search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
some merges from 2.2. Still need to merge in changes from pdb_tdb.c
[Samba.git] / source / passdb / pdb_ldap.c
blob408b22a62957c5865dfa44578875c0d34812175a
1 /*
2 Unix SMB/Netbios implementation.
3 Version 2.9.
4 LDAP protocol helper functions for SAMBA
5 Copyright (C) Gerald Carter 2001
6 Copyright (C) Shahms King 2001
7 Copyright (C) Jean François Micouleau 1998
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22
23 */
24
25 #include "includes.h"
26
27 #ifdef WITH_LDAP_SAM
28 /* TODO:
29 * persistent connections: if using NSS LDAP, many connections are made
30 * however, using only one within Samba would be nice
31 *
32 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
33 *
34 * Other LDAP based login attributes: accountExpires, etc.
35 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
36 * structures don't have fields for some of these attributes)
37 *
38 * SSL is done, but can't get the certificate based authentication to work
39 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
40 */
41
42 /* NOTE: this will NOT work against an Active Directory server
43 * due to the fact that the two password fields cannot be retrieved
44 * from a server; recommend using security = domain in this situation
45 * and/or winbind
46 */
47
48 #include <lber.h>
49 #include <ldap.h>
50
51 #ifndef SAM_ACCOUNT
52 #define SAM_ACCOUNT struct sam_passwd
53 #endif
54
55 struct ldap_enum_info {
56 LDAP *ldap_struct;
57 LDAPMessage *result;
58 LDAPMessage *entry;
59 };
60
61 static struct ldap_enum_info global_ldap_ent;
62
63
64 extern pstring samlogon_user;
65 extern BOOL sam_logon_in_ssb;
66
67
68 /*******************************************************************
69 open a connection to the ldap server.
70 ******************************************************************/
71 static BOOL ldap_open_connection (LDAP ** ldap_struct)
72 {
73 int port;
74 int version, rc;
75 int tls = LDAP_OPT_X_TLS_HARD;
76
77 /* there should be an lp_ldap_ssl_port(), what happen if for some
78 reason we need to bind an SSLed LDAP on port 389 ?? ---simo */
79 if (lp_ldap_ssl() == LDAP_SSL_ON && lp_ldap_port() == 389) {
80 port = 636;
81 }
82 else {
83 port = lp_ldap_port();
84 }
85
86 if ((*ldap_struct = ldap_init(lp_ldap_server(), port)) == NULL) {
87 DEBUG(0, ("The LDAP server is not responding !\n"));
88 return False;
89 }
90
91 /* Connect to older servers using SSL and V2 rather than Start TLS */
92 if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
93 {
94 if (version != LDAP_VERSION2)
95 {
96 version = LDAP_VERSION2;
97 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
98 }
99 }
100
101 switch (lp_ldap_ssl())
102 {
103 case LDAP_SSL_START_TLS:
104 if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
105 &version) == LDAP_OPT_SUCCESS)
106 {
107 if (version < LDAP_VERSION3)
108 {
109 version = LDAP_VERSION3;
110 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
111 &version);
112 }
113 }
114 if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
115 {
116 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
117 ldap_err2string(rc)));
118 return False;
119 }
120 DEBUG (2, ("StartTLS issued: using a TLS connection\n"));
121 break;
122
123 case LDAP_SSL_ON:
124 if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
125 {
126 DEBUG(0, ("Failed to setup a TLS session\n"));
127 }
128 break;
129
130 case LDAP_SSL_OFF:
131 default:
132 /*
133 * No special needs to setup options prior to the LDAP
134 * bind (which should be called next via ldap_connect_system()
135 */
136 break;
137 }
138
139 DEBUG(2, ("ldap_open_connection: connection opened\n"));
140 return True;
141 }
142
143 /*******************************************************************
144 connect to the ldap server under system privilege.
145 ******************************************************************/
146 static BOOL ldap_connect_system(LDAP * ldap_struct)
147 {
148 int rc;
149 static BOOL got_pw = False;
150 static pstring ldap_secret;
151
152 /* get the password if we don't have it already */
153 if (!got_pw && !(got_pw=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring))))
154 {
155 DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
156 lp_ldap_admin_dn()));
157 return False;
158 }
159
160 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
161 (OpenLDAP) doesnt' seem to support it */
162
163 DEBUG(10,("ldap_connect_system: Binding to ldap server as \"%s\"\n",
164 lp_ldap_admin_dn()));
165
166 if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(),
167 ldap_secret)) != LDAP_SUCCESS)
168 {
169 DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc)));
170 return False;
171 }
172
173 DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
174 return True;
175 }
176
177 /*******************************************************************
178 run the search by name.
179 ******************************************************************/
180 static int ldap_search_one_user (LDAP * ldap_struct, const char *filter, LDAPMessage ** result)
181 {
182 int scope = LDAP_SCOPE_SUBTREE;
183 int rc;
184
185 DEBUG(2, ("ldap_search_one_user: searching for:[%s]\n", filter));
186
187 rc = ldap_search_s(ldap_struct, lp_ldap_suffix (), scope, filter, NULL, 0, result);
188
189 if (rc != LDAP_SUCCESS) {
190 DEBUG(0,("ldap_search_one_user: Problem during the LDAP search: %s\n",
191 ldap_err2string (rc)));
192 DEBUG(3,("ldap_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
193 filter));
194 }
195
196 return rc;
197 }
198
199 /*******************************************************************
200 run the search by name.
201 ******************************************************************/
202 static int ldap_search_one_user_by_name (LDAP * ldap_struct, const char *user,
203 LDAPMessage ** result)
204 {
205 pstring filter;
206
207 /*
208 * in the filter expression, replace %u with the real name
209 * so in ldap filter, %u MUST exist :-)
210 */
211 pstrcpy(filter, lp_ldap_filter());
212
213 /*
214 * have to use this here because $ is filtered out
215 * in pstring_sub
216 */
217 all_string_sub(filter, "%u", user, sizeof(pstring));
218
219 return ldap_search_one_user(ldap_struct, filter, result);
220 }
221
222 /*******************************************************************
223 run the search by uid.
224 ******************************************************************/
225 static int ldap_search_one_user_by_uid(LDAP * ldap_struct, int uid,
226 LDAPMessage ** result)
227 {
228 struct passwd *user;
229 pstring filter;
230
231 /* Get the username from the system and look that up in the LDAP */
232
233 if ((user = sys_getpwuid(uid)) == NULL) {
234 DEBUG(3,("ldap_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
235 return LDAP_NO_SUCH_OBJECT;
236 }
237
238 pstrcpy(filter, lp_ldap_filter());
239
240 all_string_sub(filter, "%u", user->pw_name, sizeof(pstring));
241
242 return ldap_search_one_user(ldap_struct, filter, result);
243 }
244
245 /*******************************************************************
246 run the search by rid.
247 ******************************************************************/
248 static int ldap_search_one_user_by_rid (LDAP * ldap_struct, uint32 rid,
249 LDAPMessage ** result)
250 {
251 pstring filter;
252 int rc;
253
254 /* check if the user rid exsists, if not, try searching on the uid */
255
256 snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
257 rc = ldap_search_one_user(ldap_struct, filter, result);
258
259 if (rc != LDAP_SUCCESS)
260 rc = ldap_search_one_user_by_uid(ldap_struct,
261 pdb_user_rid_to_uid(rid), result);
262
263 return rc;
264 }
265
266 /*******************************************************************
267 search an attribute and return the first value found.
268 ******************************************************************/
269 static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
270 char *attribute, char *value)
271 {
272 char **values;
273
274 if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
275 value = NULL;
276 DEBUG (2, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
277
278 return False;
279 }
280
281 pstrcpy(value, values[0]);
282 ldap_value_free(values);
283 DEBUG (2, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
284
285 return True;
286 }
287
288 /************************************************************************
289 Routine to manage the LDAPMod structure array
290 manage memory used by the array, by each struct, and values
291
292 ************************************************************************/
293 static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
294 {
295 LDAPMod **mods;
296 int i;
297 int j;
298
299 mods = *modlist;
300
301 if (attribute == NULL || *attribute == '\0')
302 return;
303
304 if (value == NULL || *value == '\0')
305 return;
306
307 if (mods == NULL)
308 {
309 mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
310 if (mods == NULL)
311 {
312 DEBUG(0, ("make_a_mod: out of memory!\n"));
313 return;
314 }
315 mods[0] = NULL;
316 }
317
318 for (i = 0; mods[i] != NULL; ++i) {
319 if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
320 break;
321 }
322
323 if (mods[i] == NULL)
324 {
325 mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
326 if (mods == NULL)
327 {
328 DEBUG(0, ("make_a_mod: out of memory!\n"));
329 return;
330 }
331 mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
332 if (mods[i] == NULL)
333 {
334 DEBUG(0, ("make_a_mod: out of memory!\n"));
335 return;
336 }
337 mods[i]->mod_op = modop;
338 mods[i]->mod_values = NULL;
339 mods[i]->mod_type = strdup(attribute);
340 mods[i + 1] = NULL;
341 }
342
343 if (value != NULL)
344 {
345 j = 0;
346 if (mods[i]->mod_values != NULL) {
347 for (; mods[i]->mod_values[j] != NULL; j++);
348 }
349 mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
350 (j + 2) * sizeof (char *));
351
352 if (mods[i]->mod_values == NULL) {
353 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
354 return;
355 }
356 mods[i]->mod_values[j] = strdup(value);
357 mods[i]->mod_values[j + 1] = NULL;
358 }
359 *modlist = mods;
360 }
361
362 /* New Interface is being implemented here */
363
364 /**********************************************************************
365 Initialize SAM_ACCOUNT from an LDAP query
366 (Based on init_sam_from_buffer in pdb_tdb.c)
367 *********************************************************************/
368 static BOOL init_sam_from_ldap (SAM_ACCOUNT * sampass,
369 LDAP * ldap_struct, LDAPMessage * entry)
370 {
371 time_t logon_time,
372 logoff_time,
373 kickoff_time,
374 pass_last_set_time,
375 pass_can_change_time,
376 pass_must_change_time;
377 pstring username,
378 domain,
379 nt_username,
380 fullname,
381 homedir,
382 dir_drive,
383 logon_script,
384 profile_path,
385 acct_desc,
386 munged_dial,
387 workstations;
388 struct passwd *sys_user;
389 uint32 user_rid,
390 group_rid;
391 uint8 smblmpwd[16],
392 smbntpwd[16];
393 uint16 acct_ctrl,
394 logon_divs;
395 uint32 hours_len;
396 uint8 hours[MAX_HOURS_LEN];
397 pstring temp;
398 gid_t gid = getegid();
399
400
401 /*
402 * do a little initialization
403 */
404 username[0] = '\0';
405 domain[0] = '\0';
406 nt_username[0] = '\0';
407 fullname[0] = '\0';
408 homedir[0] = '\0';
409 dir_drive[0] = '\0';
410 logon_script[0] = '\0';
411 profile_path[0] = '\0';
412 acct_desc[0] = '\0';
413 munged_dial[0] = '\0';
414 workstations[0] = '\0';
415
416
417 if (sampass == NULL || ldap_struct == NULL || entry == NULL) {
418 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
419 return False;
420 }
421
422 get_single_attribute(ldap_struct, entry, "uid", username);
423 DEBUG(2, ("Entry found for user: %s\n", username));
424
425 pstrcpy(samlogon_user, username);
426
427 pstrcpy(nt_username, username);
428
429 pstrcpy(domain, lp_workgroup());
430
431 get_single_attribute(ldap_struct, entry, "pwdLastSet", temp);
432 pass_last_set_time = (time_t) strtol(temp, NULL, 16);
433
434 get_single_attribute(ldap_struct, entry, "logonTime", temp);
435 logon_time = (time_t) strtol(temp, NULL, 16);
436
437 get_single_attribute(ldap_struct, entry, "logoffTime", temp);
438 logoff_time = (time_t) strtol(temp, NULL, 16);
439
440 get_single_attribute(ldap_struct, entry, "kickoffTime", temp);
441 kickoff_time = (time_t) strtol(temp, NULL, 16);
442
443 get_single_attribute(ldap_struct, entry, "pwdCanChange", temp);
444 pass_can_change_time = (time_t) strtol(temp, NULL, 16);
445
446 get_single_attribute(ldap_struct, entry, "pwdMustChange", temp);
447 pass_must_change_time = (time_t) strtol(temp, NULL, 16);
448
449 /* recommend that 'gecos' and 'displayName' should refer to the same
450 * attribute OID. userFullName depreciated, only used by Samba
451 * primary rules of LDAP: don't make a new attribute when one is already defined
452 * that fits your needs; using cn then displayName rather than 'userFullName'
453 */
454
455 sam_logon_in_ssb = True;
456
457 if (!get_single_attribute(ldap_struct, entry, "cn", fullname)) {
458 get_single_attribute(ldap_struct, entry, "displayName", fullname);
459 }
460
461
462 if (!get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive)) {
463 pstrcpy(dir_drive, lp_logon_drive());
464 standard_sub_advanced(-1, username, "", gid, username, dir_drive);
465 DEBUG(5,("homeDrive fell back to %s\n",dir_drive));
466 pdb_set_dir_drive(sampass, dir_drive, False);
467 }
468 else
469 pdb_set_dir_drive(sampass, dir_drive, True);
470
471 if (!get_single_attribute(ldap_struct, entry, "smbHome", homedir)) {
472 pstrcpy(homedir, lp_logon_home());
473 standard_sub_advanced(-1, username, "", gid, username, homedir);
474 DEBUG(5,("smbHome fell back to %s\n",homedir));
475 pdb_set_homedir(sampass, homedir, False);
476 }
477 else
478 pdb_set_homedir(sampass, homedir, True);
479
480 if (!get_single_attribute(ldap_struct, entry, "scriptPath", logon_script)) {
481 pstrcpy(logon_script, lp_logon_script());
482 standard_sub_advanced(-1, username, "", gid, username, logon_script);
483 DEBUG(5,("scriptPath fell back to %s\n",logon_script));
484 pdb_set_logon_script(sampass, logon_script, False);
485 }
486 else
487 pdb_set_logon_script(sampass, logon_script, True);
488
489 if (!get_single_attribute(ldap_struct, entry, "profilePath", profile_path)) {
490 pstrcpy(profile_path, lp_logon_path());
491 standard_sub_advanced(-1, username, "", gid, username, profile_path);
492 DEBUG(5,("profilePath fell back to %s\n",profile_path));
493 pdb_set_profile_path(sampass, profile_path, False);
494 }
495 else
496 pdb_set_profile_path(sampass, profile_path, True);
497
498 sam_logon_in_ssb = False;
499
500 get_single_attribute(ldap_struct, entry, "description", acct_desc);
501 get_single_attribute(ldap_struct, entry, "userWorkstations", workstations);
502 get_single_attribute(ldap_struct, entry, "rid", temp);
503 user_rid = (uint32)strtol(temp, NULL, 10);
504 get_single_attribute(ldap_struct, entry, "primaryGroupID", temp);
505 group_rid = (uint32)strtol(temp, NULL, 10);
506
507
508 /* These values MAY be in LDAP, but they can also be retrieved through
509 * sys_getpw*() which is how we're doing it
510 */
511 sys_user = sys_getpwnam(username);
512 if (sys_user == NULL) {
513 DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a uid!\n", username));
514 return False;
515 }
516
517
518 /* FIXME: hours stuff should be cleaner */
519
520 logon_divs = 168;
521 hours_len = 21;
522 memset(hours, 0xff, hours_len);
523
524 get_single_attribute (ldap_struct, entry, "lmPassword", temp);
525 pdb_gethexpwd(temp, smblmpwd);
526 memset((char *)temp, '\0', sizeof(temp));
527 get_single_attribute (ldap_struct, entry, "ntPassword", temp);
528 pdb_gethexpwd(temp, smbntpwd);
529 memset((char *)temp, '\0', sizeof(temp));
530 get_single_attribute (ldap_struct, entry, "acctFlags", temp);
531 acct_ctrl = pdb_decode_acct_ctrl(temp);
532
533 if (acct_ctrl == 0)
534 acct_ctrl |= ACB_NORMAL;
535
536
537 pdb_set_acct_ctrl(sampass, acct_ctrl);
538 pdb_set_logon_time(sampass, logon_time);
539 pdb_set_logoff_time(sampass, logoff_time);
540 pdb_set_kickoff_time(sampass, kickoff_time);
541 pdb_set_pass_can_change_time(sampass, pass_can_change_time);
542 pdb_set_pass_must_change_time(sampass, pass_must_change_time);
543 pdb_set_pass_last_set_time(sampass, pass_last_set_time);
544
545 pdb_set_hours_len(sampass, hours_len);
546 pdb_set_logons_divs(sampass, logon_divs);
547
548 pdb_set_uid(sampass, sys_user->pw_uid);
549 pdb_set_gid(sampass, sys_user->pw_gid);
550 pdb_set_user_rid(sampass, user_rid);
551 pdb_set_group_rid(sampass, group_rid);
552
553 pdb_set_username(sampass, username);
554
555 pdb_set_domain(sampass, domain);
556 pdb_set_nt_username(sampass, nt_username);
557
558 pdb_set_fullname(sampass, fullname);
559
560 pdb_set_acct_desc(sampass, acct_desc);
561 pdb_set_workstations(sampass, workstations);
562 pdb_set_munged_dial(sampass, munged_dial);
563
564 if (!pdb_set_nt_passwd(sampass, smbntpwd))
565 return False;
566 if (!pdb_set_lanman_passwd(sampass, smblmpwd))
567 return False;
568
569 /* pdb_set_unknown_3(sampass, unknown3); */
570 /* pdb_set_unknown_5(sampass, unknown5); */
571 /* pdb_set_unknown_6(sampass, unknown6); */
572
573 pdb_set_hours(sampass, hours);
574
575 return True;
576 }
577
578 /**********************************************************************
579 Initialize SAM_ACCOUNT from an LDAP query
580 (Based on init_buffer_from_sam in pdb_tdb.c)
581 *********************************************************************/
582 static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCOUNT * sampass)
583 {
584 pstring temp;
585
586 if (mods == NULL || sampass == NULL) {
587 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
588 return False;
589 }
590
591 *mods = NULL;
592
593 /*
594 * took out adding "objectclass: sambaAccount"
595 * do this on a per-mod basis
596 */
597
598
599 make_a_mod(mods, ldap_state, "uid", pdb_get_username(sampass));
600 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
601
602 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
603 make_a_mod(mods, ldap_state, "pwdLastSet", temp);
604
605 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
606 make_a_mod(mods, ldap_state, "logonTime", temp);
607
608 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
609 make_a_mod(mods, ldap_state, "logoffTime", temp);
610
611 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
612 make_a_mod(mods, ldap_state, "kickoffTime", temp);
613
614 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
615 make_a_mod(mods, ldap_state, "pwdCanChange", temp);
616
617 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
618 make_a_mod(mods, ldap_state, "pwdMustChange", temp);
619
620 /* displayName, cn, and gecos should all be the same
621 * most easily accomplished by giving them the same OID
622 * gecos isn't set here b/c it should be handled by the
623 * add-user script
624 */
625
626 make_a_mod(mods, ldap_state, "displayName", pdb_get_fullname(sampass));
627 make_a_mod(mods, ldap_state, "cn", pdb_get_fullname(sampass));
628 make_a_mod(mods, ldap_state, "description", pdb_get_acct_desc(sampass));
629 make_a_mod(mods, ldap_state, "userWorkstations", pdb_get_workstations(sampass));
630
631 /*
632 * Only updates fields which have been set (not defaults from smb.conf)
633 */
634
635 if (IS_SAM_SET(sampass, FLAG_SAM_SMBHOME))
636 make_a_mod(mods, ldap_state, "smbHome", pdb_get_homedir(sampass));
637
638 if (IS_SAM_SET(sampass, FLAG_SAM_DRIVE))
639 make_a_mod(mods, ldap_state, "homeDrive", pdb_get_dirdrive(sampass));
640
641 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONSCRIPT))
642 make_a_mod(mods, ldap_state, "scriptPath", pdb_get_logon_script(sampass));
643
644 if (IS_SAM_SET(sampass, FLAG_SAM_PROFILE))
645 make_a_mod(mods, ldap_state, "profilePath", pdb_get_profile_path(sampass));
646
647
648 if ( !sampass->user_rid)
649 slprintf(temp, sizeof(temp) - 1, "%i", pdb_uid_to_user_rid(pdb_get_uid(sampass)));
650 else
651 slprintf(temp, sizeof(temp) - 1, "%i", sampass->user_rid);
652 make_a_mod(mods, ldap_state, "rid", temp);
653
654 if ( !sampass->group_rid)
655 slprintf(temp, sizeof(temp) - 1, "%i", pdb_gid_to_group_rid(pdb_get_gid(sampass)));
656 else
657 slprintf(temp, sizeof(temp) - 1, "%i", sampass->group_rid);
658 make_a_mod(mods, ldap_state, "primaryGroupID", temp);
659
660 /* FIXME: Hours stuff goes in LDAP */
661 pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
662 make_a_mod (mods, ldap_state, "lmPassword", temp);
663
664 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
665 make_a_mod (mods, ldap_state, "ntPassword", temp);
666
667 make_a_mod (mods, ldap_state, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
668 NEW_PW_FORMAT_SPACE_PADDED_LEN));
669
670 return True;
671 }
672
673 /**********************************************************************
674 Connect to LDAP server for password enumeration
675 *********************************************************************/
676 BOOL pdb_setsampwent(BOOL update)
677 {
678 int rc;
679 pstring filter;
680
681 if (!ldap_open_connection(&global_ldap_ent.ldap_struct))
682 {
683 return False;
684 }
685 if (!ldap_connect_system(global_ldap_ent.ldap_struct))
686 {
687 ldap_unbind(global_ldap_ent.ldap_struct);
688 return False;
689 }
690
691 pstrcpy(filter, lp_ldap_filter());
692 all_string_sub(filter, "%u", "*", sizeof(pstring));
693
694 rc = ldap_search_s(global_ldap_ent.ldap_struct, lp_ldap_suffix(),
695 LDAP_SCOPE_SUBTREE, filter, NULL, 0,
696 &global_ldap_ent.result);
697
698 if (rc != LDAP_SUCCESS)
699 {
700 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
701 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
702 ldap_msgfree(global_ldap_ent.result);
703 ldap_unbind(global_ldap_ent.ldap_struct);
704 global_ldap_ent.ldap_struct = NULL;
705 global_ldap_ent.result = NULL;
706 return False;
707 }
708
709 DEBUG(2, ("pdb_setsampwent: %d entries in the base!\n",
710 ldap_count_entries(global_ldap_ent.ldap_struct,
711 global_ldap_ent.result)));
712
713 global_ldap_ent.entry = ldap_first_entry(global_ldap_ent.ldap_struct,
714 global_ldap_ent.result);
715
716 return True;
717 }
718
719 /**********************************************************************
720 End enumeration of the LDAP password list
721 *********************************************************************/
722 void pdb_endsampwent(void)
723 {
724 if (global_ldap_ent.ldap_struct && global_ldap_ent.result)
725 {
726 ldap_msgfree(global_ldap_ent.result);
727 ldap_unbind(global_ldap_ent.ldap_struct);
728 global_ldap_ent.ldap_struct = NULL;
729 global_ldap_ent.result = NULL;
730 }
731 }
732
733 /**********************************************************************
734 Get the next entry in the LDAP password database
735 *********************************************************************/
736 BOOL pdb_getsampwent(SAM_ACCOUNT * user)
737 {
738 if (!global_ldap_ent.entry)
739 return False;
740
741 global_ldap_ent.entry = ldap_next_entry(global_ldap_ent.ldap_struct,
742 global_ldap_ent.entry);
743
744 if (global_ldap_ent.entry != NULL)
745 {
746 return init_sam_from_ldap(user, global_ldap_ent.ldap_struct,
747 global_ldap_ent.entry);
748 }
749 return False;
750 }
751
752 /**********************************************************************
753 Get SAM_ACCOUNT entry from LDAP by username
754 *********************************************************************/
755 BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname)
756 {
757 LDAP *ldap_struct;
758 LDAPMessage *result;
759 LDAPMessage *entry;
760
761 if (!ldap_open_connection(&ldap_struct))
762 return False;
763 if (!ldap_connect_system(ldap_struct))
764 {
765 ldap_unbind(ldap_struct);
766 return False;
767 }
768 if (ldap_search_one_user_by_name(ldap_struct, sname, &result) != LDAP_SUCCESS)
769 {
770 ldap_unbind(ldap_struct);
771 return False;
772 }
773 if (ldap_count_entries(ldap_struct, result) < 1)
774 {
775 DEBUG(0,
776 ("We don't find this user [%s] count=%d\n", sname,
777 ldap_count_entries(ldap_struct, result)));
778 ldap_unbind(ldap_struct);
779 return False;
780 }
781 entry = ldap_first_entry(ldap_struct, result);
782 if (entry)
783 {
784 init_sam_from_ldap(user, ldap_struct, entry);
785 ldap_msgfree(result);
786 ldap_unbind(ldap_struct);
787 return True;
788 }
789 else
790 {
791 ldap_msgfree(result);
792 ldap_unbind(ldap_struct);
793 return False;
794 }
795 }
796
797 /**********************************************************************
798 Get SAM_ACCOUNT entry from LDAP by rid
799 *********************************************************************/
800 BOOL pdb_getsampwrid(SAM_ACCOUNT * user, uint32 rid)
801 {
802 LDAP *ldap_struct;
803 LDAPMessage *result;
804 LDAPMessage *entry;
805
806 if (!ldap_open_connection(&ldap_struct))
807 return False;
808
809 if (!ldap_connect_system(ldap_struct))
810 {
811 ldap_unbind(ldap_struct);
812 return False;
813 }
814 if (ldap_search_one_user_by_rid(ldap_struct, rid, &result) !=
815 LDAP_SUCCESS)
816 {
817 ldap_unbind(ldap_struct);
818 return False;
819 }
820
821 if (ldap_count_entries(ldap_struct, result) < 1)
822 {
823 DEBUG(0,
824 ("We don't find this rid [%i] count=%d\n", rid,
825 ldap_count_entries(ldap_struct, result)));
826 ldap_unbind(ldap_struct);
827 return False;
828 }
829
830 entry = ldap_first_entry(ldap_struct, result);
831 if (entry)
832 {
833 init_sam_from_ldap(user, ldap_struct, entry);
834 ldap_msgfree(result);
835 ldap_unbind(ldap_struct);
836 return True;
837 }
838 else
839 {
840 ldap_msgfree(result);
841 ldap_unbind(ldap_struct);
842 return False;
843 }
844 }
845
846 /**********************************************************************
847 Delete entry from LDAP for username
848 *********************************************************************/
849 BOOL pdb_delete_sam_account(const char *sname)
850 {
851 int rc;
852 char *dn;
853 LDAP *ldap_struct;
854 LDAPMessage *entry;
855 LDAPMessage *result;
856
857 if (!ldap_open_connection (&ldap_struct))
858 return False;
859
860 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
861
862 if (!ldap_connect_system (ldap_struct)) {
863 ldap_unbind (ldap_struct);
864 DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname));
865 return False;
866 }
867
868 rc = ldap_search_one_user_by_name (ldap_struct, sname, &result);
869 if (ldap_count_entries (ldap_struct, result) == 0) {
870 DEBUG (0, ("User doesn't exit!\n"));
871 ldap_msgfree (result);
872 ldap_unbind (ldap_struct);
873 return False;
874 }
875
876 entry = ldap_first_entry (ldap_struct, result);
877 dn = ldap_get_dn (ldap_struct, entry);
878
879 rc = ldap_delete_s (ldap_struct, dn);
880
881 ldap_memfree (dn);
882 if (rc != LDAP_SUCCESS) {
883 char *ld_error;
884 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
885 DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
886 sname, ldap_err2string (rc), ld_error));
887 free (ld_error);
888 ldap_unbind (ldap_struct);
889 return False;
890 }
891
892 DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
893 ldap_unbind (ldap_struct);
894 return True;
895 }
896
897 /**********************************************************************
898 Update SAM_ACCOUNT
899 *********************************************************************/
900 BOOL pdb_update_sam_account(const SAM_ACCOUNT * newpwd, BOOL override)
901 {
902 int rc;
903 char *dn;
904 LDAP *ldap_struct;
905 LDAPMessage *result;
906 LDAPMessage *entry;
907 LDAPMod **mods;
908
909 if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */
910 return False;
911
912 if (!ldap_connect_system(ldap_struct)) /* connect as system account */
913 {
914 ldap_unbind(ldap_struct);
915 return False;
916 }
917
918 rc = ldap_search_one_user_by_name(ldap_struct,
919 pdb_get_username(newpwd), &result);
920
921 if (ldap_count_entries(ldap_struct, result) == 0)
922 {
923 DEBUG(0, ("No user to modify!\n"));
924 ldap_msgfree(result);
925 ldap_unbind(ldap_struct);
926 return False;
927 }
928
929 init_ldap_from_sam(&mods, LDAP_MOD_REPLACE, newpwd);
930
931 entry = ldap_first_entry(ldap_struct, result);
932 dn = ldap_get_dn(ldap_struct, entry);
933
934 rc = ldap_modify_s(ldap_struct, dn, mods);
935
936 if (rc != LDAP_SUCCESS)
937 {
938 char *ld_error;
939 ldap_get_option(ldap_struct, LDAP_OPT_ERROR_STRING,
940 &ld_error);
941 DEBUG(0,
942 ("failed to modify user with uid = %s with: %s\n\t%s\n",
943 pdb_get_username(newpwd), ldap_err2string(rc),
944 ld_error));
945 free(ld_error);
946 ldap_unbind(ldap_struct);
947 return False;
948 }
949
950 DEBUG(2,
951 ("successfully modified uid = %s in the LDAP database\n",
952 pdb_get_username(newpwd)));
953 ldap_mods_free(mods, 1);
954 ldap_unbind(ldap_struct);
955 return True;
956 }
957
958 /**********************************************************************
959 Add SAM_ACCOUNT to LDAP
960 *********************************************************************/
961 BOOL pdb_add_sam_account(const SAM_ACCOUNT * newpwd)
962 {
963 int rc;
964 pstring filter;
965 LDAP *ldap_struct;
966 LDAPMessage *result;
967 pstring dn;
968 LDAPMod **mods;
969 int ldap_op;
970 uint32 num_result;
971
972 if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */
973 {
974 return False;
975 }
976
977 if (!ldap_connect_system(ldap_struct)) /* connect as system account */
978 {
979 ldap_unbind(ldap_struct);
980 return False;
981 }
982
983 rc = ldap_search_one_user_by_name (ldap_struct, pdb_get_username(newpwd), &result);
984
985 if (ldap_count_entries(ldap_struct, result) != 0)
986 {
987 DEBUG(0,("User already in the base, with samba properties\n"));
988 ldap_msgfree(result);
989 ldap_unbind(ldap_struct);
990 return False;
991 }
992 ldap_msgfree(result);
993
994 slprintf (filter, sizeof (filter) - 1, "uid=%s", pdb_get_username(newpwd));
995 rc = ldap_search_one_user(ldap_struct, filter, &result);
996 num_result = ldap_count_entries(ldap_struct, result);
997
998 if (num_result > 1) {
999 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
1000 return False;
1001 }
1002
1003 /* Check if we need to update an existing entry */
1004 if (num_result == 1) {
1005 char *tmp;
1006 LDAPMessage *entry;
1007
1008 DEBUG(3,("User exists without samba properties: adding them\n"));
1009 ldap_op = LDAP_MOD_REPLACE;
1010 entry = ldap_first_entry (ldap_struct, result);
1011 tmp = ldap_get_dn (ldap_struct, entry);
1012 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1013 ldap_memfree (tmp);
1014 }
1015 else {
1016 /* Check if we need to add an entry */
1017 DEBUG(3,("Adding new user\n"));
1018 ldap_op = LDAP_MOD_ADD;
1019 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_suffix ());
1020 }
1021
1022 ldap_msgfree(result);
1023
1024 init_ldap_from_sam(&mods, ldap_op, newpwd);
1025 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
1026
1027 if (ldap_op == LDAP_MOD_REPLACE) {
1028 rc = ldap_modify_s(ldap_struct, dn, mods);
1029 }
1030 else {
1031 rc = ldap_add_s(ldap_struct, dn, mods);
1032 }
1033
1034 if (rc != LDAP_SUCCESS)
1035 {
1036 char *ld_error;
1037
1038 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1039 DEBUG(0,("failed to modify user with uid = %s with: %s\n\t%s\n",
1040 pdb_get_username(newpwd), ldap_err2string (rc), ld_error));
1041 free(ld_error);
1042 ldap_mods_free(mods, 1);
1043 ldap_unbind(ldap_struct);
1044 return False;
1045 }
1046
1047 DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
1048 ldap_mods_free(mods, 1);
1049 ldap_unbind(ldap_struct);
1050 return True;
1051 }
1052
1053 #else
1054 void dummy_function(void);
1055 void
1056 dummy_function (void)
1057 {
1058 } /* stop some compilers complaining */
1059 #endif
Samba GIT mirror