search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libads/cldap: store client sitename also keyed by dns domain name.
[Samba.git] / source / libads / ldap.c
blob063645febf75cc13cecf0c0a6b5ed764c41f8118
1 /*
2 Unix SMB/CIFS implementation.
3 ads (active directory) utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7 Copyright (C) Guenther Deschner 2005
8 Copyright (C) Gerald Carter 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "lib/ldb/include/includes.h"
26
27 #ifdef HAVE_LDAP
28
29 /**
30 * @file ldap.c
31 * @brief basic ldap client-side routines for ads server communications
32 *
33 * The routines contained here should do the necessary ldap calls for
34 * ads setups.
35 *
36 * Important note: attribute names passed into ads_ routines must
37 * already be in UTF-8 format. We do not convert them because in almost
38 * all cases, they are just ascii (which is represented with the same
39 * codepoints in UTF-8). This may have to change at some point
40 **/
41
42
43 #define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
44
45 static SIG_ATOMIC_T gotalarm;
46
47 /***************************************************************
48 Signal function to tell us we timed out.
49 ****************************************************************/
50
51 static void gotalarm_sig(void)
52 {
53 gotalarm = 1;
54 }
55
56 LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to)
57 {
58 LDAP *ldp = NULL;
59
60
61 DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout "
62 "%u seconds\n", server, port, to));
63
64 /* Setup timeout */
65 gotalarm = 0;
66 CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
67 alarm(to);
68 /* End setup timeout. */
69
70 ldp = ldap_open(server, port);
71
72 if (ldp == NULL) {
73 DEBUG(2,("Could not open connection to LDAP server %s:%d: %s\n",
74 server, port, strerror(errno)));
75 } else {
76 DEBUG(10, ("Connected to LDAP server '%s:%d'\n", server, port));
77 }
78
79 /* Teardown timeout. */
80 CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
81 alarm(0);
82
83 return ldp;
84 }
85
86 static int ldap_search_with_timeout(LDAP *ld,
87 LDAP_CONST char *base,
88 int scope,
89 LDAP_CONST char *filter,
90 char **attrs,
91 int attrsonly,
92 LDAPControl **sctrls,
93 LDAPControl **cctrls,
94 int sizelimit,
95 LDAPMessage **res )
96 {
97 struct timeval timeout;
98 int result;
99
100 /* Setup timeout for the ldap_search_ext_s call - local and remote. */
101 timeout.tv_sec = lp_ldap_timeout();
102 timeout.tv_usec = 0;
103
104 /* Setup alarm timeout.... Do we need both of these ? JRA. */
105 gotalarm = 0;
106 CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
107 alarm(lp_ldap_timeout());
108 /* End setup timeout. */
109
110 result = ldap_search_ext_s(ld, base, scope, filter, attrs,
111 attrsonly, sctrls, cctrls, &timeout,
112 sizelimit, res);
113
114 /* Teardown timeout. */
115 CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
116 alarm(0);
117
118 if (gotalarm != 0)
119 return LDAP_TIMELIMIT_EXCEEDED;
120
121 return result;
122 }
123
124 /**********************************************
125 Do client and server sitename match ?
126 **********************************************/
127
128 bool ads_sitename_match(ADS_STRUCT *ads)
129 {
130 if (ads->config.server_site_name == NULL &&
131 ads->config.client_site_name == NULL ) {
132 DEBUG(10,("ads_sitename_match: both null\n"));
133 return True;
134 }
135 if (ads->config.server_site_name &&
136 ads->config.client_site_name &&
137 strequal(ads->config.server_site_name,
138 ads->config.client_site_name)) {
139 DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
140 return True;
141 }
142 DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
143 ads->config.server_site_name ? ads->config.server_site_name : "NULL",
144 ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
145 return False;
146 }
147
148 /**********************************************
149 Is this the closest DC ?
150 **********************************************/
151
152 bool ads_closest_dc(ADS_STRUCT *ads)
153 {
154 if (ads->config.flags & NBT_SERVER_CLOSEST) {
155 DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
156 return True;
157 }
158
159 /* not sure if this can ever happen */
160 if (ads_sitename_match(ads)) {
161 DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag not set but sites match\n"));
162 return True;
163 }
164
165 DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
166 ads->config.ldap_server_name));
167
168 return False;
169 }
170
171
172 /*
173 try a connection to a given ldap server, returning True and setting the servers IP
174 in the ads struct if successful
175 */
176 bool ads_try_connect(ADS_STRUCT *ads, const char *server )
177 {
178 char *srv;
179 struct nbt_cldap_netlogon_5 cldap_reply;
180 TALLOC_CTX *mem_ctx = NULL;
181 bool ret = false;
182
183 if (!server || !*server) {
184 return False;
185 }
186
187 DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
188 server, ads->server.realm));
189
190 mem_ctx = talloc_init("ads_try_connect");
191 if (!mem_ctx) {
192 DEBUG(0,("out of memory\n"));
193 return false;
194 }
195
196 /* this copes with inet_ntoa brokenness */
197
198 srv = SMB_STRDUP(server);
199
200 ZERO_STRUCT( cldap_reply );
201
202 if ( !ads_cldap_netlogon_5(mem_ctx, srv, ads->server.realm, &cldap_reply ) ) {
203 DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
204 ret = false;
205 goto out;
206 }
207
208 /* Check the CLDAP reply flags */
209
210 if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) {
211 DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
212 srv));
213 ret = false;
214 goto out;
215 }
216
217 /* Fill in the ads->config values */
218
219 SAFE_FREE(ads->config.realm);
220 SAFE_FREE(ads->config.bind_path);
221 SAFE_FREE(ads->config.ldap_server_name);
222 SAFE_FREE(ads->config.server_site_name);
223 SAFE_FREE(ads->config.client_site_name);
224 SAFE_FREE(ads->server.workgroup);
225
226 ads->config.flags = cldap_reply.server_type;
227 ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.pdc_dns_name);
228 ads->config.realm = SMB_STRDUP(cldap_reply.dns_domain);
229 strupper_m(ads->config.realm);
230 ads->config.bind_path = ads_build_dn(ads->config.realm);
231 if (*cldap_reply.server_site) {
232 ads->config.server_site_name =
233 SMB_STRDUP(cldap_reply.server_site);
234 }
235 if (*cldap_reply.client_site) {
236 ads->config.client_site_name =
237 SMB_STRDUP(cldap_reply.client_site);
238 }
239 ads->server.workgroup = SMB_STRDUP(cldap_reply.domain);
240
241 ads->ldap.port = LDAP_PORT;
242 if (!interpret_string_addr(&ads->ldap.ss, srv, 0)) {
243 DEBUG(1,("ads_try_connect: unable to convert %s "
244 "to an address\n",
245 srv));
246 ret = false;
247 goto out;
248 }
249
250 /* Store our site name. */
251 sitename_store( cldap_reply.domain, cldap_reply.client_site);
252 sitename_store( cldap_reply.dns_domain, cldap_reply.client_site);
253
254 ret = true;
255 out:
256 SAFE_FREE(srv);
257 TALLOC_FREE(mem_ctx);
258
259 return ret;
260 }
261
262 /**********************************************************************
263 Try to find an AD dc using our internal name resolution routines
264 Try the realm first and then then workgroup name if netbios is not
265 disabled
266 **********************************************************************/
267
268 static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
269 {
270 const char *c_realm;
271 int count, i=0;
272 struct ip_service *ip_list;
273 const char *realm;
274 bool got_realm = False;
275 bool use_own_domain = False;
276 char *sitename;
277 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
278
279 /* if the realm and workgroup are both empty, assume they are ours */
280
281 /* realm */
282 c_realm = ads->server.realm;
283
284 if ( !c_realm || !*c_realm ) {
285 /* special case where no realm and no workgroup means our own */
286 if ( !ads->server.workgroup || !*ads->server.workgroup ) {
287 use_own_domain = True;
288 c_realm = lp_realm();
289 }
290 }
291
292 if (c_realm && *c_realm)
293 got_realm = True;
294
295 /* we need to try once with the realm name and fallback to the
296 netbios domain name if we fail (if netbios has not been disabled */
297
298 if ( !got_realm && !lp_disable_netbios() ) {
299 c_realm = ads->server.workgroup;
300 if (!c_realm || !*c_realm) {
301 if ( use_own_domain )
302 c_realm = lp_workgroup();
303 }
304
305 if ( !c_realm || !*c_realm ) {
306 DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
307 return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
308 }
309 }
310
311 realm = c_realm;
312
313 sitename = sitename_fetch(realm);
314
315 again:
316
317 DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
318 (got_realm ? "realm" : "domain"), realm));
319
320 status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
321 if (!NT_STATUS_IS_OK(status)) {
322 /* fall back to netbios if we can */
323 if ( got_realm && !lp_disable_netbios() ) {
324 got_realm = False;
325 goto again;
326 }
327
328 SAFE_FREE(sitename);
329 return status;
330 }
331
332 /* if we fail this loop, then giveup since all the IP addresses returned were dead */
333 for ( i=0; i<count; i++ ) {
334 char server[INET6_ADDRSTRLEN];
335
336 print_sockaddr(server, sizeof(server), &ip_list[i].ss);
337
338 if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
339 continue;
340
341 if (!got_realm) {
342 /* realm in this case is a workgroup name. We need
343 to ignore any IP addresses in the negative connection
344 cache that match ip addresses returned in the ad realm
345 case. It sucks that I have to reproduce the logic above... */
346 c_realm = ads->server.realm;
347 if ( !c_realm || !*c_realm ) {
348 if ( !ads->server.workgroup || !*ads->server.workgroup ) {
349 c_realm = lp_realm();
350 }
351 }
352 if (c_realm && *c_realm &&
353 !NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) {
354 /* Ensure we add the workgroup name for this
355 IP address as negative too. */
356 add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
357 continue;
358 }
359 }
360
361 if ( ads_try_connect(ads, server) ) {
362 SAFE_FREE(ip_list);
363 SAFE_FREE(sitename);
364 return NT_STATUS_OK;
365 }
366
367 /* keep track of failures */
368 add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
369 }
370
371 SAFE_FREE(ip_list);
372
373 /* In case we failed to contact one of our closest DC on our site we
374 * need to try to find another DC, retry with a site-less SRV DNS query
375 * - Guenther */
376
377 if (sitename) {
378 DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
379 "trying to find another DC\n", sitename));
380 SAFE_FREE(sitename);
381 namecache_delete(realm, 0x1C);
382 goto again;
383 }
384
385 return NT_STATUS_NO_LOGON_SERVERS;
386 }
387
388
389 /**
390 * Connect to the LDAP server
391 * @param ads Pointer to an existing ADS_STRUCT
392 * @return status of connection
393 **/
394 ADS_STATUS ads_connect(ADS_STRUCT *ads)
395 {
396 int version = LDAP_VERSION3;
397 ADS_STATUS status;
398 NTSTATUS ntstatus;
399 char addr[INET6_ADDRSTRLEN];
400
401 ZERO_STRUCT(ads->ldap);
402 ads->ldap.last_attempt = time(NULL);
403 ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
404
405 /* try with a user specified server */
406
407 if (DEBUGLEVEL >= 11) {
408 char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
409 DEBUG(11,("ads_connect: entering\n"));
410 DEBUGADD(11,("%s\n", s));
411 TALLOC_FREE(s);
412 }
413
414 if (ads->server.ldap_server &&
415 ads_try_connect(ads, ads->server.ldap_server)) {
416 goto got_connection;
417 }
418
419 ntstatus = ads_find_dc(ads);
420 if (NT_STATUS_IS_OK(ntstatus)) {
421 goto got_connection;
422 }
423
424 status = ADS_ERROR_NT(ntstatus);
425 goto out;
426
427 got_connection:
428
429 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
430 DEBUG(3,("Successfully contacted LDAP server %s\n", addr));
431
432 if (!ads->auth.user_name) {
433 /* Must use the userPrincipalName value here or sAMAccountName
434 and not servicePrincipalName; found by Guenther Deschner */
435
436 asprintf(&ads->auth.user_name, "%s$", global_myname() );
437 }
438
439 if (!ads->auth.realm) {
440 ads->auth.realm = SMB_STRDUP(ads->config.realm);
441 }
442
443 if (!ads->auth.kdc_server) {
444 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
445 ads->auth.kdc_server = SMB_STRDUP(addr);
446 }
447
448 #if KRB5_DNS_HACK
449 /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
450 to MIT kerberos to work (tridge) */
451 {
452 char *env;
453 asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
454 setenv(env, ads->auth.kdc_server, 1);
455 free(env);
456 }
457 #endif
458
459 /* If the caller() requested no LDAP bind, then we are done */
460
461 if (ads->auth.flags & ADS_AUTH_NO_BIND) {
462 status = ADS_SUCCESS;
463 goto out;
464 }
465
466 ads->ldap.mem_ctx = talloc_init("ads LDAP connection memory");
467 if (!ads->ldap.mem_ctx) {
468 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
469 goto out;
470 }
471
472 /* Otherwise setup the TCP LDAP session */
473
474 ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
475 LDAP_PORT, lp_ldap_timeout());
476 if (ads->ldap.ld == NULL) {
477 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
478 goto out;
479 }
480 DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name));
481
482 /* cache the successful connection for workgroup and realm */
483 if (ads_closest_dc(ads)) {
484 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
485 saf_store( ads->server.workgroup, addr);
486 saf_store( ads->server.realm, addr);
487 }
488
489 ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
490
491 status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
492 if (!ADS_ERR_OK(status)) {
493 goto out;
494 }
495
496 /* fill in the current time and offsets */
497
498 status = ads_current_time( ads );
499 if ( !ADS_ERR_OK(status) ) {
500 goto out;
501 }
502
503 /* Now do the bind */
504
505 if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
506 status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL));
507 goto out;
508 }
509
510 if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
511 status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password));
512 goto out;
513 }
514
515 status = ads_sasl_bind(ads);
516
517 out:
518 if (DEBUGLEVEL >= 11) {
519 char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
520 DEBUG(11,("ads_connect: leaving with: %s\n",
521 ads_errstr(status)));
522 DEBUGADD(11,("%s\n", s));
523 TALLOC_FREE(s);
524 }
525
526 return status;
527 }
528
529 /**
530 * Disconnect the LDAP server
531 * @param ads Pointer to an existing ADS_STRUCT
532 **/
533 void ads_disconnect(ADS_STRUCT *ads)
534 {
535 if (ads->ldap.ld) {
536 ldap_unbind(ads->ldap.ld);
537 ads->ldap.ld = NULL;
538 }
539 if (ads->ldap.wrap_ops && ads->ldap.wrap_ops->disconnect) {
540 ads->ldap.wrap_ops->disconnect(ads);
541 }
542 if (ads->ldap.mem_ctx) {
543 talloc_free(ads->ldap.mem_ctx);
544 }
545 ZERO_STRUCT(ads->ldap);
546 }
547
548 /*
549 Duplicate a struct berval into talloc'ed memory
550 */
551 static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val)
552 {
553 struct berval *value;
554
555 if (!in_val) return NULL;
556
557 value = TALLOC_ZERO_P(ctx, struct berval);
558 if (value == NULL)
559 return NULL;
560 if (in_val->bv_len == 0) return value;
561
562 value->bv_len = in_val->bv_len;
563 value->bv_val = (char *)TALLOC_MEMDUP(ctx, in_val->bv_val,
564 in_val->bv_len);
565 return value;
566 }
567
568 /*
569 Make a values list out of an array of (struct berval *)
570 */
571 static struct berval **ads_dup_values(TALLOC_CTX *ctx,
572 const struct berval **in_vals)
573 {
574 struct berval **values;
575 int i;
576
577 if (!in_vals) return NULL;
578 for (i=0; in_vals[i]; i++)
579 ; /* count values */
580 values = TALLOC_ZERO_ARRAY(ctx, struct berval *, i+1);
581 if (!values) return NULL;
582
583 for (i=0; in_vals[i]; i++) {
584 values[i] = dup_berval(ctx, in_vals[i]);
585 }
586 return values;
587 }
588
589 /*
590 UTF8-encode a values list out of an array of (char *)
591 */
592 static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals)
593 {
594 char **values;
595 int i;
596
597 if (!in_vals) return NULL;
598 for (i=0; in_vals[i]; i++)
599 ; /* count values */
600 values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
601 if (!values) return NULL;
602
603 for (i=0; in_vals[i]; i++) {
604 if (push_utf8_talloc(ctx, &values[i], in_vals[i]) == (size_t) -1) {
605 TALLOC_FREE(values);
606 return NULL;
607 }
608 }
609 return values;
610 }
611
612 /*
613 Pull a (char *) array out of a UTF8-encoded values list
614 */
615 static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals)
616 {
617 char **values;
618 int i;
619
620 if (!in_vals) return NULL;
621 for (i=0; in_vals[i]; i++)
622 ; /* count values */
623 values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
624 if (!values) return NULL;
625
626 for (i=0; in_vals[i]; i++) {
627 pull_utf8_talloc(ctx, &values[i], in_vals[i]);
628 }
629 return values;
630 }
631
632 /**
633 * Do a search with paged results. cookie must be null on the first
634 * call, and then returned on each subsequent call. It will be null
635 * again when the entire search is complete
636 * @param ads connection to ads server
637 * @param bind_path Base dn for the search
638 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
639 * @param expr Search expression - specified in local charset
640 * @param attrs Attributes to retrieve - specified in utf8 or ascii
641 * @param res ** which will contain results - free res* with ads_msgfree()
642 * @param count Number of entries retrieved on this page
643 * @param cookie The paged results cookie to be returned on subsequent calls
644 * @return status of search
645 **/
646 static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
647 const char *bind_path,
648 int scope, const char *expr,
649 const char **attrs, void *args,
650 LDAPMessage **res,
651 int *count, struct berval **cookie)
652 {
653 int rc, i, version;
654 char *utf8_expr, *utf8_path, **search_attrs;
655 LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
656 BerElement *cookie_be = NULL;
657 struct berval *cookie_bv= NULL;
658 BerElement *ext_be = NULL;
659 struct berval *ext_bv= NULL;
660
661 TALLOC_CTX *ctx;
662 ads_control *external_control = (ads_control *) args;
663
664 *res = NULL;
665
666 if (!(ctx = talloc_init("ads_do_paged_search_args")))
667 return ADS_ERROR(LDAP_NO_MEMORY);
668
669 /* 0 means the conversion worked but the result was empty
670 so we only fail if it's -1. In any case, it always
671 at least nulls out the dest */
672 if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
673 (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
674 rc = LDAP_NO_MEMORY;
675 goto done;
676 }
677
678 if (!attrs || !(*attrs))
679 search_attrs = NULL;
680 else {
681 /* This would be the utf8-encoded version...*/
682 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
683 if (!(str_list_copy(talloc_tos(), &search_attrs, attrs))) {
684 rc = LDAP_NO_MEMORY;
685 goto done;
686 }
687 }
688
689 /* Paged results only available on ldap v3 or later */
690 ldap_get_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
691 if (version < LDAP_VERSION3) {
692 rc = LDAP_NOT_SUPPORTED;
693 goto done;
694 }
695
696 cookie_be = ber_alloc_t(LBER_USE_DER);
697 if (*cookie) {
698 ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
699 ber_bvfree(*cookie); /* don't need it from last time */
700 *cookie = NULL;
701 } else {
702 ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
703 }
704 ber_flatten(cookie_be, &cookie_bv);
705 PagedResults.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
706 PagedResults.ldctl_iscritical = (char) 1;
707 PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
708 PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
709
710 NoReferrals.ldctl_oid = CONST_DISCARD(char *, ADS_NO_REFERRALS_OID);
711 NoReferrals.ldctl_iscritical = (char) 0;
712 NoReferrals.ldctl_value.bv_len = 0;
713 NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
714
715 if (external_control &&
716 (strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
717 strequal(external_control->control, ADS_SD_FLAGS_OID))) {
718
719 ExternalCtrl.ldctl_oid = CONST_DISCARD(char *, external_control->control);
720 ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
721
722 /* win2k does not accept a ldctl_value beeing passed in */
723
724 if (external_control->val != 0) {
725
726 if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
727 rc = LDAP_NO_MEMORY;
728 goto done;
729 }
730
731 if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
732 rc = LDAP_NO_MEMORY;
733 goto done;
734 }
735 if ((ber_flatten(ext_be, &ext_bv)) == -1) {
736 rc = LDAP_NO_MEMORY;
737 goto done;
738 }
739
740 ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
741 ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
742
743 } else {
744 ExternalCtrl.ldctl_value.bv_len = 0;
745 ExternalCtrl.ldctl_value.bv_val = NULL;
746 }
747
748 controls[0] = &NoReferrals;
749 controls[1] = &PagedResults;
750 controls[2] = &ExternalCtrl;
751 controls[3] = NULL;
752
753 } else {
754 controls[0] = &NoReferrals;
755 controls[1] = &PagedResults;
756 controls[2] = NULL;
757 }
758
759 /* we need to disable referrals as the openldap libs don't
760 handle them and paged results at the same time. Using them
761 together results in the result record containing the server
762 page control being removed from the result list (tridge/jmcd)
763
764 leaving this in despite the control that says don't generate
765 referrals, in case the server doesn't support it (jmcd)
766 */
767 ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
768
769 rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
770 search_attrs, 0, controls,
771 NULL, LDAP_NO_LIMIT,
772 (LDAPMessage **)res);
773
774 ber_free(cookie_be, 1);
775 ber_bvfree(cookie_bv);
776
777 if (rc) {
778 DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
779 ldap_err2string(rc)));
780 goto done;
781 }
782
783 rc = ldap_parse_result(ads->ldap.ld, *res, NULL, NULL, NULL,
784 NULL, &rcontrols, 0);
785
786 if (!rcontrols) {
787 goto done;
788 }
789
790 for (i=0; rcontrols[i]; i++) {
791 if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
792 cookie_be = ber_init(&rcontrols[i]->ldctl_value);
793 ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
794 &cookie_bv);
795 /* the berval is the cookie, but must be freed when
796 it is all done */
797 if (cookie_bv->bv_len) /* still more to do */
798 *cookie=ber_bvdup(cookie_bv);
799 else
800 *cookie=NULL;
801 ber_bvfree(cookie_bv);
802 ber_free(cookie_be, 1);
803 break;
804 }
805 }
806 ldap_controls_free(rcontrols);
807
808 done:
809 talloc_destroy(ctx);
810
811 if (ext_be) {
812 ber_free(ext_be, 1);
813 }
814
815 if (ext_bv) {
816 ber_bvfree(ext_bv);
817 }
818
819 /* if/when we decide to utf8-encode attrs, take out this next line */
820 TALLOC_FREE(search_attrs);
821
822 return ADS_ERROR(rc);
823 }
824
825 static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
826 int scope, const char *expr,
827 const char **attrs, LDAPMessage **res,
828 int *count, struct berval **cookie)
829 {
830 return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
831 }
832
833
834 /**
835 * Get all results for a search. This uses ads_do_paged_search() to return
836 * all entries in a large search.
837 * @param ads connection to ads server
838 * @param bind_path Base dn for the search
839 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
840 * @param expr Search expression
841 * @param attrs Attributes to retrieve
842 * @param res ** which will contain results - free res* with ads_msgfree()
843 * @return status of search
844 **/
845 ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path,
846 int scope, const char *expr,
847 const char **attrs, void *args,
848 LDAPMessage **res)
849 {
850 struct berval *cookie = NULL;
851 int count = 0;
852 ADS_STATUS status;
853
854 *res = NULL;
855 status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
856 &count, &cookie);
857
858 if (!ADS_ERR_OK(status))
859 return status;
860
861 #ifdef HAVE_LDAP_ADD_RESULT_ENTRY
862 while (cookie) {
863 LDAPMessage *res2 = NULL;
864 ADS_STATUS status2;
865 LDAPMessage *msg, *next;
866
867 status2 = ads_do_paged_search_args(ads, bind_path, scope, expr,
868 attrs, args, &res2, &count, &cookie);
869
870 if (!ADS_ERR_OK(status2)) break;
871
872 /* this relies on the way that ldap_add_result_entry() works internally. I hope
873 that this works on all ldap libs, but I have only tested with openldap */
874 for (msg = ads_first_message(ads, res2); msg; msg = next) {
875 next = ads_next_message(ads, msg);
876 ldap_add_result_entry((LDAPMessage **)res, msg);
877 }
878 /* note that we do not free res2, as the memory is now
879 part of the main returned list */
880 }
881 #else
882 DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
883 status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
884 #endif
885
886 return status;
887 }
888
889 ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
890 int scope, const char *expr,
891 const char **attrs, LDAPMessage **res)
892 {
893 return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
894 }
895
896 ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
897 int scope, const char *expr,
898 const char **attrs, uint32 sd_flags,
899 LDAPMessage **res)
900 {
901 ads_control args;
902
903 args.control = ADS_SD_FLAGS_OID;
904 args.val = sd_flags;
905 args.critical = True;
906
907 return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
908 }
909
910
911 /**
912 * Run a function on all results for a search. Uses ads_do_paged_search() and
913 * runs the function as each page is returned, using ads_process_results()
914 * @param ads connection to ads server
915 * @param bind_path Base dn for the search
916 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
917 * @param expr Search expression - specified in local charset
918 * @param attrs Attributes to retrieve - specified in UTF-8 or ascii
919 * @param fn Function which takes attr name, values list, and data_area
920 * @param data_area Pointer which is passed to function on each call
921 * @return status of search
922 **/
923 ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
924 int scope, const char *expr, const char **attrs,
925 bool (*fn)(ADS_STRUCT *, char *, void **, void *),
926 void *data_area)
927 {
928 struct berval *cookie = NULL;
929 int count = 0;
930 ADS_STATUS status;
931 LDAPMessage *res;
932
933 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
934 &count, &cookie);
935
936 if (!ADS_ERR_OK(status)) return status;
937
938 ads_process_results(ads, res, fn, data_area);
939 ads_msgfree(ads, res);
940
941 while (cookie) {
942 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
943 &res, &count, &cookie);
944
945 if (!ADS_ERR_OK(status)) break;
946
947 ads_process_results(ads, res, fn, data_area);
948 ads_msgfree(ads, res);
949 }
950
951 return status;
952 }
953
954 /**
955 * Do a search with a timeout.
956 * @param ads connection to ads server
957 * @param bind_path Base dn for the search
958 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
959 * @param expr Search expression
960 * @param attrs Attributes to retrieve
961 * @param res ** which will contain results - free res* with ads_msgfree()
962 * @return status of search
963 **/
964 ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
965 const char *expr,
966 const char **attrs, LDAPMessage **res)
967 {
968 int rc;
969 char *utf8_expr, *utf8_path, **search_attrs = NULL;
970 TALLOC_CTX *ctx;
971
972 *res = NULL;
973 if (!(ctx = talloc_init("ads_do_search"))) {
974 DEBUG(1,("ads_do_search: talloc_init() failed!"));
975 return ADS_ERROR(LDAP_NO_MEMORY);
976 }
977
978 /* 0 means the conversion worked but the result was empty
979 so we only fail if it's negative. In any case, it always
980 at least nulls out the dest */
981 if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
982 (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
983 DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
984 rc = LDAP_NO_MEMORY;
985 goto done;
986 }
987
988 if (!attrs || !(*attrs))
989 search_attrs = NULL;
990 else {
991 /* This would be the utf8-encoded version...*/
992 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
993 if (!(str_list_copy(talloc_tos(), &search_attrs, attrs)))
994 {
995 DEBUG(1,("ads_do_search: str_list_copy() failed!"));
996 rc = LDAP_NO_MEMORY;
997 goto done;
998 }
999 }
1000
1001 /* see the note in ads_do_paged_search - we *must* disable referrals */
1002 ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
1003
1004 rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
1005 search_attrs, 0, NULL, NULL,
1006 LDAP_NO_LIMIT,
1007 (LDAPMessage **)res);
1008
1009 if (rc == LDAP_SIZELIMIT_EXCEEDED) {
1010 DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
1011 rc = 0;
1012 }
1013
1014 done:
1015 talloc_destroy(ctx);
1016 /* if/when we decide to utf8-encode attrs, take out this next line */
1017 TALLOC_FREE(search_attrs);
1018 return ADS_ERROR(rc);
1019 }
1020 /**
1021 * Do a general ADS search
1022 * @param ads connection to ads server
1023 * @param res ** which will contain results - free res* with ads_msgfree()
1024 * @param expr Search expression
1025 * @param attrs Attributes to retrieve
1026 * @return status of search
1027 **/
1028 ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res,
1029 const char *expr, const char **attrs)
1030 {
1031 return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
1032 expr, attrs, res);
1033 }
1034
1035 /**
1036 * Do a search on a specific DistinguishedName
1037 * @param ads connection to ads server
1038 * @param res ** which will contain results - free res* with ads_msgfree()
1039 * @param dn DistinguishName to search
1040 * @param attrs Attributes to retrieve
1041 * @return status of search
1042 **/
1043 ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
1044 const char *dn, const char **attrs)
1045 {
1046 return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
1047 attrs, res);
1048 }
1049
1050 /**
1051 * Free up memory from a ads_search
1052 * @param ads connection to ads server
1053 * @param msg Search results to free
1054 **/
1055 void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg)
1056 {
1057 if (!msg) return;
1058 ldap_msgfree(msg);
1059 }
1060
1061 /**
1062 * Free up memory from various ads requests
1063 * @param ads connection to ads server
1064 * @param mem Area to free
1065 **/
1066 void ads_memfree(ADS_STRUCT *ads, void *mem)
1067 {
1068 SAFE_FREE(mem);
1069 }
1070
1071 /**
1072 * Get a dn from search results
1073 * @param ads connection to ads server
1074 * @param msg Search result
1075 * @return dn string
1076 **/
1077 char *ads_get_dn(ADS_STRUCT *ads, LDAPMessage *msg)
1078 {
1079 char *utf8_dn, *unix_dn;
1080
1081 utf8_dn = ldap_get_dn(ads->ldap.ld, msg);
1082
1083 if (!utf8_dn) {
1084 DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
1085 return NULL;
1086 }
1087
1088 if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) {
1089 DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
1090 utf8_dn ));
1091 return NULL;
1092 }
1093 ldap_memfree(utf8_dn);
1094 return unix_dn;
1095 }
1096
1097 /**
1098 * Get the parent from a dn
1099 * @param dn the dn to return the parent from
1100 * @return parent dn string
1101 **/
1102 char *ads_parent_dn(const char *dn)
1103 {
1104 char *p;
1105
1106 if (dn == NULL) {
1107 return NULL;
1108 }
1109
1110 p = strchr(dn, ',');
1111
1112 if (p == NULL) {
1113 return NULL;
1114 }
1115
1116 return p+1;
1117 }
1118
1119 /**
1120 * Find a machine account given a hostname
1121 * @param ads connection to ads server
1122 * @param res ** which will contain results - free res* with ads_msgfree()
1123 * @param host Hostname to search for
1124 * @return status of search
1125 **/
1126 ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res,
1127 const char *machine)
1128 {
1129 ADS_STATUS status;
1130 char *expr;
1131 const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
1132
1133 *res = NULL;
1134
1135 /* the easiest way to find a machine account anywhere in the tree
1136 is to look for hostname$ */
1137 if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
1138 DEBUG(1, ("asprintf failed!\n"));
1139 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1140 }
1141
1142 status = ads_search(ads, res, expr, attrs);
1143 SAFE_FREE(expr);
1144 return status;
1145 }
1146
1147 /**
1148 * Initialize a list of mods to be used in a modify request
1149 * @param ctx An initialized TALLOC_CTX
1150 * @return allocated ADS_MODLIST
1151 **/
1152 ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
1153 {
1154 #define ADS_MODLIST_ALLOC_SIZE 10
1155 LDAPMod **mods;
1156
1157 if ((mods = TALLOC_ZERO_ARRAY(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
1158 /* -1 is safety to make sure we don't go over the end.
1159 need to reset it to NULL before doing ldap modify */
1160 mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1161
1162 return (ADS_MODLIST)mods;
1163 }
1164
1165
1166 /*
1167 add an attribute to the list, with values list already constructed
1168 */
1169 static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1170 int mod_op, const char *name,
1171 const void *_invals)
1172 {
1173 const void **invals = (const void **)_invals;
1174 int curmod;
1175 LDAPMod **modlist = (LDAPMod **) *mods;
1176 struct berval **ber_values = NULL;
1177 char **char_values = NULL;
1178
1179 if (!invals) {
1180 mod_op = LDAP_MOD_DELETE;
1181 } else {
1182 if (mod_op & LDAP_MOD_BVALUES)
1183 ber_values = ads_dup_values(ctx,
1184 (const struct berval **)invals);
1185 else
1186 char_values = ads_push_strvals(ctx,
1187 (const char **) invals);
1188 }
1189
1190 /* find the first empty slot */
1191 for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
1192 curmod++);
1193 if (modlist[curmod] == (LDAPMod *) -1) {
1194 if (!(modlist = TALLOC_REALLOC_ARRAY(ctx, modlist, LDAPMod *,
1195 curmod+ADS_MODLIST_ALLOC_SIZE+1)))
1196 return ADS_ERROR(LDAP_NO_MEMORY);
1197 memset(&modlist[curmod], 0,
1198 ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
1199 modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1200 *mods = (ADS_MODLIST)modlist;
1201 }
1202
1203 if (!(modlist[curmod] = TALLOC_ZERO_P(ctx, LDAPMod)))
1204 return ADS_ERROR(LDAP_NO_MEMORY);
1205 modlist[curmod]->mod_type = talloc_strdup(ctx, name);
1206 if (mod_op & LDAP_MOD_BVALUES) {
1207 modlist[curmod]->mod_bvalues = ber_values;
1208 } else if (mod_op & LDAP_MOD_DELETE) {
1209 modlist[curmod]->mod_values = NULL;
1210 } else {
1211 modlist[curmod]->mod_values = char_values;
1212 }
1213
1214 modlist[curmod]->mod_op = mod_op;
1215 return ADS_ERROR(LDAP_SUCCESS);
1216 }
1217
1218 /**
1219 * Add a single string value to a mod list
1220 * @param ctx An initialized TALLOC_CTX
1221 * @param mods An initialized ADS_MODLIST
1222 * @param name The attribute name to add
1223 * @param val The value to add - NULL means DELETE
1224 * @return ADS STATUS indicating success of add
1225 **/
1226 ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1227 const char *name, const char *val)
1228 {
1229 const char *values[2];
1230
1231 values[0] = val;
1232 values[1] = NULL;
1233
1234 if (!val)
1235 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1236 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
1237 }
1238
1239 /**
1240 * Add an array of string values to a mod list
1241 * @param ctx An initialized TALLOC_CTX
1242 * @param mods An initialized ADS_MODLIST
1243 * @param name The attribute name to add
1244 * @param vals The array of string values to add - NULL means DELETE
1245 * @return ADS STATUS indicating success of add
1246 **/
1247 ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1248 const char *name, const char **vals)
1249 {
1250 if (!vals)
1251 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1252 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
1253 name, (const void **) vals);
1254 }
1255
1256 #if 0
1257 /**
1258 * Add a single ber-encoded value to a mod list
1259 * @param ctx An initialized TALLOC_CTX
1260 * @param mods An initialized ADS_MODLIST
1261 * @param name The attribute name to add
1262 * @param val The value to add - NULL means DELETE
1263 * @return ADS STATUS indicating success of add
1264 **/
1265 static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1266 const char *name, const struct berval *val)
1267 {
1268 const struct berval *values[2];
1269
1270 values[0] = val;
1271 values[1] = NULL;
1272 if (!val)
1273 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1274 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
1275 name, (const void **) values);
1276 }
1277 #endif
1278
1279 /**
1280 * Perform an ldap modify
1281 * @param ads connection to ads server
1282 * @param mod_dn DistinguishedName to modify
1283 * @param mods list of modifications to perform
1284 * @return status of modify
1285 **/
1286 ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
1287 {
1288 int ret,i;
1289 char *utf8_dn = NULL;
1290 /*
1291 this control is needed to modify that contains a currently
1292 non-existent attribute (but allowable for the object) to run
1293 */
1294 LDAPControl PermitModify = {
1295 CONST_DISCARD(char *, ADS_PERMIT_MODIFY_OID),
1296 {0, NULL},
1297 (char) 1};
1298 LDAPControl *controls[2];
1299
1300 controls[0] = &PermitModify;
1301 controls[1] = NULL;
1302
1303 if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
1304 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1305 }
1306
1307 /* find the end of the list, marked by NULL or -1 */
1308 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1309 /* make sure the end of the list is NULL */
1310 mods[i] = NULL;
1311 ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
1312 (LDAPMod **) mods, controls, NULL);
1313 SAFE_FREE(utf8_dn);
1314 return ADS_ERROR(ret);
1315 }
1316
1317 /**
1318 * Perform an ldap add
1319 * @param ads connection to ads server
1320 * @param new_dn DistinguishedName to add
1321 * @param mods list of attributes and values for DN
1322 * @return status of add
1323 **/
1324 ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
1325 {
1326 int ret, i;
1327 char *utf8_dn = NULL;
1328
1329 if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
1330 DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
1331 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1332 }
1333
1334 /* find the end of the list, marked by NULL or -1 */
1335 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1336 /* make sure the end of the list is NULL */
1337 mods[i] = NULL;
1338
1339 ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
1340 SAFE_FREE(utf8_dn);
1341 return ADS_ERROR(ret);
1342 }
1343
1344 /**
1345 * Delete a DistinguishedName
1346 * @param ads connection to ads server
1347 * @param new_dn DistinguishedName to delete
1348 * @return status of delete
1349 **/
1350 ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
1351 {
1352 int ret;
1353 char *utf8_dn = NULL;
1354 if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
1355 DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
1356 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1357 }
1358
1359 ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
1360 SAFE_FREE(utf8_dn);
1361 return ADS_ERROR(ret);
1362 }
1363
1364 /**
1365 * Build an org unit string
1366 * if org unit is Computers or blank then assume a container, otherwise
1367 * assume a / separated list of organisational units.
1368 * jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
1369 * @param ads connection to ads server
1370 * @param org_unit Organizational unit
1371 * @return org unit string - caller must free
1372 **/
1373 char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit)
1374 {
1375 char *ret = NULL;
1376
1377 if (!org_unit || !*org_unit) {
1378
1379 ret = ads_default_ou_string(ads, WELL_KNOWN_GUID_COMPUTERS);
1380
1381 /* samba4 might not yet respond to a wellknownobject-query */
1382 return ret ? ret : SMB_STRDUP("cn=Computers");
1383 }
1384
1385 if (strequal(org_unit, "Computers")) {
1386 return SMB_STRDUP("cn=Computers");
1387 }
1388
1389 /* jmcd: removed "\\" from the separation chars, because it is
1390 needed as an escape for chars like '#' which are valid in an
1391 OU name */
1392 return ads_build_path(org_unit, "/", "ou=", 1);
1393 }
1394
1395 /**
1396 * Get a org unit string for a well-known GUID
1397 * @param ads connection to ads server
1398 * @param wknguid Well known GUID
1399 * @return org unit string - caller must free
1400 **/
1401 char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
1402 {
1403 ADS_STATUS status;
1404 LDAPMessage *res = NULL;
1405 char *base, *wkn_dn = NULL, *ret = NULL, **wkn_dn_exp = NULL,
1406 **bind_dn_exp = NULL;
1407 const char *attrs[] = {"distinguishedName", NULL};
1408 int new_ln, wkn_ln, bind_ln, i;
1409
1410 if (wknguid == NULL) {
1411 return NULL;
1412 }
1413
1414 if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
1415 DEBUG(1, ("asprintf failed!\n"));
1416 return NULL;
1417 }
1418
1419 status = ads_search_dn(ads, &res, base, attrs);
1420 if (!ADS_ERR_OK(status)) {
1421 DEBUG(1,("Failed while searching for: %s\n", base));
1422 goto out;
1423 }
1424
1425 if (ads_count_replies(ads, res) != 1) {
1426 goto out;
1427 }
1428
1429 /* substitute the bind-path from the well-known-guid-search result */
1430 wkn_dn = ads_get_dn(ads, res);
1431 if (!wkn_dn) {
1432 goto out;
1433 }
1434
1435 wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
1436 if (!wkn_dn_exp) {
1437 goto out;
1438 }
1439
1440 bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
1441 if (!bind_dn_exp) {
1442 goto out;
1443 }
1444
1445 for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
1446 ;
1447 for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
1448 ;
1449
1450 new_ln = wkn_ln - bind_ln;
1451
1452 ret = SMB_STRDUP(wkn_dn_exp[0]);
1453 if (!ret) {
1454 goto out;
1455 }
1456
1457 for (i=1; i < new_ln; i++) {
1458 char *s = NULL;
1459
1460 if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
1461 SAFE_FREE(ret);
1462 goto out;
1463 }
1464
1465 SAFE_FREE(ret);
1466 ret = SMB_STRDUP(s);
1467 free(s);
1468 if (!ret) {
1469 goto out;
1470 }
1471 }
1472
1473 out:
1474 SAFE_FREE(base);
1475 ads_msgfree(ads, res);
1476 ads_memfree(ads, wkn_dn);
1477 if (wkn_dn_exp) {
1478 ldap_value_free(wkn_dn_exp);
1479 }
1480 if (bind_dn_exp) {
1481 ldap_value_free(bind_dn_exp);
1482 }
1483
1484 return ret;
1485 }
1486
1487 /**
1488 * Adds (appends) an item to an attribute array, rather then
1489 * replacing the whole list
1490 * @param ctx An initialized TALLOC_CTX
1491 * @param mods An initialized ADS_MODLIST
1492 * @param name name of the ldap attribute to append to
1493 * @param vals an array of values to add
1494 * @return status of addition
1495 **/
1496
1497 ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1498 const char *name, const char **vals)
1499 {
1500 return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
1501 (const void *) vals);
1502 }
1503
1504 /**
1505 * Determines the computer account's current KVNO via an LDAP lookup
1506 * @param ads An initialized ADS_STRUCT
1507 * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1508 * @return the kvno for the computer account, or -1 in case of a failure.
1509 **/
1510
1511 uint32 ads_get_kvno(ADS_STRUCT *ads, const char *machine_name)
1512 {
1513 LDAPMessage *res = NULL;
1514 uint32 kvno = (uint32)-1; /* -1 indicates a failure */
1515 char *filter;
1516 const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
1517 char *dn_string = NULL;
1518 ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1519
1520 DEBUG(5,("ads_get_kvno: Searching for host %s\n", machine_name));
1521 if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
1522 return kvno;
1523 }
1524 ret = ads_search(ads, &res, filter, attrs);
1525 SAFE_FREE(filter);
1526 if (!ADS_ERR_OK(ret) && ads_count_replies(ads, res)) {
1527 DEBUG(1,("ads_get_kvno: Computer Account For %s not found.\n", machine_name));
1528 ads_msgfree(ads, res);
1529 return kvno;
1530 }
1531
1532 dn_string = ads_get_dn(ads, res);
1533 if (!dn_string) {
1534 DEBUG(0,("ads_get_kvno: out of memory.\n"));
1535 ads_msgfree(ads, res);
1536 return kvno;
1537 }
1538 DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string));
1539 ads_memfree(ads, dn_string);
1540
1541 /* ---------------------------------------------------------
1542 * 0 is returned as a default KVNO from this point on...
1543 * This is done because Windows 2000 does not support key
1544 * version numbers. Chances are that a failure in the next
1545 * step is simply due to Windows 2000 being used for a
1546 * domain controller. */
1547 kvno = 0;
1548
1549 if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) {
1550 DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n"));
1551 DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n"));
1552 ads_msgfree(ads, res);
1553 return kvno;
1554 }
1555
1556 /* Success */
1557 DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno));
1558 ads_msgfree(ads, res);
1559 return kvno;
1560 }
1561
1562 /**
1563 * This clears out all registered spn's for a given hostname
1564 * @param ads An initilaized ADS_STRUCT
1565 * @param machine_name the NetBIOS name of the computer.
1566 * @return 0 upon success, non-zero otherwise.
1567 **/
1568
1569 ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name)
1570 {
1571 TALLOC_CTX *ctx;
1572 LDAPMessage *res = NULL;
1573 ADS_MODLIST mods;
1574 const char *servicePrincipalName[1] = {NULL};
1575 ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1576 char *dn_string = NULL;
1577
1578 ret = ads_find_machine_acct(ads, &res, machine_name);
1579 if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
1580 DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
1581 DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
1582 ads_msgfree(ads, res);
1583 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1584 }
1585
1586 DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
1587 ctx = talloc_init("ads_clear_service_principal_names");
1588 if (!ctx) {
1589 ads_msgfree(ads, res);
1590 return ADS_ERROR(LDAP_NO_MEMORY);
1591 }
1592
1593 if (!(mods = ads_init_mods(ctx))) {
1594 talloc_destroy(ctx);
1595 ads_msgfree(ads, res);
1596 return ADS_ERROR(LDAP_NO_MEMORY);
1597 }
1598 ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1599 if (!ADS_ERR_OK(ret)) {
1600 DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n"));
1601 ads_msgfree(ads, res);
1602 talloc_destroy(ctx);
1603 return ret;
1604 }
1605 dn_string = ads_get_dn(ads, res);
1606 if (!dn_string) {
1607 talloc_destroy(ctx);
1608 ads_msgfree(ads, res);
1609 return ADS_ERROR(LDAP_NO_MEMORY);
1610 }
1611 ret = ads_gen_mod(ads, dn_string, mods);
1612 ads_memfree(ads,dn_string);
1613 if (!ADS_ERR_OK(ret)) {
1614 DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n",
1615 machine_name));
1616 ads_msgfree(ads, res);
1617 talloc_destroy(ctx);
1618 return ret;
1619 }
1620
1621 ads_msgfree(ads, res);
1622 talloc_destroy(ctx);
1623 return ret;
1624 }
1625
1626 /**
1627 * This adds a service principal name to an existing computer account
1628 * (found by hostname) in AD.
1629 * @param ads An initialized ADS_STRUCT
1630 * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1631 * @param my_fqdn The fully qualified DNS name of the machine
1632 * @param spn A string of the service principal to add, i.e. 'host'
1633 * @return 0 upon sucess, or non-zero if a failure occurs
1634 **/
1635
1636 ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
1637 const char *my_fqdn, const char *spn)
1638 {
1639 ADS_STATUS ret;
1640 TALLOC_CTX *ctx;
1641 LDAPMessage *res = NULL;
1642 char *psp1, *psp2;
1643 ADS_MODLIST mods;
1644 char *dn_string = NULL;
1645 const char *servicePrincipalName[3] = {NULL, NULL, NULL};
1646
1647 ret = ads_find_machine_acct(ads, &res, machine_name);
1648 if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
1649 DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
1650 machine_name));
1651 DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principal '%s/%s@%s' has NOT been added.\n",
1652 spn, machine_name, ads->config.realm));
1653 ads_msgfree(ads, res);
1654 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1655 }
1656
1657 DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
1658 if (!(ctx = talloc_init("ads_add_service_principal_name"))) {
1659 ads_msgfree(ads, res);
1660 return ADS_ERROR(LDAP_NO_MEMORY);
1661 }
1662
1663 /* add short name spn */
1664
1665 if ( (psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name)) == NULL ) {
1666 talloc_destroy(ctx);
1667 ads_msgfree(ads, res);
1668 return ADS_ERROR(LDAP_NO_MEMORY);
1669 }
1670 strupper_m(psp1);
1671 strlower_m(&psp1[strlen(spn)]);
1672 servicePrincipalName[0] = psp1;
1673
1674 DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1675 psp1, machine_name));
1676
1677
1678 /* add fully qualified spn */
1679
1680 if ( (psp2 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn)) == NULL ) {
1681 ret = ADS_ERROR(LDAP_NO_MEMORY);
1682 goto out;
1683 }
1684 strupper_m(psp2);
1685 strlower_m(&psp2[strlen(spn)]);
1686 servicePrincipalName[1] = psp2;
1687
1688 DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1689 psp2, machine_name));
1690
1691 if ( (mods = ads_init_mods(ctx)) == NULL ) {
1692 ret = ADS_ERROR(LDAP_NO_MEMORY);
1693 goto out;
1694 }
1695
1696 ret = ads_add_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1697 if (!ADS_ERR_OK(ret)) {
1698 DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1699 goto out;
1700 }
1701
1702 if ( (dn_string = ads_get_dn(ads, res)) == NULL ) {
1703 ret = ADS_ERROR(LDAP_NO_MEMORY);
1704 goto out;
1705 }
1706
1707 ret = ads_gen_mod(ads, dn_string, mods);
1708 ads_memfree(ads,dn_string);
1709 if (!ADS_ERR_OK(ret)) {
1710 DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1711 goto out;
1712 }
1713
1714 out:
1715 TALLOC_FREE( ctx );
1716 ads_msgfree(ads, res);
1717 return ret;
1718 }
1719
1720 /**
1721 * adds a machine account to the ADS server
1722 * @param ads An intialized ADS_STRUCT
1723 * @param machine_name - the NetBIOS machine name of this account.
1724 * @param account_type A number indicating the type of account to create
1725 * @param org_unit The LDAP path in which to place this account
1726 * @return 0 upon success, or non-zero otherwise
1727 **/
1728
1729 ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
1730 const char *org_unit)
1731 {
1732 ADS_STATUS ret;
1733 char *samAccountName, *controlstr;
1734 TALLOC_CTX *ctx;
1735 ADS_MODLIST mods;
1736 char *machine_escaped = NULL;
1737 char *new_dn;
1738 const char *objectClass[] = {"top", "person", "organizationalPerson",
1739 "user", "computer", NULL};
1740 LDAPMessage *res = NULL;
1741 uint32 acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
1742 UF_DONT_EXPIRE_PASSWD |\
1743 UF_ACCOUNTDISABLE );
1744
1745 if (!(ctx = talloc_init("ads_add_machine_acct")))
1746 return ADS_ERROR(LDAP_NO_MEMORY);
1747
1748 ret = ADS_ERROR(LDAP_NO_MEMORY);
1749
1750 machine_escaped = escape_rdn_val_string_alloc(machine_name);
1751 if (!machine_escaped) {
1752 goto done;
1753 }
1754
1755 new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
1756 samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
1757
1758 if ( !new_dn || !samAccountName ) {
1759 goto done;
1760 }
1761
1762 #ifndef ENCTYPE_ARCFOUR_HMAC
1763 acct_control |= UF_USE_DES_KEY_ONLY;
1764 #endif
1765
1766 if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
1767 goto done;
1768 }
1769
1770 if (!(mods = ads_init_mods(ctx))) {
1771 goto done;
1772 }
1773
1774 ads_mod_str(ctx, &mods, "cn", machine_name);
1775 ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
1776 ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
1777 ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
1778
1779 ret = ads_gen_add(ads, new_dn, mods);
1780
1781 done:
1782 SAFE_FREE(machine_escaped);
1783 ads_msgfree(ads, res);
1784 talloc_destroy(ctx);
1785
1786 return ret;
1787 }
1788
1789 /**
1790 * move a machine account to another OU on the ADS server
1791 * @param ads - An intialized ADS_STRUCT
1792 * @param machine_name - the NetBIOS machine name of this account.
1793 * @param org_unit - The LDAP path in which to place this account
1794 * @param moved - whether we moved the machine account (optional)
1795 * @return 0 upon success, or non-zero otherwise
1796 **/
1797
1798 ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
1799 const char *org_unit, bool *moved)
1800 {
1801 ADS_STATUS rc;
1802 int ldap_status;
1803 LDAPMessage *res = NULL;
1804 char *filter = NULL;
1805 char *computer_dn = NULL;
1806 char *parent_dn;
1807 char *computer_rdn = NULL;
1808 bool need_move = False;
1809
1810 if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
1811 rc = ADS_ERROR(LDAP_NO_MEMORY);
1812 goto done;
1813 }
1814
1815 /* Find pre-existing machine */
1816 rc = ads_search(ads, &res, filter, NULL);
1817 if (!ADS_ERR_OK(rc)) {
1818 goto done;
1819 }
1820
1821 computer_dn = ads_get_dn(ads, res);
1822 if (!computer_dn) {
1823 rc = ADS_ERROR(LDAP_NO_MEMORY);
1824 goto done;
1825 }
1826
1827 parent_dn = ads_parent_dn(computer_dn);
1828 if (strequal(parent_dn, org_unit)) {
1829 goto done;
1830 }
1831
1832 need_move = True;
1833
1834 if (asprintf(&computer_rdn, "CN=%s", machine_name) == -1) {
1835 rc = ADS_ERROR(LDAP_NO_MEMORY);
1836 goto done;
1837 }
1838
1839 ldap_status = ldap_rename_s(ads->ldap.ld, computer_dn, computer_rdn,
1840 org_unit, 1, NULL, NULL);
1841 rc = ADS_ERROR(ldap_status);
1842
1843 done:
1844 ads_msgfree(ads, res);
1845 SAFE_FREE(filter);
1846 SAFE_FREE(computer_dn);
1847 SAFE_FREE(computer_rdn);
1848
1849 if (!ADS_ERR_OK(rc)) {
1850 need_move = False;
1851 }
1852
1853 if (moved) {
1854 *moved = need_move;
1855 }
1856
1857 return rc;
1858 }
1859
1860 /*
1861 dump a binary result from ldap
1862 */
1863 static void dump_binary(ADS_STRUCT *ads, const char *field, struct berval **values)
1864 {
1865 int i, j;
1866 for (i=0; values[i]; i++) {
1867 printf("%s: ", field);
1868 for (j=0; j<values[i]->bv_len; j++) {
1869 printf("%02X", (unsigned char)values[i]->bv_val[j]);
1870 }
1871 printf("\n");
1872 }
1873 }
1874
1875 static void dump_guid(ADS_STRUCT *ads, const char *field, struct berval **values)
1876 {
1877 int i;
1878 for (i=0; values[i]; i++) {
1879
1880 UUID_FLAT guid;
1881 struct GUID tmp;
1882
1883 memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
1884 smb_uuid_unpack(guid, &tmp);
1885 printf("%s: %s\n", field, smb_uuid_string(talloc_tos(), tmp));
1886 }
1887 }
1888
1889 /*
1890 dump a sid result from ldap
1891 */
1892 static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
1893 {
1894 int i;
1895 for (i=0; values[i]; i++) {
1896 DOM_SID sid;
1897 fstring tmp;
1898 sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
1899 printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
1900 }
1901 }
1902
1903 /*
1904 dump ntSecurityDescriptor
1905 */
1906 static void dump_sd(ADS_STRUCT *ads, const char *filed, struct berval **values)
1907 {
1908 TALLOC_CTX *frame = talloc_stackframe();
1909 struct security_descriptor *psd;
1910 NTSTATUS status;
1911
1912 status = unmarshall_sec_desc(talloc_tos(), (uint8 *)values[0]->bv_val,
1913 values[0]->bv_len, &psd);
1914 if (!NT_STATUS_IS_OK(status)) {
1915 DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
1916 nt_errstr(status)));
1917 TALLOC_FREE(frame);
1918 return;
1919 }
1920
1921 if (psd) {
1922 ads_disp_sd(ads, talloc_tos(), psd);
1923 }
1924
1925 TALLOC_FREE(frame);
1926 }
1927
1928 /*
1929 dump a string result from ldap
1930 */
1931 static void dump_string(const char *field, char **values)
1932 {
1933 int i;
1934 for (i=0; values[i]; i++) {
1935 printf("%s: %s\n", field, values[i]);
1936 }
1937 }
1938
1939 /*
1940 dump a field from LDAP on stdout
1941 used for debugging
1942 */
1943
1944 static bool ads_dump_field(ADS_STRUCT *ads, char *field, void **values, void *data_area)
1945 {
1946 const struct {
1947 const char *name;
1948 bool string;
1949 void (*handler)(ADS_STRUCT *, const char *, struct berval **);
1950 } handlers[] = {
1951 {"objectGUID", False, dump_guid},
1952 {"netbootGUID", False, dump_guid},
1953 {"nTSecurityDescriptor", False, dump_sd},
1954 {"dnsRecord", False, dump_binary},
1955 {"objectSid", False, dump_sid},
1956 {"tokenGroups", False, dump_sid},
1957 {"tokenGroupsNoGCAcceptable", False, dump_sid},
1958 {"tokengroupsGlobalandUniversal", False, dump_sid},
1959 {"mS-DS-CreatorSID", False, dump_sid},
1960 {"msExchMailboxGuid", False, dump_guid},
1961 {NULL, True, NULL}
1962 };
1963 int i;
1964
1965 if (!field) { /* must be end of an entry */
1966 printf("\n");
1967 return False;
1968 }
1969
1970 for (i=0; handlers[i].name; i++) {
1971 if (StrCaseCmp(handlers[i].name, field) == 0) {
1972 if (!values) /* first time, indicate string or not */
1973 return handlers[i].string;
1974 handlers[i].handler(ads, field, (struct berval **) values);
1975 break;
1976 }
1977 }
1978 if (!handlers[i].name) {
1979 if (!values) /* first time, indicate string conversion */
1980 return True;
1981 dump_string(field, (char **)values);
1982 }
1983 return False;
1984 }
1985
1986 /**
1987 * Dump a result from LDAP on stdout
1988 * used for debugging
1989 * @param ads connection to ads server
1990 * @param res Results to dump
1991 **/
1992
1993 void ads_dump(ADS_STRUCT *ads, LDAPMessage *res)
1994 {
1995 ads_process_results(ads, res, ads_dump_field, NULL);
1996 }
1997
1998 /**
1999 * Walk through results, calling a function for each entry found.
2000 * The function receives a field name, a berval * array of values,
2001 * and a data area passed through from the start. The function is
2002 * called once with null for field and values at the end of each
2003 * entry.
2004 * @param ads connection to ads server
2005 * @param res Results to process
2006 * @param fn Function for processing each result
2007 * @param data_area user-defined area to pass to function
2008 **/
2009 void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res,
2010 bool (*fn)(ADS_STRUCT *, char *, void **, void *),
2011 void *data_area)
2012 {
2013 LDAPMessage *msg;
2014 TALLOC_CTX *ctx;
2015
2016 if (!(ctx = talloc_init("ads_process_results")))
2017 return;
2018
2019 for (msg = ads_first_entry(ads, res); msg;
2020 msg = ads_next_entry(ads, msg)) {
2021 char *utf8_field;
2022 BerElement *b;
2023
2024 for (utf8_field=ldap_first_attribute(ads->ldap.ld,
2025 (LDAPMessage *)msg,&b);
2026 utf8_field;
2027 utf8_field=ldap_next_attribute(ads->ldap.ld,
2028 (LDAPMessage *)msg,b)) {
2029 struct berval **ber_vals;
2030 char **str_vals, **utf8_vals;
2031 char *field;
2032 bool string;
2033
2034 pull_utf8_talloc(ctx, &field, utf8_field);
2035 string = fn(ads, field, NULL, data_area);
2036
2037 if (string) {
2038 utf8_vals = ldap_get_values(ads->ldap.ld,
2039 (LDAPMessage *)msg, field);
2040 str_vals = ads_pull_strvals(ctx,
2041 (const char **) utf8_vals);
2042 fn(ads, field, (void **) str_vals, data_area);
2043 ldap_value_free(utf8_vals);
2044 } else {
2045 ber_vals = ldap_get_values_len(ads->ldap.ld,
2046 (LDAPMessage *)msg, field);
2047 fn(ads, field, (void **) ber_vals, data_area);
2048
2049 ldap_value_free_len(ber_vals);
2050 }
2051 ldap_memfree(utf8_field);
2052 }
2053 ber_free(b, 0);
2054 talloc_free_children(ctx);
2055 fn(ads, NULL, NULL, data_area); /* completed an entry */
2056
2057 }
2058 talloc_destroy(ctx);
2059 }
2060
2061 /**
2062 * count how many replies are in a LDAPMessage
2063 * @param ads connection to ads server
2064 * @param res Results to count
2065 * @return number of replies
2066 **/
2067 int ads_count_replies(ADS_STRUCT *ads, void *res)
2068 {
2069 return ldap_count_entries(ads->ldap.ld, (LDAPMessage *)res);
2070 }
2071
2072 /**
2073 * pull the first entry from a ADS result
2074 * @param ads connection to ads server
2075 * @param res Results of search
2076 * @return first entry from result
2077 **/
2078 LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res)
2079 {
2080 return ldap_first_entry(ads->ldap.ld, res);
2081 }
2082
2083 /**
2084 * pull the next entry from a ADS result
2085 * @param ads connection to ads server
2086 * @param res Results of search
2087 * @return next entry from result
2088 **/
2089 LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res)
2090 {
2091 return ldap_next_entry(ads->ldap.ld, res);
2092 }
2093
2094 /**
2095 * pull the first message from a ADS result
2096 * @param ads connection to ads server
2097 * @param res Results of search
2098 * @return first message from result
2099 **/
2100 LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res)
2101 {
2102 return ldap_first_message(ads->ldap.ld, res);
2103 }
2104
2105 /**
2106 * pull the next message from a ADS result
2107 * @param ads connection to ads server
2108 * @param res Results of search
2109 * @return next message from result
2110 **/
2111 LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res)
2112 {
2113 return ldap_next_message(ads->ldap.ld, res);
2114 }
2115
2116 /**
2117 * pull a single string from a ADS result
2118 * @param ads connection to ads server
2119 * @param mem_ctx TALLOC_CTX to use for allocating result string
2120 * @param msg Results of search
2121 * @param field Attribute to retrieve
2122 * @return Result string in talloc context
2123 **/
2124 char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg,
2125 const char *field)
2126 {
2127 char **values;
2128 char *ret = NULL;
2129 char *ux_string;
2130 size_t rc;
2131
2132 values = ldap_get_values(ads->ldap.ld, msg, field);
2133 if (!values)
2134 return NULL;
2135
2136 if (values[0]) {
2137 rc = pull_utf8_talloc(mem_ctx, &ux_string,
2138 values[0]);
2139 if (rc != (size_t)-1)
2140 ret = ux_string;
2141
2142 }
2143 ldap_value_free(values);
2144 return ret;
2145 }
2146
2147 /**
2148 * pull an array of strings from a ADS result
2149 * @param ads connection to ads server
2150 * @param mem_ctx TALLOC_CTX to use for allocating result string
2151 * @param msg Results of search
2152 * @param field Attribute to retrieve
2153 * @return Result strings in talloc context
2154 **/
2155 char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2156 LDAPMessage *msg, const char *field,
2157 size_t *num_values)
2158 {
2159 char **values;
2160 char **ret = NULL;
2161 int i;
2162
2163 values = ldap_get_values(ads->ldap.ld, msg, field);
2164 if (!values)
2165 return NULL;
2166
2167 *num_values = ldap_count_values(values);
2168
2169 ret = TALLOC_ARRAY(mem_ctx, char *, *num_values + 1);
2170 if (!ret) {
2171 ldap_value_free(values);
2172 return NULL;
2173 }
2174
2175 for (i=0;i<*num_values;i++) {
2176 if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
2177 ldap_value_free(values);
2178 return NULL;
2179 }
2180 }
2181 ret[i] = NULL;
2182
2183 ldap_value_free(values);
2184 return ret;
2185 }
2186
2187 /**
2188 * pull an array of strings from a ADS result
2189 * (handle large multivalue attributes with range retrieval)
2190 * @param ads connection to ads server
2191 * @param mem_ctx TALLOC_CTX to use for allocating result string
2192 * @param msg Results of search
2193 * @param field Attribute to retrieve
2194 * @param current_strings strings returned by a previous call to this function
2195 * @param next_attribute The next query should ask for this attribute
2196 * @param num_values How many values did we get this time?
2197 * @param more_values Are there more values to get?
2198 * @return Result strings in talloc context
2199 **/
2200 char **ads_pull_strings_range(ADS_STRUCT *ads,
2201 TALLOC_CTX *mem_ctx,
2202 LDAPMessage *msg, const char *field,
2203 char **current_strings,
2204 const char **next_attribute,
2205 size_t *num_strings,
2206 bool *more_strings)
2207 {
2208 char *attr;
2209 char *expected_range_attrib, *range_attr;
2210 BerElement *ptr = NULL;
2211 char **strings;
2212 char **new_strings;
2213 size_t num_new_strings;
2214 unsigned long int range_start;
2215 unsigned long int range_end;
2216
2217 /* we might have been given the whole lot anyway */
2218 if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
2219 *more_strings = False;
2220 return strings;
2221 }
2222
2223 expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
2224
2225 /* look for Range result */
2226 for (attr = ldap_first_attribute(ads->ldap.ld, (LDAPMessage *)msg, &ptr);
2227 attr;
2228 attr = ldap_next_attribute(ads->ldap.ld, (LDAPMessage *)msg, ptr)) {
2229 /* we ignore the fact that this is utf8, as all attributes are ascii... */
2230 if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) {
2231 range_attr = attr;
2232 break;
2233 }
2234 ldap_memfree(attr);
2235 }
2236 if (!attr) {
2237 ber_free(ptr, 0);
2238 /* nothing here - this field is just empty */
2239 *more_strings = False;
2240 return NULL;
2241 }
2242
2243 if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
2244 &range_start, &range_end) == 2) {
2245 *more_strings = True;
2246 } else {
2247 if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
2248 &range_start) == 1) {
2249 *more_strings = False;
2250 } else {
2251 DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n",
2252 range_attr));
2253 ldap_memfree(range_attr);
2254 *more_strings = False;
2255 return NULL;
2256 }
2257 }
2258
2259 if ((*num_strings) != range_start) {
2260 DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
2261 " - aborting range retreival\n",
2262 range_attr, (unsigned int)(*num_strings) + 1, range_start));
2263 ldap_memfree(range_attr);
2264 *more_strings = False;
2265 return NULL;
2266 }
2267
2268 new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
2269
2270 if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) {
2271 DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
2272 "strings in this bunch, but we only got %lu - aborting range retreival\n",
2273 range_attr, (unsigned long int)range_end - range_start + 1,
2274 (unsigned long int)num_new_strings));
2275 ldap_memfree(range_attr);
2276 *more_strings = False;
2277 return NULL;
2278 }
2279
2280 strings = TALLOC_REALLOC_ARRAY(mem_ctx, current_strings, char *,
2281 *num_strings + num_new_strings);
2282
2283 if (strings == NULL) {
2284 ldap_memfree(range_attr);
2285 *more_strings = False;
2286 return NULL;
2287 }
2288
2289 if (new_strings && num_new_strings) {
2290 memcpy(&strings[*num_strings], new_strings,
2291 sizeof(*new_strings) * num_new_strings);
2292 }
2293
2294 (*num_strings) += num_new_strings;
2295
2296 if (*more_strings) {
2297 *next_attribute = talloc_asprintf(mem_ctx,
2298 "%s;range=%d-*",
2299 field,
2300 (int)*num_strings);
2301
2302 if (!*next_attribute) {
2303 DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
2304 ldap_memfree(range_attr);
2305 *more_strings = False;
2306 return NULL;
2307 }
2308 }
2309
2310 ldap_memfree(range_attr);
2311
2312 return strings;
2313 }
2314
2315 /**
2316 * pull a single uint32 from a ADS result
2317 * @param ads connection to ads server
2318 * @param msg Results of search
2319 * @param field Attribute to retrieve
2320 * @param v Pointer to int to store result
2321 * @return boolean inidicating success
2322 */
2323 bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
2324 uint32 *v)
2325 {
2326 char **values;
2327
2328 values = ldap_get_values(ads->ldap.ld, msg, field);
2329 if (!values)
2330 return False;
2331 if (!values[0]) {
2332 ldap_value_free(values);
2333 return False;
2334 }
2335
2336 *v = atoi(values[0]);
2337 ldap_value_free(values);
2338 return True;
2339 }
2340
2341 /**
2342 * pull a single objectGUID from an ADS result
2343 * @param ads connection to ADS server
2344 * @param msg results of search
2345 * @param guid 37-byte area to receive text guid
2346 * @return boolean indicating success
2347 **/
2348 bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid)
2349 {
2350 char **values;
2351 UUID_FLAT flat_guid;
2352
2353 values = ldap_get_values(ads->ldap.ld, msg, "objectGUID");
2354 if (!values)
2355 return False;
2356
2357 if (values[0]) {
2358 memcpy(&flat_guid.info, values[0], sizeof(UUID_FLAT));
2359 smb_uuid_unpack(flat_guid, guid);
2360 ldap_value_free(values);
2361 return True;
2362 }
2363 ldap_value_free(values);
2364 return False;
2365
2366 }
2367
2368
2369 /**
2370 * pull a single DOM_SID from a ADS result
2371 * @param ads connection to ads server
2372 * @param msg Results of search
2373 * @param field Attribute to retrieve
2374 * @param sid Pointer to sid to store result
2375 * @return boolean inidicating success
2376 */
2377 bool ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
2378 DOM_SID *sid)
2379 {
2380 struct berval **values;
2381 bool ret = False;
2382
2383 values = ldap_get_values_len(ads->ldap.ld, msg, field);
2384
2385 if (!values)
2386 return False;
2387
2388 if (values[0])
2389 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
2390
2391 ldap_value_free_len(values);
2392 return ret;
2393 }
2394
2395 /**
2396 * pull an array of DOM_SIDs from a ADS result
2397 * @param ads connection to ads server
2398 * @param mem_ctx TALLOC_CTX for allocating sid array
2399 * @param msg Results of search
2400 * @param field Attribute to retrieve
2401 * @param sids pointer to sid array to allocate
2402 * @return the count of SIDs pulled
2403 **/
2404 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2405 LDAPMessage *msg, const char *field, DOM_SID **sids)
2406 {
2407 struct berval **values;
2408 bool ret;
2409 int count, i;
2410
2411 values = ldap_get_values_len(ads->ldap.ld, msg, field);
2412
2413 if (!values)
2414 return 0;
2415
2416 for (i=0; values[i]; i++)
2417 /* nop */ ;
2418
2419 if (i) {
2420 (*sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, i);
2421 if (!(*sids)) {
2422 ldap_value_free_len(values);
2423 return 0;
2424 }
2425 } else {
2426 (*sids) = NULL;
2427 }
2428
2429 count = 0;
2430 for (i=0; values[i]; i++) {
2431 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
2432 if (ret) {
2433 DEBUG(10, ("pulling SID: %s\n",
2434 sid_string_dbg(&(*sids)[count])));
2435 count++;
2436 }
2437 }
2438
2439 ldap_value_free_len(values);
2440 return count;
2441 }
2442
2443 /**
2444 * pull a SEC_DESC from a ADS result
2445 * @param ads connection to ads server
2446 * @param mem_ctx TALLOC_CTX for allocating sid array
2447 * @param msg Results of search
2448 * @param field Attribute to retrieve
2449 * @param sd Pointer to *SEC_DESC to store result (talloc()ed)
2450 * @return boolean inidicating success
2451 */
2452 bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2453 LDAPMessage *msg, const char *field, SEC_DESC **sd)
2454 {
2455 struct berval **values;
2456 bool ret = true;
2457
2458 values = ldap_get_values_len(ads->ldap.ld, msg, field);
2459
2460 if (!values) return false;
2461
2462 if (values[0]) {
2463 NTSTATUS status;
2464 status = unmarshall_sec_desc(mem_ctx,
2465 (uint8 *)values[0]->bv_val,
2466 values[0]->bv_len, sd);
2467 if (!NT_STATUS_IS_OK(status)) {
2468 DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
2469 nt_errstr(status)));
2470 ret = false;
2471 }
2472 }
2473
2474 ldap_value_free_len(values);
2475 return ret;
2476 }
2477
2478 /*
2479 * in order to support usernames longer than 21 characters we need to
2480 * use both the sAMAccountName and the userPrincipalName attributes
2481 * It seems that not all users have the userPrincipalName attribute set
2482 *
2483 * @param ads connection to ads server
2484 * @param mem_ctx TALLOC_CTX for allocating sid array
2485 * @param msg Results of search
2486 * @return the username
2487 */
2488 char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2489 LDAPMessage *msg)
2490 {
2491 #if 0 /* JERRY */
2492 char *ret, *p;
2493
2494 /* lookup_name() only works on the sAMAccountName to
2495 returning the username portion of userPrincipalName
2496 breaks winbindd_getpwnam() */
2497
2498 ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
2499 if (ret && (p = strchr_m(ret, '@'))) {
2500 *p = 0;
2501 return ret;
2502 }
2503 #endif
2504 return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
2505 }
2506
2507
2508 /**
2509 * find the update serial number - this is the core of the ldap cache
2510 * @param ads connection to ads server
2511 * @param ads connection to ADS server
2512 * @param usn Pointer to retrieved update serial number
2513 * @return status of search
2514 **/
2515 ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
2516 {
2517 const char *attrs[] = {"highestCommittedUSN", NULL};
2518 ADS_STATUS status;
2519 LDAPMessage *res;
2520
2521 status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2522 if (!ADS_ERR_OK(status))
2523 return status;
2524
2525 if (ads_count_replies(ads, res) != 1) {
2526 ads_msgfree(ads, res);
2527 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2528 }
2529
2530 if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) {
2531 ads_msgfree(ads, res);
2532 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
2533 }
2534
2535 ads_msgfree(ads, res);
2536 return ADS_SUCCESS;
2537 }
2538
2539 /* parse a ADS timestring - typical string is
2540 '20020917091222.0Z0' which means 09:12.22 17th September
2541 2002, timezone 0 */
2542 static time_t ads_parse_time(const char *str)
2543 {
2544 struct tm tm;
2545
2546 ZERO_STRUCT(tm);
2547
2548 if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
2549 &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
2550 &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
2551 return 0;
2552 }
2553 tm.tm_year -= 1900;
2554 tm.tm_mon -= 1;
2555
2556 return timegm(&tm);
2557 }
2558
2559 /********************************************************************
2560 ********************************************************************/
2561
2562 ADS_STATUS ads_current_time(ADS_STRUCT *ads)
2563 {
2564 const char *attrs[] = {"currentTime", NULL};
2565 ADS_STATUS status;
2566 LDAPMessage *res;
2567 char *timestr;
2568 TALLOC_CTX *ctx;
2569 ADS_STRUCT *ads_s = ads;
2570
2571 if (!(ctx = talloc_init("ads_current_time"))) {
2572 return ADS_ERROR(LDAP_NO_MEMORY);
2573 }
2574
2575 /* establish a new ldap tcp session if necessary */
2576
2577 if ( !ads->ldap.ld ) {
2578 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2579 ads->server.ldap_server )) == NULL )
2580 {
2581 goto done;
2582 }
2583 ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2584 status = ads_connect( ads_s );
2585 if ( !ADS_ERR_OK(status))
2586 goto done;
2587 }
2588
2589 status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2590 if (!ADS_ERR_OK(status)) {
2591 goto done;
2592 }
2593
2594 timestr = ads_pull_string(ads_s, ctx, res, "currentTime");
2595 if (!timestr) {
2596 ads_msgfree(ads_s, res);
2597 status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2598 goto done;
2599 }
2600
2601 /* but save the time and offset in the original ADS_STRUCT */
2602
2603 ads->config.current_time = ads_parse_time(timestr);
2604
2605 if (ads->config.current_time != 0) {
2606 ads->auth.time_offset = ads->config.current_time - time(NULL);
2607 DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
2608 }
2609
2610 ads_msgfree(ads, res);
2611
2612 status = ADS_SUCCESS;
2613
2614 done:
2615 /* free any temporary ads connections */
2616 if ( ads_s != ads ) {
2617 ads_destroy( &ads_s );
2618 }
2619 talloc_destroy(ctx);
2620
2621 return status;
2622 }
2623
2624 /********************************************************************
2625 ********************************************************************/
2626
2627 ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val)
2628 {
2629 const char *attrs[] = {"domainFunctionality", NULL};
2630 ADS_STATUS status;
2631 LDAPMessage *res;
2632 ADS_STRUCT *ads_s = ads;
2633
2634 *val = DS_DOMAIN_FUNCTION_2000;
2635
2636 /* establish a new ldap tcp session if necessary */
2637
2638 if ( !ads->ldap.ld ) {
2639 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2640 ads->server.ldap_server )) == NULL )
2641 {
2642 goto done;
2643 }
2644 ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2645 status = ads_connect( ads_s );
2646 if ( !ADS_ERR_OK(status))
2647 goto done;
2648 }
2649
2650 /* If the attribute does not exist assume it is a Windows 2000
2651 functional domain */
2652
2653 status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2654 if (!ADS_ERR_OK(status)) {
2655 if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
2656 status = ADS_SUCCESS;
2657 }
2658 goto done;
2659 }
2660
2661 if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
2662 DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
2663 }
2664 DEBUG(3,("ads_domain_func_level: %d\n", *val));
2665
2666
2667 ads_msgfree(ads, res);
2668
2669 done:
2670 /* free any temporary ads connections */
2671 if ( ads_s != ads ) {
2672 ads_destroy( &ads_s );
2673 }
2674
2675 return status;
2676 }
2677
2678 /**
2679 * find the domain sid for our domain
2680 * @param ads connection to ads server
2681 * @param sid Pointer to domain sid
2682 * @return status of search
2683 **/
2684 ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
2685 {
2686 const char *attrs[] = {"objectSid", NULL};
2687 LDAPMessage *res;
2688 ADS_STATUS rc;
2689
2690 rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
2691 attrs, &res);
2692 if (!ADS_ERR_OK(rc)) return rc;
2693 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
2694 ads_msgfree(ads, res);
2695 return ADS_ERROR_SYSTEM(ENOENT);
2696 }
2697 ads_msgfree(ads, res);
2698
2699 return ADS_SUCCESS;
2700 }
2701
2702 /**
2703 * find our site name
2704 * @param ads connection to ads server
2705 * @param mem_ctx Pointer to talloc context
2706 * @param site_name Pointer to the sitename
2707 * @return status of search
2708 **/
2709 ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name)
2710 {
2711 ADS_STATUS status;
2712 LDAPMessage *res;
2713 const char *dn, *service_name;
2714 const char *attrs[] = { "dsServiceName", NULL };
2715
2716 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2717 if (!ADS_ERR_OK(status)) {
2718 return status;
2719 }
2720
2721 service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
2722 if (service_name == NULL) {
2723 ads_msgfree(ads, res);
2724 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2725 }
2726
2727 ads_msgfree(ads, res);
2728
2729 /* go up three levels */
2730 dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
2731 if (dn == NULL) {
2732 return ADS_ERROR(LDAP_NO_MEMORY);
2733 }
2734
2735 *site_name = talloc_strdup(mem_ctx, dn);
2736 if (*site_name == NULL) {
2737 return ADS_ERROR(LDAP_NO_MEMORY);
2738 }
2739
2740 return status;
2741 /*
2742 dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
2743 */
2744 }
2745
2746 /**
2747 * find the site dn where a machine resides
2748 * @param ads connection to ads server
2749 * @param mem_ctx Pointer to talloc context
2750 * @param computer_name name of the machine
2751 * @param site_name Pointer to the sitename
2752 * @return status of search
2753 **/
2754 ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn)
2755 {
2756 ADS_STATUS status;
2757 LDAPMessage *res;
2758 const char *parent, *filter;
2759 char *config_context = NULL;
2760 char *dn;
2761
2762 /* shortcut a query */
2763 if (strequal(computer_name, ads->config.ldap_server_name)) {
2764 return ads_site_dn(ads, mem_ctx, site_dn);
2765 }
2766
2767 status = ads_config_path(ads, mem_ctx, &config_context);
2768 if (!ADS_ERR_OK(status)) {
2769 return status;
2770 }
2771
2772 filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
2773 if (filter == NULL) {
2774 return ADS_ERROR(LDAP_NO_MEMORY);
2775 }
2776
2777 status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE,
2778 filter, NULL, &res);
2779 if (!ADS_ERR_OK(status)) {
2780 return status;
2781 }
2782
2783 if (ads_count_replies(ads, res) != 1) {
2784 ads_msgfree(ads, res);
2785 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2786 }
2787
2788 dn = ads_get_dn(ads, res);
2789 if (dn == NULL) {
2790 ads_msgfree(ads, res);
2791 return ADS_ERROR(LDAP_NO_MEMORY);
2792 }
2793
2794 /* go up three levels */
2795 parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
2796 if (parent == NULL) {
2797 ads_msgfree(ads, res);
2798 ads_memfree(ads, dn);
2799 return ADS_ERROR(LDAP_NO_MEMORY);
2800 }
2801
2802 *site_dn = talloc_strdup(mem_ctx, parent);
2803 if (*site_dn == NULL) {
2804 ads_msgfree(ads, res);
2805 ads_memfree(ads, dn);
2806 return ADS_ERROR(LDAP_NO_MEMORY);
2807 }
2808
2809 ads_memfree(ads, dn);
2810 ads_msgfree(ads, res);
2811
2812 return status;
2813 }
2814
2815 /**
2816 * get the upn suffixes for a domain
2817 * @param ads connection to ads server
2818 * @param mem_ctx Pointer to talloc context
2819 * @param suffixes Pointer to an array of suffixes
2820 * @param num_suffixes Pointer to the number of suffixes
2821 * @return status of search
2822 **/
2823 ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes)
2824 {
2825 ADS_STATUS status;
2826 LDAPMessage *res;
2827 const char *base;
2828 char *config_context = NULL;
2829 const char *attrs[] = { "uPNSuffixes", NULL };
2830
2831 status = ads_config_path(ads, mem_ctx, &config_context);
2832 if (!ADS_ERR_OK(status)) {
2833 return status;
2834 }
2835
2836 base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
2837 if (base == NULL) {
2838 return ADS_ERROR(LDAP_NO_MEMORY);
2839 }
2840
2841 status = ads_search_dn(ads, &res, base, attrs);
2842 if (!ADS_ERR_OK(status)) {
2843 return status;
2844 }
2845
2846 if (ads_count_replies(ads, res) != 1) {
2847 ads_msgfree(ads, res);
2848 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2849 }
2850
2851 (*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
2852 if ((*suffixes) == NULL) {
2853 ads_msgfree(ads, res);
2854 return ADS_ERROR(LDAP_NO_MEMORY);
2855 }
2856
2857 ads_msgfree(ads, res);
2858
2859 return status;
2860 }
2861
2862 /**
2863 * get the joinable ous for a domain
2864 * @param ads connection to ads server
2865 * @param mem_ctx Pointer to talloc context
2866 * @param ous Pointer to an array of ous
2867 * @param num_ous Pointer to the number of ous
2868 * @return status of search
2869 **/
2870 ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
2871 TALLOC_CTX *mem_ctx,
2872 char ***ous,
2873 size_t *num_ous)
2874 {
2875 ADS_STATUS status;
2876 LDAPMessage *res = NULL;
2877 LDAPMessage *msg = NULL;
2878 const char *attrs[] = { "dn", NULL };
2879 int count = 0;
2880
2881 status = ads_search(ads, &res,
2882 "(|(objectClass=domain)(objectclass=organizationalUnit))",
2883 attrs);
2884 if (!ADS_ERR_OK(status)) {
2885 return status;
2886 }
2887
2888 count = ads_count_replies(ads, res);
2889 if (count < 1) {
2890 ads_msgfree(ads, res);
2891 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2892 }
2893
2894 for (msg = ads_first_entry(ads, res); msg;
2895 msg = ads_next_entry(ads, msg)) {
2896
2897 char *dn = NULL;
2898
2899 dn = ads_get_dn(ads, msg);
2900 if (!dn) {
2901 ads_msgfree(ads, res);
2902 return ADS_ERROR(LDAP_NO_MEMORY);
2903 }
2904
2905 if (!add_string_to_array(mem_ctx, dn,
2906 (const char ***)ous,
2907 (int *)num_ous)) {
2908 ads_memfree(ads, dn);
2909 ads_msgfree(ads, res);
2910 return ADS_ERROR(LDAP_NO_MEMORY);
2911 }
2912
2913 ads_memfree(ads, dn);
2914 }
2915
2916 ads_msgfree(ads, res);
2917
2918 return status;
2919 }
2920
2921
2922 /**
2923 * pull a DOM_SID from an extended dn string
2924 * @param mem_ctx TALLOC_CTX
2925 * @param extended_dn string
2926 * @param flags string type of extended_dn
2927 * @param sid pointer to a DOM_SID
2928 * @return boolean inidicating success
2929 **/
2930 bool ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
2931 const char *extended_dn,
2932 enum ads_extended_dn_flags flags,
2933 DOM_SID *sid)
2934 {
2935 char *p, *q, *dn;
2936
2937 if (!extended_dn) {
2938 return False;
2939 }
2940
2941 /* otherwise extended_dn gets stripped off */
2942 if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) {
2943 return False;
2944 }
2945 /*
2946 * ADS_EXTENDED_DN_HEX_STRING:
2947 * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
2948 *
2949 * ADS_EXTENDED_DN_STRING (only with w2k3):
2950 <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
2951 */
2952
2953 p = strchr(dn, ';');
2954 if (!p) {
2955 return False;
2956 }
2957
2958 if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
2959 return False;
2960 }
2961
2962 p += strlen(";<SID=");
2963
2964 q = strchr(p, '>');
2965 if (!q) {
2966 return False;
2967 }
2968
2969 *q = '\0';
2970
2971 DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
2972
2973 switch (flags) {
2974
2975 case ADS_EXTENDED_DN_STRING:
2976 if (!string_to_sid(sid, p)) {
2977 return False;
2978 }
2979 break;
2980 case ADS_EXTENDED_DN_HEX_STRING: {
2981 fstring buf;
2982 size_t buf_len;
2983
2984 buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p));
2985 if (buf_len == 0) {
2986 return False;
2987 }
2988
2989 if (!sid_parse(buf, buf_len, sid)) {
2990 DEBUG(10,("failed to parse sid\n"));
2991 return False;
2992 }
2993 break;
2994 }
2995 default:
2996 DEBUG(10,("unknown extended dn format\n"));
2997 return False;
2998 }
2999
3000 return True;
3001 }
3002
3003 /**
3004 * pull an array of DOM_SIDs from a ADS result
3005 * @param ads connection to ads server
3006 * @param mem_ctx TALLOC_CTX for allocating sid array
3007 * @param msg Results of search
3008 * @param field Attribute to retrieve
3009 * @param flags string type of extended_dn
3010 * @param sids pointer to sid array to allocate
3011 * @return the count of SIDs pulled
3012 **/
3013 int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
3014 TALLOC_CTX *mem_ctx,
3015 LDAPMessage *msg,
3016 const char *field,
3017 enum ads_extended_dn_flags flags,
3018 DOM_SID **sids)
3019 {
3020 int i;
3021 size_t dn_count;
3022 char **dn_strings;
3023
3024 if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
3025 &dn_count)) == NULL) {
3026 return 0;
3027 }
3028
3029 (*sids) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, dn_count + 1);
3030 if (!(*sids)) {
3031 TALLOC_FREE(dn_strings);
3032 return 0;
3033 }
3034
3035 for (i=0; i<dn_count; i++) {
3036
3037 if (!ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
3038 flags, &(*sids)[i])) {
3039 TALLOC_FREE(*sids);
3040 TALLOC_FREE(dn_strings);
3041 return 0;
3042 }
3043 }
3044
3045 TALLOC_FREE(dn_strings);
3046
3047 return dn_count;
3048 }
3049
3050 /********************************************************************
3051 ********************************************************************/
3052
3053 char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
3054 {
3055 LDAPMessage *res = NULL;
3056 ADS_STATUS status;
3057 int count = 0;
3058 char *name = NULL;
3059
3060 status = ads_find_machine_acct(ads, &res, global_myname());
3061 if (!ADS_ERR_OK(status)) {
3062 DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
3063 global_myname()));
3064 goto out;
3065 }
3066
3067 if ( (count = ads_count_replies(ads, res)) != 1 ) {
3068 DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
3069 goto out;
3070 }
3071
3072 if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
3073 DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
3074 }
3075
3076 out:
3077 ads_msgfree(ads, res);
3078
3079 return name;
3080 }
3081
3082 /********************************************************************
3083 ********************************************************************/
3084
3085 char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
3086 {
3087 LDAPMessage *res = NULL;
3088 ADS_STATUS status;
3089 int count = 0;
3090 char *name = NULL;
3091
3092 status = ads_find_machine_acct(ads, &res, machine_name);
3093 if (!ADS_ERR_OK(status)) {
3094 DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
3095 global_myname()));
3096 goto out;
3097 }
3098
3099 if ( (count = ads_count_replies(ads, res)) != 1 ) {
3100 DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
3101 goto out;
3102 }
3103
3104 if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
3105 DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
3106 }
3107
3108 out:
3109 ads_msgfree(ads, res);
3110
3111 return name;
3112 }
3113
3114 /********************************************************************
3115 ********************************************************************/
3116
3117 char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
3118 {
3119 LDAPMessage *res = NULL;
3120 ADS_STATUS status;
3121 int count = 0;
3122 char *name = NULL;
3123
3124 status = ads_find_machine_acct(ads, &res, global_myname());
3125 if (!ADS_ERR_OK(status)) {
3126 DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
3127 global_myname()));
3128 goto out;
3129 }
3130
3131 if ( (count = ads_count_replies(ads, res)) != 1 ) {
3132 DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
3133 goto out;
3134 }
3135
3136 if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
3137 DEBUG(0,("ads_get_dnshostname: No sAMAccountName attribute!\n"));
3138 }
3139
3140 out:
3141 ads_msgfree(ads, res);
3142
3143 return name;
3144 }
3145
3146 #if 0
3147
3148 SAVED CODE - we used to join via ldap - remember how we did this. JRA.
3149
3150 /**
3151 * Join a machine to a realm
3152 * Creates the machine account and sets the machine password
3153 * @param ads connection to ads server
3154 * @param machine name of host to add
3155 * @param org_unit Organizational unit to place machine in
3156 * @return status of join
3157 **/
3158 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
3159 uint32 account_type, const char *org_unit)
3160 {
3161 ADS_STATUS status;
3162 LDAPMessage *res = NULL;
3163 char *machine;
3164
3165 /* machine name must be lowercase */
3166 machine = SMB_STRDUP(machine_name);
3167 strlower_m(machine);
3168
3169 /*
3170 status = ads_find_machine_acct(ads, (void **)&res, machine);
3171 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3172 DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
3173 status = ads_leave_realm(ads, machine);
3174 if (!ADS_ERR_OK(status)) {
3175 DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
3176 machine, ads->config.realm));
3177 return status;
3178 }
3179 }
3180 */
3181 status = ads_add_machine_acct(ads, machine, account_type, org_unit);
3182 if (!ADS_ERR_OK(status)) {
3183 DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
3184 SAFE_FREE(machine);
3185 return status;
3186 }
3187
3188 status = ads_find_machine_acct(ads, (void **)(void *)&res, machine);
3189 if (!ADS_ERR_OK(status)) {
3190 DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
3191 SAFE_FREE(machine);
3192 return status;
3193 }
3194
3195 SAFE_FREE(machine);
3196 ads_msgfree(ads, res);
3197
3198 return status;
3199 }
3200 #endif
3201
3202 /**
3203 * Delete a machine from the realm
3204 * @param ads connection to ads server
3205 * @param hostname Machine to remove
3206 * @return status of delete
3207 **/
3208 ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
3209 {
3210 ADS_STATUS status;
3211 void *msg;
3212 LDAPMessage *res;
3213 char *hostnameDN, *host;
3214 int rc;
3215 LDAPControl ldap_control;
3216 LDAPControl * pldap_control[2] = {NULL, NULL};
3217
3218 pldap_control[0] = &ldap_control;
3219 memset(&ldap_control, 0, sizeof(LDAPControl));
3220 ldap_control.ldctl_oid = (char *)LDAP_SERVER_TREE_DELETE_OID;
3221
3222 /* hostname must be lowercase */
3223 host = SMB_STRDUP(hostname);
3224 strlower_m(host);
3225
3226 status = ads_find_machine_acct(ads, &res, host);
3227 if (!ADS_ERR_OK(status)) {
3228 DEBUG(0, ("Host account for %s does not exist.\n", host));
3229 SAFE_FREE(host);
3230 return status;
3231 }
3232
3233 msg = ads_first_entry(ads, res);
3234 if (!msg) {
3235 SAFE_FREE(host);
3236 return ADS_ERROR_SYSTEM(ENOENT);
3237 }
3238
3239 hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg);
3240
3241 rc = ldap_delete_ext_s(ads->ldap.ld, hostnameDN, pldap_control, NULL);
3242 if (rc) {
3243 DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc));
3244 }else {
3245 DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
3246 }
3247
3248 if (rc != LDAP_SUCCESS) {
3249 const char *attrs[] = { "cn", NULL };
3250 LDAPMessage *msg_sub;
3251
3252 /* we only search with scope ONE, we do not expect any further
3253 * objects to be created deeper */
3254
3255 status = ads_do_search_retry(ads, hostnameDN,
3256 LDAP_SCOPE_ONELEVEL,
3257 "(objectclass=*)", attrs, &res);
3258
3259 if (!ADS_ERR_OK(status)) {
3260 SAFE_FREE(host);
3261 ads_memfree(ads, hostnameDN);
3262 return status;
3263 }
3264
3265 for (msg_sub = ads_first_entry(ads, res); msg_sub;
3266 msg_sub = ads_next_entry(ads, msg_sub)) {
3267
3268 char *dn = NULL;
3269
3270 if ((dn = ads_get_dn(ads, msg_sub)) == NULL) {
3271 SAFE_FREE(host);
3272 ads_memfree(ads, hostnameDN);
3273 return ADS_ERROR(LDAP_NO_MEMORY);
3274 }
3275
3276 status = ads_del_dn(ads, dn);
3277 if (!ADS_ERR_OK(status)) {
3278 DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status)));
3279 SAFE_FREE(host);
3280 ads_memfree(ads, dn);
3281 ads_memfree(ads, hostnameDN);
3282 return status;
3283 }
3284
3285 ads_memfree(ads, dn);
3286 }
3287
3288 /* there should be no subordinate objects anymore */
3289 status = ads_do_search_retry(ads, hostnameDN,
3290 LDAP_SCOPE_ONELEVEL,
3291 "(objectclass=*)", attrs, &res);
3292
3293 if (!ADS_ERR_OK(status) || ( (ads_count_replies(ads, res)) > 0 ) ) {
3294 SAFE_FREE(host);
3295 ads_memfree(ads, hostnameDN);
3296 return status;
3297 }
3298
3299 /* delete hostnameDN now */
3300 status = ads_del_dn(ads, hostnameDN);
3301 if (!ADS_ERR_OK(status)) {
3302 SAFE_FREE(host);
3303 DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status)));
3304 ads_memfree(ads, hostnameDN);
3305 return status;
3306 }
3307 }
3308
3309 ads_memfree(ads, hostnameDN);
3310
3311 status = ads_find_machine_acct(ads, &res, host);
3312 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3313 DEBUG(3, ("Failed to remove host account.\n"));
3314 SAFE_FREE(host);
3315 return status;
3316 }
3317
3318 SAFE_FREE(host);
3319 return status;
3320 }
3321
3322 /**
3323 * pull all token-sids from an LDAP dn
3324 * @param ads connection to ads server
3325 * @param mem_ctx TALLOC_CTX for allocating sid array
3326 * @param dn of LDAP object
3327 * @param user_sid pointer to DOM_SID (objectSid)
3328 * @param primary_group_sid pointer to DOM_SID (self composed)
3329 * @param sids pointer to sid array to allocate
3330 * @param num_sids counter of SIDs pulled
3331 * @return status of token query
3332 **/
3333 ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads,
3334 TALLOC_CTX *mem_ctx,
3335 const char *dn,
3336 DOM_SID *user_sid,
3337 DOM_SID *primary_group_sid,
3338 DOM_SID **sids,
3339 size_t *num_sids)
3340 {
3341 ADS_STATUS status;
3342 LDAPMessage *res = NULL;
3343 int count = 0;
3344 size_t tmp_num_sids;
3345 DOM_SID *tmp_sids;
3346 DOM_SID tmp_user_sid;
3347 DOM_SID tmp_primary_group_sid;
3348 uint32 pgid;
3349 const char *attrs[] = {
3350 "objectSid",
3351 "tokenGroups",
3352 "primaryGroupID",
3353 NULL
3354 };
3355
3356 status = ads_search_retry_dn(ads, &res, dn, attrs);
3357 if (!ADS_ERR_OK(status)) {
3358 return status;
3359 }
3360
3361 count = ads_count_replies(ads, res);
3362 if (count != 1) {
3363 ads_msgfree(ads, res);
3364 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
3365 }
3366
3367 if (!ads_pull_sid(ads, res, "objectSid", &tmp_user_sid)) {
3368 ads_msgfree(ads, res);
3369 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3370 }
3371
3372 if (!ads_pull_uint32(ads, res, "primaryGroupID", &pgid)) {
3373 ads_msgfree(ads, res);
3374 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3375 }
3376
3377 {
3378 /* hack to compose the primary group sid without knowing the
3379 * domsid */
3380
3381 DOM_SID domsid;
3382 uint32 dummy_rid;
3383
3384 sid_copy(&domsid, &tmp_user_sid);
3385
3386 if (!sid_split_rid(&domsid, &dummy_rid)) {
3387 ads_msgfree(ads, res);
3388 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3389 }
3390
3391 if (!sid_compose(&tmp_primary_group_sid, &domsid, pgid)) {
3392 ads_msgfree(ads, res);
3393 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3394 }
3395 }
3396
3397 tmp_num_sids = ads_pull_sids(ads, mem_ctx, res, "tokenGroups", &tmp_sids);
3398
3399 if (tmp_num_sids == 0 || !tmp_sids) {
3400 ads_msgfree(ads, res);
3401 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3402 }
3403
3404 if (num_sids) {
3405 *num_sids = tmp_num_sids;
3406 }
3407
3408 if (sids) {
3409 *sids = tmp_sids;
3410 }
3411
3412 if (user_sid) {
3413 *user_sid = tmp_user_sid;
3414 }
3415
3416 if (primary_group_sid) {
3417 *primary_group_sid = tmp_primary_group_sid;
3418 }
3419
3420 DEBUG(10,("ads_get_tokensids: returned %d sids\n", (int)tmp_num_sids + 2));
3421
3422 ads_msgfree(ads, res);
3423 return ADS_ERROR_LDAP(LDAP_SUCCESS);
3424 }
3425
3426 /**
3427 * Find a sAMAccoutName in LDAP
3428 * @param ads connection to ads server
3429 * @param mem_ctx TALLOC_CTX for allocating sid array
3430 * @param samaccountname to search
3431 * @param uac_ret uint32 pointer userAccountControl attribute value
3432 * @param dn_ret pointer to dn
3433 * @return status of token query
3434 **/
3435 ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
3436 TALLOC_CTX *mem_ctx,
3437 const char *samaccountname,
3438 uint32 *uac_ret,
3439 const char **dn_ret)
3440 {
3441 ADS_STATUS status;
3442 const char *attrs[] = { "userAccountControl", NULL };
3443 const char *filter;
3444 LDAPMessage *res = NULL;
3445 char *dn = NULL;
3446 uint32 uac = 0;
3447
3448 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
3449 samaccountname);
3450 if (filter == NULL) {
3451 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
3452 goto out;
3453 }
3454
3455 status = ads_do_search_all(ads, ads->config.bind_path,
3456 LDAP_SCOPE_SUBTREE,
3457 filter, attrs, &res);
3458
3459 if (!ADS_ERR_OK(status)) {
3460 goto out;
3461 }
3462
3463 if (ads_count_replies(ads, res) != 1) {
3464 status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3465 goto out;
3466 }
3467
3468 dn = ads_get_dn(ads, res);
3469 if (dn == NULL) {
3470 status = ADS_ERROR(LDAP_NO_MEMORY);
3471 goto out;
3472 }
3473
3474 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
3475 status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
3476 goto out;
3477 }
3478
3479 if (uac_ret) {
3480 *uac_ret = uac;
3481 }
3482
3483 if (dn_ret) {
3484 *dn_ret = talloc_strdup(mem_ctx, dn);
3485 if (!*dn_ret) {
3486 status = ADS_ERROR(LDAP_NO_MEMORY);
3487 goto out;
3488 }
3489 }
3490 out:
3491 ads_memfree(ads, dn);
3492 ads_msgfree(ads, res);
3493
3494 return status;
3495 }
3496
3497 /**
3498 * find our configuration path
3499 * @param ads connection to ads server
3500 * @param mem_ctx Pointer to talloc context
3501 * @param config_path Pointer to the config path
3502 * @return status of search
3503 **/
3504 ADS_STATUS ads_config_path(ADS_STRUCT *ads,
3505 TALLOC_CTX *mem_ctx,
3506 char **config_path)
3507 {
3508 ADS_STATUS status;
3509 LDAPMessage *res = NULL;
3510 const char *config_context = NULL;
3511 const char *attrs[] = { "configurationNamingContext", NULL };
3512
3513 status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
3514 "(objectclass=*)", attrs, &res);
3515 if (!ADS_ERR_OK(status)) {
3516 return status;
3517 }
3518
3519 config_context = ads_pull_string(ads, mem_ctx, res,
3520 "configurationNamingContext");
3521 ads_msgfree(ads, res);
3522 if (!config_context) {
3523 return ADS_ERROR(LDAP_NO_MEMORY);
3524 }
3525
3526 if (config_path) {
3527 *config_path = talloc_strdup(mem_ctx, config_context);
3528 if (!*config_path) {
3529 return ADS_ERROR(LDAP_NO_MEMORY);
3530 }
3531 }
3532
3533 return ADS_ERROR(LDAP_SUCCESS);
3534 }
3535
3536 /**
3537 * find the displayName of an extended right
3538 * @param ads connection to ads server
3539 * @param config_path The config path
3540 * @param mem_ctx Pointer to talloc context
3541 * @param GUID struct of the rightsGUID
3542 * @return status of search
3543 **/
3544 const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads,
3545 const char *config_path,
3546 TALLOC_CTX *mem_ctx,
3547 const struct GUID *rights_guid)
3548 {
3549 ADS_STATUS rc;
3550 LDAPMessage *res = NULL;
3551 char *expr = NULL;
3552 const char *attrs[] = { "displayName", NULL };
3553 const char *result = NULL;
3554 const char *path;
3555
3556 if (!ads || !mem_ctx || !rights_guid) {
3557 goto done;
3558 }
3559
3560 expr = talloc_asprintf(mem_ctx, "(rightsGuid=%s)",
3561 smb_uuid_string(mem_ctx, *rights_guid));
3562 if (!expr) {
3563 goto done;
3564 }
3565
3566 path = talloc_asprintf(mem_ctx, "cn=Extended-Rights,%s", config_path);
3567 if (!path) {
3568 goto done;
3569 }
3570
3571 rc = ads_do_search_retry(ads, path, LDAP_SCOPE_SUBTREE,
3572 expr, attrs, &res);
3573 if (!ADS_ERR_OK(rc)) {
3574 goto done;
3575 }
3576
3577 if (ads_count_replies(ads, res) != 1) {
3578 goto done;
3579 }
3580
3581 result = ads_pull_string(ads, mem_ctx, res, "displayName");
3582
3583 done:
3584 ads_msgfree(ads, res);
3585 return result;
3586
3587 }
3588
3589 /**
3590 * verify or build and verify an account ou
3591 * @param mem_ctx Pointer to talloc context
3592 * @param ads connection to ads server
3593 * @param account_ou
3594 * @return status of search
3595 **/
3596
3597 ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
3598 ADS_STRUCT *ads,
3599 const char **account_ou)
3600 {
3601 struct ldb_dn *name_dn = NULL;
3602 const char *name = NULL;
3603 char *ou_string = NULL;
3604
3605 name_dn = ldb_dn_explode(mem_ctx, *account_ou);
3606 if (name_dn) {
3607 return ADS_SUCCESS;
3608 }
3609
3610 ou_string = ads_ou_string(ads, *account_ou);
3611 if (!ou_string) {
3612 return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
3613 }
3614
3615 name = talloc_asprintf(mem_ctx, "%s,%s", ou_string,
3616 ads->config.bind_path);
3617 SAFE_FREE(ou_string);
3618 if (!name) {
3619 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3620 }
3621
3622 name_dn = ldb_dn_explode(mem_ctx, name);
3623 if (!name_dn) {
3624 return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
3625 }
3626
3627 *account_ou = talloc_strdup(mem_ctx, name);
3628 if (!*account_ou) {
3629 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3630 }
3631
3632 return ADS_SUCCESS;
3633 }
3634
3635 #endif
Samba GIT mirror