2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005,2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 /****************************************************************
23 parse the raw extension string into a GP_EXT structure
24 ****************************************************************/
26 bool ads_parse_gp_ext(TALLOC_CTX
*mem_ctx
,
27 const char *extension_raw
,
28 struct GP_EXT
**gp_ext
)
31 struct GP_EXT
*ext
= NULL
;
32 char **ext_list
= NULL
;
33 char **ext_strings
= NULL
;
40 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw
));
42 ext
= TALLOC_ZERO_P(mem_ctx
, struct GP_EXT
);
47 ext_list
= str_list_make(mem_ctx
, extension_raw
, "]");
52 for (i
= 0; ext_list
[i
] != NULL
; i
++) {
59 ext
->extensions
= TALLOC_ZERO_ARRAY(mem_ctx
, char *,
61 ext
->extensions_guid
= TALLOC_ZERO_ARRAY(mem_ctx
, char *,
63 ext
->snapins
= TALLOC_ZERO_ARRAY(mem_ctx
, char *,
65 ext
->snapins_guid
= TALLOC_ZERO_ARRAY(mem_ctx
, char *,
69 ext
->gp_extension
= talloc_strdup(mem_ctx
, extension_raw
);
71 if (!ext
->extensions
|| !ext
->extensions_guid
||
72 !ext
->snapins
|| !ext
->snapins_guid
||
77 for (i
= 0; ext_list
[i
] != NULL
; i
++) {
82 DEBUGADD(10,("extension #%d\n", i
));
90 ext_strings
= str_list_make(mem_ctx
, p
, "}");
91 if (ext_strings
== NULL
) {
95 for (k
= 0; ext_strings
[k
] != NULL
; k
++) {
105 ext
->extensions
[i
] = talloc_strdup(mem_ctx
,
106 cse_gpo_guid_string_to_name(q
));
107 ext
->extensions_guid
[i
] = talloc_strdup(mem_ctx
, q
);
109 /* we might have no name for the guid */
110 if (ext
->extensions_guid
[i
] == NULL
) {
114 for (k
= 1; ext_strings
[k
] != NULL
; k
++) {
116 char *m
= ext_strings
[k
];
122 /* FIXME: theoretically there could be more than one
123 * snapin per extension */
124 ext
->snapins
[i
] = talloc_strdup(mem_ctx
,
125 cse_snapin_gpo_guid_string_to_name(m
));
126 ext
->snapins_guid
[i
] = talloc_strdup(mem_ctx
, m
);
128 /* we might have no name for the guid */
129 if (ext
->snapins_guid
[i
] == NULL
) {
140 TALLOC_FREE(ext_list
);
141 TALLOC_FREE(ext_strings
);
148 /****************************************************************
149 parse the raw link string into a GP_LINK structure
150 ****************************************************************/
152 static ADS_STATUS
gpo_parse_gplink(TALLOC_CTX
*mem_ctx
,
153 const char *gp_link_raw
,
155 struct GP_LINK
*gp_link
)
157 ADS_STATUS status
= ADS_ERROR_NT(NT_STATUS_NO_MEMORY
);
161 ZERO_STRUCTP(gp_link
);
163 DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw
));
165 link_list
= str_list_make(mem_ctx
, gp_link_raw
, "]");
170 for (i
= 0; link_list
[i
] != NULL
; i
++) {
174 gp_link
->gp_opts
= options
;
175 gp_link
->num_links
= i
;
177 if (gp_link
->num_links
) {
178 gp_link
->link_names
= TALLOC_ZERO_ARRAY(mem_ctx
, char *,
180 gp_link
->link_opts
= TALLOC_ZERO_ARRAY(mem_ctx
, uint32_t,
184 gp_link
->gp_link
= talloc_strdup(mem_ctx
, gp_link_raw
);
186 if (!gp_link
->link_names
|| !gp_link
->link_opts
|| !gp_link
->gp_link
) {
190 for (i
= 0; link_list
[i
] != NULL
; i
++) {
194 DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i
));
207 gp_link
->link_names
[i
] = talloc_strdup(mem_ctx
, q
);
208 if (gp_link
->link_names
[i
] == NULL
) {
211 gp_link
->link_names
[i
][PTR_DIFF(p
, q
)] = 0;
213 gp_link
->link_opts
[i
] = atoi(p
+ 1);
215 DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
216 gp_link
->link_names
[i
]));
217 DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
218 gp_link
->link_opts
[i
]));
222 status
= ADS_SUCCESS
;
225 TALLOC_FREE(link_list
);
230 /****************************************************************
231 helper call to get a GP_LINK structure from a linkdn
232 ****************************************************************/
234 ADS_STATUS
ads_get_gpo_link(ADS_STRUCT
*ads
,
237 struct GP_LINK
*gp_link_struct
)
240 const char *attrs
[] = {"gPLink", "gPOptions", NULL
};
241 LDAPMessage
*res
= NULL
;
245 ZERO_STRUCTP(gp_link_struct
);
247 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
248 if (!ADS_ERR_OK(status
)) {
249 DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
250 ads_errstr(status
)));
254 if (ads_count_replies(ads
, res
) != 1) {
255 DEBUG(10,("ads_get_gpo_link: no result\n"));
256 ads_msgfree(ads
, res
);
257 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
260 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
261 if (gp_link
== NULL
) {
262 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
263 ads_msgfree(ads
, res
);
264 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE
);
267 /* perfectly legal to have no options */
268 if (!ads_pull_uint32(ads
, res
, "gPOptions", &gp_options
)) {
269 DEBUG(10,("ads_get_gpo_link: "
270 "no 'gPOptions' attribute found\n"));
274 ads_msgfree(ads
, res
);
276 return gpo_parse_gplink(mem_ctx
, gp_link
, gp_options
, gp_link_struct
);
279 /****************************************************************
280 helper call to add a gp link
281 ****************************************************************/
283 ADS_STATUS
ads_add_gpo_link(ADS_STRUCT
*ads
,
290 const char *attrs
[] = {"gPLink", NULL
};
291 LDAPMessage
*res
= NULL
;
292 const char *gp_link
, *gp_link_new
;
295 /* although ADS allows to set anything here, we better check here if
296 * the gpo_dn is sane */
298 if (!strnequal(gpo_dn
, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
299 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
302 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
303 if (!ADS_ERR_OK(status
)) {
304 DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
305 ads_errstr(status
)));
309 if (ads_count_replies(ads
, res
) != 1) {
310 DEBUG(10,("ads_add_gpo_link: no result\n"));
311 ads_msgfree(ads
, res
);
312 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
315 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
316 if (gp_link
== NULL
) {
317 gp_link_new
= talloc_asprintf(mem_ctx
, "[%s;%d]",
320 gp_link_new
= talloc_asprintf(mem_ctx
, "%s[%s;%d]",
321 gp_link
, gpo_dn
, gpo_opt
);
324 ads_msgfree(ads
, res
);
325 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new
);
327 mods
= ads_init_mods(mem_ctx
);
328 ADS_ERROR_HAVE_NO_MEMORY(mods
);
330 status
= ads_mod_str(mem_ctx
, &mods
, "gPLink", gp_link_new
);
331 if (!ADS_ERR_OK(status
)) {
335 return ads_gen_mod(ads
, link_dn
, mods
);
338 /****************************************************************
339 helper call to delete add a gp link
340 ****************************************************************/
342 /* untested & broken */
343 ADS_STATUS
ads_delete_gpo_link(ADS_STRUCT
*ads
,
349 const char *attrs
[] = {"gPLink", NULL
};
350 LDAPMessage
*res
= NULL
;
351 const char *gp_link
, *gp_link_new
= NULL
;
354 /* check for a sane gpo_dn */
355 if (gpo_dn
[0] != '[') {
356 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
357 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
360 if (gpo_dn
[strlen(gpo_dn
)] != ']') {
361 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
362 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
365 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
366 if (!ADS_ERR_OK(status
)) {
367 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
368 ads_errstr(status
)));
372 if (ads_count_replies(ads
, res
) != 1) {
373 DEBUG(10,("ads_delete_gpo_link: no result\n"));
374 ads_msgfree(ads
, res
);
375 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
378 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
379 if (gp_link
== NULL
) {
380 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE
);
383 /* find link to delete */
384 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
387 ads_msgfree(ads
, res
);
388 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new
);
390 mods
= ads_init_mods(mem_ctx
);
391 ADS_ERROR_HAVE_NO_MEMORY(mods
);
393 status
= ads_mod_str(mem_ctx
, &mods
, "gPLink", gp_link_new
);
394 if (!ADS_ERR_OK(status
)) {
398 return ads_gen_mod(ads
, link_dn
, mods
);
401 /****************************************************************
402 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
403 ****************************************************************/
405 ADS_STATUS
ads_parse_gpo(ADS_STRUCT
*ads
,
409 struct GROUP_POLICY_OBJECT
*gpo
)
413 ADS_ERROR_HAVE_NO_MEMORY(res
);
416 gpo
->ds_path
= talloc_strdup(mem_ctx
, gpo_dn
);
418 gpo
->ds_path
= ads_get_dn(ads
, res
);
421 ADS_ERROR_HAVE_NO_MEMORY(gpo
->ds_path
);
423 if (!ads_pull_uint32(ads
, res
, "versionNumber", &gpo
->version
)) {
424 return ADS_ERROR(LDAP_NO_MEMORY
);
427 if (!ads_pull_uint32(ads
, res
, "flags", &gpo
->options
)) {
428 return ADS_ERROR(LDAP_NO_MEMORY
);
431 gpo
->file_sys_path
= ads_pull_string(ads
, mem_ctx
, res
,
433 ADS_ERROR_HAVE_NO_MEMORY(gpo
->file_sys_path
);
435 gpo
->display_name
= ads_pull_string(ads
, mem_ctx
, res
,
437 ADS_ERROR_HAVE_NO_MEMORY(gpo
->display_name
);
439 gpo
->name
= ads_pull_string(ads
, mem_ctx
, res
,
441 ADS_ERROR_HAVE_NO_MEMORY(gpo
->name
);
443 gpo
->machine_extensions
= ads_pull_string(ads
, mem_ctx
, res
,
444 "gPCMachineExtensionNames");
445 gpo
->user_extensions
= ads_pull_string(ads
, mem_ctx
, res
,
446 "gPCUserExtensionNames");
448 ads_pull_sd(ads
, mem_ctx
, res
, "ntSecurityDescriptor",
449 &gpo
->security_descriptor
);
450 ADS_ERROR_HAVE_NO_MEMORY(gpo
->security_descriptor
);
452 return ADS_ERROR(LDAP_SUCCESS
);
455 /****************************************************************
456 get a GROUP_POLICY_OBJECT structure based on different input paramters
457 ****************************************************************/
459 ADS_STATUS
ads_get_gpo(ADS_STRUCT
*ads
,
462 const char *display_name
,
463 const char *guid_name
,
464 struct GROUP_POLICY_OBJECT
*gpo
)
467 LDAPMessage
*res
= NULL
;
470 const char *attrs
[] = {
475 "gPCFunctionalityVersion",
476 "gPCMachineExtensionNames",
477 "gPCUserExtensionNames",
480 "ntSecurityDescriptor",
483 uint32_t sd_flags
= DACL_SECURITY_INFORMATION
;
487 if (!gpo_dn
&& !display_name
&& !guid_name
) {
488 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
493 if (strnequal(gpo_dn
, "LDAP://", strlen("LDAP://")) != 0) {
494 gpo_dn
= gpo_dn
+ strlen("LDAP://");
497 status
= ads_search_retry_dn_sd_flags(ads
, &res
,
501 } else if (display_name
|| guid_name
) {
503 filter
= talloc_asprintf(mem_ctx
,
504 "(&(objectclass=groupPolicyContainer)(%s=%s))",
505 display_name
? "displayName" : "name",
506 display_name
? display_name
: guid_name
);
507 ADS_ERROR_HAVE_NO_MEMORY(filter
);
509 status
= ads_do_search_all_sd_flags(ads
, ads
->config
.bind_path
,
510 LDAP_SCOPE_SUBTREE
, filter
,
511 attrs
, sd_flags
, &res
);
514 if (!ADS_ERR_OK(status
)) {
515 DEBUG(10,("ads_get_gpo: search failed with %s\n",
516 ads_errstr(status
)));
520 if (ads_count_replies(ads
, res
) != 1) {
521 DEBUG(10,("ads_get_gpo: no result\n"));
522 ads_msgfree(ads
, res
);
523 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
526 dn
= ads_get_dn(ads
, res
);
528 ads_msgfree(ads
, res
);
529 return ADS_ERROR(LDAP_NO_MEMORY
);
532 status
= ads_parse_gpo(ads
, mem_ctx
, res
, dn
, gpo
);
533 ads_msgfree(ads
, res
);
534 ads_memfree(ads
, dn
);
539 /****************************************************************
540 add a gplink to the GROUP_POLICY_OBJECT linked list
541 ****************************************************************/
543 static ADS_STATUS
add_gplink_to_gpo_list(ADS_STRUCT
*ads
,
545 struct GROUP_POLICY_OBJECT
**gpo_list
,
547 struct GP_LINK
*gp_link
,
548 enum GPO_LINK_TYPE link_type
,
549 bool only_add_forced_gpos
,
550 const struct nt_user_token
*token
)
555 for (i
= 0; i
< gp_link
->num_links
; i
++) {
557 struct GROUP_POLICY_OBJECT
*new_gpo
= NULL
;
559 if (gp_link
->link_opts
[i
] & GPO_LINK_OPT_DISABLED
) {
560 DEBUG(10,("skipping disabled GPO\n"));
564 if (only_add_forced_gpos
) {
566 if (!(gp_link
->link_opts
[i
] & GPO_LINK_OPT_ENFORCED
)) {
567 DEBUG(10,("skipping nonenforced GPO link "
568 "because GPOPTIONS_BLOCK_INHERITANCE "
572 DEBUG(10,("adding enforced GPO link although "
573 "the GPOPTIONS_BLOCK_INHERITANCE "
578 new_gpo
= TALLOC_ZERO_P(mem_ctx
, struct GROUP_POLICY_OBJECT
);
579 ADS_ERROR_HAVE_NO_MEMORY(new_gpo
);
581 status
= ads_get_gpo(ads
, mem_ctx
, gp_link
->link_names
[i
],
582 NULL
, NULL
, new_gpo
);
583 if (!ADS_ERR_OK(status
)) {
584 DEBUG(10,("failed to get gpo: %s\n",
585 gp_link
->link_names
[i
]));
589 status
= ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo
,
591 if (!ADS_ERR_OK(status
)) {
592 DEBUG(10,("skipping GPO \"%s\" as object "
593 "has no access to it\n",
594 new_gpo
->display_name
));
595 TALLOC_FREE(new_gpo
);
599 new_gpo
->link
= link_dn
;
600 new_gpo
->link_type
= link_type
;
602 DLIST_ADD(*gpo_list
, new_gpo
);
604 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
605 "to GPO list\n", i
, gp_link
->link_names
[i
]));
608 return ADS_ERROR(LDAP_SUCCESS
);
611 /****************************************************************
612 ****************************************************************/
614 ADS_STATUS
ads_get_sid_token(ADS_STRUCT
*ads
,
617 struct nt_user_token
**token
)
621 DOM_SID primary_group_sid
;
622 DOM_SID
*ad_token_sids
;
623 size_t num_ad_token_sids
= 0;
625 size_t num_token_sids
= 0;
626 struct nt_user_token
*new_token
= NULL
;
629 status
= ads_get_tokensids(ads
, mem_ctx
, dn
,
630 &object_sid
, &primary_group_sid
,
631 &ad_token_sids
, &num_ad_token_sids
);
632 if (!ADS_ERR_OK(status
)) {
636 token_sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, 1);
637 ADS_ERROR_HAVE_NO_MEMORY(token_sids
);
639 status
= ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx
,
643 if (!ADS_ERR_OK(status
)) {
647 for (i
= 0; i
< num_ad_token_sids
; i
++) {
649 if (sid_check_is_in_builtin(&ad_token_sids
[i
])) {
653 status
= ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx
,
657 if (!ADS_ERR_OK(status
)) {
662 new_token
= create_local_nt_token(mem_ctx
, &object_sid
, false,
663 num_token_sids
, token_sids
);
664 ADS_ERROR_HAVE_NO_MEMORY(new_token
);
668 debug_nt_user_token(DBGC_CLASS
, 5, *token
);
670 return ADS_ERROR_LDAP(LDAP_SUCCESS
);
673 /****************************************************************
674 ****************************************************************/
676 static ADS_STATUS
add_local_policy_to_gpo_list(TALLOC_CTX
*mem_ctx
,
677 struct GROUP_POLICY_OBJECT
**gpo_list
,
678 enum GPO_LINK_TYPE link_type
)
680 struct GROUP_POLICY_OBJECT
*gpo
= NULL
;
682 ADS_ERROR_HAVE_NO_MEMORY(gpo_list
);
684 gpo
= TALLOC_ZERO_P(mem_ctx
, struct GROUP_POLICY_OBJECT
);
685 ADS_ERROR_HAVE_NO_MEMORY(gpo
);
687 gpo
->name
= talloc_strdup(mem_ctx
, "Local Policy");
688 ADS_ERROR_HAVE_NO_MEMORY(gpo
->name
);
690 gpo
->display_name
= talloc_strdup(mem_ctx
, "Local Policy");
691 ADS_ERROR_HAVE_NO_MEMORY(gpo
->display_name
);
693 gpo
->link_type
= link_type
;
695 DLIST_ADD(*gpo_list
, gpo
);
697 return ADS_ERROR_NT(NT_STATUS_OK
);
700 /****************************************************************
701 get the full list of GROUP_POLICY_OBJECTs for a given dn
702 ****************************************************************/
704 ADS_STATUS
ads_get_gpo_list(ADS_STRUCT
*ads
,
708 const struct nt_user_token
*token
,
709 struct GROUP_POLICY_OBJECT
**gpo_list
)
711 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
714 struct GP_LINK gp_link
;
715 const char *parent_dn
, *site_dn
, *tmp_dn
;
716 bool add_only_forced_gpos
= false;
718 ZERO_STRUCTP(gpo_list
);
721 return ADS_ERROR(LDAP_PARAM_ERROR
);
724 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn
));
727 status
= add_local_policy_to_gpo_list(mem_ctx
, gpo_list
,
729 if (!ADS_ERR_OK(status
)) {
735 /* are site GPOs valid for users as well ??? */
736 if (flags
& GPO_LIST_FLAG_MACHINE
) {
738 status
= ads_site_dn_for_machine(ads
, mem_ctx
,
739 ads
->config
.ldap_server_name
,
741 if (!ADS_ERR_OK(status
)) {
745 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
748 status
= ads_get_gpo_link(ads
, mem_ctx
, site_dn
, &gp_link
);
749 if (ADS_ERR_OK(status
)) {
751 if (DEBUGLEVEL
>= 100) {
752 dump_gplink(ads
, mem_ctx
, &gp_link
);
755 status
= add_gplink_to_gpo_list(ads
, mem_ctx
, gpo_list
,
758 add_only_forced_gpos
,
760 if (!ADS_ERR_OK(status
)) {
764 if (flags
& GPO_LIST_FLAG_SITEONLY
) {
765 return ADS_ERROR(LDAP_SUCCESS
);
768 /* inheritance can't be blocked at the site level */
774 while ((parent_dn
= ads_parent_dn(tmp_dn
)) &&
775 (!strequal(parent_dn
, ads_parent_dn(ads
->config
.bind_path
)))) {
779 /* An account can just be a member of one domain */
780 if (strncmp(parent_dn
, "DC=", strlen("DC=")) == 0) {
782 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
785 status
= ads_get_gpo_link(ads
, mem_ctx
, parent_dn
,
787 if (ADS_ERR_OK(status
)) {
789 if (DEBUGLEVEL
>= 100) {
790 dump_gplink(ads
, mem_ctx
, &gp_link
);
793 /* block inheritance from now on */
794 if (gp_link
.gp_opts
&
795 GPOPTIONS_BLOCK_INHERITANCE
) {
796 add_only_forced_gpos
= true;
799 status
= add_gplink_to_gpo_list(ads
,
805 add_only_forced_gpos
,
807 if (!ADS_ERR_OK(status
)) {
819 while ((parent_dn
= ads_parent_dn(tmp_dn
)) &&
820 (!strequal(parent_dn
, ads_parent_dn(ads
->config
.bind_path
)))) {
823 /* (O)rganizational(U)nit */
825 /* An account can be a member of more OUs */
826 if (strncmp(parent_dn
, "OU=", strlen("OU=")) == 0) {
828 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
831 status
= ads_get_gpo_link(ads
, mem_ctx
, parent_dn
,
833 if (ADS_ERR_OK(status
)) {
835 if (DEBUGLEVEL
>= 100) {
836 dump_gplink(ads
, mem_ctx
, &gp_link
);
839 /* block inheritance from now on */
840 if (gp_link
.gp_opts
&
841 GPOPTIONS_BLOCK_INHERITANCE
) {
842 add_only_forced_gpos
= true;
845 status
= add_gplink_to_gpo_list(ads
,
851 add_only_forced_gpos
,
853 if (!ADS_ERR_OK(status
)) {
863 return ADS_ERROR(LDAP_SUCCESS
);
866 #endif /* HAVE_LDAP */