search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[GLUE] Rsync SAMBA_3_0 SVN r25598 in order to create the v3-0-test branch.
[Samba.git] / source / libgpo / gpo_ldap.c
blob6c1079832d0f5b47a102685f048a57f5c7ebd207
1 /*
2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #ifdef HAVE_LDAP
24
25 /****************************************************************
26 parse the raw extension string into a GP_EXT structure
27 ****************************************************************/
28
29 ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
30 const char *extension_raw,
31 struct GP_EXT *gp_ext)
32 {
33 char **ext_list;
34 char **ext_strings = NULL;
35 int i;
36
37 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
38
39 ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
40 if (ext_list == NULL) {
41 goto parse_error;
42 }
43
44 for (i = 0; ext_list[i] != NULL; i++) {
45 /* no op */
46 }
47
48 gp_ext->num_exts = i;
49
50 if (gp_ext->num_exts) {
51 gp_ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
52 gp_ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
53 gp_ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
54 gp_ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
55 } else {
56 gp_ext->extensions = NULL;
57 gp_ext->extensions_guid = NULL;
58 gp_ext->snapins = NULL;
59 gp_ext->snapins_guid = NULL;
60 }
61
62 if (gp_ext->extensions == NULL || gp_ext->extensions_guid == NULL ||
63 gp_ext->snapins == NULL || gp_ext->snapins_guid == NULL ||
64 gp_ext->gp_extension == NULL) {
65 goto parse_error;
66 }
67
68 gp_ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
69
70 for (i = 0; ext_list[i] != NULL; i++) {
71
72 int k;
73 char *p, *q;
74
75 DEBUGADD(10,("extension #%d\n", i));
76
77 p = ext_list[i];
78
79 if (p[0] == '[') {
80 p++;
81 }
82
83 ext_strings = str_list_make_talloc(mem_ctx, p, "}");
84 if (ext_strings == NULL) {
85 goto parse_error;
86 }
87
88 for (k = 0; ext_strings[k] != NULL; k++) {
89 /* no op */
90 }
91
92 q = ext_strings[0];
93
94 if (q[0] == '{') {
95 q++;
96 }
97
98 gp_ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q));
99 gp_ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
100
101 /* we might have no name for the guid */
102 if (gp_ext->extensions_guid[i] == NULL) {
103 goto parse_error;
104 }
105
106 for (k = 1; ext_strings[k] != NULL; k++) {
107
108 char *m = ext_strings[k];
109
110 if (m[0] == '{') {
111 m++;
112 }
113
114 /* FIXME: theoretically there could be more than one snapin per extension */
115 gp_ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m));
116 gp_ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
117
118 /* we might have no name for the guid */
119 if (gp_ext->snapins_guid[i] == NULL) {
120 goto parse_error;
121 }
122 }
123 }
124
125 if (ext_list) {
126 str_list_free_talloc(mem_ctx, &ext_list);
127 }
128 if (ext_strings) {
129 str_list_free_talloc(mem_ctx, &ext_strings);
130 }
131
132 return ADS_ERROR(LDAP_SUCCESS);
133
134 parse_error:
135 if (ext_list) {
136 str_list_free_talloc(mem_ctx, &ext_list);
137 }
138 if (ext_strings) {
139 str_list_free_talloc(mem_ctx, &ext_strings);
140 }
141
142 return ADS_ERROR(LDAP_NO_MEMORY);
143 }
144
145 /****************************************************************
146 parse the raw link string into a GP_LINK structure
147 ****************************************************************/
148
149 ADS_STATUS ads_parse_gplink(TALLOC_CTX *mem_ctx,
150 const char *gp_link_raw,
151 uint32 options,
152 struct GP_LINK *gp_link)
153 {
154 char **link_list;
155 int i;
156
157 DEBUG(10,("ads_parse_gplink: gPLink: %s\n", gp_link_raw));
158
159 link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
160 if (link_list == NULL) {
161 goto parse_error;
162 }
163
164 for (i = 0; link_list[i] != NULL; i++) {
165 /* no op */
166 }
167
168 gp_link->gp_opts = options;
169 gp_link->num_links = i;
170
171 if (gp_link->num_links) {
172 gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links);
173 gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links);
174 } else {
175 gp_link->link_names = NULL;
176 gp_link->link_opts = NULL;
177 }
178
179 gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
180
181 if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) {
182 goto parse_error;
183 }
184
185 for (i = 0; link_list[i] != NULL; i++) {
186
187 char *p, *q;
188
189 DEBUGADD(10,("ads_parse_gplink: processing link #%d\n", i));
190
191 q = link_list[i];
192 if (q[0] == '[') {
193 q++;
194 };
195
196 p = strchr(q, ';');
197
198 if (p == NULL) {
199 goto parse_error;
200 }
201
202 gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
203 if (gp_link->link_names[i] == NULL) {
204 goto parse_error;
205 }
206 gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
207
208 gp_link->link_opts[i] = atoi(p + 1);
209
210 DEBUGADD(10,("ads_parse_gplink: link: %s\n", gp_link->link_names[i]));
211 DEBUGADD(10,("ads_parse_gplink: opt: %d\n", gp_link->link_opts[i]));
212
213 }
214
215 if (link_list) {
216 str_list_free_talloc(mem_ctx, &link_list);
217 }
218
219 return ADS_ERROR(LDAP_SUCCESS);
220
221 parse_error:
222 if (link_list) {
223 str_list_free_talloc(mem_ctx, &link_list);
224 }
225
226 return ADS_ERROR(LDAP_NO_MEMORY);
227 }
228
229 /****************************************************************
230 helper call to get a GP_LINK structure from a linkdn
231 ****************************************************************/
232
233 ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
234 TALLOC_CTX *mem_ctx,
235 const char *link_dn,
236 struct GP_LINK *gp_link_struct)
237 {
238 ADS_STATUS status;
239 const char *attrs[] = {"gPLink", "gPOptions", NULL};
240 LDAPMessage *res = NULL;
241 const char *gp_link;
242 uint32 gp_options;
243
244 ZERO_STRUCTP(gp_link_struct);
245
246 status = ads_search_dn(ads, &res, link_dn, attrs);
247 if (!ADS_ERR_OK(status)) {
248 DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status)));
249 return status;
250 }
251
252 if (ads_count_replies(ads, res) != 1) {
253 DEBUG(10,("ads_get_gpo_link: no result\n"));
254 ads_msgfree(ads, res);
255 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
256 }
257
258 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
259 if (gp_link == NULL) {
260 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
261 ads_msgfree(ads, res);
262 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
263 }
264
265 /* perfectly leggal to have no options */
266 if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
267 DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n"));
268 gp_options = 0;
269 }
270
271 ads_msgfree(ads, res);
272
273 return ads_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
274 }
275
276 /****************************************************************
277 helper call to add a gp link
278 ****************************************************************/
279
280 ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
281 TALLOC_CTX *mem_ctx,
282 const char *link_dn,
283 const char *gpo_dn,
284 uint32 gpo_opt)
285 {
286 ADS_STATUS status;
287 const char *attrs[] = {"gPLink", NULL};
288 LDAPMessage *res = NULL;
289 const char *gp_link, *gp_link_new;
290 ADS_MODLIST mods;
291
292 /* although ADS allows to set anything here, we better check here if
293 * the gpo_dn is sane */
294
295 if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
296 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
297 }
298
299 status = ads_search_dn(ads, &res, link_dn, attrs);
300 if (!ADS_ERR_OK(status)) {
301 DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status)));
302 return status;
303 }
304
305 if (ads_count_replies(ads, res) != 1) {
306 DEBUG(10,("ads_add_gpo_link: no result\n"));
307 ads_msgfree(ads, res);
308 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
309 }
310
311 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
312 if (gp_link == NULL) {
313 gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt);
314 } else {
315 gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt);
316 }
317
318 ads_msgfree(ads, res);
319 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
320
321 mods = ads_init_mods(mem_ctx);
322 ADS_ERROR_HAVE_NO_MEMORY(mods);
323
324 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
325 if (!ADS_ERR_OK(status)) {
326 return status;
327 }
328
329 return ads_gen_mod(ads, link_dn, mods);
330 }
331
332 /****************************************************************
333 helper call to delete add a gp link
334 ****************************************************************/
335
336 /* untested & broken */
337 ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
338 TALLOC_CTX *mem_ctx,
339 const char *link_dn,
340 const char *gpo_dn)
341 {
342 ADS_STATUS status;
343 const char *attrs[] = {"gPLink", NULL};
344 LDAPMessage *res = NULL;
345 const char *gp_link, *gp_link_new = NULL;
346 ADS_MODLIST mods;
347
348 /* check for a sane gpo_dn */
349 if (gpo_dn[0] != '[') {
350 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
351 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
352 }
353
354 if (gpo_dn[strlen(gpo_dn)] != ']') {
355 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
356 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
357 }
358
359 status = ads_search_dn(ads, &res, link_dn, attrs);
360 if (!ADS_ERR_OK(status)) {
361 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status)));
362 return status;
363 }
364
365 if (ads_count_replies(ads, res) != 1) {
366 DEBUG(10,("ads_delete_gpo_link: no result\n"));
367 ads_msgfree(ads, res);
368 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
369 }
370
371 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
372 if (gp_link == NULL) {
373 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
374 }
375
376 /* find link to delete */
377 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */
378
379 ads_msgfree(ads, res);
380 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
381
382 mods = ads_init_mods(mem_ctx);
383 ADS_ERROR_HAVE_NO_MEMORY(mods);
384
385 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
386 if (!ADS_ERR_OK(status)) {
387 return status;
388 }
389
390 return ads_gen_mod(ads, link_dn, mods);
391 }
392
393 /****************************************************************
394 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
395 ****************************************************************/
396
397 ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
398 TALLOC_CTX *mem_ctx,
399 LDAPMessage *res,
400 const char *gpo_dn,
401 struct GROUP_POLICY_OBJECT *gpo)
402 {
403 ZERO_STRUCTP(gpo);
404
405 ADS_ERROR_HAVE_NO_MEMORY(res);
406
407 if (gpo_dn) {
408 gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
409 } else {
410 gpo->ds_path = ads_get_dn(ads, res);
411 }
412
413 ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
414
415 if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
416 return ADS_ERROR(LDAP_NO_MEMORY);
417 }
418
419 /* sure ??? */
420 if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
421 return ADS_ERROR(LDAP_NO_MEMORY);
422 }
423
424 gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath");
425 ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
426
427 gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName");
428 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
429
430 gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
431 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
432
433 /* ???, this is optional to have and what does it depend on, the 'flags' ?) */
434 gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
435 gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
436
437 return ADS_ERROR(LDAP_SUCCESS);
438 }
439
440 /****************************************************************
441 get a GROUP_POLICY_OBJECT structure based on different input paramters
442 ****************************************************************/
443
444 ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
445 TALLOC_CTX *mem_ctx,
446 const char *gpo_dn,
447 const char *display_name,
448 const char *guid_name,
449 struct GROUP_POLICY_OBJECT *gpo)
450 {
451 ADS_STATUS status;
452 LDAPMessage *res = NULL;
453 char *dn;
454 const char *filter;
455 const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath",
456 "gPCFunctionalityVersion", "gPCMachineExtensionNames",
457 "gPCUserExtensionNames", "gPCWQLFilter", "name",
458 "versionNumber", NULL};
459
460 ZERO_STRUCTP(gpo);
461
462 if (!gpo_dn && !display_name && !guid_name) {
463 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
464 }
465
466 if (gpo_dn) {
467
468 if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
469 gpo_dn = gpo_dn + strlen("LDAP://");
470 }
471
472 status = ads_search_dn(ads, &res, gpo_dn, attrs);
473
474 } else if (display_name || guid_name) {
475
476 filter = talloc_asprintf(mem_ctx,
477 "(&(objectclass=groupPolicyContainer)(%s=%s))",
478 display_name ? "displayName" : "name",
479 display_name ? display_name : guid_name);
480 ADS_ERROR_HAVE_NO_MEMORY(filter);
481
482 status = ads_do_search_all(ads, ads->config.bind_path,
483 LDAP_SCOPE_SUBTREE, filter,
484 attrs, &res);
485 }
486
487 if (!ADS_ERR_OK(status)) {
488 DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status)));
489 return status;
490 }
491
492 if (ads_count_replies(ads, res) != 1) {
493 DEBUG(10,("ads_get_gpo: no result\n"));
494 ads_msgfree(ads, res);
495 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
496 }
497
498 dn = ads_get_dn(ads, res);
499 if (dn == NULL) {
500 ads_msgfree(ads, res);
501 return ADS_ERROR(LDAP_NO_MEMORY);
502 }
503
504 status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
505 ads_msgfree(ads, res);
506 ads_memfree(ads, dn);
507
508 return status;
509 }
510
511 /****************************************************************
512 add a gplink to the GROUP_POLICY_OBJECT linked list
513 ****************************************************************/
514
515 ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
516 TALLOC_CTX *mem_ctx,
517 struct GROUP_POLICY_OBJECT **gpo_list,
518 const char *link_dn,
519 struct GP_LINK *gp_link,
520 enum GPO_LINK_TYPE link_type,
521 BOOL only_add_forced_gpos)
522 {
523 ADS_STATUS status;
524 int i;
525
526 for (i = 0; i < gp_link->num_links; i++) {
527
528 struct GROUP_POLICY_OBJECT *new_gpo = NULL;
529
530 if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
531 DEBUG(10,("skipping disabled GPO\n"));
532 continue;
533 }
534
535 if (only_add_forced_gpos) {
536
537 if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
538 DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
539 continue;
540 } else {
541 DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
542 }
543 }
544
545 new_gpo = TALLOC_P(mem_ctx, struct GROUP_POLICY_OBJECT);
546 ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
547
548 ZERO_STRUCTP(new_gpo);
549
550 status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo);
551 if (!ADS_ERR_OK(status)) {
552 return status;
553 }
554
555 new_gpo->link = link_dn;
556 new_gpo->link_type = link_type;
557
558 DLIST_ADD(*gpo_list, new_gpo);
559
560 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n",
561 i, gp_link->link_names[i]));
562 }
563
564 return ADS_ERROR(LDAP_SUCCESS);
565 }
566
567 /****************************************************************
568 get the full list of GROUP_POLICY_OBJECTs for a given dn
569 ****************************************************************/
570
571 ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
572 TALLOC_CTX *mem_ctx,
573 const char *dn,
574 uint32 flags,
575 struct GROUP_POLICY_OBJECT **gpo_list)
576 {
577 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
578
579 ADS_STATUS status;
580 struct GP_LINK gp_link;
581 const char *parent_dn, *site_dn, *tmp_dn;
582 BOOL add_only_forced_gpos = False;
583
584 ZERO_STRUCTP(gpo_list);
585
586 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
587
588 /* (L)ocal */
589 /* not yet... */
590
591 /* (S)ite */
592
593 /* are site GPOs valid for users as well ??? */
594 if (flags & GPO_LIST_FLAG_MACHINE) {
595
596 status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn);
597 if (!ADS_ERR_OK(status)) {
598 return status;
599 }
600
601 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn));
602
603 status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
604 if (ADS_ERR_OK(status)) {
605
606 if (DEBUGLEVEL >= 100) {
607 dump_gplink(ads, mem_ctx, &gp_link);
608 }
609
610 status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
611 site_dn, &gp_link, GP_LINK_SITE,
612 add_only_forced_gpos);
613 if (!ADS_ERR_OK(status)) {
614 return status;
615 }
616
617 if (flags & GPO_LIST_FLAG_SITEONLY) {
618 return ADS_ERROR(LDAP_SUCCESS);
619 }
620
621 /* inheritance can't be blocked at the site level */
622 }
623 }
624
625 tmp_dn = dn;
626
627 while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
628 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
629
630 /* (D)omain */
631
632 /* An account can just be a member of one domain */
633 if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
634
635 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn));
636
637 status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
638 if (ADS_ERR_OK(status)) {
639
640 if (DEBUGLEVEL >= 100) {
641 dump_gplink(ads, mem_ctx, &gp_link);
642 }
643
644 /* block inheritance from now on */
645 if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
646 add_only_forced_gpos = True;
647 }
648
649 status = add_gplink_to_gpo_list(ads, mem_ctx,
650 gpo_list, parent_dn,
651 &gp_link, GP_LINK_DOMAIN,
652 add_only_forced_gpos);
653 if (!ADS_ERR_OK(status)) {
654 return status;
655 }
656 }
657 }
658
659 tmp_dn = parent_dn;
660 }
661
662 /* reset dn again */
663 tmp_dn = dn;
664
665 while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
666 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
667
668
669 /* (O)rganizational(U)nit */
670
671 /* An account can be a member of more OUs */
672 if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
673
674 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn));
675
676 status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
677 if (ADS_ERR_OK(status)) {
678
679 if (DEBUGLEVEL >= 100) {
680 dump_gplink(ads, mem_ctx, &gp_link);
681 }
682
683 /* block inheritance from now on */
684 if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
685 add_only_forced_gpos = True;
686 }
687
688 status = add_gplink_to_gpo_list(ads, mem_ctx,
689 gpo_list, parent_dn,
690 &gp_link, GP_LINK_OU,
691 add_only_forced_gpos);
692 if (!ADS_ERR_OK(status)) {
693 return status;
694 }
695 }
696 }
697
698 tmp_dn = parent_dn;
699
700 };
701
702 return ADS_ERROR(LDAP_SUCCESS);
703 }
704
705 #endif /* HAVE_LDAP */
Samba GIT mirror