915 * pull the next entry from a ADS result
1916 * @param ads connection to ads server
1917 * @param res Results of search
1918 * @return next entry from result
1919 **/
1920 LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res)
1921 {
1922 return ldap_next_entry(ads->ld, res);
1923 }
1924
1925 /**
1926 * pull a single string from a ADS result
1927 * @param ads connection to ads server
1928 * @param mem_ctx TALLOC_CTX to use for allocating result string
1929 * @param msg Results of search
1930 * @param field Attribute to retrieve
1931 * @return Result string in talloc context
1932 **/
1933 char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg,
1934 const char *field)
1935 {
1936 char **values;
1937 char *ret = NULL;
1938 char *ux_string;
1939 size_t rc;
1940
1941 values = ldap_get_values(ads->ld, msg, field);
1942 if (!values)
1943 return NULL;
1944
1945 if (values[0]) {
1946 rc = pull_utf8_talloc(mem_ctx, &ux_string,
1947 values[0]);
1948 if (rc != (size_t)-1)
1949 ret = ux_string;
1950
1951 }
1952 ldap_value_free(values);
1953 return ret;
1954 }
1955
1956 /**
1957 * pull an array of strings from a ADS result
1958 * @param ads connection to ads server
1959 * @param mem_ctx TALLOC_CTX to use for allocating result string
1960 * @param msg Results of search
1961 * @param field Attribute to retrieve
1962 * @return Result strings in talloc context
1963 **/
1964 char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
1965 LDAPMessage *msg, const char *field,
1966 size_t *num_values)
1967 {
1968 char **values;
1969 char **ret = NULL;
1970 int i;
1971
1972 values = ldap_get_values(ads->ld, msg, field);
1973 if (!values)
1974 return NULL;
1975
1976 *num_values = ldap_count_values(values);
1977
1978 ret = TALLOC_ARRAY(mem_ctx, char *, *num_values + 1);
1979 if (!ret) {
1980 ldap_value_free(values);
1981 return NULL;
1982 }
1983
1984 for (i=0;i<*num_values;i++) {
1985 if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
1986 ldap_value_free(values);
1987 return NULL;
1988 }
1989 }
1990 ret[i] = NULL;
1991
1992 ldap_value_free(values);
1993 return ret;
1994 }
1995
1996 /**
1997 * pull an array of strings from a ADS result
1998 * (handle large multivalue attributes with range retrieval)
1999 * @param ads connection to ads server
2000 * @param mem_ctx TALLOC_CTX to use for allocating result string
2001 * @param msg Results of search
2002 * @param field Attribute to retrieve
2003 * @param current_strings strings returned by a previous call to this function
2004 * @param next_attribute The next query should ask for this attribute
2005 * @param num_values How many values did we get this time?
2006 * @param more_values Are there more values to get?
2007 * @return Result strings in talloc context
2008 **/
2009 char **ads_pull_strings_range(ADS_STRUCT *ads,
2010 TALLOC_CTX *mem_ctx,
2011 LDAPMessage *msg, const char *field,
2012 char **current_strings,
2013 const char **next_attribute,
2014 size_t *num_strings,
2015 BOOL *more_strings)
2016 {
2017 char *attr;
2018 char *expected_range_attrib, *range_attr;
2019 BerElement *ptr = NULL;
2020 char **strings;
2021 char **new_strings;
2022 size_t num_new_strings;
2023 unsigned long int range_start;
2024 unsigned long int range_end;
2025
2026 /* we might have been given the whole lot anyway */
2027 if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
2028 *more_strings = False;
2029 return strings;
2030 }
2031
2032 expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
2033
2034 /* look for Range result */
2035 for (attr = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &ptr);
2036 attr;
2037 attr = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, ptr)) {
2038 /* we ignore the fact that this is utf8, as all attributes are ascii... */
2039 if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) {
2040 range_attr = attr;
2041 break;
2042 }
2043 ldap_memfree(attr);
2044 }
2045 if (!attr) {
2046 ber_free(ptr, 0);
2047 /* nothing here - this field is just empty */
2048 *more_strings = False;
2049 return NULL;
2050 }
2051
2052 if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
2053 &range_start, &range_end) == 2) {
2054 *more_strings = True;
2055 } else {
2056 if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
2057 &range_start) == 1) {
2058 *more_strings = False;
2059 } else {
2060 DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n",
2061 range_attr));
2062 ldap_memfree(range_attr);
2063 *more_strings = False;
2064 return NULL;
2065 }
2066 }
2067
2068 if ((*num_strings) != range_start) {
2069 DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
2070 " - aborting range retreival\n",
2071 range_attr, (unsigned int)(*num_strings) + 1, range_start));
2072 ldap_memfree(range_attr);
2073 *more_strings = False;
2074 return NULL;
2075 }
2076
2077 new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
2078
2079 if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) {
2080 DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
2081 "strings in this bunch, but we only got %lu - aborting range retreival\n",
2082 range_attr, (unsigned long int)range_end - range_start + 1,
2083 (unsigned long int)num_new_strings));
2084 ldap_memfree(range_attr);
2085 *more_strings = False;
2086 return NULL;
2087 }
2088
2089 strings = TALLOC_REALLOC_ARRAY(mem_ctx, current_strings, char *,
2090 *num_strings + num_new_strings);
2091
2092 if (strings == NULL) {
2093 ldap_memfree(range_attr);
2094 *more_strings = False;
2095 return NULL;
2096 }
2097
2098 if (new_strings && num_new_strings) {
2099 memcpy(&strings[*num_strings], new_strings,
2100 sizeof(*new_strings) * num_new_strings);
2101 }
2102
2103 (*num_strings) += num_new_strings;
2104
2105 if (*more_strings) {
2106 *next_attribute = talloc_asprintf(mem_ctx,
2107 "%s;range=%d-*",
2108 field,
2109 (int)*num_strings);
2110
2111 if (!*next_attribute) {
2112 DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
2113 ldap_memfree(range_attr);
2114 *more_strings = False;
2115 return NULL;
2116 }
2117 }
2118
2119 ldap_memfree(range_attr);
2120
2121 return strings;
2122 }
2123
2124 /**
2125 * pull a single uint32 from a ADS result
2126 * @param ads connection to ads server
2127 * @param msg Results of search
2128 * @param field Attribute to retrieve
2129 * @param v Pointer to int to store result
2130 * @return boolean inidicating success
2131 */
2132 BOOL ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
2133 uint32 *v)
2134 {
2135 char **values;
2136
2137 values = ldap_get_values(ads->ld, msg, field);
2138 if (!values)
2139 return False;
2140 if (!values[0]) {
2141 ldap_value_free(values);
2142 return False;
2143 }
2144
2145 *v = atoi(values[0]);
2146 ldap_value_free(values);
2147 return True;
2148 }
2149
2150 /**
2151 * pull a single objectGUID from an ADS result
2152 * @param ads connection to ADS server
2153 * @param msg results of search
2154 * @param guid 37-byte area to receive text guid
2155 * @return boolean indicating success
2156 **/
2157 BOOL ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid)
2158 {
2159 char **values;
2160 UUID_FLAT flat_guid;
2161
2162 values = ldap_get_values(ads->ld, msg, "objectGUID");
2163 if (!values)
2164 return False;
2165
2166 if (values[0]) {
2167 memcpy(&flat_guid.info, values[0], sizeof(UUID_FLAT));
2168 smb_uuid_unpack(flat_guid, guid);
2169 ldap_value_free(values);
2170 return True;
2171 }
2172 ldap_value_free(values);
2173 return False;
2174
2175 }
2176
2177
2178 /**
2179 * pull a single DOM_SID from a ADS result
2180 * @param ads connection to ads server
2181 * @param msg Results of search
2182 * @param field Attribute to retrieve
2183 * @param sid Pointer to sid to store result
2184 * @return boolean inidicating success
2185 */
2186 BOOL ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
2187 DOM_SID *sid)
2188 {
2189 struct berval **values;
2190 BOOL ret = False;
2191
2192 values = ldap_get_values_len(ads->ld, msg, field);
2193
2194 if (!values)
2195 return False;
2196
2197 if (values[0])
2198 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
2199
2200 ldap_value_free_len(values);
2201 return ret;
2202 }
2203
2204 /**
2205 * pull an array of DOM_SIDs from a ADS result
2206 * @param ads connection to ads server
2207 * @param mem_ctx TALLOC_CTX for allocating sid array
2208 * @param msg Results of search
2209 * @param field Attribute to retrieve
2210 * @param sids pointer to sid array to allocate
2211 * @return the count of SIDs pulled
2212 **/
2213 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2214 LDAPMessage *msg, const char *field, DOM_SID **sids)
2215 {
2216 struct berval **values;
2217 BOOL ret;
2218 int count, i;
2219
2220 values = ldap_get_values_len(ads->ld, msg, field);
2221
2222 if (!values)
2223 return 0;
2224
2225 for (i=0; values[i]; i++)
2226 /* nop */ ;
2227
2228 if (i) {
2229 (*sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, i);
2230 if (!(*sids)) {
2231 ldap_value_free_len(values);
2232 return 0;
2233 }
2234 } else {
2235 (*sids) = NULL;
2236 }
2237
2238 count = 0;
2239 for (i=0; values[i]; i++) {
2240 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
2241 if (ret) {
2242 fstring sid;
2243 DEBUG(10, ("pulling SID: %s\n", sid_to_string(sid, &(*sids)[count])));
2244 count++;
2245 }
2246 }
2247
2248 ldap_value_free_len(values);
2249 return count;
2250 }
2251
2252 /**
2253 * pull a SEC_DESC from a ADS result
2254 * @param ads connection to ads server
2255 * @param mem_ctx TALLOC_CTX for allocating sid array
2256 * @param msg Results of search
2257 * @param field Attribute to retrieve
2258 * @param sd Pointer to *SEC_DESC to store result (talloc()ed)
2259 * @return boolean inidicating success
2260 */
2261 BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2262 LDAPMessage *msg, const char *field, SEC_DESC **sd)
2263 {
2264 struct berval **values;
2265 BOOL ret = False;
2266
2267 values = ldap_get_values_len(ads->ld, msg, field);
2268
2269 if (!values) return False;
2270
2271 if (values[0]) {
2272 prs_struct ps;
2273 prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL);
2274 prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
2275 prs_set_offset(&ps,0);
2276
2277 ret = sec_io_desc("sd", sd, &ps, 1);
2278 prs_mem_free(&ps);
2279 }
2280
2281 ldap_value_free_len(values);
2282 return ret;
2283 }
2284
2285 /*
2286 * in order to support usernames longer than 21 characters we need to
2287 * use both the sAMAccountName and the userPrincipalName attributes
2288 * It seems that not all users have the userPrincipalName attribute set
2289 *
2290 * @param ads connection to ads server
2291 * @param mem_ctx TALLOC_CTX for allocating sid array
2292 * @param msg Results of search
2293 * @return the username
2294 */
2295 char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2296 LDAPMessage *msg)
2297 {
2298 #if 0 /* JERRY */
2299 char *ret, *p;
2300
2301 /* lookup_name() only works on the sAMAccountName to
2302 returning the username portion of userPrincipalName
2303 breaks winbindd_getpwnam() */
2304
2305 ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
2306 if (ret && (p = strchr_m(ret, '@'))) {
2307 *p = 0;
2308 return ret;
2309 }
2310 #endif
2311 return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
2312 }
2313
2314
2315 /**
2316 * find the update serial number - this is the core of the ldap cache
2317 * @param ads connection to ads server
2318 * @param ads connection to ADS server
2319 * @param usn Pointer to retrieved update serial number
2320 * @return status of search
2321 **/
2322 ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
2323 {
2324 const char *attrs[] = {"highestCommittedUSN", NULL};
2325 ADS_STATUS status;
2326 LDAPMessage *res;
2327
2328 status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2329 if (!ADS_ERR_OK(status))
2330 return status;
2331
2332 if (ads_count_replies(ads, res) != 1) {
2333 ads_msgfree(ads, res);
2334 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2335 }
2336
2337 if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) {
2338 ads_msgfree(ads, res);
2339 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
2340 }
2341
2342 ads_msgfree(ads, res);
2343 return ADS_SUCCESS;
2344 }
2345
2346 /* parse a ADS timestring - typical string is
2347 '20020917091222.0Z0' which means 09:12.22 17th September
2348 2002, timezone 0 */
2349 static time_t ads_parse_time(const char *str)
2350 {
2351 struct tm tm;
2352
2353 ZERO_STRUCT(tm);
2354
2355 if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
2356 &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
2357 &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
2358 return 0;
2359 }
2360 tm.tm_year -= 1900;
2361 tm.tm_mon -= 1;
2362
2363 return timegm(&tm);
2364 }
2365
2366 /********************************************************************
2367 ********************************************************************/
2368
2369 ADS_STATUS ads_current_time(ADS_STRUCT *ads)
2370 {
2371 const char *attrs[] = {"currentTime", NULL};
2372 ADS_STATUS status;
2373 LDAPMessage *res;
2374 char *timestr;
2375 TALLOC_CTX *ctx;
2376 ADS_STRUCT *ads_s = ads;
2377
2378 if (!(ctx = talloc_init("ads_current_time"))) {
2379 return ADS_ERROR(LDAP_NO_MEMORY);
2380 }
2381
2382 /* establish a new ldap tcp session if necessary */
2383
2384 if ( !ads->ld ) {
2385 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2386 ads->server.ldap_server )) == NULL )
2387 {
2388 goto done;
2389 }
2390 ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2391 status = ads_connect( ads_s );
2392 if ( !ADS_ERR_OK(status))
2393 goto done;
2394 }
2395
2396 status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2397 if (!ADS_ERR_OK(status)) {
2398 goto done;
2399 }
2400
2401 timestr = ads_pull_string(ads_s, ctx, res, "currentTime");
2402 if (!timestr) {
2403 ads_msgfree(ads_s, res);
2404 status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2405 goto done;
2406 }
2407
2408 /* but save the time and offset in the original ADS_STRUCT */
2409
2410 ads->config.current_time = ads_parse_time(timestr);
2411
2412 if (ads->config.current_time != 0) {
2413 ads->auth.time_offset = ads->config.current_time - time(NULL);
2414 DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
2415 }
2416
2417 ads_msgfree(ads, res);
2418
2419 status = ADS_SUCCESS;
2420
2421 done:
2422 /* free any temporary ads connections */
2423 if ( ads_s != ads ) {
2424 ads_destroy( &ads_s );
2425 }
2426 talloc_destroy(ctx);
2427
2428 return status;
2429 }
2430
2431 /********************************************************************
2432 ********************************************************************/
2433
2434 ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val)
2435 {
2436 const char *attrs[] = {"domainFunctionality", NULL};
2437 ADS_STATUS status;
2438 LDAPMessage *res;
2439 ADS_STRUCT *ads_s = ads;
2440
2441 *val = DS_DOMAIN_FUNCTION_2000;
2442
2443 /* establish a new ldap tcp session if necessary */
2444
2445 if ( !ads->ld ) {
2446 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2447 ads->server.ldap_server )) == NULL )
2448 {
2449 goto done;
2450 }
2451 ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2452 status = ads_connect( ads_s );
2453 if ( !ADS_ERR_OK(status))
2454 goto done;
2455 }
2456
2457 /* If the attribute does not exist assume it is a Windows 2000
2458 functional domain */
2459
2460 status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2461 if (!ADS_ERR_OK(status)) {
2462 if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
2463 status = ADS_SUCCESS;
2464 }
2465 goto done;
2466 }
2467
2468 if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
2469 DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
2470 }
2471 DEBUG(3,("ads_domain_func_level: %d\n", *val));
2472
2473
2474 ads_msgfree(ads, res);
2475
2476 done:
2477 /* free any temporary ads connections */
2478 if ( ads_s != ads ) {
2479 ads_destroy( &ads_s );
2480 }
2481
2482 return status;
2483 }
2484
2485 /**
2486 * find the domain sid for our domain
2487 * @param ads connection to ads server
2488 * @param sid Pointer to domain sid
2489 * @return status of search
2490 **/
2491 ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
2492 {
2493 const char *attrs[] = {"objectSid", NULL};
2494 LDAPMessage *res;
2495 ADS_STATUS rc;
2496
2497 rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
2498 attrs, &res);
2499 if (!ADS_ERR_OK(rc)) return rc;
2500 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
2501 ads_msgfree(ads, res);
2502 return ADS_ERROR_SYSTEM(ENOENT);
2503 }
2504 ads_msgfree(ads, res);
2505
2506 return ADS_SUCCESS;
2507 }
2508
2509 /**
2510 * find our site name
2511 * @param ads connection to ads server
2512 * @param mem_ctx Pointer to talloc context
2513 * @param site_name Pointer to the sitename
2514 * @return status of search
2515 **/
2516 ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name)
2517 {
2518 ADS_STATUS status;
2519 LDAPMessage *res;
2520 const char *dn, *service_name;
2521 const char *attrs[] = { "dsServiceName", NULL };
2522
2523 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2524 if (!ADS_ERR_OK(status)) {
2525 return status;
2526 }
2527
2528 service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
2529 if (service_name == NULL) {
2530 ads_msgfree(ads, res);
2531 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2532 }
2533
2534 ads_msgfree(ads, res);
2535
2536 /* go up three levels */
2537 dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
2538 if (dn == NULL) {
2539 return ADS_ERROR(LDAP_NO_MEMORY);
2540 }
2541
2542 *site_name = talloc_strdup(mem_ctx, dn);
2543 if (*site_name == NULL) {
2544 return ADS_ERROR(LDAP_NO_MEMORY);
2545 }
2546
2547 return status;
2548 /*
2549 dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
2550 */
2551 }
2552
2553 /**
2554 * find the site dn where a machine resides
2555 * @param ads connection to ads server
2556 * @param mem_ctx Pointer to talloc context
2557 * @param computer_name name of the machine
2558 * @param site_name Pointer to the sitename
2559 * @return status of search
2560 **/
2561 ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn)
2562 {
2563 ADS_STATUS status;
2564 LDAPMessage *res;
2565 const char *parent, *config_context, *filter;
2566 const char *attrs[] = { "configurationNamingContext", NULL };
2567 char *dn;
2568
2569 /* shortcut a query */
2570 if (strequal(computer_name, ads->config.ldap_server_name)) {
2571 return ads_site_dn(ads, mem_ctx, site_dn);
2572 }
2573
2574 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2575 if (!ADS_ERR_OK(status)) {
2576 return status;
2577 }
2578
2579 config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
2580 if (config_context == NULL) {
2581 ads_msgfree(ads, res);
2582 return ADS_ERROR(LDAP_NO_MEMORY);
2583 }
2584
2585 filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
2586 if (filter == NULL) {
2587 ads_msgfree(ads, res);
2588 return ADS_ERROR(LDAP_NO_MEMORY);
2589 }
2590
2591 ads_msgfree(ads, res);
2592
2593 status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE, filter, NULL, &res);
2594 if (!ADS_ERR_OK(status)) {
2595 return status;
2596 }
2597
2598 if (ads_count_replies(ads, res) != 1) {
2599 ads_msgfree(ads, res);
2600 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2601 }
2602
2603 dn = ads_get_dn(ads, res);
2604 if (dn == NULL) {
2605 ads_msgfree(ads, res);
2606 return ADS_ERROR(LDAP_NO_MEMORY);
2607 }
2608
2609 /* go up three levels */
2610 parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
2611 if (parent == NULL) {
2612 ads_msgfree(ads, res);
2613 ads_memfree(ads, dn);
2614 return ADS_ERROR(LDAP_NO_MEMORY);
2615 }
2616
2617 *site_dn = talloc_strdup(mem_ctx, parent);
2618 if (*site_dn == NULL) {
2619 ads_msgfree(ads, res);
2620 ads_memfree(ads, dn);
2621 return ADS_ERROR(LDAP_NO_MEMORY);
2622 }
2623
2624 ads_memfree(ads, dn);
2625 ads_msgfree(ads, res);
2626
2627 return status;
2628 }
2629
2630 /**
2631 * get the upn suffixes for a domain
2632 * @param ads connection to ads server
2633 * @param mem_ctx Pointer to talloc context
2634 * @param suffixes Pointer to an array of suffixes
2635 * @param num_suffixes Pointer to the number of suffixes
2636 * @return status of search
2637 **/
2638 ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes)
2639 {
2640 ADS_STATUS status;
2641 LDAPMessage *res;
2642 const char *config_context, *base;
2643 const char *attrs[] = { "configurationNamingContext", NULL };
2644 const char *attrs2[] = { "uPNSuffixes", NULL };
2645
2646 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2647 if (!ADS_ERR_OK(status)) {
2648 return status;
2649 }
2650
2651 config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
2652 if (config_context == NULL) {
2653 ads_msgfree(ads, res);
2654 return ADS_ERROR(LDAP_NO_MEMORY);
2655 }
2656
2657 ads_msgfree(ads, res);
2658
2659 base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
2660 if (base == NULL) {
2661 return ADS_ERROR(LDAP_NO_MEMORY);
2662 }
2663
2664 status = ads_search_dn(ads, &res, base, attrs2);
2665 if (!ADS_ERR_OK(status)) {
2666 return status;
2667 }
2668
2669 if (ads_count_replies(ads, res) != 1) {
2670 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2671 }
2672
2673 (*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
2674 if ((*suffixes) == NULL) {
2675 ads_msgfree(ads, res);
2676 return ADS_ERROR(LDAP_NO_MEMORY);
2677 }
2678
2679 ads_msgfree(ads, res);
2680
2681 return status;
2682 }
2683
2684 /**
2685 * pull a DOM_SID from an extended dn string
2686 * @param mem_ctx TALLOC_CTX
2687 * @param flags string type of extended_dn
2688 * @param sid pointer to a DOM_SID
2689 * @return boolean inidicating success
2690 **/
2691 BOOL ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
2692 const char *dn,
2693 enum ads_extended_dn_flags flags,
2694 DOM_SID *sid)
2695 {
2696 char *p, *q;
2697
2698 if (!dn) {
2699 return False;
2700 }
2701
2702 /*
2703 * ADS_EXTENDED_DN_HEX_STRING:
2704 * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
2705 *
2706 * ADS_EXTENDED_DN_STRING (only with w2k3):
2707 <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
2708 */
2709
2710 p = strchr(dn, ';');
2711 if (!p) {
2712 return False;
2713 }
2714
2715 if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
2716 return False;
2717 }
2718
2719 p += strlen(";<SID=");
2720
2721 q = strchr(p, '>');
2722 if (!q) {
2723 return False;
2724 }
2725
2726 *q = '\0';
2727
2728 DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
2729
2730 switch (flags) {
2731
2732 case ADS_EXTENDED_DN_STRING:
2733 if (!string_to_sid(sid, p)) {
2734 return False;
2735 }
2736 break;
2737 case ADS_EXTENDED_DN_HEX_STRING: {
2738 pstring buf;
2739 size_t buf_len;
2740
2741 buf_len = strhex_to_str(buf, strlen(p), p);
2742 if (buf_len == 0) {
2743 return False;
2744 }
2745
2746 if (!sid_parse(buf, buf_len, sid)) {
2747 DEBUG(10,("failed to parse sid\n"));
2748 return False;
2749 }
2750 break;
2751 }
2752 default:
2753 DEBUG(10,("unknown extended dn format\n"));
2754 return False;
2755 }
2756
2757 return True;
2758 }
2759
2760 /**
2761 * pull an array of DOM_SIDs from a ADS result
2762 * @param ads connection to ads server
2763 * @param mem_ctx TALLOC_CTX for allocating sid array
2764 * @param msg Results of search
2765 * @param field Attribute to retrieve
2766 * @param flags string type of extended_dn
2767 * @param sids pointer to sid array to allocate
2768 * @return the count of SIDs pulled
2769 **/
2770 int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
2771 TALLOC_CTX *mem_ctx,
2772 LDAPMessage *msg,
2773 const char *field,
2774 enum ads_extended_dn_flags flags,
2775 DOM_SID **sids)
2776 {
2777 int i;
2778 size_t dn_count;
2779 char **dn_strings;
2780
2781 if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
2782 &dn_count)) == NULL) {
2783 return 0;
2784 }
2785
2786 (*sids) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, dn_count + 1);
2787 if (!(*sids)) {
2788 TALLOC_FREE(dn_strings);
2789 return 0;
2790 }
2791
2792 for (i=0; i<dn_count; i++) {
2793
2794 if (!ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
2795 flags, &(*sids)[i])) {
2796 TALLOC_FREE(*sids);
2797 TALLOC_FREE(dn_strings);
2798 return 0;
2799 }
2800 }
2801
2802 TALLOC_FREE(dn_strings);
2803
2804 return dn_count;
2805 }
2806
2807 /********************************************************************
2808 ********************************************************************/
2809
2810 char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
2811 {
2812 LDAPMessage *res = NULL;
2813 ADS_STATUS status;
2814 int count = 0;
2815 char *name = NULL;
2816
2817 status = ads_find_machine_acct(ads, &res, global_myname());
2818 if (!ADS_ERR_OK(status)) {
2819 DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
2820 global_myname()));
2821 goto out;
2822 }
2823
2824 if ( (count = ads_count_replies(ads, res)) != 1 ) {
2825 DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
2826 goto out;
2827 }
2828
2829 if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
2830 DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
2831 }
2832
2833 out:
2834 ads_msgfree(ads, res);
2835
2836 return name;
2837 }
2838
2839 /********************************************************************
2840 ********************************************************************/
2841
2842 char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
2843 {
2844 LDAPMessage *res = NULL;
2845 ADS_STATUS status;
2846 int count = 0;
2847 char *name = NULL;
2848
2849 status = ads_find_machine_acct(ads, &res, global_myname());
2850 if (!ADS_ERR_OK(status)) {
2851 DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
2852 global_myname()));
2853 goto out;
2854 }
2855
2856 if ( (count = ads_count_replies(ads, res)) != 1 ) {
2857 DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
2858 goto out;
2859 }
2860
2861 if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
2862 DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
2863 }
2864
2865 out:
2866 ads_msgfree(ads, res);
2867
2868 return name;
2869 }
2870
2871 /********************************************************************
2872 ********************************************************************/
2873
2874 char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
2875 {
2876 LDAPMessage *res = NULL;
2877 ADS_STATUS status;
2878 int count = 0;
2879 char *name = NULL;
2880
2881 status = ads_find_machine_acct(ads, &res, global_myname());
2882 if (!ADS_ERR_OK(status)) {
2883 DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
2884 global_myname()));
2885 goto out;
2886 }
2887
2888 if ( (count = ads_count_replies(ads, res)) != 1 ) {
2889 DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
2890 goto out;
2891 }
2892
2893 if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
2894 DEBUG(0,("ads_get_dnshostname: No sAMAccountName attribute!\n"));
2895 }
2896
2897 out:
2898 ads_msgfree(ads, res);
2899
2900 return name;
2901 }
2902
2903 #if 0
2904
2905 SAVED CODE - we used to join via ldap - remember how we did this. JRA.
2906
2907 /**
2908 * Join a machine to a realm
2909 * Creates the machine account and sets the machine password
2910 * @param ads connection to ads server
2911 * @param machine name of host to add
2912 * @param org_unit Organizational unit to place machine in
2913 * @return status of join
2914 **/
2915 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
2916 uint32 account_type, const char *org_unit)
2917 {
2918 ADS_STATUS status;
2919 LDAPMessage *res = NULL;
2920 char *machine;
2921
2922 /* machine name must be lowercase */
2923 machine = SMB_STRDUP(machine_name);
2924 strlower_m(machine);
2925
2926 /*
2927 status = ads_find_machine_acct(ads, (void **)&res, machine);
2928 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
2929 DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
2930 status = ads_leave_realm(ads, machine);
2931 if (!ADS_ERR_OK(status)) {
2932 DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
2933 machine, ads->config.realm));
2934 return status;
2935 }
2936 }
2937 */
2938 status = ads_add_machine_acct(ads, machine, account_type, org_unit);
2939 if (!ADS_ERR_OK(status)) {
2940 DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
2941 SAFE_FREE(machine);
2942 return status;
2943 }
2944
2945 status = ads_find_machine_acct(ads, (void **)(void *)&res, machine);
2946 if (!ADS_ERR_OK(status)) {
2947 DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
2948 SAFE_FREE(machine);
2949 return status;
2950 }
2951
2952 SAFE_FREE(machine);
2953 ads_msgfree(ads, res);
2954
2955 return status;
2956 }
2957 #endif
2958
2959 /**
2960 * Delete a machine from the realm
2961 * @param ads connection to ads server
2962 * @param hostname Machine to remove
2963 * @return status of delete
2964 **/
2965 ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
2966 {
2967 ADS_STATUS status;
2968 void *msg;
2969 LDAPMessage *res;
2970 char *hostnameDN, *host;
2971 int rc;
2972 LDAPControl ldap_control;
2973 LDAPControl * pldap_control[2] = {NULL, NULL};
2974
2975 pldap_control[0] = &ldap_control;
2976 memset(&ldap_control, 0, sizeof(LDAPControl));
2977 ldap_control.ldctl_oid = (char *)LDAP_SERVER_TREE_DELETE_OID;
2978
2979 /* hostname must be lowercase */
2980 host = SMB_STRDUP(hostname);
2981 strlower_m(host);
2982
2983 status = ads_find_machine_acct(ads, &res, host);
2984 if (!ADS_ERR_OK(status)) {
2985 DEBUG(0, ("Host account for %s does not exist.\n", host));
2986 SAFE_FREE(host);
2987 return status;
2988 }
2989
2990 msg = ads_first_entry(ads, res);
2991 if (!msg) {
2992 SAFE_FREE(host);
2993 return ADS_ERROR_SYSTEM(ENOENT);
2994 }
2995
2996 hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg);
2997
2998 rc = ldap_delete_ext_s(ads->ld, hostnameDN, pldap_control, NULL);
2999 if (rc) {
3000 DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc));
3001 }else {
3002 DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
3003 }
3004
3005 if (rc != LDAP_SUCCESS) {
3006 const char *attrs[] = { "cn", NULL };
3007 LDAPMessage *msg_sub;
3008
3009 /* we only search with scope ONE, we do not expect any further
3010 * objects to be created deeper */
3011
3012 status = ads_do_search_retry(ads, hostnameDN,
3013 LDAP_SCOPE_ONELEVEL,
3014 "(objectclass=*)", attrs, &res);
3015
3016 if (!ADS_ERR_OK(status)) {
3017 SAFE_FREE(host);
3018 ads_memfree(ads, hostnameDN);
3019 return status;
3020 }
3021
3022 for (msg_sub = ads_first_entry(ads, res); msg_sub;
3023 msg_sub = ads_next_entry(ads, msg_sub)) {
3024
3025 char *dn = NULL;
3026
3027 if ((dn = ads_get_dn(ads, msg_sub)) == NULL) {
3028 SAFE_FREE(host);
3029 ads_memfree(ads, hostnameDN);
3030 return ADS_ERROR(LDAP_NO_MEMORY);
3031 }
3032
3033 status = ads_del_dn(ads, dn);
3034 if (!ADS_ERR_OK(status)) {
3035 DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status)));
3036 SAFE_FREE(host);
3037 ads_memfree(ads, dn);
3038 ads_memfree(ads, hostnameDN);
3039 return status;
3040 }
3041
3042 ads_memfree(ads, dn);
3043 }
3044
3045 /* there should be no subordinate objects anymore */
3046 status = ads_do_search_retry(ads, hostnameDN,
3047 LDAP_SCOPE_ONELEVEL,
3048 "(objectclass=*)", attrs, &res);
3049
3050 if (!ADS_ERR_OK(status) || ( (ads_count_replies(ads, res)) > 0 ) ) {
3051 SAFE_FREE(host);
3052 ads_memfree(ads, hostnameDN);
3053 return status;
3054 }
3055
3056 /* delete hostnameDN now */
3057 status = ads_del_dn(ads, hostnameDN);
3058 if (!ADS_ERR_OK(status)) {
3059 SAFE_FREE(host);
3060 DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status)));
3061 ads_memfree(ads, hostnameDN);
3062 return status;
3063 }
3064 }
3065
3066 ads_memfree(ads, hostnameDN);
3067
3068 status = ads_find_machine_acct(ads, &res, host);
3069 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3070 DEBUG(3, ("Failed to remove host account.\n"));
3071 SAFE_FREE(host);
3072 return status;
3073 }
3074
3075 SAFE_FREE(host);
3076 return status;
3077 }
3078
3079 #endif
Samba GIT mirror