2 Unix SMB/Netbios implementation.
4 LDAP protocol helper functions for SAMBA
5 Copyright (C) Shahms King 2001
6 Copyright (C) Jean François Micouleau 1998
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 * persistent connections: if using NSS LDAP, many connections are made
29 * however, using only one within Samba would be nice
31 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
33 * Other LDAP based login attributes: accountExpires, etc.
34 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
35 * structures don't have fields for some of these attributes)
37 * SSL is done, but I can't get certificate-based authentication to work
38 * on my test platform (Linux 2.4, OpenLDAP 2.x)
41 /* NOTE: this will NOT work against an Active Directory server
42 * due to the fact that the two password fields cannot be retrieved
43 * from a server; recommend using security = domain in this situation
/* SAM_ACCOUNT is an alias for struct sam_passwd throughout this file. */
51 #define SAM_ACCOUNT struct sam_passwd
/* Connection handle, search result and cursor shared by pdb_setsampwent(),
 * pdb_getsampwent() and pdb_endsampwent().  Being a single file-scope
 * object, only one enumeration can be in progress per process. */
61 static struct ldap_enum_info global_ldap_ent
;
64 /*******************************************************************
65 open a connection to the ldap server.
66 ******************************************************************/
/*
 * Create an LDAP handle for lp_ldap_server()/lp_ldap_port(), store it
 * through *ldap_struct and apply the transport policy chosen by
 * lp_ldap_ssl(): LDAP_SSL_START_TLS upgrades the plain connection with
 * StartTLS, the LDAP_OPT_X_TLS path below asks the library for an
 * SSL-wrapped session.  The return type, the declarations of port,
 * version and rc and the failure returns are not part of this listing
 * (presumably BOOL / False -- confirm against the full file).
 */
68 ldap_open_connection (LDAP
** ldap_struct
)
/* Value handed to LDAP_OPT_X_TLS further down: TLS is mandatory. */
72 int tls
= LDAP_OPT_X_TLS_HARD
;
/* SSL requested together with the cleartext port 389; the body handling
 * this case (lines 75-77) is not in the listing. */
74 if (lp_ldap_ssl() == LDAP_SSL_ON
&& lp_ldap_port() == 389) {
78 port
= lp_ldap_port();
/* NOTE(review): OpenLDAP's ldap_init() only allocates the handle and
 * defers the TCP connect, so NULL here is normally a local failure; the
 * "not responding" text below is then misleading -- confirm for the SDK
 * in use. */
81 if ((*ldap_struct
= ldap_init(lp_ldap_server(), port
)) == NULL
) {
82 DEBUG(0, ("The LDAP server is not responding !\n"));
/* Downgrade the handle to LDAPv2.  The condition guarding this branch
 * (line 85) is not visible; the ldap_set_option() result is unchecked. */
86 /* Connect to older servers using SSL and V2 rather than Start TLS */
87 if (ldap_get_option(*ldap_struct
, LDAP_OPT_PROTOCOL_VERSION
, &version
) == LDAP_OPT_SUCCESS
)
89 if (version
!= LDAP_VERSION2
)
91 version
= LDAP_VERSION2
;
92 ldap_set_option (*ldap_struct
, LDAP_OPT_PROTOCOL_VERSION
, &version
);
/* Transport policy.  Only the START_TLS case label is visible; the
 * LDAP_SSL_ON label (presumably line 118) and any default/off case are
 * missing from the listing.  Without one of these the simple bind done
 * later by ldap_connect_system() travels in the clear. */
96 switch (lp_ldap_ssl())
/* StartTLS is an LDAPv3 extended operation: raise the protocol version
 * first, then upgrade the existing connection in place.  The
 * ldap_set_option() call is cut at line 105-106 and its result is not
 * checked; the failure return after the DEBUG (lines 110-114) is outside
 * the listing. */
98 case LDAP_SSL_START_TLS
:
99 if (ldap_get_option (*ldap_struct
, LDAP_OPT_PROTOCOL_VERSION
,
100 &version
) == LDAP_OPT_SUCCESS
)
102 if (version
< LDAP_VERSION3
)
104 version
= LDAP_VERSION3
;
105 ldap_set_option (*ldap_struct
, LDAP_OPT_PROTOCOL_VERSION
,
109 if ((rc
= ldap_start_tls_s (*ldap_struct
, NULL
, NULL
)) != LDAP_SUCCESS
)
112 ("Failed to issue the StartTLS instruction: %s\n",
113 ldap_err2string(rc
)));
116 DEBUG (2, ("StartTLS issued: using a TLS connection\n"));
/* Ask the library for a TLS-wrapped session (tls == LDAP_OPT_X_TLS_HARD).
 * NOTE(review): nothing in this block configures certificate
 * verification (e.g. LDAP_OPT_X_TLS_REQUIRE_CERT); what is enforced
 * comes from library defaults / ldap.conf -- confirm. */
119 if (ldap_set_option (*ldap_struct
, LDAP_OPT_X_TLS
, &tls
) != LDAP_SUCCESS
)
121 DEBUG(0, ("Failed to setup a TLS session\n"));
126 /* What is meant here ? JRA. */
130 DEBUG(2, ("ldap_open_connection: connection opened\n"));
134 /*******************************************************************
135 connect to the ldap server under system privilege.
136 ******************************************************************/
/*
 * Bind `ldap_struct` as lp_ldap_admin_dn() with the password fetched from
 * secrets.tdb.  Returns BOOL; the failure returns following the two
 * DEBUG(0) messages (lines 148-149, 159-160) and the declaration of rc
 * are not in this listing.
 *
 * Security notes:
 *  - ldap_simple_bind_s() is a simple bind: the password itself is sent
 *    to the server, so it is only protected on the wire when
 *    ldap_open_connection() established StartTLS/SSL.
 *  - the password is cached in a static (ldap_secret) for the lifetime of
 *    the process and read from secrets.tdb only once (got_pw): a rotated
 *    secret needs a restart to take effect, and the copy is never wiped.
 */
137 static BOOL
ldap_connect_system(LDAP
* ldap_struct
)
140 static BOOL got_pw
= False
;
141 static pstring ldap_secret
;
143 /* get the password if we don't have it already */
144 if (!got_pw
&& !(got_pw
=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret
, sizeof(pstring
))))
146 DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
147 lp_ldap_admin_dn()));
151 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
152 (OpenLDAP) doesn't seem to support it */
153 DEBUG(10,("ldap_connect_system: Binding to ldap server as \"%s\"\n",
154 lp_ldap_admin_dn()));
/* Simple bind with the admin DN and the cached secret. */
155 if ((rc
= ldap_simple_bind_s(ldap_struct
, lp_ldap_admin_dn(),
156 ldap_secret
)) != LDAP_SUCCESS
)
158 DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc
)));
162 DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
166 /*******************************************************************
167 run a subtree search with the supplied filter.
168 ******************************************************************/
/*
 * Synchronous subtree search below lp_ldap_suffix() using the caller's
 * filter verbatim.  attrs == NULL / attrsonly == 0 requests every
 * attribute of each match, including lmPassword/ntPassword which
 * init_sam_from_ldap() later reads.  Returns the ldap_search_s() result
 * code; the declaration of rc, the rest of the DEBUG(3) at line 182 and
 * the final return are outside this listing.
 * Callers that splice untrusted text into `filter` are responsible for
 * LDAP filter escaping (RFC 2254) -- none is done here.
 */
169 static int ldap_search_one_user (LDAP
* ldap_struct
, const char *filter
, LDAPMessage
** result
)
171 int scope
= LDAP_SCOPE_SUBTREE
;
174 DEBUG(2, ("ldap_search_one_user: searching for:[%s]\n", filter
));
/* base = lp_ldap_suffix(), attrs = NULL (all), attrsonly = 0. */
176 rc
= ldap_search_s (ldap_struct
, lp_ldap_suffix (), scope
,
177 filter
, NULL
, 0, result
);
179 if (rc
!= LDAP_SUCCESS
) {
180 DEBUG(0,("ldap_search_one_user: Problem during the LDAP search: %s\n",
181 ldap_err2string (rc
)));
182 DEBUG(3,("ldap_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
188 /*******************************************************************
189 run the search by name.
190 ******************************************************************/
/*
 * Build the search filter from lp_ldap_filter() by replacing every "%u"
 * with `user`, then delegate to ldap_search_one_user().  The local
 * `filter` buffer (a pstring, judging by the sizeof(pstring) bound) is
 * declared on a line not in this listing.
 *
 * NOTE(review): `user` is substituted without LDAP filter escaping
 * (RFC 2254 reserves '*', '(', ')', '\\' and NUL).  A name containing
 * those characters changes the meaning of the filter; pdb_getsampwnam()
 * passes the name through unchanged, so it should be validated or
 * escaped before it reaches this point.
 */
191 static int ldap_search_one_user_by_name (LDAP
* ldap_struct
, const char *user
,
192 LDAPMessage
** result
)
197 in the filter expression, replace %u with the real name
198 so in ldap filter, %u MUST exist :-)
200 pstrcpy(filter
, lp_ldap_filter());
202 /* have to use this here because $ is filtered out
205 all_string_sub(filter
, "%u", user
, sizeof(pstring
));
207 return ldap_search_one_user(ldap_struct
, filter
, result
);
210 /*******************************************************************
211 run the search by uid.
212 ******************************************************************/
/*
 * Resolve `uid` to a user name through the system password database and
 * search by that name (same "%u" substitution as
 * ldap_search_one_user_by_name(), same escaping caveat).  The parameter
 * is `int uid` although callers pass uid_t / pdb_user_rid_to_uid().
 * Declarations of `user` and `filter` are not in this listing.
 *
 * NOTE(review): sys_getpwuid() returns NULL for an unknown uid; the
 * visible lines dereference user->pw_name without checking, which is a
 * NULL dereference in that case.
 */
213 static int ldap_search_one_user_by_uid(LDAP
* ldap_struct
, int uid
,
214 LDAPMessage
** result
)
219 /* Get the username from the system and look that up in the LDAP */
220 user
= sys_getpwuid(uid
);
221 pstrcpy(filter
, lp_ldap_filter());
222 all_string_sub(filter
, "%u", user
->pw_name
, sizeof(pstring
));
224 return ldap_search_one_user(ldap_struct
, filter
, result
);
227 /*******************************************************************
228 run the search by rid.
229 ******************************************************************/
/*
 * Search for the entry whose "rid" attribute equals `rid`; if that search
 * fails, fall back to a lookup by the uid derived from the rid.  Unlike
 * the by-name variant, the filter is a bare "rid=%i" not combined with
 * lp_ldap_filter().  Declarations of `filter` and `rc` and the final
 * return are outside this listing.
 *
 * NOTE(review): the fallback runs only when rc != LDAP_SUCCESS, i.e. on a
 * protocol/server error.  A search that succeeds but matches nothing
 * still returns LDAP_SUCCESS, so the "if not" in the comment below does
 * not describe the code: a missing rid yields an empty result, not the
 * uid lookup.  On the fallback path the first *result is overwritten
 * without ldap_msgfree() (it may be NULL after a failed search -- confirm).
 * "%i" is a signed conversion for a uint32 argument, and snprintf()
 * already reserves the terminator, so the "- 1" is unnecessary.
 */
230 static int ldap_search_one_user_by_rid (LDAP
* ldap_struct
, uint32 rid
,
231 LDAPMessage
** result
)
236 /* check if the user rid exists, if not, try searching on the uid */
237 snprintf(filter
, sizeof(filter
) - 1, "rid=%i", rid
);
238 rc
= ldap_search_one_user(ldap_struct
, filter
, result
);
240 if (rc
!= LDAP_SUCCESS
)
241 rc
= ldap_search_one_user_by_uid(ldap_struct
,
242 pdb_user_rid_to_uid(rid
), result
);
247 /*******************************************************************
248 search an attribute and return the first value found.
249 ******************************************************************/
/*
 * Copy the first value of `attribute` on `entry` into `value` and release
 * the value array.  The copy is bounded by pstrcpy(), so `value` must be
 * a pstring-sized buffer (assumption taken from the callers in this
 * file).  When the attribute is absent `value` is left untouched, so
 * callers that reuse a buffer (init_sam_from_ldap()'s `temp` and its
 * static pstrings) see the previous contents.  The declaration of
 * `valeurs` (char **) is not in this listing.
 *
 * NOTE(review): the DEBUG(2) below logs the attribute value, and callers
 * pass "lmPassword" and "ntPassword", so password-equivalent hashes are
 * written to the log at debug level 2.
 */
250 static void get_single_attribute (LDAP
* ldap_struct
, LDAPMessage
* entry
,
251 char *attribute
, char *value
)
255 if ((valeurs
= ldap_get_values (ldap_struct
, entry
, attribute
)) != NULL
) {
256 pstrcpy(value
, valeurs
[0]);
257 ldap_value_free(valeurs
);
258 DEBUG (2, ("get_single_attribute: [%s] = [%s]\n", attribute
, value
));
/* Attribute missing: `value` keeps whatever it held before the call. */
262 DEBUG (2, ("get_single_attribute: [%s] = [NULL]\n", attribute
));
266 /************************************************************************
267 Routine to manage the LDAPMod structure array
268 manage memory used by the array, by each struct, and values
270 ************************************************************************/
/*
 * Append (modop, attribute, value) to the NULL-terminated LDAPMod array
 * at *modlist, creating the array on first use.  Attribute names are
 * compared case-insensitively; a further value for the same (modop,
 * attribute) pair is appended to that entry's mod_values rather than
 * creating a new LDAPMod.  An empty or NULL attribute/value is ignored
 * (early returns at lines 279-284; bodies not shown), so with
 * LDAP_MOD_REPLACE an attribute cleared in SAM_ACCOUNT is NOT cleared in
 * the directory.  The lines that load `mods` from *modlist, terminate the
 * new array, initialise `i`/`j`, write `mods` back to *modlist and the
 * out-of-memory returns are not in this listing.
 */
271 static void make_a_mod (LDAPMod
*** modlist
, int modop
, char *attribute
, char *value
)
279 if (attribute
== NULL
|| *attribute
== '\0')
282 if (value
== NULL
|| *value
== '\0')
/* Initial one-slot array (terminator only); the `*modlist == NULL`
 * guard (presumably line 286) is not visible. */
287 mods
= (LDAPMod
**) malloc(sizeof(LDAPMod
*));
290 DEBUG(0, ("make_a_mod: out of memory!\n"));
/* Find an existing mod for this (op, attribute) pair; `i` ends on the
 * terminator slot when none matches. */
296 for (i
= 0; mods
[i
] != NULL
; ++i
) {
297 if (mods
[i
]->mod_op
== modop
&& !strcasecmp(mods
[i
]->mod_type
, attribute
))
/* Grow by one slot plus terminator.
 * NOTE(review): the realloc() result overwrites the only pointer to the
 * old array, so on failure the old array leaks; use a temporary. */
303 mods
= (LDAPMod
**) realloc (mods
, (i
+ 2) * sizeof (LDAPMod
*));
306 DEBUG(0, ("make_a_mod: out of memory!\n"));
309 mods
[i
] = (LDAPMod
*) malloc(sizeof(LDAPMod
));
312 DEBUG(0, ("make_a_mod: out of memory!\n"));
315 mods
[i
]->mod_op
= modop
;
316 mods
[i
]->mod_values
= NULL
;
/* strdup() result is not checked. */
317 mods
[i
]->mod_type
= strdup(attribute
);
/* Append `value` to the (possibly existing) NULL-terminated value list. */
324 if (mods
[i
]->mod_values
!= NULL
) {
325 for (; mods
[i
]->mod_values
[j
] != NULL
; j
++);
/* Same realloc()-over-the-only-pointer pattern as above: the old
 * value array leaks on failure. */
327 mods
[i
]->mod_values
= (char **)realloc(mods
[i
]->mod_values
,
328 (j
+ 2) * sizeof (char *));
330 if (mods
[i
]->mod_values
== NULL
) {
331 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
/* strdup() unchecked: a NULL here would act as a premature terminator. */
334 mods
[i
]->mod_values
[j
] = strdup(value
);
335 mods
[i
]->mod_values
[j
+ 1] = NULL
;
340 /* New Interface is being implemented here */
342 /**********************************************************************
343 Initialize SAM_ACCOUNT from an LDAP query
344 (Based on init_sam_from_buffer in pdb_tdb.c)
345 *********************************************************************/
/*
 * Populate `sampass` from one LDAP `entry`.  The declarations of `temp`,
 * `hours`, `hours_len` and the time_t variables (lines 348-352) and the
 * failure returns are not in this listing.
 *
 * NOTE(review), buffer handling:
 *  - every string is read through get_single_attribute(), which leaves
 *    the buffer untouched when the attribute is missing.  The string
 *    buffers are `static`, so during an enumeration an entry lacking e.g.
 *    "description" inherits the previous entry's value; the shared `temp`
 *    keeps the previous attribute's text, so a missing "logonTime" is
 *    parsed from the stale "pwdLastSet" digits.  Clearing the buffers
 *    before each read would make the result deterministic.
 *  - the static buffers also make this function non-reentrant.
 *  - strtol() results are not validated.
 */
346 static BOOL
init_sam_from_ldap (SAM_ACCOUNT
* sampass
,
347 LDAP
* ldap_struct
, LDAPMessage
* entry
)
353 pass_can_change_time
,
354 pass_must_change_time
;
355 static pstring username
;
356 static pstring domain
;
357 static pstring nt_username
;
358 static pstring fullname
;
359 static pstring homedir
;
360 static pstring dir_drive
;
361 static pstring logon_script
;
362 static pstring profile_path
;
363 static pstring acct_desc
;
364 static pstring munged_dial
;
365 static pstring workstations
;
366 struct passwd
*sys_user
;
367 uint32 user_rid
, group_rid
;
368 static uint8 smblmpwd
[16];
369 static uint8 smbntpwd
[16];
370 uint16 acct_ctrl
, logon_divs
;
/* "uid" is the account name; nt_username is a plain copy of it. */
375 get_single_attribute(ldap_struct
, entry
, "uid", username
);
376 DEBUG(2, ("Entry found for user: %s\n", username
));
378 pstrcpy(nt_username
, username
);
380 get_single_attribute(ldap_struct
, entry
, "sambaDomain", domain
);
/* Fallback to the workgroup; the guarding condition (line 381) is not
 * visible. */
382 pstrcpy(domain
, lp_workgroup());
/* Time attributes are stored as hexadecimal strings (base 16). */
384 get_single_attribute(ldap_struct
, entry
, "pwdLastSet", temp
);
385 pass_last_set_time
= (time_t) strtol(temp
, NULL
, 16);
387 get_single_attribute(ldap_struct
, entry
, "logonTime", temp
);
388 logon_time
= (time_t) strtol(temp
, NULL
, 16);
390 get_single_attribute(ldap_struct
, entry
, "logoffTime", temp
);
391 logoff_time
= (time_t) strtol(temp
, NULL
, 16);
393 get_single_attribute(ldap_struct
, entry
, "kickoffTime", temp
);
394 kickoff_time
= (time_t) strtol(temp
, NULL
, 16);
396 get_single_attribute(ldap_struct
, entry
, "pwdCanChange", temp
);
397 pass_can_change_time
= (time_t) strtol(temp
, NULL
, 16);
399 get_single_attribute(ldap_struct
, entry
, "pwdMustChange", temp
);
400 pass_must_change_time
= (time_t) strtol(temp
, NULL
, 16);
402 /* recommend that 'gecos' and 'displayName' should refer to the same
403 * attribute OID. userFullName deprecated, only used by Samba
404 * primary rules of LDAP: don't make a new attribute when one is already defined
405 * that fits your needs; using gecos then displayName then cn rather than 'userFullName'
/* gecos, then displayName, then cn; the tests between the three reads
 * (lines 409-410) are not visible. */
408 get_single_attribute(ldap_struct
, entry
, "gecos", fullname
);
411 get_single_attribute(ldap_struct
, entry
, "displayName", fullname
);
412 get_single_attribute(ldap_struct
, entry
, "cn", fullname
);
415 get_single_attribute(ldap_struct
, entry
, "homeDrive", dir_drive
);
416 DEBUG(5,("homeDrive is set to %s\n",dir_drive
));
/* smb.conf fallback; the empty-value test (line 417) is not visible. */
418 pstrcpy(dir_drive
, lp_logon_drive());
419 DEBUG(5,("homeDrive fell back to %s\n",dir_drive
));
422 get_single_attribute(ldap_struct
, entry
, "smbHome", homedir
);
423 DEBUG(5,("smbHome is set to %s\n",homedir
));
/* smb.conf fallback; the empty-value test (line 424) is not visible. */
425 pstrcpy(homedir
, lp_logon_home());
426 DEBUG(5,("smbHome fell back to %s\n",homedir
));
429 get_single_attribute(ldap_struct
, entry
, "scriptPath", logon_script
);
430 DEBUG(5,("scriptPath is set to %s\n",logon_script
));
431 if (!*logon_script
) {
432 pstrcpy(logon_script
, lp_logon_script());
433 DEBUG(5,("scriptPath fell back to %s\n",logon_script
));
436 get_single_attribute(ldap_struct
, entry
, "profilePath", profile_path
);
437 DEBUG(5,("profilePath is set to %s\n",profile_path
));
438 if (!*profile_path
) {
439 pstrcpy(profile_path
, lp_logon_path());
440 DEBUG(5,("profilePath fell back to %s\n",profile_path
));
443 get_single_attribute(ldap_struct
, entry
, "description", acct_desc
);
444 get_single_attribute(ldap_struct
, entry
, "userWorkstations", workstations
);
/* RIDs are stored in decimal (base 10), unlike the times above. */
445 get_single_attribute(ldap_struct
, entry
, "rid", temp
);
446 user_rid
= (uint32
)strtol(temp
, NULL
, 10);
447 get_single_attribute(ldap_struct
, entry
, "primaryGroupID", temp
);
448 group_rid
= (uint32
)strtol(temp
, NULL
, 10);
451 /* These values MAY be in LDAP, but they can also be retrieved through
452 * sys_getpw*() which is how we're doing it (if you use nss_ldap, then
453 * these values will be stored in LDAP as well, but if not, we want the
454 * local values to override the LDAP for this anyway
455 * homeDirectory attribute
/* uid/gid come from the local NSS lookup of the LDAP user name, not from
 * the entry itself.  The body for a NULL result (lines 459-460) is not
 * visible; sys_user is dereferenced further down. */
457 sys_user
= sys_getpwnam(username
);
458 if (sys_user
== NULL
)
462 /* FIXME: hours stuff should be cleaner */
/* NOTE(review): sizeof(hours) is the size of the pointer variable, not of
 * an element, so this over-allocates; malloc() is unchecked and no
 * assignment to hours_len is visible in this listing. */
465 hours
= malloc(sizeof(hours
) * hours_len
);
466 memset(hours
, 0xff, hours_len
);
/* Password hashes arrive as hex text in `temp` (and pass through the
 * DEBUG(2) inside get_single_attribute()); `temp` is cleared after each
 * decode so the hex copy does not linger in the buffer. */
468 get_single_attribute (ldap_struct
, entry
, "lmPassword", temp
);
469 pdb_gethexpwd(temp
, smblmpwd
);
470 memset((char *)temp
, '\0', sizeof(temp
));
471 get_single_attribute (ldap_struct
, entry
, "ntPassword", temp
);
472 pdb_gethexpwd(temp
, smbntpwd
);
473 memset((char *)temp
, '\0', sizeof(temp
));
474 get_single_attribute (ldap_struct
, entry
, "acctFlags", temp
);
475 acct_ctrl
= pdb_decode_acct_ctrl(temp
);
/* The condition for forcing ACB_NORMAL (line 477) is not visible. */
478 acct_ctrl
|= ACB_NORMAL
;
481 pdb_set_acct_ctrl(sampass
, acct_ctrl
);
482 pdb_set_logon_time(sampass
, logon_time
);
483 pdb_set_logoff_time(sampass
, logoff_time
);
484 pdb_set_kickoff_time(sampass
, kickoff_time
);
485 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
);
486 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
);
487 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
);
489 pdb_set_hours_len(sampass
, hours_len
);
/* No assignment to logon_divs is visible in this listing -- confirm it
 * is initialised on one of the missing lines. */
490 pdb_set_logons_divs(sampass
, logon_divs
);
492 pdb_set_uid(sampass
, sys_user
->pw_uid
);
493 pdb_set_gid(sampass
, sys_user
->pw_gid
);
494 pdb_set_user_rid(sampass
, user_rid
);
495 pdb_set_group_rid(sampass
, group_rid
);
497 pdb_set_username(sampass
, username
);
499 pdb_set_domain(sampass
, domain
);
500 pdb_set_nt_username(sampass
, nt_username
);
502 pdb_set_fullname(sampass
, fullname
);
504 pdb_set_logon_script(sampass
, logon_script
);
505 pdb_set_profile_path(sampass
, profile_path
);
506 pdb_set_dir_drive(sampass
, dir_drive
);
507 pdb_set_homedir(sampass
, homedir
);
508 pdb_set_acct_desc(sampass
, acct_desc
);
509 pdb_set_workstations(sampass
, workstations
);
/* munged_dial is never read from the entry in this listing; the static
 * buffer is passed as-is. */
510 pdb_set_munged_dial(sampass
, munged_dial
);
/* Failure bodies (lines 512, 514) are not visible. */
511 if (!pdb_set_nt_passwd(sampass
, smbntpwd
))
513 if (!pdb_set_lanman_passwd(sampass
, smblmpwd
))
516 /* pdb_set_unknown_3(sampass, unknown3); */
517 /* pdb_set_unknown_5(sampass, unknown5); */
518 /* pdb_set_unknown_6(sampass, unknown6); */
520 pdb_set_hours(sampass
, hours
);
525 /**********************************************************************
526 Build the LDAPMod list for an LDAP add/modify from a SAM_ACCOUNT
527 (Based on init_buffer_from_sam in pdb_tdb.c)
528 *********************************************************************/
/*
 * Build the LDAPMod list describing `sampass` for ldap_add_s() /
 * ldap_modify_s().  `ldap_state` is the LDAPMod op applied to every
 * attribute (callers pass LDAP_MOD_ADD or LDAP_MOD_REPLACE).  The
 * declaration of `temp` and the return are outside this listing.
 *
 * Notes:
 *  - make_a_mod() drops empty values, so with LDAP_MOD_REPLACE an
 *    attribute emptied in SAM_ACCOUNT keeps its old directory value.
 *  - side effect: sampass->user_rid / group_rid are written when zero.
 *  - "%i" is used for pdb_get_uid() (uid_t) and the uint32 rids, "%li"
 *    for time_t; these assume int/long-compatible types.
 *  - lmPassword/ntPassword carry password-equivalent hashes as hex.
 *    `temp` is not cleared afterwards (contrast init_sam_from_ldap()),
 *    and the directory ACL on these attributes decides who can read them.
 */
529 static BOOL
init_ldap_from_sam (LDAPMod
*** mods
, int ldap_state
, SAM_ACCOUNT
* sampass
)
536 * took out adding "objectclass: sambaAccount"
537 * do this on a per-mod basis
541 make_a_mod(mods
, ldap_state
, "uid", pdb_get_username(sampass
));
542 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass
)));
544 slprintf(temp
, sizeof(temp
) - 1, "%i", pdb_get_uid(sampass
));
545 make_a_mod(mods
, ldap_state
, "uidNumber", temp
);
/* Times are written in decimal here although init_sam_from_ldap()
 * parses them with base 16 -- confirm the intended on-disk format. */
547 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_last_set_time(sampass
));
548 make_a_mod(mods
, ldap_state
, "pwdLastSet", temp
);
550 slprintf(temp
, sizeof(temp
) - 1, "%li", pdb_get_logon_time(sampass
));
551 make_a_mod(mods
, ldap_state
, "logonTime", temp
);
553 slprintf(temp
, sizeof(temp
) - 1, "%li", pdb_get_logoff_time(sampass
));
554 make_a_mod(mods
, ldap_state
, "logoffTime", temp
);
556 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_kickoff_time(sampass
));
557 make_a_mod(mods
, ldap_state
, "kickoffTime", temp
);
559 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_can_change_time(sampass
));
560 make_a_mod(mods
, ldap_state
, "pwdCanChange", temp
);
562 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_must_change_time(sampass
));
563 make_a_mod(mods
, ldap_state
, "pwdMustChange", temp
);
565 /* displayName, cn, and gecos should all be the same
566 * most easily accomplished by giving them the same OID
567 * gecos isn't set here because it should be handled by the
571 make_a_mod(mods
, ldap_state
, "displayName", pdb_get_fullname(sampass
));
572 make_a_mod(mods
, ldap_state
, "cn", pdb_get_fullname(sampass
));
574 make_a_mod(mods
, ldap_state
, "smbHome", pdb_get_homedir(sampass
));
575 make_a_mod(mods
, ldap_state
, "homeDrive", pdb_get_dirdrive(sampass
));
576 make_a_mod(mods
, ldap_state
, "scriptPath", pdb_get_logon_script(sampass
));
577 make_a_mod(mods
, ldap_state
, "profilePath", pdb_get_profile_path(sampass
));
578 make_a_mod(mods
, ldap_state
, "description", pdb_get_acct_desc(sampass
));
579 make_a_mod(mods
, ldap_state
, "userWorkstations", pdb_get_workstations(sampass
));
/* Derive missing RIDs from uid/gid and store them back into sampass. */
581 if ( !sampass
->user_rid
)
582 sampass
->user_rid
= pdb_uid_to_user_rid(pdb_get_uid(sampass
));
583 slprintf(temp
, sizeof(temp
) - 1, "%i", sampass
->user_rid
);
584 make_a_mod(mods
, ldap_state
, "rid", temp
);
586 if ( !sampass
->group_rid
)
587 sampass
->group_rid
= pdb_gid_to_group_rid(pdb_get_gid(sampass
));
588 slprintf(temp
, sizeof(temp
) - 1, "%i", sampass
->group_rid
);
589 make_a_mod(mods
, ldap_state
, "primaryGroupID", temp
);
591 /* FIXME: Hours stuff goes in LDAP */
/* Hex-encode the hashes into temp; temp keeps the last hash afterwards. */
592 pdb_sethexpwd (temp
, pdb_get_lanman_passwd(sampass
), pdb_get_acct_ctrl(sampass
));
593 make_a_mod (mods
, ldap_state
, "lmPassword", temp
);
594 pdb_sethexpwd (temp
, pdb_get_nt_passwd(sampass
), pdb_get_acct_ctrl(sampass
));
595 make_a_mod (mods
, ldap_state
, "ntPassword", temp
);
596 make_a_mod (mods
, ldap_state
, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass
),
597 NEW_PW_FORMAT_SPACE_PADDED_LEN
));
602 /**********************************************************************
603 Connect to LDAP server for password enumeration
604 *********************************************************************/
/*
 * Start an enumeration: open and bind a connection held in
 * global_ldap_ent, run one synchronous subtree search with "%u" in
 * lp_ldap_filter() replaced by the wildcard "*", and position .entry on
 * the first match.  `update` is not used in the visible lines.  The
 * declarations of `filter` and `rc` and the returns are outside this
 * listing.  The complete result set stays in memory until
 * pdb_endsampwent() is called.
 */
605 BOOL
pdb_setsampwent(BOOL update
)
610 if (!ldap_open_connection(&global_ldap_ent
.ldap_struct
))
614 if (!ldap_connect_system(global_ldap_ent
.ldap_struct
))
616 ldap_unbind(global_ldap_ent
.ldap_struct
);
/* Wildcard filter: every entry matching the configured filter shape. */
620 pstrcpy(filter
, lp_ldap_filter());
621 all_string_sub(filter
, "%u", "*", sizeof(pstring
));
623 rc
= ldap_search_s(global_ldap_ent
.ldap_struct
, lp_ldap_suffix(),
624 LDAP_SCOPE_SUBTREE
, filter
, NULL
, 0,
625 &global_ldap_ent
.result
);
/* Failure: release everything and reset both globals together so that
 * pdb_endsampwent() sees a consistent state. */
627 if (rc
!= LDAP_SUCCESS
)
629 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc
)));
630 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter
));
631 ldap_msgfree(global_ldap_ent
.result
);
632 ldap_unbind(global_ldap_ent
.ldap_struct
);
633 global_ldap_ent
.ldap_struct
= NULL
;
634 global_ldap_ent
.result
= NULL
;
638 DEBUG(2, ("pdb_setsampwent: %d entries in the base!\n",
639 ldap_count_entries(global_ldap_ent
.ldap_struct
,
640 global_ldap_ent
.result
)));
/* Cursor on the first entry; see the note in pdb_getsampwent(). */
642 global_ldap_ent
.entry
= ldap_first_entry(global_ldap_ent
.ldap_struct
,
643 global_ldap_ent
.result
);
648 /**********************************************************************
649 End enumeration of the LDAP password list
650 *********************************************************************/
/*
 * Release the enumeration state.  Because of the `&&`, nothing is freed
 * when only one of ldap_struct/result is set; on the paths visible in
 * pdb_setsampwent() both are always set or cleared together.  .entry is
 * not reset here, so it dangles after ldap_msgfree() until the next
 * pdb_setsampwent() -- pdb_getsampwent() would need to check for that.
 */
651 void pdb_endsampwent(void)
653 if (global_ldap_ent
.ldap_struct
&& global_ldap_ent
.result
)
655 ldap_msgfree(global_ldap_ent
.result
);
656 ldap_unbind(global_ldap_ent
.ldap_struct
);
657 global_ldap_ent
.ldap_struct
= NULL
;
658 global_ldap_ent
.result
= NULL
;
662 /**********************************************************************
663 Get the next entry in the LDAP password database
664 *********************************************************************/
/*
 * Fill `user` with the next enumerated account.  The early return for a
 * NULL .entry (line 668) and the final return (lines 677-678) are not in
 * this listing.
 *
 * NOTE(review): .entry is advanced with ldap_next_entry() BEFORE it is
 * converted, but pdb_setsampwent() leaves the cursor on the first entry.
 * Unless the missing lines compensate, the first entry of every
 * enumeration is skipped -- confirm against the full file.
 */
665 BOOL
pdb_getsampwent(SAM_ACCOUNT
* user
)
667 if (!global_ldap_ent
.entry
)
670 global_ldap_ent
.entry
= ldap_next_entry(global_ldap_ent
.ldap_struct
,
671 global_ldap_ent
.entry
);
673 if (global_ldap_ent
.entry
!= NULL
)
675 return init_sam_from_ldap(user
, global_ldap_ent
.ldap_struct
,
676 global_ldap_ent
.entry
);
681 /**********************************************************************
682 Get SAM_ACCOUNT entry from LDAP by username
683 *********************************************************************/
/*
 * Look up one account by user name on a fresh connection.  Locals
 * (ldap_struct, result, entry) and the returns are outside this listing;
 * the comparison cut at line 697 is presumably "!= LDAP_SUCCESS".
 *
 * Notes:
 *  - `sname` reaches the search filter unescaped (see
 *    ldap_search_one_user_by_name()).
 *  - in the "< 1" branch the connection is unbound but no
 *    ldap_msgfree(result) is visible, so that path leaks the result.
 *  - the return value of init_sam_from_ldap() is discarded, so a failed
 *    conversion is not reported to the caller.
 *  - the trailing msgfree/unbind pair (lines 721-722) belongs to a branch
 *    whose condition (lines 712-713, presumably a NULL-entry test) is not
 *    visible.
 */
684 BOOL
pdb_getsampwnam(SAM_ACCOUNT
* user
, char *sname
)
690 if (!ldap_open_connection(&ldap_struct
))
692 if (!ldap_connect_system(ldap_struct
))
694 ldap_unbind(ldap_struct
);
697 if (ldap_search_one_user_by_name(ldap_struct
, sname
, &result
) !=
700 ldap_unbind(ldap_struct
);
703 if (ldap_count_entries(ldap_struct
, result
) < 1)
706 ("We don't find this user [%s] count=%d\n", sname
,
707 ldap_count_entries(ldap_struct
, result
)));
708 ldap_unbind(ldap_struct
);
711 entry
= ldap_first_entry(ldap_struct
, result
);
714 init_sam_from_ldap(user
, ldap_struct
, entry
);
715 ldap_msgfree(result
);
716 ldap_unbind(ldap_struct
);
721 ldap_msgfree(result
);
722 ldap_unbind(ldap_struct
);
727 /**********************************************************************
728 Get SAM_ACCOUNT entry from LDAP by rid
729 *********************************************************************/
/*
 * Look up one account by RID on a fresh connection (via
 * ldap_search_one_user_by_rid(), which may fall back to a uid lookup).
 * Locals (ldap_struct, result, entry) and the returns are outside this
 * listing; the comparison cut at line 744 is presumably "!= LDAP_SUCCESS".
 *
 * Notes:
 *  - in the "< 1" branch no ldap_msgfree(result) is visible, so that path
 *    leaks the result; "%i" is used for the uint32 rid in the DEBUG.
 *  - the return value of init_sam_from_ldap() is discarded.
 *  - the trailing msgfree/unbind pair (lines 770-771) belongs to a branch
 *    whose condition (lines 761-762) is not visible.
 */
730 BOOL
pdb_getsampwrid(SAM_ACCOUNT
* user
, uint32 rid
)
736 if (!ldap_open_connection(&ldap_struct
))
739 if (!ldap_connect_system(ldap_struct
))
741 ldap_unbind(ldap_struct
);
744 if (ldap_search_one_user_by_rid(ldap_struct
, rid
, &result
) !=
747 ldap_unbind(ldap_struct
);
751 if (ldap_count_entries(ldap_struct
, result
) < 1)
754 ("We don't find this rid [%i] count=%d\n", rid
,
755 ldap_count_entries(ldap_struct
, result
)));
756 ldap_unbind(ldap_struct
);
760 entry
= ldap_first_entry(ldap_struct
, result
);
763 init_sam_from_ldap(user
, ldap_struct
, entry
);
764 ldap_msgfree(result
);
765 ldap_unbind(ldap_struct
);
770 ldap_msgfree(result
);
771 ldap_unbind(ldap_struct
);
776 /**********************************************************************
777 Get SAM_ACCOUNT entry from LDAP by uid
778 *********************************************************************/
/*
 * Look up one account by uid on a fresh connection (via
 * ldap_search_one_user_by_uid(), which resolves the uid through NSS and
 * takes an `int`, so uid_t is narrowed here).  Locals (ldap_struct,
 * result, entry) and the returns are outside this listing; the
 * comparison cut at line 793 is presumably "!= LDAP_SUCCESS".
 *
 * Notes:
 *  - in the "< 1" branch no ldap_msgfree(result) is visible, so that path
 *    leaks the result; "%i" is used for the uid_t in the DEBUG.
 *  - the return value of init_sam_from_ldap() is discarded.
 *  - the trailing msgfree/unbind pair (lines 818-819) belongs to a branch
 *    whose condition (lines 809-810) is not visible.
 */
779 BOOL
pdb_getsampwuid(SAM_ACCOUNT
* user
, uid_t uid
)
785 if (!ldap_open_connection(&ldap_struct
))
788 if (!ldap_connect_system(ldap_struct
))
790 ldap_unbind(ldap_struct
);
793 if (ldap_search_one_user_by_uid(ldap_struct
, uid
, &result
) !=
796 ldap_unbind(ldap_struct
);
800 if (ldap_count_entries(ldap_struct
, result
) < 1)
803 ("We don't find this uid [%i] count=%d\n", uid
,
804 ldap_count_entries(ldap_struct
, result
)));
805 ldap_unbind(ldap_struct
);
808 entry
= ldap_first_entry(ldap_struct
, result
);
811 init_sam_from_ldap(user
, ldap_struct
, entry
);
812 ldap_msgfree(result
);
813 ldap_unbind(ldap_struct
);
818 ldap_msgfree(result
);
819 ldap_unbind(ldap_struct
);
825 /**********************************************************************
826 Delete entry from LDAP for username
827 *********************************************************************/
/*
 * Delete the directory entry matching `sname`.  Locals (ldap_struct,
 * result, entry, dn, rc, ld_error) and the returns are outside this
 * listing.
 *
 * Notes:
 *  - rc from the search is not checked before ldap_count_entries() is
 *    applied to `result`; after a failed search `result` may be NULL or
 *    stale.
 *  - ldap_delete_s() removes the whole object, not just the Samba
 *    attributes: if POSIX account data (nss_ldap) lives in the same entry
 *    it is deleted too.  Contrast pdb_add_sam_account(), which treats
 *    "entries without samba properties" as a distinct case.
 *  - no ldap_msgfree(result) / ldap_memfree(dn) is visible after the
 *    entry is used (lines 859-860, 868-870, 873-874 are missing).
 *  - the log text "User doesn't exit!" presumably means "exist"; it is a
 *    runtime string and is left unchanged here.
 */
828 BOOL
pdb_delete_sam_account(char *sname
)
836 if (!ldap_open_connection (&ldap_struct
))
839 DEBUG (3, ("Deleting user %s from LDAP.\n", sname
));
841 if (!ldap_connect_system (ldap_struct
)) {
842 ldap_unbind (ldap_struct
);
843 DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname
));
/* sname goes into the filter unescaped (see
 * ldap_search_one_user_by_name()); rc is not examined below. */
847 rc
= ldap_search_one_user_by_name (ldap_struct
, sname
, &result
);
848 if (ldap_count_entries (ldap_struct
, result
) == 0) {
849 DEBUG (0, ("User doesn't exit!\n"));
850 ldap_msgfree (result
);
851 ldap_unbind (ldap_struct
);
855 entry
= ldap_first_entry (ldap_struct
, result
);
856 dn
= ldap_get_dn (ldap_struct
, entry
);
/* Whole-object delete of the first matching entry. */
858 rc
= ldap_delete_s (ldap_struct
, dn
);
861 if (rc
!= LDAP_SUCCESS
) {
863 ldap_get_option (ldap_struct
, LDAP_OPT_ERROR_STRING
, &ld_error
);
864 DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
865 sname
, ldap_err2string (rc
), ld_error
));
867 ldap_unbind (ldap_struct
);
871 DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname
));
872 ldap_unbind (ldap_struct
);
876 /**********************************************************************
878 *********************************************************************/
/*
 * Replace the Samba attributes of the existing entry for
 * pdb_get_username(newpwd) using LDAP_MOD_REPLACE mods.  `override` is
 * unused in the visible lines; locals (ldap_struct, result, entry, dn,
 * mods, rc, ld_error) and the returns are outside this listing, and the
 * ld_error retrieval / error DEBUG are cut at lines 918-924.
 *
 * Notes:
 *  - rc from the search is not checked before ldap_count_entries().
 *  - on the modify-error path only ldap_unbind() is visible: neither
 *    ldap_mods_free(mods, 1) nor ldap_msgfree(result) / ldap_memfree(dn)
 *    appears there, unlike the success path which frees mods.
 *  - `mods` must be NULL before init_ldap_from_sam() (make_a_mod()
 *    allocates on first use); that initialisation is not visible.
 */
879 BOOL
pdb_update_sam_account(SAM_ACCOUNT
* newpwd
, BOOL override
)
888 if (!ldap_open_connection(&ldap_struct
)) /* open a connection to the server */
891 if (!ldap_connect_system(ldap_struct
)) /* connect as system account */
893 ldap_unbind(ldap_struct
);
897 rc
= ldap_search_one_user_by_name(ldap_struct
,
898 pdb_get_username(newpwd
), &result
);
900 if (ldap_count_entries(ldap_struct
, result
) == 0)
902 DEBUG(0, ("No user to modify!\n"));
903 ldap_msgfree(result
);
904 ldap_unbind(ldap_struct
);
/* Build REPLACE mods for every Samba attribute (empty values are
 * skipped by make_a_mod(), so they are not cleared in the directory). */
908 init_ldap_from_sam(&mods
, LDAP_MOD_REPLACE
, newpwd
);
910 entry
= ldap_first_entry(ldap_struct
, result
);
911 dn
= ldap_get_dn(ldap_struct
, entry
);
913 rc
= ldap_modify_s(ldap_struct
, dn
, mods
);
915 if (rc
!= LDAP_SUCCESS
)
918 ldap_get_option(ldap_struct
, LDAP_OPT_ERROR_STRING
,
921 ("failed to modify user with uid = %s with: %s\n\t%s\n",
922 pdb_get_username(newpwd
), ldap_err2string(rc
),
925 ldap_unbind(ldap_struct
);
930 ("successfully modified uid = %s in the LDAP database\n",
931 pdb_get_username(newpwd
)));
932 ldap_mods_free(mods
, 1);
933 ldap_unbind(ldap_struct
);
937 /**********************************************************************
938 Add SAM_ACCOUNT to LDAP
939 *********************************************************************/
/*
 * Add a Samba account.  Refuse if an entry already matches
 * lp_ldap_filter() for the name; otherwise, if exactly one plain
 * "uid=<name>" entry exists, REPLACE its attributes in place (adding
 * objectclass sambaAccount), else ADD a new entry under
 * lp_ldap_suffix().  Locals (filter, dn, tmp, mods, result, entry,
 * num_result, ldap_op, rc, ld_error) and the returns are outside this
 * listing.
 *
 * NOTE(review):
 *  - the user name is spliced into the filter "uid=%s" and into the DN
 *    "uid=%s,%s" without filter (RFC 2254) or DN (RFC 2253) escaping; a
 *    name containing those metacharacters changes what is searched for
 *    or where the entry is created.  Validate/escape before use.
 *  - the "> 1" branch logs but no cleanup or return is visible (lines
 *    979-980); rc from the second search is not checked.
 *  - `tmp` from ldap_get_dn() is not released (ldap_memfree) in the
 *    visible lines.
 *  - the error message says "modify" for both the add and modify paths.
 */
940 BOOL
pdb_add_sam_account(SAM_ACCOUNT
* newpwd
)
951 if (!ldap_open_connection(&ldap_struct
)) /* open a connection to the server */
956 if (!ldap_connect_system(ldap_struct
)) /* connect as system account */
958 ldap_unbind(ldap_struct
);
/* First search: an entry matching the configured Samba filter. */
962 rc
= ldap_search_one_user_by_name (ldap_struct
, pdb_get_username(newpwd
), &result
);
964 if (ldap_count_entries(ldap_struct
, result
) != 0)
966 DEBUG(0,("User already in the base, with samba properties\n"));
967 ldap_msgfree(result
);
968 ldap_unbind(ldap_struct
);
971 ldap_msgfree(result
);
/* Second search: any entry with this uid, regardless of objectclass. */
973 slprintf (filter
, sizeof (filter
) - 1, "uid=%s", pdb_get_username(newpwd
));
974 rc
= ldap_search_one_user(ldap_struct
, filter
, &result
);
975 num_result
= ldap_count_entries(ldap_struct
, result
);
977 if (num_result
> 1) {
978 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
982 /* Check if we need to update an existing entry */
983 if (num_result
== 1) {
987 DEBUG(3,("User exists without samba properties: adding them\n"));
988 ldap_op
= LDAP_MOD_REPLACE
;
989 entry
= ldap_first_entry (ldap_struct
, result
);
990 tmp
= ldap_get_dn (ldap_struct
, entry
);
991 slprintf (dn
, sizeof (dn
) - 1, "%s", tmp
);
995 /* Check if we need to add an entry */
996 DEBUG(3,("Adding new user\n"));
997 ldap_op
= LDAP_MOD_ADD
;
/* DN composed from the unescaped user name and the suffix. */
998 slprintf (dn
, sizeof (dn
) - 1, "uid=%s,%s", pdb_get_username(newpwd
), lp_ldap_suffix ());
1001 ldap_msgfree(result
);
/* objectclass is always ADDed, even on the REPLACE path, so that an
 * existing POSIX entry gains sambaAccount. */
1003 init_ldap_from_sam(&mods
, ldap_op
, newpwd
);
1004 make_a_mod(&mods
, LDAP_MOD_ADD
, "objectclass", "sambaAccount");
1006 if (ldap_op
== LDAP_MOD_REPLACE
) {
1007 rc
= ldap_modify_s(ldap_struct
, dn
, mods
);
1010 rc
= ldap_add_s(ldap_struct
, dn
, mods
);
1013 if (rc
!= LDAP_SUCCESS
)
1017 ldap_get_option (ldap_struct
, LDAP_OPT_ERROR_STRING
, &ld_error
);
1018 DEBUG(0,("failed to modify user with uid = %s with: %s\n\t%s\n",
1019 pdb_get_username(newpwd
), ldap_err2string (rc
), ld_error
));
1021 ldap_mods_free(mods
, 1);
1022 ldap_unbind(ldap_struct
);
1026 DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd
)));
1027 ldap_mods_free(mods
, 1);
1028 ldap_unbind(ldap_struct
);
/* Never-called placeholder so the translation unit is not empty
 * (presumably in the build without LDAP support; the preprocessor lines
 * around it, 1034 and 1036, are not in this listing). */
1033 void dummy_function(void);
1035 dummy_function (void)
1037 } /* stop some compilers complaining */