search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r19801: grabbing minor changes (some missing pieces from jmcd's SAMR work as well)
[Samba.git] / source / passdb / pdb_ldap.c
blobc0b78cde5e53576b67487a198d9d86ceffd36ce5
1 /*
2 Unix SMB/CIFS implementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
9 Copyright (C) Simo Sorce 2006
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24
25 */
26
27 /* TODO:
28 * persistent connections: if using NSS LDAP, many connections are made
29 * however, using only one within Samba would be nice
30 *
31 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
32 *
33 * Other LDAP based login attributes: accountExpires, etc.
34 * (should be the domain of Samba proper, but the sam_password/struct samu
35 * structures don't have fields for some of these attributes)
36 *
37 * SSL is done, but can't get the certificate based authentication to work
38 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
39 */
40
41 /* NOTE: this will NOT work against an Active Directory server
42 * due to the fact that the two password fields cannot be retrieved
43 * from a server; recommend using security = domain in this situation
44 * and/or winbind
45 */
46
47 #include "includes.h"
48
49 #undef DBGC_CLASS
50 #define DBGC_CLASS DBGC_PASSDB
51
52 #include <lber.h>
53 #include <ldap.h>
54
55 /*
56 * Work around versions of the LDAP client libs that don't have the OIDs
57 * defined, or have them defined under the old name.
58 * This functionality is really a factor of the server, not the client
59 *
60 */
61
62 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
63 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
64 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
65 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
66 #endif
67
68 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
69 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
70 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
71 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
72 #endif
73
74 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
75 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
76 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
77 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
78 #endif
79
80
81 #include "smbldap.h"
82
83 /**********************************************************************
84 Simple helper function to make stuff better readable
85 **********************************************************************/
86
87 static LDAP *priv2ld(struct ldapsam_privates *priv)
88 {
89 return priv->smbldap_state->ldap_struct;
90 }
91
92 /**********************************************************************
93 Get the attribute name given a user schame version.
94 **********************************************************************/
95
96 static const char* get_userattr_key2string( int schema_ver, int key )
97 {
98 switch ( schema_ver ) {
99 case SCHEMAVER_SAMBAACCOUNT:
100 return get_attr_key2string( attrib_map_v22, key );
101
102 case SCHEMAVER_SAMBASAMACCOUNT:
103 return get_attr_key2string( attrib_map_v30, key );
104
105 default:
106 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
107 break;
108 }
109 return NULL;
110 }
111
112 /**********************************************************************
113 Return the list of attribute names given a user schema version.
114 **********************************************************************/
115
116 const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
117 {
118 switch ( schema_ver ) {
119 case SCHEMAVER_SAMBAACCOUNT:
120 return get_attr_list( mem_ctx, attrib_map_v22 );
121
122 case SCHEMAVER_SAMBASAMACCOUNT:
123 return get_attr_list( mem_ctx, attrib_map_v30 );
124 default:
125 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
126 break;
127 }
128
129 return NULL;
130 }
131
132 /**************************************************************************
133 Return the list of attribute names to delete given a user schema version.
134 **************************************************************************/
135
136 static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
137 int schema_ver )
138 {
139 switch ( schema_ver ) {
140 case SCHEMAVER_SAMBAACCOUNT:
141 return get_attr_list( mem_ctx,
142 attrib_map_to_delete_v22 );
143
144 case SCHEMAVER_SAMBASAMACCOUNT:
145 return get_attr_list( mem_ctx,
146 attrib_map_to_delete_v30 );
147 default:
148 DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
149 break;
150 }
151
152 return NULL;
153 }
154
155
156 /*******************************************************************
157 Generate the LDAP search filter for the objectclass based on the
158 version of the schema we are using.
159 ******************************************************************/
160
161 static const char* get_objclass_filter( int schema_ver )
162 {
163 static fstring objclass_filter;
164
165 switch( schema_ver ) {
166 case SCHEMAVER_SAMBAACCOUNT:
167 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
168 break;
169 case SCHEMAVER_SAMBASAMACCOUNT:
170 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
171 break;
172 default:
173 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
174 break;
175 }
176
177 return objclass_filter;
178 }
179
180 /*****************************************************************
181 Scan a sequence number off OpenLDAP's syncrepl contextCSN
182 ******************************************************************/
183
184 static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
185 {
186 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
187 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
188 LDAPMessage *msg = NULL;
189 LDAPMessage *entry = NULL;
190 TALLOC_CTX *mem_ctx;
191 char **values = NULL;
192 int rc, num_result, num_values, rid;
193 pstring suffix;
194 fstring tok;
195 const char *p;
196 const char **attrs;
197
198 /* Unfortunatly there is no proper way to detect syncrepl-support in
199 * smbldap_connect_system(). The syncrepl OIDs are submitted for publication
200 * but do not show up in the root-DSE yet. Neither we can query the
201 * subschema-context for the syncProviderSubentry or syncConsumerSubentry
202 * objectclass. Currently we require lp_ldap_suffix() to show up as
203 * namingContext. - Guenther
204 */
205
206 if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
207 return ntstatus;
208 }
209
210 if (!seq_num) {
211 DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
212 return ntstatus;
213 }
214
215 if (!smbldap_has_naming_context(ldap_state->smbldap_state->ldap_struct, lp_ldap_suffix())) {
216 DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
217 "as top-level namingContext\n", lp_ldap_suffix()));
218 return ntstatus;
219 }
220
221 mem_ctx = talloc_init("ldapsam_get_seq_num");
222
223 if (mem_ctx == NULL)
224 return NT_STATUS_NO_MEMORY;
225
226 if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 2)) == NULL) {
227 ntstatus = NT_STATUS_NO_MEMORY;
228 goto done;
229 }
230
231 /* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
232 rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
233 if (rid > 0) {
234
235 /* consumer syncreplCookie: */
236 /* csn=20050126161620Z#0000001#00#00000 */
237 attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
238 attrs[1] = NULL;
239 pstr_sprintf( suffix, "cn=syncrepl%d,%s", rid, lp_ldap_suffix());
240
241 } else {
242
243 /* provider contextCSN */
244 /* 20050126161620Z#000009#00#000000 */
245 attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
246 attrs[1] = NULL;
247 pstr_sprintf( suffix, "cn=ldapsync,%s", lp_ldap_suffix());
248
249 }
250
251 rc = smbldap_search(ldap_state->smbldap_state, suffix,
252 LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
253
254 if (rc != LDAP_SUCCESS) {
255 goto done;
256 }
257
258 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg);
259 if (num_result != 1) {
260 DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
261 goto done;
262 }
263
264 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg);
265 if (entry == NULL) {
266 DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
267 goto done;
268 }
269
270 values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]);
271 if (values == NULL) {
272 DEBUG(3,("ldapsam_get_seq_num: no values\n"));
273 goto done;
274 }
275
276 num_values = ldap_count_values(values);
277 if (num_values == 0) {
278 DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
279 goto done;
280 }
281
282 p = values[0];
283 if (!next_token(&p, tok, "#", sizeof(tok))) {
284 DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
285 goto done;
286 }
287
288 p = tok;
289 if (!strncmp(p, "csn=", strlen("csn=")))
290 p += strlen("csn=");
291
292 DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
293
294 *seq_num = generalized_to_unix_time(p);
295
296 /* very basic sanity check */
297 if (*seq_num <= 0) {
298 DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
299 (int)*seq_num));
300 goto done;
301 }
302
303 ntstatus = NT_STATUS_OK;
304
305 done:
306 if (values != NULL)
307 ldap_value_free(values);
308 if (msg != NULL)
309 ldap_msgfree(msg);
310 if (mem_ctx)
311 talloc_destroy(mem_ctx);
312
313 return ntstatus;
314 }
315
316 /*******************************************************************
317 Run the search by name.
318 ******************************************************************/
319
320 int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
321 const char *user,
322 LDAPMessage ** result,
323 const char **attr)
324 {
325 pstring filter;
326 char *escape_user = escape_ldap_string_alloc(user);
327
328 if (!escape_user) {
329 return LDAP_NO_MEMORY;
330 }
331
332 /*
333 * in the filter expression, replace %u with the real name
334 * so in ldap filter, %u MUST exist :-)
335 */
336 pstr_sprintf(filter, "(&%s%s)", "(uid=%u)",
337 get_objclass_filter(ldap_state->schema_ver));
338
339 /*
340 * have to use this here because $ is filtered out
341 * in pstring_sub
342 */
343
344
345 all_string_sub(filter, "%u", escape_user, sizeof(pstring));
346 SAFE_FREE(escape_user);
347
348 return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
349 }
350
351 /*******************************************************************
352 Run the search by rid.
353 ******************************************************************/
354
355 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
356 uint32 rid, LDAPMessage ** result,
357 const char **attr)
358 {
359 pstring filter;
360 int rc;
361
362 pstr_sprintf(filter, "(&(rid=%i)%s)", rid,
363 get_objclass_filter(ldap_state->schema_ver));
364
365 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
366
367 return rc;
368 }
369
370 /*******************************************************************
371 Run the search by SID.
372 ******************************************************************/
373
374 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
375 const DOM_SID *sid, LDAPMessage ** result,
376 const char **attr)
377 {
378 pstring filter;
379 int rc;
380 fstring sid_string;
381
382 pstr_sprintf(filter, "(&(%s=%s)%s)",
383 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
384 sid_to_string(sid_string, sid),
385 get_objclass_filter(ldap_state->schema_ver));
386
387 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
388
389 return rc;
390 }
391
392 /*******************************************************************
393 Delete complete object or objectclass and attrs from
394 object found in search_result depending on lp_ldap_delete_dn
395 ******************************************************************/
396
397 static int ldapsam_delete_entry(struct ldapsam_privates *priv,
398 TALLOC_CTX *mem_ctx,
399 LDAPMessage *entry,
400 const char *objectclass,
401 const char **attrs)
402 {
403 LDAPMod **mods = NULL;
404 char *name;
405 const char *dn;
406 BerElement *ptr = NULL;
407
408 dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
409 if (dn == NULL) {
410 return LDAP_NO_MEMORY;
411 }
412
413 if (lp_ldap_delete_dn()) {
414 return smbldap_delete(priv->smbldap_state, dn);
415 }
416
417 /* Ok, delete only the SAM attributes */
418
419 for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
420 name != NULL;
421 name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
422 const char **attrib;
423
424 /* We are only allowed to delete the attributes that
425 really exist. */
426
427 for (attrib = attrs; *attrib != NULL; attrib++) {
428 if (strequal(*attrib, name)) {
429 DEBUG(10, ("ldapsam_delete_entry: deleting "
430 "attribute %s\n", name));
431 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
432 NULL);
433 }
434 }
435 ldap_memfree(name);
436 }
437
438 if (ptr != NULL) {
439 ber_free(ptr, 0);
440 }
441
442 smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
443 talloc_autofree_ldapmod(mem_ctx, mods);
444
445 return smbldap_modify(priv->smbldap_state, dn, mods);
446 }
447
448 static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry)
449 {
450 pstring temp;
451 struct tm tm;
452
453 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
454 get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
455 temp))
456 return (time_t) 0;
457
458 strptime(temp, "%Y%m%d%H%M%SZ", &tm);
459 tzset();
460 return timegm(&tm);
461 }
462
463 /**********************************************************************
464 Initialize struct samu from an LDAP query.
465 (Based on init_sam_from_buffer in pdb_tdb.c)
466 *********************************************************************/
467
468 static BOOL init_sam_from_ldap(struct ldapsam_privates *ldap_state,
469 struct samu * sampass,
470 LDAPMessage * entry)
471 {
472 time_t logon_time,
473 logoff_time,
474 kickoff_time,
475 pass_last_set_time,
476 pass_can_change_time,
477 pass_must_change_time,
478 ldap_entry_time,
479 bad_password_time;
480 pstring username,
481 domain,
482 nt_username,
483 fullname,
484 homedir,
485 dir_drive,
486 logon_script,
487 profile_path,
488 acct_desc,
489 workstations;
490 char munged_dial[2048];
491 uint32 user_rid;
492 uint8 smblmpwd[LM_HASH_LEN],
493 smbntpwd[NT_HASH_LEN];
494 BOOL use_samba_attrs = True;
495 uint32 acct_ctrl = 0;
496 uint16 logon_divs;
497 uint16 bad_password_count = 0,
498 logon_count = 0;
499 uint32 hours_len;
500 uint8 hours[MAX_HOURS_LEN];
501 pstring temp;
502 LOGIN_CACHE *cache_entry = NULL;
503 uint32 pwHistLen;
504 pstring tmpstring;
505 BOOL expand_explicit = lp_passdb_expand_explicit();
506
507 /*
508 * do a little initialization
509 */
510 username[0] = '\0';
511 domain[0] = '\0';
512 nt_username[0] = '\0';
513 fullname[0] = '\0';
514 homedir[0] = '\0';
515 dir_drive[0] = '\0';
516 logon_script[0] = '\0';
517 profile_path[0] = '\0';
518 acct_desc[0] = '\0';
519 munged_dial[0] = '\0';
520 workstations[0] = '\0';
521
522
523 if (sampass == NULL || ldap_state == NULL || entry == NULL) {
524 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
525 return False;
526 }
527
528 if (priv2ld(ldap_state) == NULL) {
529 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
530 "ldap_struct is NULL!\n"));
531 return False;
532 }
533
534 if (!smbldap_get_single_pstring(priv2ld(ldap_state), entry, "uid",
535 username)) {
536 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
537 "this user!\n"));
538 return False;
539 }
540
541 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
542
543 pstrcpy(nt_username, username);
544
545 pstrcpy(domain, ldap_state->domain_name);
546
547 pdb_set_username(sampass, username, PDB_SET);
548
549 pdb_set_domain(sampass, domain, PDB_DEFAULT);
550 pdb_set_nt_username(sampass, nt_username, PDB_SET);
551
552 /* deal with different attributes between the schema first */
553
554 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
555 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
556 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
557 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
558 }
559 } else {
560 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
561 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
562 user_rid = (uint32)atol(temp);
563 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
564 }
565 }
566
567 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
568 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
569 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
570 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
571 username));
572 return False;
573 }
574
575 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
576 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
577 /* leave as default */
578 } else {
579 pass_last_set_time = (time_t) atol(temp);
580 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
581 }
582
583 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
584 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
585 /* leave as default */
586 } else {
587 logon_time = (time_t) atol(temp);
588 pdb_set_logon_time(sampass, logon_time, PDB_SET);
589 }
590
591 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
592 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
593 /* leave as default */
594 } else {
595 logoff_time = (time_t) atol(temp);
596 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
597 }
598
599 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
600 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
601 /* leave as default */
602 } else {
603 kickoff_time = (time_t) atol(temp);
604 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
605 }
606
607 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
608 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
609 /* leave as default */
610 } else {
611 pass_can_change_time = (time_t) atol(temp);
612 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
613 }
614
615 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
616 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {
617 /* leave as default */
618 } else {
619 pass_must_change_time = (time_t) atol(temp);
620 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
621 }
622
623 /* recommend that 'gecos' and 'displayName' should refer to the same
624 * attribute OID. userFullName depreciated, only used by Samba
625 * primary rules of LDAP: don't make a new attribute when one is already defined
626 * that fits your needs; using cn then displayName rather than 'userFullName'
627 */
628
629 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
630 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
631 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
632 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
633 /* leave as default */
634 } else {
635 pdb_set_fullname(sampass, fullname, PDB_SET);
636 }
637 } else {
638 pdb_set_fullname(sampass, fullname, PDB_SET);
639 }
640
641 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
642 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
643 {
644 pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
645 } else {
646 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
647 }
648
649 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
650 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
651 {
652 pdb_set_homedir( sampass,
653 talloc_sub_basic(sampass, username, lp_logon_home()),
654 PDB_DEFAULT );
655 } else {
656 pstrcpy( tmpstring, homedir );
657 if (expand_explicit) {
658 standard_sub_basic( username, tmpstring,
659 sizeof(tmpstring) );
660 }
661 pdb_set_homedir(sampass, tmpstring, PDB_SET);
662 }
663
664 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
665 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
666 {
667 pdb_set_logon_script( sampass,
668 talloc_sub_basic(sampass, username, lp_logon_script()),
669 PDB_DEFAULT );
670 } else {
671 pstrcpy( tmpstring, logon_script );
672 if (expand_explicit) {
673 standard_sub_basic( username, tmpstring,
674 sizeof(tmpstring) );
675 }
676 pdb_set_logon_script(sampass, tmpstring, PDB_SET);
677 }
678
679 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
680 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
681 {
682 pdb_set_profile_path( sampass,
683 talloc_sub_basic( sampass, username, lp_logon_path()),
684 PDB_DEFAULT );
685 } else {
686 pstrcpy( tmpstring, profile_path );
687 if (expand_explicit) {
688 standard_sub_basic( username, tmpstring,
689 sizeof(tmpstring) );
690 }
691 pdb_set_profile_path(sampass, tmpstring, PDB_SET);
692 }
693
694 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
695 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
696 {
697 /* leave as default */
698 } else {
699 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
700 }
701
702 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
703 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
704 /* leave as default */;
705 } else {
706 pdb_set_workstations(sampass, workstations, PDB_SET);
707 }
708
709 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
710 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
711 /* leave as default */;
712 } else {
713 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
714 }
715
716 /* FIXME: hours stuff should be cleaner */
717
718 logon_divs = 168;
719 hours_len = 21;
720 memset(hours, 0xff, hours_len);
721
722 if (ldap_state->is_nds_ldap) {
723 char *user_dn;
724 size_t pwd_len;
725 char clear_text_pw[512];
726
727 /* Make call to Novell eDirectory ldap extension to get clear text password.
728 NOTE: This will only work if we have an SSL connection to eDirectory. */
729 user_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
730 if (user_dn != NULL) {
731 DEBUG(3, ("init_sam_from_ldap: smbldap_get_dn(%s) returned '%s'\n", username, user_dn));
732
733 pwd_len = sizeof(clear_text_pw);
734 if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
735 nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
736 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
737 SAFE_FREE(user_dn);
738 return False;
739 }
740 ZERO_STRUCT(smblmpwd);
741 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
742 SAFE_FREE(user_dn);
743 return False;
744 }
745 ZERO_STRUCT(smbntpwd);
746 use_samba_attrs = False;
747 }
748
749 SAFE_FREE(user_dn);
750
751 } else {
752 DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
753 }
754 }
755
756 if (use_samba_attrs) {
757 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
758 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
759 /* leave as default */
760 } else {
761 pdb_gethexpwd(temp, smblmpwd);
762 memset((char *)temp, '\0', strlen(temp)+1);
763 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
764 return False;
765 ZERO_STRUCT(smblmpwd);
766 }
767
768 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
769 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
770 /* leave as default */
771 } else {
772 pdb_gethexpwd(temp, smbntpwd);
773 memset((char *)temp, '\0', strlen(temp)+1);
774 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
775 return False;
776 ZERO_STRUCT(smbntpwd);
777 }
778 }
779
780 pwHistLen = 0;
781
782 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
783 if (pwHistLen > 0){
784 uint8 *pwhist = NULL;
785 int i;
786 char history_string[MAX_PW_HISTORY_LEN*64];
787
788 pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
789
790 if ((pwhist = SMB_MALLOC_ARRAY(uint8, pwHistLen * PW_HISTORY_ENTRY_LEN)) == NULL){
791 DEBUG(0, ("init_sam_from_ldap: malloc failed!\n"));
792 return False;
793 }
794 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
795
796 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
797 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
798 history_string, sizeof(history_string))) {
799 /* leave as default - zeros */
800 } else {
801 BOOL hex_failed = False;
802 for (i = 0; i < pwHistLen; i++){
803 /* Get the 16 byte salt. */
804 if (!pdb_gethexpwd(&history_string[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
805 hex_failed = True;
806 break;
807 }
808 /* Get the 16 byte MD5 hash of salt+passwd. */
809 if (!pdb_gethexpwd(&history_string[(i*64)+32],
810 &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN])) {
811 hex_failed = True;
812 break;
813 }
814 }
815 if (hex_failed) {
816 DEBUG(0,("init_sam_from_ldap: Failed to get password history for user %s\n",
817 username));
818 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
819 }
820 }
821 if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
822 SAFE_FREE(pwhist);
823 return False;
824 }
825 SAFE_FREE(pwhist);
826 }
827
828 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
829 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
830 acct_ctrl |= ACB_NORMAL;
831 } else {
832 acct_ctrl = pdb_decode_acct_ctrl(temp);
833
834 if (acct_ctrl == 0)
835 acct_ctrl |= ACB_NORMAL;
836
837 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
838 }
839
840 pdb_set_hours_len(sampass, hours_len, PDB_SET);
841 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
842
843 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
844 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
845 /* leave as default */
846 } else {
847 bad_password_count = (uint32) atol(temp);
848 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
849 }
850
851 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
852 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
853 /* leave as default */
854 } else {
855 bad_password_time = (time_t) atol(temp);
856 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
857 }
858
859
860 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
861 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
862 /* leave as default */
863 } else {
864 logon_count = (uint32) atol(temp);
865 pdb_set_logon_count(sampass, logon_count, PDB_SET);
866 }
867
868 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
869
870 if(!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
871 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_HOURS), temp)) {
872 /* leave as default */
873 } else {
874 pdb_gethexhours(temp, hours);
875 memset((char *)temp, '\0', strlen(temp) +1);
876 pdb_set_hours(sampass, hours, PDB_SET);
877 ZERO_STRUCT(hours);
878 }
879
880 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
881 if (smbldap_get_single_pstring(priv2ld(ldap_state), entry,
882 "uidNumber", temp)) {
883 /* We've got a uid, feed the cache */
884 uid_t uid = strtoul(temp, NULL, 10);
885 store_uid_sid_cache(pdb_get_user_sid(sampass), uid);
886 }
887 }
888
889 /* check the timestamp of the cache vs ldap entry */
890 if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
891 entry)))
892 return True;
893
894 /* see if we have newer updates */
895 if (!(cache_entry = login_cache_read(sampass))) {
896 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
897 (unsigned int)pdb_get_bad_password_count(sampass),
898 (unsigned int)pdb_get_bad_password_time(sampass)));
899 return True;
900 }
901
902 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
903 (unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp,
904 (unsigned int)cache_entry->bad_password_time));
905
906 if (ldap_entry_time > cache_entry->entry_timestamp) {
907 /* cache is older than directory , so
908 we need to delete the entry but allow the
909 fields to be written out */
910 login_cache_delentry(sampass);
911 } else {
912 /* read cache in */
913 pdb_set_acct_ctrl(sampass,
914 pdb_get_acct_ctrl(sampass) |
915 (cache_entry->acct_ctrl & ACB_AUTOLOCK),
916 PDB_SET);
917 pdb_set_bad_password_count(sampass,
918 cache_entry->bad_password_count,
919 PDB_SET);
920 pdb_set_bad_password_time(sampass,
921 cache_entry->bad_password_time,
922 PDB_SET);
923 }
924
925 SAFE_FREE(cache_entry);
926 return True;
927 }
928
929 /**********************************************************************
930 Initialize the ldap db from a struct samu. Called on update.
931 (Based on init_buffer_from_sam in pdb_tdb.c)
932 *********************************************************************/
933
934 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
935 LDAPMessage *existing,
936 LDAPMod *** mods, struct samu * sampass,
937 BOOL (*need_update)(const struct samu *,
938 enum pdb_elements))
939 {
940 pstring temp;
941 uint32 rid;
942
943 if (mods == NULL || sampass == NULL) {
944 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
945 return False;
946 }
947
948 *mods = NULL;
949
950 /*
951 * took out adding "objectclass: sambaAccount"
952 * do this on a per-mod basis
953 */
954 if (need_update(sampass, PDB_USERNAME)) {
955 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
956 "uid", pdb_get_username(sampass));
957 if (ldap_state->is_nds_ldap) {
958 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
959 "cn", pdb_get_username(sampass));
960 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
961 "sn", pdb_get_username(sampass));
962 }
963 }
964
965 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
966
967 /* only update the RID if we actually need to */
968 if (need_update(sampass, PDB_USERSID)) {
969 fstring sid_string;
970 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
971
972 switch ( ldap_state->schema_ver ) {
973 case SCHEMAVER_SAMBAACCOUNT:
974 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
975 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
976 sid_string_static(user_sid),
977 sid_string_static(&ldap_state->domain_sid)));
978 return False;
979 }
980 slprintf(temp, sizeof(temp) - 1, "%i", rid);
981 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
982 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
983 temp);
984 break;
985
986 case SCHEMAVER_SAMBASAMACCOUNT:
987 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
988 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
989 sid_to_string(sid_string, user_sid));
990 break;
991
992 default:
993 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
994 break;
995 }
996 }
997
998 /* we don't need to store the primary group RID - so leaving it
999 'free' to hang off the unix primary group makes life easier */
1000
1001 if (need_update(sampass, PDB_GROUPSID)) {
1002 fstring sid_string;
1003 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
1004
1005 switch ( ldap_state->schema_ver ) {
1006 case SCHEMAVER_SAMBAACCOUNT:
1007 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
1008 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1009 sid_string_static(group_sid),
1010 sid_string_static(&ldap_state->domain_sid)));
1011 return False;
1012 }
1013
1014 slprintf(temp, sizeof(temp) - 1, "%i", rid);
1015 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1016 get_userattr_key2string(ldap_state->schema_ver,
1017 LDAP_ATTR_PRIMARY_GROUP_RID), temp);
1018 break;
1019
1020 case SCHEMAVER_SAMBASAMACCOUNT:
1021 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1022 get_userattr_key2string(ldap_state->schema_ver,
1023 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
1024 break;
1025
1026 default:
1027 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1028 break;
1029 }
1030
1031 }
1032
1033 /* displayName, cn, and gecos should all be the same
1034 * most easily accomplished by giving them the same OID
1035 * gecos isn't set here b/c it should be handled by the
1036 * add-user script
1037 * We change displayName only and fall back to cn if
1038 * it does not exist.
1039 */
1040
1041 if (need_update(sampass, PDB_FULLNAME))
1042 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1043 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
1044 pdb_get_fullname(sampass));
1045
1046 if (need_update(sampass, PDB_ACCTDESC))
1047 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1048 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
1049 pdb_get_acct_desc(sampass));
1050
1051 if (need_update(sampass, PDB_WORKSTATIONS))
1052 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1053 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
1054 pdb_get_workstations(sampass));
1055
1056 if (need_update(sampass, PDB_MUNGEDDIAL))
1057 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1058 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
1059 pdb_get_munged_dial(sampass));
1060
1061 if (need_update(sampass, PDB_SMBHOME))
1062 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1063 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
1064 pdb_get_homedir(sampass));
1065
1066 if (need_update(sampass, PDB_DRIVE))
1067 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1068 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
1069 pdb_get_dir_drive(sampass));
1070
1071 if (need_update(sampass, PDB_LOGONSCRIPT))
1072 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1073 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
1074 pdb_get_logon_script(sampass));
1075
1076 if (need_update(sampass, PDB_PROFILE))
1077 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1078 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
1079 pdb_get_profile_path(sampass));
1080
1081 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
1082 if (need_update(sampass, PDB_LOGONTIME))
1083 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1084 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1085
1086 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
1087 if (need_update(sampass, PDB_LOGOFFTIME))
1088 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1089 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1090
1091 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
1092 if (need_update(sampass, PDB_KICKOFFTIME))
1093 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1094 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1095
1096 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time_noncalc(sampass));
1097 if (need_update(sampass, PDB_CANCHANGETIME))
1098 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1099 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1100
1101 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
1102 if (need_update(sampass, PDB_MUSTCHANGETIME))
1103 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1104 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
1105
1106
1107 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1108 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1109
1110 if (need_update(sampass, PDB_LMPASSWD)) {
1111 const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
1112 if (lm_pw) {
1113 pdb_sethexpwd(temp, lm_pw,
1114 pdb_get_acct_ctrl(sampass));
1115 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1116 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1117 temp);
1118 } else {
1119 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1120 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1121 NULL);
1122 }
1123 }
1124 if (need_update(sampass, PDB_NTPASSWD)) {
1125 const uchar *nt_pw = pdb_get_nt_passwd(sampass);
1126 if (nt_pw) {
1127 pdb_sethexpwd(temp, nt_pw,
1128 pdb_get_acct_ctrl(sampass));
1129 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1130 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1131 temp);
1132 } else {
1133 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1134 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1135 NULL);
1136 }
1137 }
1138
1139 if (need_update(sampass, PDB_PWHISTORY)) {
1140 uint32 pwHistLen = 0;
1141 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1142 if (pwHistLen == 0) {
1143 /* Remove any password history from the LDAP store. */
1144 memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
1145 temp[64] = '\0';
1146 } else {
1147 int i;
1148 uint32 currHistLen = 0;
1149 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1150 if (pwhist != NULL) {
1151 /* We can only store (sizeof(pstring)-1)/64 password history entries. */
1152 pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/64));
1153 for (i=0; i< pwHistLen && i < currHistLen; i++) {
1154 /* Store the salt. */
1155 pdb_sethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
1156 /* Followed by the md5 hash of salt + md4 hash */
1157 pdb_sethexpwd(&temp[(i*64)+32],
1158 &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1159 DEBUG(100, ("temp=%s\n", temp));
1160 }
1161 }
1162 }
1163 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1164 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
1165 temp);
1166 }
1167
1168 if (need_update(sampass, PDB_PASSLASTSET)) {
1169 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
1170 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1171 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
1172 temp);
1173 }
1174 }
1175
1176 if (need_update(sampass, PDB_HOURS)) {
1177 const uint8 *hours = pdb_get_hours(sampass);
1178 if (hours) {
1179 pdb_sethexhours(temp, hours);
1180 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
1181 existing,
1182 mods,
1183 get_userattr_key2string(ldap_state->schema_ver,
1184 LDAP_ATTR_LOGON_HOURS),
1185 temp);
1186 }
1187 }
1188
1189 if (need_update(sampass, PDB_ACCTCTRL))
1190 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1191 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1192 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1193
1194 /* password lockout cache:
1195 - If we are now autolocking or clearing, we write to ldap
1196 - If we are clearing, we delete the cache entry
1197 - If the count is > 0, we update the cache
1198
1199 This even means when autolocking, we cache, just in case the
1200 update doesn't work, and we have to cache the autolock flag */
1201
1202 if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
1203 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1204 uint16 badcount = pdb_get_bad_password_count(sampass);
1205 time_t badtime = pdb_get_bad_password_time(sampass);
1206 uint32 pol;
1207 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1208
1209 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1210 (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1211
1212 if ((badcount >= pol) || (badcount == 0)) {
1213 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1214 (unsigned int)badcount, (unsigned int)badtime));
1215 slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
1216 smbldap_make_mod(
1217 ldap_state->smbldap_state->ldap_struct,
1218 existing, mods,
1219 get_userattr_key2string(
1220 ldap_state->schema_ver,
1221 LDAP_ATTR_BAD_PASSWORD_COUNT),
1222 temp);
1223
1224 slprintf (temp, sizeof (temp) - 1, "%li", badtime);
1225 smbldap_make_mod(
1226 ldap_state->smbldap_state->ldap_struct,
1227 existing, mods,
1228 get_userattr_key2string(
1229 ldap_state->schema_ver,
1230 LDAP_ATTR_BAD_PASSWORD_TIME),
1231 temp);
1232 }
1233 if (badcount == 0) {
1234 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1235 login_cache_delentry(sampass);
1236 } else {
1237 LOGIN_CACHE cache_entry;
1238
1239 cache_entry.entry_timestamp = time(NULL);
1240 cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1241 cache_entry.bad_password_count = badcount;
1242 cache_entry.bad_password_time = badtime;
1243
1244 DEBUG(7, ("Updating bad password count and time in login cache\n"));
1245 login_cache_write(sampass, cache_entry);
1246 }
1247 }
1248
1249 return True;
1250 }
1251
1252 /**********************************************************************
1253 Connect to LDAP server for password enumeration.
1254 *********************************************************************/
1255
1256 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update, uint32 acb_mask)
1257 {
1258 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1259 int rc;
1260 pstring filter, suffix;
1261 const char **attr_list;
1262 BOOL machine_mask = False, user_mask = False;
1263
1264 pstr_sprintf( filter, "(&%s%s)", "(uid=%u)",
1265 get_objclass_filter(ldap_state->schema_ver));
1266 all_string_sub(filter, "%u", "*", sizeof(pstring));
1267
1268 machine_mask = ((acb_mask != 0) && (acb_mask & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)));
1269 user_mask = ((acb_mask != 0) && (acb_mask & ACB_NORMAL));
1270
1271 if (machine_mask) {
1272 pstrcpy(suffix, lp_ldap_machine_suffix());
1273 } else if (user_mask) {
1274 pstrcpy(suffix, lp_ldap_user_suffix());
1275 } else {
1276 pstrcpy(suffix, lp_ldap_suffix());
1277 }
1278
1279 DEBUG(10,("ldapsam_setsampwent: LDAP Query for acb_mask 0x%x will use suffix %s\n",
1280 acb_mask, suffix));
1281
1282 attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1283 rc = smbldap_search(ldap_state->smbldap_state, suffix, LDAP_SCOPE_SUBTREE, filter,
1284 attr_list, 0, &ldap_state->result);
1285 TALLOC_FREE( attr_list );
1286
1287 if (rc != LDAP_SUCCESS) {
1288 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
1289 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", suffix, filter));
1290 ldap_msgfree(ldap_state->result);
1291 ldap_state->result = NULL;
1292 return NT_STATUS_UNSUCCESSFUL;
1293 }
1294
1295 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base %s\n",
1296 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
1297 ldap_state->result), suffix));
1298
1299 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
1300 ldap_state->result);
1301 ldap_state->index = 0;
1302
1303 return NT_STATUS_OK;
1304 }
1305
1306 /**********************************************************************
1307 End enumeration of the LDAP password list.
1308 *********************************************************************/
1309
1310 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1311 {
1312 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1313 if (ldap_state->result) {
1314 ldap_msgfree(ldap_state->result);
1315 ldap_state->result = NULL;
1316 }
1317 }
1318
1319 /**********************************************************************
1320 Get the next entry in the LDAP password database.
1321 *********************************************************************/
1322
1323 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods,
1324 struct samu *user)
1325 {
1326 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1327 struct ldapsam_privates *ldap_state =
1328 (struct ldapsam_privates *)my_methods->private_data;
1329 BOOL bret = False;
1330
1331 while (!bret) {
1332 if (!ldap_state->entry)
1333 return ret;
1334
1335 ldap_state->index++;
1336 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
1337
1338 ldap_state->entry = ldap_next_entry(priv2ld(ldap_state),
1339 ldap_state->entry);
1340 }
1341
1342 return NT_STATUS_OK;
1343 }
1344
1345 static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list,
1346 const char *new_attr)
1347 {
1348 int i;
1349
1350 if (new_attr == NULL) {
1351 return;
1352 }
1353
1354 for (i=0; (*attr_list)[i] != NULL; i++) {
1355 ;
1356 }
1357
1358 (*attr_list) = TALLOC_REALLOC_ARRAY(mem_ctx, (*attr_list),
1359 const char *, i+2);
1360 SMB_ASSERT((*attr_list) != NULL);
1361 (*attr_list)[i] = talloc_strdup((*attr_list), new_attr);
1362 (*attr_list)[i+1] = NULL;
1363 }
1364
1365 /**********************************************************************
1366 Get struct samu entry from LDAP by username.
1367 *********************************************************************/
1368
1369 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname)
1370 {
1371 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1372 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1373 LDAPMessage *result = NULL;
1374 LDAPMessage *entry = NULL;
1375 int count;
1376 const char ** attr_list;
1377 int rc;
1378
1379 attr_list = get_userattr_list( user, ldap_state->schema_ver );
1380 append_attr(user, &attr_list,
1381 get_userattr_key2string(ldap_state->schema_ver,
1382 LDAP_ATTR_MOD_TIMESTAMP));
1383 append_attr(user, &attr_list, "uidNumber");
1384 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
1385 attr_list);
1386 TALLOC_FREE( attr_list );
1387
1388 if ( rc != LDAP_SUCCESS )
1389 return NT_STATUS_NO_SUCH_USER;
1390
1391 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1392
1393 if (count < 1) {
1394 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1395 ldap_msgfree(result);
1396 return NT_STATUS_NO_SUCH_USER;
1397 } else if (count > 1) {
1398 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1399 ldap_msgfree(result);
1400 return NT_STATUS_NO_SUCH_USER;
1401 }
1402
1403 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1404 if (entry) {
1405 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1406 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1407 ldap_msgfree(result);
1408 return NT_STATUS_NO_SUCH_USER;
1409 }
1410 pdb_set_backend_private_data(user, result, NULL,
1411 my_methods, PDB_CHANGED);
1412 talloc_autofree_ldapmsg(user, result);
1413 ret = NT_STATUS_OK;
1414 } else {
1415 ldap_msgfree(result);
1416 }
1417 return ret;
1418 }
1419
1420 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1421 const DOM_SID *sid, LDAPMessage **result)
1422 {
1423 int rc = -1;
1424 const char ** attr_list;
1425 uint32 rid;
1426
1427 switch ( ldap_state->schema_ver ) {
1428 case SCHEMAVER_SAMBASAMACCOUNT: {
1429 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
1430 if (tmp_ctx == NULL) {
1431 return LDAP_NO_MEMORY;
1432 }
1433
1434 attr_list = get_userattr_list(tmp_ctx,
1435 ldap_state->schema_ver);
1436 append_attr(tmp_ctx, &attr_list,
1437 get_userattr_key2string(
1438 ldap_state->schema_ver,
1439 LDAP_ATTR_MOD_TIMESTAMP));
1440 append_attr(tmp_ctx, &attr_list, "uidNumber");
1441 rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
1442 result, attr_list);
1443 TALLOC_FREE(tmp_ctx);
1444
1445 if ( rc != LDAP_SUCCESS )
1446 return rc;
1447 break;
1448 }
1449
1450 case SCHEMAVER_SAMBAACCOUNT:
1451 if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1452 return rc;
1453 }
1454
1455 attr_list = get_userattr_list(NULL,
1456 ldap_state->schema_ver);
1457 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1458 TALLOC_FREE( attr_list );
1459
1460 if ( rc != LDAP_SUCCESS )
1461 return rc;
1462 break;
1463 }
1464 return rc;
1465 }
1466
1467 /**********************************************************************
1468 Get struct samu entry from LDAP by SID.
1469 *********************************************************************/
1470
1471 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const DOM_SID *sid)
1472 {
1473 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1474 LDAPMessage *result = NULL;
1475 LDAPMessage *entry = NULL;
1476 int count;
1477 int rc;
1478 fstring sid_string;
1479
1480 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1481 sid, &result);
1482 if (rc != LDAP_SUCCESS)
1483 return NT_STATUS_NO_SUCH_USER;
1484
1485 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1486
1487 if (count < 1) {
1488 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
1489 count));
1490 ldap_msgfree(result);
1491 return NT_STATUS_NO_SUCH_USER;
1492 } else if (count > 1) {
1493 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
1494 count));
1495 ldap_msgfree(result);
1496 return NT_STATUS_NO_SUCH_USER;
1497 }
1498
1499 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1500 if (!entry) {
1501 ldap_msgfree(result);
1502 return NT_STATUS_NO_SUCH_USER;
1503 }
1504
1505 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1506 DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1507 ldap_msgfree(result);
1508 return NT_STATUS_NO_SUCH_USER;
1509 }
1510
1511 pdb_set_backend_private_data(user, result, NULL,
1512 my_methods, PDB_CHANGED);
1513 talloc_autofree_ldapmsg(user, result);
1514 return NT_STATUS_OK;
1515 }
1516
1517 /********************************************************************
1518 Do the actual modification - also change a plaintext passord if
1519 it it set.
1520 **********************************************************************/
1521
1522 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1523 struct samu *newpwd, char *dn,
1524 LDAPMod **mods, int ldap_op,
1525 BOOL (*need_update)(const struct samu *, enum pdb_elements))
1526 {
1527 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1528 int rc;
1529
1530 if (!newpwd || !dn) {
1531 return NT_STATUS_INVALID_PARAMETER;
1532 }
1533
1534 if (!mods) {
1535 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1536 /* may be password change below however */
1537 } else {
1538 switch(ldap_op) {
1539 case LDAP_MOD_ADD:
1540 if (ldap_state->is_nds_ldap) {
1541 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1542 "objectclass",
1543 "inetOrgPerson");
1544 } else {
1545 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1546 "objectclass",
1547 LDAP_OBJ_ACCOUNT);
1548 }
1549 rc = smbldap_add(ldap_state->smbldap_state,
1550 dn, mods);
1551 break;
1552 case LDAP_MOD_REPLACE:
1553 rc = smbldap_modify(ldap_state->smbldap_state,
1554 dn ,mods);
1555 break;
1556 default:
1557 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1558 ldap_op));
1559 return NT_STATUS_INVALID_PARAMETER;
1560 }
1561
1562 if (rc!=LDAP_SUCCESS) {
1563 return NT_STATUS_UNSUCCESSFUL;
1564 }
1565 }
1566
1567 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1568 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1569 need_update(newpwd, PDB_PLAINTEXT_PW) &&
1570 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1571 BerElement *ber;
1572 struct berval *bv;
1573 char *retoid = NULL;
1574 struct berval *retdata = NULL;
1575 char *utf8_password;
1576 char *utf8_dn;
1577
1578 if (!ldap_state->is_nds_ldap) {
1579
1580 if (!smbldap_has_extension(ldap_state->smbldap_state->ldap_struct,
1581 LDAP_EXOP_MODIFY_PASSWD)) {
1582 DEBUG(2, ("ldap password change requested, but LDAP "
1583 "server does not support it -- ignoring\n"));
1584 return NT_STATUS_OK;
1585 }
1586 }
1587
1588 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1589 return NT_STATUS_NO_MEMORY;
1590 }
1591
1592 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1593 return NT_STATUS_NO_MEMORY;
1594 }
1595
1596 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1597 DEBUG(0,("ber_alloc_t returns NULL\n"));
1598 SAFE_FREE(utf8_password);
1599 return NT_STATUS_UNSUCCESSFUL;
1600 }
1601
1602 ber_printf (ber, "{");
1603 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1604 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1605 ber_printf (ber, "N}");
1606
1607 if ((rc = ber_flatten (ber, &bv))<0) {
1608 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1609 ber_free(ber,1);
1610 SAFE_FREE(utf8_dn);
1611 SAFE_FREE(utf8_password);
1612 return NT_STATUS_UNSUCCESSFUL;
1613 }
1614
1615 SAFE_FREE(utf8_dn);
1616 SAFE_FREE(utf8_password);
1617 ber_free(ber, 1);
1618
1619 if (!ldap_state->is_nds_ldap) {
1620 rc = smbldap_extended_operation(ldap_state->smbldap_state,
1621 LDAP_EXOP_MODIFY_PASSWD,
1622 bv, NULL, NULL, &retoid,
1623 &retdata);
1624 } else {
1625 rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
1626 pdb_get_plaintext_passwd(newpwd));
1627 }
1628 if (rc != LDAP_SUCCESS) {
1629 char *ld_error = NULL;
1630
1631 if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1632 DEBUG(3, ("Could not set userPassword "
1633 "attribute due to an objectClass "
1634 "violation -- ignoring\n"));
1635 ber_bvfree(bv);
1636 return NT_STATUS_OK;
1637 }
1638
1639 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1640 &ld_error);
1641 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1642 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1643 SAFE_FREE(ld_error);
1644 ber_bvfree(bv);
1645 return NT_STATUS_UNSUCCESSFUL;
1646 } else {
1647 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1648 #ifdef DEBUG_PASSWORD
1649 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1650 #endif
1651 if (retdata)
1652 ber_bvfree(retdata);
1653 if (retoid)
1654 ldap_memfree(retoid);
1655 }
1656 ber_bvfree(bv);
1657 }
1658 return NT_STATUS_OK;
1659 }
1660
1661 /**********************************************************************
1662 Delete entry from LDAP for username.
1663 *********************************************************************/
1664
1665 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
1666 struct samu * sam_acct)
1667 {
1668 struct ldapsam_privates *priv =
1669 (struct ldapsam_privates *)my_methods->private_data;
1670 const char *sname;
1671 int rc;
1672 LDAPMessage *msg, *entry;
1673 NTSTATUS result = NT_STATUS_NO_MEMORY;
1674 const char **attr_list;
1675 TALLOC_CTX *mem_ctx;
1676
1677 if (!sam_acct) {
1678 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1679 return NT_STATUS_INVALID_PARAMETER;
1680 }
1681
1682 sname = pdb_get_username(sam_acct);
1683
1684 DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
1685 "LDAP.\n", sname));
1686
1687 mem_ctx = talloc_new(NULL);
1688 if (mem_ctx == NULL) {
1689 DEBUG(0, ("talloc_new failed\n"));
1690 goto done;
1691 }
1692
1693 attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
1694 if (attr_list == NULL) {
1695 goto done;
1696 }
1697
1698 rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
1699
1700 if ((rc != LDAP_SUCCESS) ||
1701 (ldap_count_entries(priv2ld(priv), msg) != 1) ||
1702 ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
1703 DEBUG(5, ("Could not find user %s\n", sname));
1704 result = NT_STATUS_NO_SUCH_USER;
1705 goto done;
1706 }
1707
1708 rc = ldapsam_delete_entry(
1709 priv, mem_ctx, entry,
1710 priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
1711 LDAP_OBJ_SAMBASAMACCOUNT : LDAP_OBJ_SAMBAACCOUNT,
1712 attr_list);
1713
1714 result = (rc == LDAP_SUCCESS) ?
1715 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1716
1717 done:
1718 TALLOC_FREE(mem_ctx);
1719 return result;
1720 }
1721
1722 /**********************************************************************
1723 Helper function to determine for update_sam_account whether
1724 we need LDAP modification.
1725 *********************************************************************/
1726
1727 static BOOL element_is_changed(const struct samu *sampass,
1728 enum pdb_elements element)
1729 {
1730 return IS_SAM_CHANGED(sampass, element);
1731 }
1732
1733 /**********************************************************************
1734 Update struct samu.
1735 *********************************************************************/
1736
1737 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
1738 {
1739 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1740 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1741 int rc = 0;
1742 char *dn;
1743 LDAPMessage *result = NULL;
1744 LDAPMessage *entry = NULL;
1745 LDAPMod **mods = NULL;
1746 const char **attr_list;
1747
1748 result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
1749 if (!result) {
1750 attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1751 if (pdb_get_username(newpwd) == NULL) {
1752 return NT_STATUS_INVALID_PARAMETER;
1753 }
1754 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1755 TALLOC_FREE( attr_list );
1756 if (rc != LDAP_SUCCESS) {
1757 return NT_STATUS_UNSUCCESSFUL;
1758 }
1759 pdb_set_backend_private_data(newpwd, result, NULL,
1760 my_methods, PDB_CHANGED);
1761 talloc_autofree_ldapmsg(newpwd, result);
1762 }
1763
1764 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1765 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1766 return NT_STATUS_UNSUCCESSFUL;
1767 }
1768
1769 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1770 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1771 if (!dn) {
1772 return NT_STATUS_UNSUCCESSFUL;
1773 }
1774
1775 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1776
1777 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1778 element_is_changed)) {
1779 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1780 SAFE_FREE(dn);
1781 if (mods != NULL)
1782 ldap_mods_free(mods,True);
1783 return NT_STATUS_UNSUCCESSFUL;
1784 }
1785
1786 if (mods == NULL) {
1787 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1788 pdb_get_username(newpwd)));
1789 SAFE_FREE(dn);
1790 return NT_STATUS_OK;
1791 }
1792
1793 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1794 ldap_mods_free(mods,True);
1795 SAFE_FREE(dn);
1796
1797 /*
1798 * We need to set the backend private data to NULL here. For example
1799 * setuserinfo level 25 does a pdb_update_sam_account twice on the
1800 * same one, and with the explicit delete / add logic for attribute
1801 * values the second time we would use the wrong "old" value which
1802 * does not exist in LDAP anymore. Thus the LDAP server would refuse
1803 * the update.
1804 * The existing LDAPMessage is still being auto-freed by the
1805 * destructor.
1806 */
1807 pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
1808 PDB_CHANGED);
1809
1810 if (!NT_STATUS_IS_OK(ret)) {
1811 return ret;
1812 }
1813
1814 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1815 pdb_get_username(newpwd)));
1816 return NT_STATUS_OK;
1817 }
1818
1819 /***************************************************************************
1820 Renames a struct samu
1821 - The "rename user script" has full responsibility for changing everything
1822 ***************************************************************************/
1823
1824 static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
1825 struct samu *old_acct,
1826 const char *newname)
1827 {
1828 const char *oldname;
1829 int rc;
1830 pstring rename_script;
1831 fstring oldname_lower, newname_lower;
1832
1833 if (!old_acct) {
1834 DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
1835 return NT_STATUS_INVALID_PARAMETER;
1836 }
1837 if (!newname) {
1838 DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
1839 return NT_STATUS_INVALID_PARAMETER;
1840 }
1841
1842 oldname = pdb_get_username(old_acct);
1843
1844 /* rename the posix user */
1845 pstrcpy(rename_script, lp_renameuser_script());
1846
1847 if (!(*rename_script))
1848 return NT_STATUS_ACCESS_DENIED;
1849
1850 DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
1851 oldname, newname));
1852
1853 /* We have to allow the account name to end with a '$'.
1854 Also, follow the semantics in _samr_create_user() and lower case the
1855 posix name but preserve the case in passdb */
1856
1857 fstrcpy( oldname_lower, oldname );
1858 strlower_m( oldname_lower );
1859 fstrcpy( newname_lower, newname );
1860 strlower_m( newname_lower );
1861 string_sub2(rename_script, "%unew", newname_lower, sizeof(pstring),
1862 True, False, True);
1863 string_sub2(rename_script, "%uold", oldname_lower, sizeof(pstring),
1864 True, False, True);
1865 rc = smbrun(rename_script, NULL);
1866
1867 DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
1868 rename_script, rc));
1869
1870 if (rc == 0) {
1871 smb_nscd_flush_user_cache();
1872 }
1873
1874 if (rc)
1875 return NT_STATUS_UNSUCCESSFUL;
1876
1877 return NT_STATUS_OK;
1878 }
1879
1880 /**********************************************************************
1881 Helper function to determine for update_sam_account whether
1882 we need LDAP modification.
1883 *********************************************************************/
1884
1885 static BOOL element_is_set_or_changed(const struct samu *sampass,
1886 enum pdb_elements element)
1887 {
1888 return (IS_SAM_SET(sampass, element) ||
1889 IS_SAM_CHANGED(sampass, element));
1890 }
1891
1892 /**********************************************************************
1893 Add struct samu to LDAP.
1894 *********************************************************************/
1895
1896 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
1897 {
1898 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1899 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1900 int rc;
1901 LDAPMessage *result = NULL;
1902 LDAPMessage *entry = NULL;
1903 pstring dn;
1904 LDAPMod **mods = NULL;
1905 int ldap_op = LDAP_MOD_REPLACE;
1906 uint32 num_result;
1907 const char **attr_list;
1908 char *escape_user;
1909 const char *username = pdb_get_username(newpwd);
1910 const DOM_SID *sid = pdb_get_user_sid(newpwd);
1911 pstring filter;
1912 fstring sid_string;
1913
1914 if (!username || !*username) {
1915 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1916 return NT_STATUS_INVALID_PARAMETER;
1917 }
1918
1919 /* free this list after the second search or in case we exit on failure */
1920 attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1921
1922 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
1923
1924 if (rc != LDAP_SUCCESS) {
1925 TALLOC_FREE( attr_list );
1926 return NT_STATUS_UNSUCCESSFUL;
1927 }
1928
1929 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1930 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
1931 username));
1932 ldap_msgfree(result);
1933 TALLOC_FREE( attr_list );
1934 return NT_STATUS_UNSUCCESSFUL;
1935 }
1936 ldap_msgfree(result);
1937 result = NULL;
1938
1939 if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
1940 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1941 sid, &result);
1942 if (rc == LDAP_SUCCESS) {
1943 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1944 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
1945 sid_to_string(sid_string, sid)));
1946 TALLOC_FREE( attr_list );
1947 ldap_msgfree(result);
1948 return NT_STATUS_UNSUCCESSFUL;
1949 }
1950 ldap_msgfree(result);
1951 }
1952 }
1953
1954 /* does the entry already exist but without a samba attributes?
1955 we need to return the samba attributes here */
1956
1957 escape_user = escape_ldap_string_alloc( username );
1958 pstrcpy( filter, "(uid=%u)" );
1959 all_string_sub( filter, "%u", escape_user, sizeof(filter) );
1960 SAFE_FREE( escape_user );
1961
1962 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1963 filter, attr_list, &result);
1964 if ( rc != LDAP_SUCCESS ) {
1965 TALLOC_FREE( attr_list );
1966 return NT_STATUS_UNSUCCESSFUL;
1967 }
1968
1969 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1970
1971 if (num_result > 1) {
1972 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1973 TALLOC_FREE( attr_list );
1974 ldap_msgfree(result);
1975 return NT_STATUS_UNSUCCESSFUL;
1976 }
1977
1978 /* Check if we need to update an existing entry */
1979 if (num_result == 1) {
1980 char *tmp;
1981
1982 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1983 ldap_op = LDAP_MOD_REPLACE;
1984 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1985 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1986 if (!tmp) {
1987 TALLOC_FREE( attr_list );
1988 ldap_msgfree(result);
1989 return NT_STATUS_UNSUCCESSFUL;
1990 }
1991 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1992 SAFE_FREE(tmp);
1993
1994 } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
1995
1996 /* There might be a SID for this account already - say an idmap entry */
1997
1998 pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
1999 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2000 sid_to_string(sid_string, sid),
2001 LDAP_OBJ_IDMAP_ENTRY,
2002 LDAP_OBJ_SID_ENTRY);
2003
2004 /* free old result before doing a new search */
2005 if (result != NULL) {
2006 ldap_msgfree(result);
2007 result = NULL;
2008 }
2009 rc = smbldap_search_suffix(ldap_state->smbldap_state,
2010 filter, attr_list, &result);
2011
2012 if ( rc != LDAP_SUCCESS ) {
2013 TALLOC_FREE( attr_list );
2014 return NT_STATUS_UNSUCCESSFUL;
2015 }
2016
2017 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2018
2019 if (num_result > 1) {
2020 DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
2021 TALLOC_FREE( attr_list );
2022 ldap_msgfree(result);
2023 return NT_STATUS_UNSUCCESSFUL;
2024 }
2025
2026 /* Check if we need to update an existing entry */
2027 if (num_result == 1) {
2028 char *tmp;
2029
2030 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2031 ldap_op = LDAP_MOD_REPLACE;
2032 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2033 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
2034 if (!tmp) {
2035 TALLOC_FREE( attr_list );
2036 ldap_msgfree(result);
2037 return NT_STATUS_UNSUCCESSFUL;
2038 }
2039 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
2040 SAFE_FREE(tmp);
2041 }
2042 }
2043
2044 TALLOC_FREE( attr_list );
2045
2046 if (num_result == 0) {
2047 /* Check if we need to add an entry */
2048 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
2049 ldap_op = LDAP_MOD_ADD;
2050 if (username[strlen(username)-1] == '$') {
2051 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
2052 } else {
2053 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
2054 }
2055 }
2056
2057 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2058 element_is_set_or_changed)) {
2059 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2060 ldap_msgfree(result);
2061 if (mods != NULL)
2062 ldap_mods_free(mods,True);
2063 return NT_STATUS_UNSUCCESSFUL;
2064 }
2065
2066 ldap_msgfree(result);
2067
2068 if (mods == NULL) {
2069 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2070 return NT_STATUS_UNSUCCESSFUL;
2071 }
2072 switch ( ldap_state->schema_ver ) {
2073 case SCHEMAVER_SAMBAACCOUNT:
2074 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
2075 break;
2076 case SCHEMAVER_SAMBASAMACCOUNT:
2077 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2078 break;
2079 default:
2080 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2081 break;
2082 }
2083
2084 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
2085 if (!NT_STATUS_IS_OK(ret)) {
2086 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
2087 pdb_get_username(newpwd),dn));
2088 ldap_mods_free(mods, True);
2089 return ret;
2090 }
2091
2092 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2093 ldap_mods_free(mods, True);
2094
2095 return NT_STATUS_OK;
2096 }
2097
2098 /**********************************************************************
2099 *********************************************************************/
2100
2101 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2102 const char *filter,
2103 LDAPMessage ** result)
2104 {
2105 int scope = LDAP_SCOPE_SUBTREE;
2106 int rc;
2107 const char **attr_list;
2108
2109 attr_list = get_attr_list(NULL, groupmap_attr_list);
2110 rc = smbldap_search(ldap_state->smbldap_state,
2111 lp_ldap_group_suffix (), scope,
2112 filter, attr_list, 0, result);
2113 TALLOC_FREE(attr_list);
2114
2115 return rc;
2116 }
2117
2118 /**********************************************************************
2119 *********************************************************************/
2120
2121 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
2122 GROUP_MAP *map, LDAPMessage *entry)
2123 {
2124 pstring temp;
2125
2126 if (ldap_state == NULL || map == NULL || entry == NULL ||
2127 ldap_state->smbldap_state->ldap_struct == NULL) {
2128 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2129 return False;
2130 }
2131
2132 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2133 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
2134 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2135 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2136 return False;
2137 }
2138 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2139
2140 map->gid = (gid_t)atol(temp);
2141
2142 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2143 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
2144 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2145 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2146 return False;
2147 }
2148
2149 if (!string_to_sid(&map->sid, temp)) {
2150 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2151 return False;
2152 }
2153
2154 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2155 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
2156 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2157 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2158 return False;
2159 }
2160 map->sid_name_use = (enum lsa_SidType)atol(temp);
2161
2162 if ((map->sid_name_use < SID_NAME_USER) ||
2163 (map->sid_name_use > SID_NAME_UNKNOWN)) {
2164 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2165 return False;
2166 }
2167
2168 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2169 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
2170 temp[0] = '\0';
2171 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2172 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
2173 {
2174 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2175 for gidNumber(%lu)\n",(unsigned long)map->gid));
2176 return False;
2177 }
2178 }
2179 fstrcpy(map->nt_name, temp);
2180
2181 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2182 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
2183 temp[0] = '\0';
2184 }
2185 fstrcpy(map->comment, temp);
2186
2187 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
2188 store_gid_sid_cache(&map->sid, map->gid);
2189 }
2190
2191 return True;
2192 }
2193
2194 /**********************************************************************
2195 *********************************************************************/
2196
2197 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2198 const char *filter,
2199 GROUP_MAP *map)
2200 {
2201 struct ldapsam_privates *ldap_state =
2202 (struct ldapsam_privates *)methods->private_data;
2203 LDAPMessage *result = NULL;
2204 LDAPMessage *entry = NULL;
2205 int count;
2206
2207 if (ldapsam_search_one_group(ldap_state, filter, &result)
2208 != LDAP_SUCCESS) {
2209 return NT_STATUS_NO_SUCH_GROUP;
2210 }
2211
2212 count = ldap_count_entries(priv2ld(ldap_state), result);
2213
2214 if (count < 1) {
2215 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
2216 ldap_msgfree(result);
2217 return NT_STATUS_NO_SUCH_GROUP;
2218 }
2219
2220 if (count > 1) {
2221 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2222 "count=%d\n", filter, count));
2223 ldap_msgfree(result);
2224 return NT_STATUS_NO_SUCH_GROUP;
2225 }
2226
2227 entry = ldap_first_entry(priv2ld(ldap_state), result);
2228
2229 if (!entry) {
2230 ldap_msgfree(result);
2231 return NT_STATUS_UNSUCCESSFUL;
2232 }
2233
2234 if (!init_group_from_ldap(ldap_state, map, entry)) {
2235 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
2236 "group filter %s\n", filter));
2237 ldap_msgfree(result);
2238 return NT_STATUS_NO_SUCH_GROUP;
2239 }
2240
2241 ldap_msgfree(result);
2242 return NT_STATUS_OK;
2243 }
2244
2245 /**********************************************************************
2246 *********************************************************************/
2247
2248 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2249 DOM_SID sid)
2250 {
2251 pstring filter;
2252
2253 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
2254 LDAP_OBJ_GROUPMAP,
2255 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2256 sid_string_static(&sid));
2257
2258 return ldapsam_getgroup(methods, filter, map);
2259 }
2260
2261 /**********************************************************************
2262 *********************************************************************/
2263
2264 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2265 gid_t gid)
2266 {
2267 pstring filter;
2268
2269 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
2270 LDAP_OBJ_GROUPMAP,
2271 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2272 (unsigned long)gid);
2273
2274 return ldapsam_getgroup(methods, filter, map);
2275 }
2276
2277 /**********************************************************************
2278 *********************************************************************/
2279
2280 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2281 const char *name)
2282 {
2283 pstring filter;
2284 char *escape_name = escape_ldap_string_alloc(name);
2285
2286 if (!escape_name) {
2287 return NT_STATUS_NO_MEMORY;
2288 }
2289
2290 pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2291 LDAP_OBJ_GROUPMAP,
2292 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2293 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
2294
2295 SAFE_FREE(escape_name);
2296
2297 return ldapsam_getgroup(methods, filter, map);
2298 }
2299
2300 static BOOL ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
2301 LDAPMessage *entry,
2302 const DOM_SID *domain_sid,
2303 uint32 *rid)
2304 {
2305 fstring str;
2306 DOM_SID sid;
2307
2308 if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
2309 str, sizeof(str)-1)) {
2310 DEBUG(10, ("Could not find sambaSID attribute\n"));
2311 return False;
2312 }
2313
2314 if (!string_to_sid(&sid, str)) {
2315 DEBUG(10, ("Could not convert string %s to sid\n", str));
2316 return False;
2317 }
2318
2319 if (sid_compare_domain(&sid, domain_sid) != 0) {
2320 DEBUG(10, ("SID %s is not in expected domain %s\n",
2321 str, sid_string_static(domain_sid)));
2322 return False;
2323 }
2324
2325 if (!sid_peek_rid(&sid, rid)) {
2326 DEBUG(10, ("Could not peek into RID\n"));
2327 return False;
2328 }
2329
2330 return True;
2331 }
2332
2333 static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
2334 TALLOC_CTX *mem_ctx,
2335 const DOM_SID *group,
2336 uint32 **pp_member_rids,
2337 size_t *p_num_members)
2338 {
2339 struct ldapsam_privates *ldap_state =
2340 (struct ldapsam_privates *)methods->private_data;
2341 struct smbldap_state *conn = ldap_state->smbldap_state;
2342 const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
2343 const char *sid_attrs[] = { "sambaSID", NULL };
2344 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2345 LDAPMessage *result = NULL;
2346 LDAPMessage *entry;
2347 char *filter;
2348 char **values = NULL;
2349 char **memberuid;
2350 char *gidstr;
2351 int rc, count;
2352
2353 *pp_member_rids = NULL;
2354 *p_num_members = 0;
2355
2356 filter = talloc_asprintf(mem_ctx,
2357 "(&(objectClass=%s)"
2358 "(objectClass=%s)"
2359 "(sambaSID=%s))",
2360 LDAP_OBJ_POSIXGROUP,
2361 LDAP_OBJ_GROUPMAP,
2362 sid_string_static(group));
2363 if (filter == NULL) {
2364 ret = NT_STATUS_NO_MEMORY;
2365 goto done;
2366 }
2367
2368 rc = smbldap_search(conn, lp_ldap_group_suffix(),
2369 LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
2370 &result);
2371
2372 if (rc != LDAP_SUCCESS)
2373 goto done;
2374
2375 talloc_autofree_ldapmsg(mem_ctx, result);
2376
2377 count = ldap_count_entries(conn->ldap_struct, result);
2378
2379 if (count > 1) {
2380 DEBUG(1, ("Found more than one groupmap entry for %s\n",
2381 sid_string_static(group)));
2382 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2383 goto done;
2384 }
2385
2386 if (count == 0) {
2387 ret = NT_STATUS_NO_SUCH_GROUP;
2388 goto done;
2389 }
2390
2391 entry = ldap_first_entry(conn->ldap_struct, result);
2392 if (entry == NULL)
2393 goto done;
2394
2395 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2396 if (!gidstr) {
2397 DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
2398 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2399 goto done;
2400 }
2401
2402 values = ldap_get_values(conn->ldap_struct, entry, "memberUid");
2403
2404 if (values) {
2405
2406 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
2407 if (filter == NULL) {
2408 ret = NT_STATUS_NO_MEMORY;
2409 goto done;
2410 }
2411
2412 for (memberuid = values; *memberuid != NULL; memberuid += 1) {
2413 filter = talloc_asprintf_append(filter, "(uid=%s)", *memberuid);
2414 if (filter == NULL) {
2415 ret = NT_STATUS_NO_MEMORY;
2416 goto done;
2417 }
2418 }
2419
2420 filter = talloc_asprintf_append(filter, "))");
2421 if (filter == NULL) {
2422 ret = NT_STATUS_NO_MEMORY;
2423 goto done;
2424 }
2425
2426 rc = smbldap_search(conn, lp_ldap_user_suffix(),
2427 LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2428 &result);
2429
2430 if (rc != LDAP_SUCCESS)
2431 goto done;
2432
2433 count = ldap_count_entries(conn->ldap_struct, result);
2434 DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
2435
2436 talloc_autofree_ldapmsg(mem_ctx, result);
2437
2438 for (entry = ldap_first_entry(conn->ldap_struct, result);
2439 entry != NULL;
2440 entry = ldap_next_entry(conn->ldap_struct, entry))
2441 {
2442 char *sidstr;
2443 DOM_SID sid;
2444 uint32 rid;
2445
2446 sidstr = smbldap_talloc_single_attribute(conn->ldap_struct,
2447 entry, "sambaSID",
2448 mem_ctx);
2449 if (!sidstr) {
2450 DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
2451 "the sambaSID attribute\n"));
2452 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2453 goto done;
2454 }
2455
2456 if (!string_to_sid(&sid, sidstr))
2457 goto done;
2458
2459 if (!sid_check_is_in_our_domain(&sid)) {
2460 DEBUG(0, ("Inconsistent SAM -- group member uid not "
2461 "in our domain\n"));
2462 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2463 goto done;
2464 }
2465
2466 sid_peek_rid(&sid, &rid);
2467
2468 add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2469 p_num_members);
2470 }
2471 }
2472
2473 filter = talloc_asprintf(mem_ctx,
2474 "(&(objectClass=%s)"
2475 "(gidNumber=%s))",
2476 LDAP_OBJ_SAMBASAMACCOUNT,
2477 gidstr);
2478
2479 rc = smbldap_search(conn, lp_ldap_user_suffix(),
2480 LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2481 &result);
2482
2483 if (rc != LDAP_SUCCESS)
2484 goto done;
2485
2486 talloc_autofree_ldapmsg(mem_ctx, result);
2487
2488 for (entry = ldap_first_entry(conn->ldap_struct, result);
2489 entry != NULL;
2490 entry = ldap_next_entry(conn->ldap_struct, entry))
2491 {
2492 uint32 rid;
2493
2494 if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
2495 entry,
2496 get_global_sam_sid(),
2497 &rid)) {
2498 DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
2499 "the sambaSID attribute\n"));
2500 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2501 goto done;
2502 }
2503
2504 add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2505 p_num_members);
2506 }
2507
2508 ret = NT_STATUS_OK;
2509
2510 done:
2511
2512 if (values)
2513 ldap_value_free(values);
2514
2515 return ret;
2516 }
2517
2518 static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2519 TALLOC_CTX *mem_ctx,
2520 struct samu *user,
2521 DOM_SID **pp_sids,
2522 gid_t **pp_gids,
2523 size_t *p_num_groups)
2524 {
2525 struct ldapsam_privates *ldap_state =
2526 (struct ldapsam_privates *)methods->private_data;
2527 struct smbldap_state *conn = ldap_state->smbldap_state;
2528 char *filter;
2529 const char *attrs[] = { "gidNumber", "sambaSID", NULL };
2530 char *escape_name;
2531 int rc, count;
2532 LDAPMessage *result = NULL;
2533 LDAPMessage *entry;
2534 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2535 size_t num_sids, num_gids;
2536 char *gidstr;
2537 gid_t primary_gid = -1;
2538
2539 *pp_sids = NULL;
2540 num_sids = 0;
2541
2542 if (pdb_get_username(user) == NULL) {
2543 return NT_STATUS_INVALID_PARAMETER;
2544 }
2545
2546 escape_name = escape_ldap_string_alloc(pdb_get_username(user));
2547 if (escape_name == NULL)
2548 return NT_STATUS_NO_MEMORY;
2549
2550 /* retrieve the users primary gid */
2551 filter = talloc_asprintf(mem_ctx,
2552 "(&(objectClass=%s)(uid=%s))",
2553 LDAP_OBJ_SAMBASAMACCOUNT,
2554 escape_name);
2555 if (filter == NULL) {
2556 ret = NT_STATUS_NO_MEMORY;
2557 goto done;
2558 }
2559
2560 rc = smbldap_search(conn, lp_ldap_user_suffix(),
2561 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2562
2563 if (rc != LDAP_SUCCESS)
2564 goto done;
2565
2566 talloc_autofree_ldapmsg(mem_ctx, result);
2567
2568 count = ldap_count_entries(priv2ld(ldap_state), result);
2569
2570 switch (count) {
2571 case 0:
2572 DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
2573 ret = NT_STATUS_NO_SUCH_USER;
2574 goto done;
2575 case 1:
2576 entry = ldap_first_entry(priv2ld(ldap_state), result);
2577
2578 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2579 if (!gidstr) {
2580 DEBUG (1, ("Unable to find the member's gid!\n"));
2581 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2582 goto done;
2583 }
2584 primary_gid = strtoul(gidstr, NULL, 10);
2585 break;
2586 default:
2587 DEBUG(1, ("found more than one accoutn with the same user name ?!\n"));
2588 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2589 goto done;
2590 }
2591
2592 filter = talloc_asprintf(mem_ctx,
2593 "(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%d)))",
2594 LDAP_OBJ_POSIXGROUP, escape_name, primary_gid);
2595 if (filter == NULL) {
2596 ret = NT_STATUS_NO_MEMORY;
2597 goto done;
2598 }
2599
2600 rc = smbldap_search(conn, lp_ldap_group_suffix(),
2601 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2602
2603 if (rc != LDAP_SUCCESS)
2604 goto done;
2605
2606 talloc_autofree_ldapmsg(mem_ctx, result);
2607
2608 num_gids = 0;
2609 *pp_gids = NULL;
2610
2611 num_sids = 0;
2612 *pp_sids = NULL;
2613
2614 /* We need to add the primary group as the first gid/sid */
2615
2616 add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids);
2617
2618 /* This sid will be replaced later */
2619
2620 add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids, &num_sids);
2621
2622 for (entry = ldap_first_entry(conn->ldap_struct, result);
2623 entry != NULL;
2624 entry = ldap_next_entry(conn->ldap_struct, entry))
2625 {
2626 fstring str;
2627 DOM_SID sid;
2628 gid_t gid;
2629 char *end;
2630
2631 if (!smbldap_get_single_attribute(conn->ldap_struct,
2632 entry, "sambaSID",
2633 str, sizeof(str)-1))
2634 continue;
2635
2636 if (!string_to_sid(&sid, str))
2637 goto done;
2638
2639 if (!smbldap_get_single_attribute(conn->ldap_struct,
2640 entry, "gidNumber",
2641 str, sizeof(str)-1))
2642 continue;
2643
2644 gid = strtoul(str, &end, 10);
2645
2646 if (PTR_DIFF(end, str) != strlen(str))
2647 goto done;
2648
2649 if (gid == primary_gid) {
2650 sid_copy(&(*pp_sids)[0], &sid);
2651 } else {
2652 add_gid_to_array_unique(mem_ctx, gid, pp_gids,
2653 &num_gids);
2654 add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
2655 &num_sids);
2656 }
2657 }
2658
2659 if (sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
2660 DEBUG(3, ("primary group of [%s] not found\n",
2661 pdb_get_username(user)));
2662 goto done;
2663 }
2664
2665 *p_num_groups = num_sids;
2666
2667 ret = NT_STATUS_OK;
2668
2669 done:
2670
2671 SAFE_FREE(escape_name);
2672 return ret;
2673 }
2674
2675 /**********************************************************************
2676 * Augment a posixGroup object with a sambaGroupMapping domgroup
2677 *********************************************************************/
2678
2679 static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
2680 struct ldapsam_privates *ldap_state,
2681 GROUP_MAP *map)
2682 {
2683 const char *filter, *dn;
2684 LDAPMessage *msg, *entry;
2685 LDAPMod **mods;
2686 int rc;
2687
2688 filter = talloc_asprintf(mem_ctx,
2689 "(&(objectClass=posixGroup)(gidNumber=%u))",
2690 map->gid);
2691 if (filter == NULL) {
2692 return NT_STATUS_NO_MEMORY;
2693 }
2694
2695 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
2696 get_attr_list(mem_ctx, groupmap_attr_list),
2697 &msg);
2698 talloc_autofree_ldapmsg(mem_ctx, msg);
2699
2700 if ((rc != LDAP_SUCCESS) ||
2701 (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
2702 ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
2703 return NT_STATUS_NO_SUCH_GROUP;
2704 }
2705
2706 dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
2707 if (dn == NULL) {
2708 return NT_STATUS_NO_MEMORY;
2709 }
2710
2711 mods = NULL;
2712 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
2713 "sambaGroupMapping");
2714 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaSid",
2715 sid_string_static(&map->sid));
2716 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaGroupType",
2717 talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
2718 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
2719 map->nt_name);
2720 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
2721 map->comment);
2722 talloc_autofree_ldapmod(mem_ctx, mods);
2723
2724 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2725 if (rc != LDAP_SUCCESS) {
2726 return NT_STATUS_ACCESS_DENIED;
2727 }
2728
2729 return NT_STATUS_OK;
2730 }
2731
2732 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
2733 GROUP_MAP *map)
2734 {
2735 struct ldapsam_privates *ldap_state =
2736 (struct ldapsam_privates *)methods->private_data;
2737 LDAPMessage *msg = NULL;
2738 LDAPMod **mods = NULL;
2739 const char *attrs[] = { NULL };
2740 char *filter;
2741
2742 char *dn;
2743 TALLOC_CTX *mem_ctx;
2744 NTSTATUS result;
2745
2746 DOM_SID sid;
2747
2748 int rc;
2749
2750 mem_ctx = talloc_new(NULL);
2751 if (mem_ctx == NULL) {
2752 DEBUG(0, ("talloc_new failed\n"));
2753 return NT_STATUS_NO_MEMORY;
2754 }
2755
2756 filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
2757 sid_string_static(&map->sid));
2758 if (filter == NULL) {
2759 result = NT_STATUS_NO_MEMORY;
2760 goto done;
2761 }
2762
2763 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
2764 LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
2765 talloc_autofree_ldapmsg(mem_ctx, msg);
2766
2767 if ((rc == LDAP_SUCCESS) &&
2768 (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) > 0)) {
2769
2770 DEBUG(3, ("SID %s already present in LDAP, refusing to add "
2771 "group mapping entry\n",
2772 sid_string_static(&map->sid)));
2773 result = NT_STATUS_GROUP_EXISTS;
2774 goto done;
2775 }
2776
2777 switch (map->sid_name_use) {
2778
2779 case SID_NAME_DOM_GRP:
2780 /* To map a domain group we need to have a posix group
2781 to attach to. */
2782 result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
2783 goto done;
2784 break;
2785
2786 case SID_NAME_ALIAS:
2787 if (!sid_check_is_in_our_domain(&map->sid)
2788 && !sid_check_is_in_builtin(&map->sid) )
2789 {
2790 DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
2791 sid_string_static(&map->sid)));
2792 result = NT_STATUS_INVALID_PARAMETER;
2793 goto done;
2794 }
2795 break;
2796
2797 default:
2798 DEBUG(3, ("Got invalid use '%s' for mapping\n",
2799 sid_type_lookup(map->sid_name_use)));
2800 result = NT_STATUS_INVALID_PARAMETER;
2801 goto done;
2802 }
2803
2804 /* Domain groups have been mapped in a separate routine, we have to
2805 * create an alias now */
2806
2807 if (map->gid == -1) {
2808 DEBUG(10, ("Refusing to map gid==-1\n"));
2809 result = NT_STATUS_INVALID_PARAMETER;
2810 goto done;
2811 }
2812
2813 if (pdb_gid_to_sid(map->gid, &sid)) {
2814 DEBUG(3, ("Gid %d is already mapped to SID %s, refusing to "
2815 "add\n", map->gid, sid_string_static(&sid)));
2816 result = NT_STATUS_GROUP_EXISTS;
2817 goto done;
2818 }
2819
2820 /* Ok, enough checks done. It's still racy to go ahead now, but that's
2821 * the best we can get out of LDAP. */
2822
2823 dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
2824 sid_string_static(&map->sid),
2825 lp_ldap_group_suffix());
2826 if (dn == NULL) {
2827 result = NT_STATUS_NO_MEMORY;
2828 goto done;
2829 }
2830
2831 mods = NULL;
2832
2833 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
2834 "sambaSidEntry");
2835 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
2836 "sambaGroupMapping");
2837
2838 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaSid",
2839 sid_string_static(&map->sid));
2840 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaGroupType",
2841 talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
2842 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "displayName",
2843 map->nt_name);
2844 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "description",
2845 map->comment);
2846 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "gidNumber",
2847 talloc_asprintf(mem_ctx, "%u", map->gid));
2848 talloc_autofree_ldapmod(mem_ctx, mods);
2849
2850 rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
2851
2852 result = (rc == LDAP_SUCCESS) ?
2853 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
2854
2855 done:
2856 TALLOC_FREE(mem_ctx);
2857 return result;
2858 }
2859
2860 /**********************************************************************
2861 * Update a group mapping entry. We're quite strict about what can be changed:
2862 * Only the description and displayname may be changed. It simply does not
2863 * make any sense to change the SID, gid or the type in a mapping.
2864 *********************************************************************/
2865
2866 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
2867 GROUP_MAP *map)
2868 {
2869 struct ldapsam_privates *ldap_state =
2870 (struct ldapsam_privates *)methods->private_data;
2871 int rc;
2872 const char *filter, *dn;
2873 LDAPMessage *msg = NULL;
2874 LDAPMessage *entry = NULL;
2875 LDAPMod **mods = NULL;
2876 TALLOC_CTX *mem_ctx;
2877 NTSTATUS result;
2878
2879 mem_ctx = talloc_new(NULL);
2880 if (mem_ctx == NULL) {
2881 DEBUG(0, ("talloc_new failed\n"));
2882 return NT_STATUS_NO_MEMORY;
2883 }
2884
2885 /* Make 100% sure that sid, gid and type are not changed by looking up
2886 * exactly the values we're given in LDAP. */
2887
2888 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)"
2889 "(sambaSid=%s)(gidNumber=%u)"
2890 "(sambaGroupType=%d))",
2891 LDAP_OBJ_GROUPMAP,
2892 sid_string_static(&map->sid), map->gid,
2893 map->sid_name_use);
2894 if (filter == NULL) {
2895 result = NT_STATUS_NO_MEMORY;
2896 goto done;
2897 }
2898
2899 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
2900 get_attr_list(mem_ctx, groupmap_attr_list),
2901 &msg);
2902 talloc_autofree_ldapmsg(mem_ctx, msg);
2903
2904 if ((rc != LDAP_SUCCESS) ||
2905 (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
2906 ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
2907 result = NT_STATUS_NO_SUCH_GROUP;
2908 goto done;
2909 }
2910
2911 dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
2912
2913 if (dn == NULL) {
2914 result = NT_STATUS_NO_MEMORY;
2915 goto done;
2916 }
2917
2918 mods = NULL;
2919 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
2920 map->nt_name);
2921 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
2922 map->comment);
2923 talloc_autofree_ldapmod(mem_ctx, mods);
2924
2925 if (mods == NULL) {
2926 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: "
2927 "nothing to do\n"));
2928 result = NT_STATUS_OK;
2929 goto done;
2930 }
2931
2932 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2933
2934 if (rc != LDAP_SUCCESS) {
2935 result = NT_STATUS_ACCESS_DENIED;
2936 goto done;
2937 }
2938
2939 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified "
2940 "group %lu in LDAP\n", (unsigned long)map->gid));
2941
2942 result = NT_STATUS_OK;
2943
2944 done:
2945 TALLOC_FREE(mem_ctx);
2946 return result;
2947 }
2948
2949 /**********************************************************************
2950 *********************************************************************/
2951
2952 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
2953 DOM_SID sid)
2954 {
2955 struct ldapsam_privates *priv =
2956 (struct ldapsam_privates *)methods->private_data;
2957 LDAPMessage *msg, *entry;
2958 int rc;
2959 NTSTATUS result;
2960 TALLOC_CTX *mem_ctx;
2961 char *filter;
2962
2963 mem_ctx = talloc_new(NULL);
2964 if (mem_ctx == NULL) {
2965 DEBUG(0, ("talloc_new failed\n"));
2966 return NT_STATUS_NO_MEMORY;
2967 }
2968
2969 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
2970 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
2971 sid_string_static(&sid));
2972 if (filter == NULL) {
2973 result = NT_STATUS_NO_MEMORY;
2974 goto done;
2975 }
2976 rc = smbldap_search_suffix(priv->smbldap_state, filter,
2977 get_attr_list(mem_ctx, groupmap_attr_list),
2978 &msg);
2979 talloc_autofree_ldapmsg(mem_ctx, msg);
2980
2981 if ((rc != LDAP_SUCCESS) ||
2982 (ldap_count_entries(priv2ld(priv), msg) != 1) ||
2983 ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
2984 result = NT_STATUS_NO_SUCH_GROUP;
2985 goto done;
2986 }
2987
2988 rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP,
2989 get_attr_list(mem_ctx,
2990 groupmap_attr_list_to_delete));
2991
2992 if ((rc == LDAP_NAMING_VIOLATION) ||
2993 (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
2994 const char *attrs[] = { "sambaGroupType", "description",
2995 "displayName", "sambaSIDList",
2996 NULL };
2997
2998 /* Second try. Don't delete the sambaSID attribute, this is
2999 for "old" entries that are tacked on a winbind
3000 sambaIdmapEntry. */
3001
3002 rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3003 LDAP_OBJ_GROUPMAP, attrs);
3004 }
3005
3006 if ((rc == LDAP_NAMING_VIOLATION) ||
3007 (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3008 const char *attrs[] = { "sambaGroupType", "description",
3009 "displayName", "sambaSIDList",
3010 "gidNumber", NULL };
3011
3012 /* Third try. This is a post-3.0.21 alias (containing only
3013 * sambaSidEntry and sambaGroupMapping classes), we also have
3014 * to delete the gidNumber attribute, only the sambaSidEntry
3015 * remains */
3016
3017 rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3018 LDAP_OBJ_GROUPMAP, attrs);
3019 }
3020
3021 result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3022
3023 done:
3024 TALLOC_FREE(mem_ctx);
3025 return result;
3026 }
3027
3028 /**********************************************************************
3029 *********************************************************************/
3030
3031 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
3032 BOOL update)
3033 {
3034 struct ldapsam_privates *ldap_state =
3035 (struct ldapsam_privates *)my_methods->private_data;
3036 fstring filter;
3037 int rc;
3038 const char **attr_list;
3039
3040 pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
3041 attr_list = get_attr_list( NULL, groupmap_attr_list );
3042 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
3043 LDAP_SCOPE_SUBTREE, filter,
3044 attr_list, 0, &ldap_state->result);
3045 TALLOC_FREE(attr_list);
3046
3047 if (rc != LDAP_SUCCESS) {
3048 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
3049 ldap_err2string(rc)));
3050 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
3051 lp_ldap_group_suffix(), filter));
3052 ldap_msgfree(ldap_state->result);
3053 ldap_state->result = NULL;
3054 return NT_STATUS_UNSUCCESSFUL;
3055 }
3056
3057 DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
3058 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3059 ldap_state->result)));
3060
3061 ldap_state->entry =
3062 ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3063 ldap_state->result);
3064 ldap_state->index = 0;
3065
3066 return NT_STATUS_OK;
3067 }
3068
3069 /**********************************************************************
3070 *********************************************************************/
3071
3072 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
3073 {
3074 ldapsam_endsampwent(my_methods);
3075 }
3076
3077 /**********************************************************************
3078 *********************************************************************/
3079
3080 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
3081 GROUP_MAP *map)
3082 {
3083 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
3084 struct ldapsam_privates *ldap_state =
3085 (struct ldapsam_privates *)my_methods->private_data;
3086 BOOL bret = False;
3087
3088 while (!bret) {
3089 if (!ldap_state->entry)
3090 return ret;
3091
3092 ldap_state->index++;
3093 bret = init_group_from_ldap(ldap_state, map,
3094 ldap_state->entry);
3095
3096 ldap_state->entry =
3097 ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
3098 ldap_state->entry);
3099 }
3100
3101 return NT_STATUS_OK;
3102 }
3103
3104 /**********************************************************************
3105 *********************************************************************/
3106
3107 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
3108 const DOM_SID *domsid, enum lsa_SidType sid_name_use,
3109 GROUP_MAP **pp_rmap,
3110 size_t *p_num_entries,
3111 BOOL unix_only)
3112 {
3113 GROUP_MAP map;
3114 size_t entries = 0;
3115
3116 *p_num_entries = 0;
3117 *pp_rmap = NULL;
3118
3119 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
3120 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open "
3121 "passdb\n"));
3122 return NT_STATUS_ACCESS_DENIED;
3123 }
3124
3125 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
3126 if (sid_name_use != SID_NAME_UNKNOWN &&
3127 sid_name_use != map.sid_name_use) {
3128 DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3129 "not of the requested type\n", map.nt_name));
3130 continue;
3131 }
3132 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
3133 DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3134 "non mapped\n", map.nt_name));
3135 continue;
3136 }
3137
3138 (*pp_rmap)=SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
3139 if (!(*pp_rmap)) {
3140 DEBUG(0,("ldapsam_enum_group_mapping: Unable to "
3141 "enlarge group map!\n"));
3142 return NT_STATUS_UNSUCCESSFUL;
3143 }
3144
3145 (*pp_rmap)[entries] = map;
3146
3147 entries += 1;
3148
3149 }
3150 ldapsam_endsamgrent(methods);
3151
3152 *p_num_entries = entries;
3153
3154 return NT_STATUS_OK;
3155 }
3156
3157 static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
3158 const DOM_SID *alias,
3159 const DOM_SID *member,
3160 int modop)
3161 {
3162 struct ldapsam_privates *ldap_state =
3163 (struct ldapsam_privates *)methods->private_data;
3164 char *dn;
3165 LDAPMessage *result = NULL;
3166 LDAPMessage *entry = NULL;
3167 int count;
3168 LDAPMod **mods = NULL;
3169 int rc;
3170 enum lsa_SidType type = SID_NAME_USE_NONE;
3171
3172 pstring filter;
3173
3174 if (sid_check_is_in_builtin(alias)) {
3175 type = SID_NAME_ALIAS;
3176 }
3177
3178 if (sid_check_is_in_our_domain(alias)) {
3179 type = SID_NAME_ALIAS;
3180 }
3181
3182 if (type == SID_NAME_USE_NONE) {
3183 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3184 sid_string_static(alias)));
3185 return NT_STATUS_NO_SUCH_ALIAS;
3186 }
3187
3188 pstr_sprintf(filter,
3189 "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3190 LDAP_OBJ_GROUPMAP, sid_string_static(alias),
3191 type);
3192
3193 if (ldapsam_search_one_group(ldap_state, filter,
3194 &result) != LDAP_SUCCESS)
3195 return NT_STATUS_NO_SUCH_ALIAS;
3196
3197 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3198 result);
3199
3200 if (count < 1) {
3201 DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
3202 ldap_msgfree(result);
3203 return NT_STATUS_NO_SUCH_ALIAS;
3204 }
3205
3206 if (count > 1) {
3207 DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for "
3208 "filter %s: count=%d\n", filter, count));
3209 ldap_msgfree(result);
3210 return NT_STATUS_NO_SUCH_ALIAS;
3211 }
3212
3213 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3214 result);
3215
3216 if (!entry) {
3217 ldap_msgfree(result);
3218 return NT_STATUS_UNSUCCESSFUL;
3219 }
3220
3221 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
3222 if (!dn) {
3223 ldap_msgfree(result);
3224 return NT_STATUS_UNSUCCESSFUL;
3225 }
3226
3227 smbldap_set_mod(&mods, modop,
3228 get_attr_key2string(groupmap_attr_list,
3229 LDAP_ATTR_SID_LIST),
3230 sid_string_static(member));
3231
3232 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3233
3234 ldap_mods_free(mods, True);
3235 ldap_msgfree(result);
3236 SAFE_FREE(dn);
3237
3238 if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
3239 return NT_STATUS_MEMBER_IN_ALIAS;
3240 }
3241
3242 if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
3243 return NT_STATUS_MEMBER_NOT_IN_ALIAS;
3244 }
3245
3246 if (rc != LDAP_SUCCESS) {
3247 return NT_STATUS_UNSUCCESSFUL;
3248 }
3249
3250 return NT_STATUS_OK;
3251 }
3252
3253 static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
3254 const DOM_SID *alias,
3255 const DOM_SID *member)
3256 {
3257 return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
3258 }
3259
3260 static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
3261 const DOM_SID *alias,
3262 const DOM_SID *member)
3263 {
3264 return ldapsam_modify_aliasmem(methods, alias, member,
3265 LDAP_MOD_DELETE);
3266 }
3267
3268 static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
3269 const DOM_SID *alias,
3270 DOM_SID **pp_members,
3271 size_t *p_num_members)
3272 {
3273 struct ldapsam_privates *ldap_state =
3274 (struct ldapsam_privates *)methods->private_data;
3275 LDAPMessage *result = NULL;
3276 LDAPMessage *entry = NULL;
3277 int count;
3278 char **values;
3279 int i;
3280 pstring filter;
3281 size_t num_members = 0;
3282 enum lsa_SidType type = SID_NAME_USE_NONE;
3283
3284 *pp_members = NULL;
3285 *p_num_members = 0;
3286
3287 if (sid_check_is_in_builtin(alias)) {
3288 type = SID_NAME_ALIAS;
3289 }
3290
3291 if (sid_check_is_in_our_domain(alias)) {
3292 type = SID_NAME_ALIAS;
3293 }
3294
3295 if (type == SID_NAME_USE_NONE) {
3296 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3297 sid_string_static(alias)));
3298 return NT_STATUS_NO_SUCH_ALIAS;
3299 }
3300
3301 pstr_sprintf(filter,
3302 "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3303 LDAP_OBJ_GROUPMAP, sid_string_static(alias),
3304 type);
3305
3306 if (ldapsam_search_one_group(ldap_state, filter,
3307 &result) != LDAP_SUCCESS)
3308 return NT_STATUS_NO_SUCH_ALIAS;
3309
3310 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3311 result);
3312
3313 if (count < 1) {
3314 DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
3315 ldap_msgfree(result);
3316 return NT_STATUS_NO_SUCH_ALIAS;
3317 }
3318
3319 if (count > 1) {
3320 DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for "
3321 "filter %s: count=%d\n", filter, count));
3322 ldap_msgfree(result);
3323 return NT_STATUS_NO_SUCH_ALIAS;
3324 }
3325
3326 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3327 result);
3328
3329 if (!entry) {
3330 ldap_msgfree(result);
3331 return NT_STATUS_UNSUCCESSFUL;
3332 }
3333
3334 values = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
3335 entry,
3336 get_attr_key2string(groupmap_attr_list,
3337 LDAP_ATTR_SID_LIST));
3338
3339 if (values == NULL) {
3340 ldap_msgfree(result);
3341 return NT_STATUS_OK;
3342 }
3343
3344 count = ldap_count_values(values);
3345
3346 for (i=0; i<count; i++) {
3347 DOM_SID member;
3348
3349 if (!string_to_sid(&member, values[i]))
3350 continue;
3351
3352 add_sid_to_array(NULL, &member, pp_members, &num_members);
3353 }
3354
3355 *p_num_members = num_members;
3356 ldap_value_free(values);
3357 ldap_msgfree(result);
3358
3359 return NT_STATUS_OK;
3360 }
3361
3362 static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
3363 TALLOC_CTX *mem_ctx,
3364 const DOM_SID *domain_sid,
3365 const DOM_SID *members,
3366 size_t num_members,
3367 uint32 **pp_alias_rids,
3368 size_t *p_num_alias_rids)
3369 {
3370 struct ldapsam_privates *ldap_state =
3371 (struct ldapsam_privates *)methods->private_data;
3372 LDAP *ldap_struct;
3373
3374 const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
3375
3376 LDAPMessage *result = NULL;
3377 LDAPMessage *entry = NULL;
3378 int i;
3379 int rc;
3380 char *filter;
3381 enum lsa_SidType type = SID_NAME_USE_NONE;
3382
3383 if (sid_check_is_builtin(domain_sid)) {
3384 type = SID_NAME_ALIAS;
3385 }
3386
3387 if (sid_check_is_domain(domain_sid)) {
3388 type = SID_NAME_ALIAS;
3389 }
3390
3391 if (type == SID_NAME_USE_NONE) {
3392 DEBUG(5, ("SID %s is neither builtin nor domain!\n",
3393 sid_string_static(domain_sid)));
3394 return NT_STATUS_UNSUCCESSFUL;
3395 }
3396
3397 filter = talloc_asprintf(mem_ctx,
3398 "(&(|(objectclass=%s)(sambaGroupType=%d))(|",
3399 LDAP_OBJ_GROUPMAP, type);
3400
3401 for (i=0; i<num_members; i++)
3402 filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)",
3403 filter,
3404 sid_string_static(&members[i]));
3405
3406 filter = talloc_asprintf(mem_ctx, "%s))", filter);
3407
3408 if (filter == NULL) {
3409 return NT_STATUS_NO_MEMORY;
3410 }
3411
3412 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
3413 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
3414
3415 if (rc != LDAP_SUCCESS)
3416 return NT_STATUS_UNSUCCESSFUL;
3417
3418 ldap_struct = ldap_state->smbldap_state->ldap_struct;
3419
3420 for (entry = ldap_first_entry(ldap_struct, result);
3421 entry != NULL;
3422 entry = ldap_next_entry(ldap_struct, entry))
3423 {
3424 fstring sid_str;
3425 DOM_SID sid;
3426 uint32 rid;
3427
3428 if (!smbldap_get_single_attribute(ldap_struct, entry,
3429 LDAP_ATTRIBUTE_SID,
3430 sid_str,
3431 sizeof(sid_str)-1))
3432 continue;
3433
3434 if (!string_to_sid(&sid, sid_str))
3435 continue;
3436
3437 if (!sid_peek_check_rid(domain_sid, &sid, &rid))
3438 continue;
3439
3440 add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids,
3441 p_num_alias_rids);
3442 }
3443
3444 ldap_msgfree(result);
3445 return NT_STATUS_OK;
3446 }
3447
3448 static NTSTATUS ldapsam_set_account_policy_in_ldap(struct pdb_methods *methods,
3449 int policy_index,
3450 uint32 value)
3451 {
3452 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3453 int rc;
3454 LDAPMod **mods = NULL;
3455 fstring value_string;
3456 const char *policy_attr = NULL;
3457
3458 struct ldapsam_privates *ldap_state =
3459 (struct ldapsam_privates *)methods->private_data;
3460
3461 DEBUG(10,("ldapsam_set_account_policy_in_ldap\n"));
3462
3463 if (!ldap_state->domain_dn) {
3464 return NT_STATUS_INVALID_PARAMETER;
3465 }
3466
3467 policy_attr = get_account_policy_attr(policy_index);
3468 if (policy_attr == NULL) {
3469 DEBUG(0,("ldapsam_set_account_policy_in_ldap: invalid "
3470 "policy\n"));
3471 return ntstatus;
3472 }
3473
3474 slprintf(value_string, sizeof(value_string) - 1, "%i", value);
3475
3476 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, policy_attr, value_string);
3477
3478 rc = smbldap_modify(ldap_state->smbldap_state, ldap_state->domain_dn,
3479 mods);
3480
3481 ldap_mods_free(mods, True);
3482
3483 if (rc != LDAP_SUCCESS) {
3484 return ntstatus;
3485 }
3486
3487 if (!cache_account_policy_set(policy_index, value)) {
3488 DEBUG(0,("ldapsam_set_account_policy_in_ldap: failed to "
3489 "update local tdb cache\n"));
3490 return ntstatus;
3491 }
3492
3493 return NT_STATUS_OK;
3494 }
3495
3496 static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods,
3497 int policy_index, uint32 value)
3498 {
3499 return ldapsam_set_account_policy_in_ldap(methods, policy_index,
3500 value);
3501 }
3502
3503 static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods,
3504 int policy_index,
3505 uint32 *value)
3506 {
3507 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3508 LDAPMessage *result = NULL;
3509 LDAPMessage *entry = NULL;
3510 int count;
3511 int rc;
3512 char **vals = NULL;
3513 const char *policy_attr = NULL;
3514
3515 struct ldapsam_privates *ldap_state =
3516 (struct ldapsam_privates *)methods->private_data;
3517
3518 const char *attrs[2];
3519
3520 DEBUG(10,("ldapsam_get_account_policy_from_ldap\n"));
3521
3522 if (!ldap_state->domain_dn) {
3523 return NT_STATUS_INVALID_PARAMETER;
3524 }
3525
3526 policy_attr = get_account_policy_attr(policy_index);
3527 if (!policy_attr) {
3528 DEBUG(0,("ldapsam_get_account_policy_from_ldap: invalid "
3529 "policy index: %d\n", policy_index));
3530 return ntstatus;
3531 }
3532
3533 attrs[0] = policy_attr;
3534 attrs[1] = NULL;
3535
3536 rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
3537 LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0,
3538 &result);
3539
3540 if (rc != LDAP_SUCCESS) {
3541 return ntstatus;
3542 }
3543
3544 count = ldap_count_entries(priv2ld(ldap_state), result);
3545 if (count < 1) {
3546 goto out;
3547 }
3548
3549 entry = ldap_first_entry(priv2ld(ldap_state), result);
3550 if (entry == NULL) {
3551 goto out;
3552 }
3553
3554 vals = ldap_get_values(priv2ld(ldap_state), entry, policy_attr);
3555 if (vals == NULL) {
3556 goto out;
3557 }
3558
3559 *value = (uint32)atol(vals[0]);
3560
3561 ntstatus = NT_STATUS_OK;
3562
3563 out:
3564 if (vals)
3565 ldap_value_free(vals);
3566 ldap_msgfree(result);
3567
3568 return ntstatus;
3569 }
3570
3571 /* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
3572
3573 - if user hasn't decided to use account policies inside LDAP just reuse the
3574 old tdb values
3575
3576 - if there is a valid cache entry, return that
3577 - if there is an LDAP entry, update cache and return
3578 - otherwise set to default, update cache and return
3579
3580 Guenther
3581 */
3582 static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods,
3583 int policy_index, uint32 *value)
3584 {
3585 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3586
3587 if (cache_account_policy_get(policy_index, value)) {
3588 DEBUG(11,("ldapsam_get_account_policy: got valid value from "
3589 "cache\n"));
3590 return NT_STATUS_OK;
3591 }
3592
3593 ntstatus = ldapsam_get_account_policy_from_ldap(methods, policy_index,
3594 value);
3595 if (NT_STATUS_IS_OK(ntstatus)) {
3596 goto update_cache;
3597 }
3598
3599 DEBUG(10,("ldapsam_get_account_policy: failed to retrieve from "
3600 "ldap\n"));
3601
3602 #if 0
3603 /* should we automagically migrate old tdb value here ? */
3604 if (account_policy_get(policy_index, value))
3605 goto update_ldap;
3606
3607 DEBUG(10,("ldapsam_get_account_policy: no tdb for %d, trying "
3608 "default\n", policy_index));
3609 #endif
3610
3611 if (!account_policy_get_default(policy_index, value)) {
3612 return ntstatus;
3613 }
3614
3615 /* update_ldap: */
3616
3617 ntstatus = ldapsam_set_account_policy(methods, policy_index, *value);
3618 if (!NT_STATUS_IS_OK(ntstatus)) {
3619 return ntstatus;
3620 }
3621
3622 update_cache:
3623
3624 if (!cache_account_policy_set(policy_index, *value)) {
3625 DEBUG(0,("ldapsam_get_account_policy: failed to update local "
3626 "tdb as a cache\n"));
3627 return NT_STATUS_UNSUCCESSFUL;
3628 }
3629
3630 return NT_STATUS_OK;
3631 }
3632
3633 static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
3634 const DOM_SID *domain_sid,
3635 int num_rids,
3636 uint32 *rids,
3637 const char **names,
3638 enum lsa_SidType *attrs)
3639 {
3640 struct ldapsam_privates *ldap_state =
3641 (struct ldapsam_privates *)methods->private_data;
3642 LDAPMessage *msg = NULL;
3643 LDAPMessage *entry;
3644 char *allsids = NULL;
3645 int i, rc, num_mapped;
3646 NTSTATUS result = NT_STATUS_NO_MEMORY;
3647 TALLOC_CTX *mem_ctx;
3648 LDAP *ld;
3649 BOOL is_builtin;
3650
3651 mem_ctx = talloc_new(NULL);
3652 if (mem_ctx == NULL) {
3653 DEBUG(0, ("talloc_new failed\n"));
3654 goto done;
3655 }
3656
3657 if (!sid_check_is_builtin(domain_sid) &&
3658 !sid_check_is_domain(domain_sid)) {
3659 result = NT_STATUS_INVALID_PARAMETER;
3660 goto done;
3661 }
3662
3663 for (i=0; i<num_rids; i++)
3664 attrs[i] = SID_NAME_UNKNOWN;
3665
3666 allsids = talloc_strdup(mem_ctx, "");
3667 if (allsids == NULL) {
3668 goto done;
3669 }
3670
3671 for (i=0; i<num_rids; i++) {
3672 DOM_SID sid;
3673 sid_compose(&sid, domain_sid, rids[i]);
3674 allsids = talloc_asprintf_append(allsids, "(sambaSid=%s)",
3675 sid_string_static(&sid));
3676 if (allsids == NULL) {
3677 goto done;
3678 }
3679 }
3680
3681 /* First look for users */
3682
3683 {
3684 char *filter;
3685 const char *ldap_attrs[] = { "uid", "sambaSid", NULL };
3686
3687 filter = talloc_asprintf(
3688 mem_ctx, ("(&(objectClass=%s)(|%s))"),
3689 LDAP_OBJ_SAMBASAMACCOUNT, allsids);
3690
3691 if (filter == NULL) {
3692 goto done;
3693 }
3694
3695 rc = smbldap_search(ldap_state->smbldap_state,
3696 lp_ldap_user_suffix(),
3697 LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
3698 &msg);
3699 talloc_autofree_ldapmsg(mem_ctx, msg);
3700 }
3701
3702 if (rc != LDAP_SUCCESS)
3703 goto done;
3704
3705 ld = ldap_state->smbldap_state->ldap_struct;
3706 num_mapped = 0;
3707
3708 for (entry = ldap_first_entry(ld, msg);
3709 entry != NULL;
3710 entry = ldap_next_entry(ld, entry)) {
3711 uint32 rid;
3712 int rid_index;
3713 const char *name;
3714
3715 if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
3716 &rid)) {
3717 DEBUG(2, ("Could not find sid from ldap entry\n"));
3718 continue;
3719 }
3720
3721 name = smbldap_talloc_single_attribute(ld, entry, "uid",
3722 names);
3723 if (name == NULL) {
3724 DEBUG(2, ("Could not retrieve uid attribute\n"));
3725 continue;
3726 }
3727
3728 for (rid_index = 0; rid_index < num_rids; rid_index++) {
3729 if (rid == rids[rid_index])
3730 break;
3731 }
3732
3733 if (rid_index == num_rids) {
3734 DEBUG(2, ("Got a RID not asked for: %d\n", rid));
3735 continue;
3736 }
3737
3738 attrs[rid_index] = SID_NAME_USER;
3739 names[rid_index] = name;
3740 num_mapped += 1;
3741 }
3742
3743 if (num_mapped == num_rids) {
3744 /* No need to look for groups anymore -- we're done */
3745 result = NT_STATUS_OK;
3746 goto done;
3747 }
3748
3749 /* Same game for groups */
3750
3751 {
3752 char *filter;
3753 const char *ldap_attrs[] = { "cn", "displayName", "sambaSid",
3754 "sambaGroupType", NULL };
3755
3756 filter = talloc_asprintf(
3757 mem_ctx, "(&(objectClass=%s)(|%s))",
3758 LDAP_OBJ_GROUPMAP, allsids);
3759 if (filter == NULL) {
3760 goto done;
3761 }
3762
3763 rc = smbldap_search(ldap_state->smbldap_state,
3764 lp_ldap_group_suffix(),
3765 LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
3766 &msg);
3767 talloc_autofree_ldapmsg(mem_ctx, msg);
3768 }
3769
3770 if (rc != LDAP_SUCCESS)
3771 goto done;
3772
3773 /* ldap_struct might have changed due to a reconnect */
3774
3775 ld = ldap_state->smbldap_state->ldap_struct;
3776
3777 /* For consistency checks, we already checked we're only domain or builtin */
3778
3779 is_builtin = sid_check_is_builtin(domain_sid);
3780
3781 for (entry = ldap_first_entry(ld, msg);
3782 entry != NULL;
3783 entry = ldap_next_entry(ld, entry))
3784 {
3785 uint32 rid;
3786 int rid_index;
3787 const char *attr;
3788 enum lsa_SidType type;
3789 const char *dn = smbldap_talloc_dn(mem_ctx, ld, entry);
3790
3791 attr = smbldap_talloc_single_attribute(ld, entry, "sambaGroupType",
3792 mem_ctx);
3793 if (attr == NULL) {
3794 DEBUG(2, ("Could not extract type from ldap entry %s\n",
3795 dn));
3796 continue;
3797 }
3798
3799 type = (enum lsa_SidType)atol(attr);
3800
3801 /* Consistency checks */
3802 if ((is_builtin && (type != SID_NAME_ALIAS)) ||
3803 (!is_builtin && ((type != SID_NAME_ALIAS) &&
3804 (type != SID_NAME_DOM_GRP)))) {
3805 DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
3806 }
3807
3808 if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
3809 &rid)) {
3810 DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
3811 continue;
3812 }
3813
3814 attr = smbldap_talloc_single_attribute(ld, entry, "displayName", names);
3815
3816 if (attr == NULL) {
3817 DEBUG(10, ("Could not retrieve 'displayName' attribute from %s\n",
3818 dn));
3819 attr = smbldap_talloc_single_attribute(ld, entry, "cn", names);
3820 }
3821
3822 if (attr == NULL) {
3823 DEBUG(2, ("Could not retrieve naming attribute from %s\n",
3824 dn));
3825 continue;
3826 }
3827
3828 for (rid_index = 0; rid_index < num_rids; rid_index++) {
3829 if (rid == rids[rid_index])
3830 break;
3831 }
3832
3833 if (rid_index == num_rids) {
3834 DEBUG(2, ("Got a RID not asked for: %d\n", rid));
3835 continue;
3836 }
3837
3838 attrs[rid_index] = type;
3839 names[rid_index] = attr;
3840 num_mapped += 1;
3841 }
3842
3843 result = NT_STATUS_NONE_MAPPED;
3844
3845 if (num_mapped > 0)
3846 result = (num_mapped == num_rids) ?
3847 NT_STATUS_OK : STATUS_SOME_UNMAPPED;
3848 done:
3849 TALLOC_FREE(mem_ctx);
3850 return result;
3851 }
3852
3853 static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
3854 {
3855 char *filter = NULL;
3856 char *escaped = NULL;
3857 char *result = NULL;
3858
3859 asprintf(&filter, "(&%s(objectclass=sambaSamAccount))",
3860 "(uid=%u)");
3861 if (filter == NULL) goto done;
3862
3863 escaped = escape_ldap_string_alloc(username);
3864 if (escaped == NULL) goto done;
3865
3866 result = talloc_string_sub(mem_ctx, filter, "%u", username);
3867
3868 done:
3869 SAFE_FREE(filter);
3870 SAFE_FREE(escaped);
3871
3872 return result;
3873 }
3874
3875 const char **talloc_attrs(TALLOC_CTX *mem_ctx, ...)
3876 {
3877 int i, num = 0;
3878 va_list ap;
3879 const char **result;
3880
3881 va_start(ap, mem_ctx);
3882 while (va_arg(ap, const char *) != NULL)
3883 num += 1;
3884 va_end(ap);
3885
3886 if ((result = TALLOC_ARRAY(mem_ctx, const char *, num+1)) == NULL) {
3887 return NULL;
3888 }
3889
3890 va_start(ap, mem_ctx);
3891 for (i=0; i<num; i++) {
3892 result[i] = talloc_strdup(result, va_arg(ap, const char*));
3893 if (result[i] == NULL) {
3894 talloc_free(result);
3895 return NULL;
3896 }
3897 }
3898 va_end(ap);
3899
3900 result[num] = NULL;
3901 return result;
3902 }
3903
3904 struct ldap_search_state {
3905 struct smbldap_state *connection;
3906
3907 uint32 acct_flags;
3908 uint16 group_type;
3909
3910 const char *base;
3911 int scope;
3912 const char *filter;
3913 const char **attrs;
3914 int attrsonly;
3915 void *pagedresults_cookie;
3916
3917 LDAPMessage *entries, *current_entry;
3918 BOOL (*ldap2displayentry)(struct ldap_search_state *state,
3919 TALLOC_CTX *mem_ctx,
3920 LDAP *ld, LDAPMessage *entry,
3921 struct samr_displayentry *result);
3922 };
3923
3924 static BOOL ldapsam_search_firstpage(struct pdb_search *search)
3925 {
3926 struct ldap_search_state *state =
3927 (struct ldap_search_state *)search->private_data;
3928 LDAP *ld;
3929 int rc = LDAP_OPERATIONS_ERROR;
3930
3931 state->entries = NULL;
3932
3933 if (state->connection->paged_results) {
3934 rc = smbldap_search_paged(state->connection, state->base,
3935 state->scope, state->filter,
3936 state->attrs, state->attrsonly,
3937 lp_ldap_page_size(), &state->entries,
3938 &state->pagedresults_cookie);
3939 }
3940
3941 if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) {
3942
3943 if (state->entries != NULL) {
3944 /* Left over from unsuccessful paged attempt */
3945 ldap_msgfree(state->entries);
3946 state->entries = NULL;
3947 }
3948
3949 rc = smbldap_search(state->connection, state->base,
3950 state->scope, state->filter, state->attrs,
3951 state->attrsonly, &state->entries);
3952
3953 if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
3954 return False;
3955
3956 /* Ok, the server was lying. It told us it could do paged
3957 * searches when it could not. */
3958 state->connection->paged_results = False;
3959 }
3960
3961 ld = state->connection->ldap_struct;
3962 if ( ld == NULL) {
3963 DEBUG(5, ("Don't have an LDAP connection right after a "
3964 "search\n"));
3965 return False;
3966 }
3967 state->current_entry = ldap_first_entry(ld, state->entries);
3968
3969 if (state->current_entry == NULL) {
3970 ldap_msgfree(state->entries);
3971 state->entries = NULL;
3972 }
3973
3974 return True;
3975 }
3976
3977 static BOOL ldapsam_search_nextpage(struct pdb_search *search)
3978 {
3979 struct ldap_search_state *state =
3980 (struct ldap_search_state *)search->private_data;
3981 int rc;
3982
3983 if (!state->connection->paged_results) {
3984 /* There is no next page when there are no paged results */
3985 return False;
3986 }
3987
3988 rc = smbldap_search_paged(state->connection, state->base,
3989 state->scope, state->filter, state->attrs,
3990 state->attrsonly, lp_ldap_page_size(),
3991 &state->entries,
3992 &state->pagedresults_cookie);
3993
3994 if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
3995 return False;
3996
3997 state->current_entry = ldap_first_entry(state->connection->ldap_struct, state->entries);
3998
3999 if (state->current_entry == NULL) {
4000 ldap_msgfree(state->entries);
4001 state->entries = NULL;
4002 }
4003
4004 return True;
4005 }
4006
4007 static BOOL ldapsam_search_next_entry(struct pdb_search *search,
4008 struct samr_displayentry *entry)
4009 {
4010 struct ldap_search_state *state =
4011 (struct ldap_search_state *)search->private_data;
4012 BOOL result;
4013
4014 retry:
4015 if ((state->entries == NULL) && (state->pagedresults_cookie == NULL))
4016 return False;
4017
4018 if ((state->entries == NULL) &&
4019 !ldapsam_search_nextpage(search))
4020 return False;
4021
4022 result = state->ldap2displayentry(state, search->mem_ctx, state->connection->ldap_struct,
4023 state->current_entry, entry);
4024
4025 if (!result) {
4026 char *dn;
4027 dn = ldap_get_dn(state->connection->ldap_struct, state->current_entry);
4028 DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>"));
4029 if (dn != NULL) ldap_memfree(dn);
4030 }
4031
4032 state->current_entry = ldap_next_entry(state->connection->ldap_struct, state->current_entry);
4033
4034 if (state->current_entry == NULL) {
4035 ldap_msgfree(state->entries);
4036 state->entries = NULL;
4037 }
4038
4039 if (!result) goto retry;
4040
4041 return True;
4042 }
4043
4044 static void ldapsam_search_end(struct pdb_search *search)
4045 {
4046 struct ldap_search_state *state =
4047 (struct ldap_search_state *)search->private_data;
4048 int rc;
4049
4050 if (state->pagedresults_cookie == NULL)
4051 return;
4052
4053 if (state->entries != NULL)
4054 ldap_msgfree(state->entries);
4055
4056 state->entries = NULL;
4057 state->current_entry = NULL;
4058
4059 if (!state->connection->paged_results)
4060 return;
4061
4062 /* Tell the LDAP server we're not interested in the rest anymore. */
4063
4064 rc = smbldap_search_paged(state->connection, state->base, state->scope,
4065 state->filter, state->attrs,
4066 state->attrsonly, 0, &state->entries,
4067 &state->pagedresults_cookie);
4068
4069 if (rc != LDAP_SUCCESS)
4070 DEBUG(5, ("Could not end search properly\n"));
4071
4072 return;
4073 }
4074
4075 static BOOL ldapuser2displayentry(struct ldap_search_state *state,
4076 TALLOC_CTX *mem_ctx,
4077 LDAP *ld, LDAPMessage *entry,
4078 struct samr_displayentry *result)
4079 {
4080 char **vals;
4081 DOM_SID sid;
4082 uint32 acct_flags;
4083
4084 vals = ldap_get_values(ld, entry, "sambaAcctFlags");
4085 if ((vals == NULL) || (vals[0] == NULL)) {
4086 DEBUG(5, ("\"sambaAcctFlags\" not found\n"));
4087 return False;
4088 }
4089 acct_flags = pdb_decode_acct_ctrl(vals[0]);
4090 ldap_value_free(vals);
4091
4092 if ((state->acct_flags != 0) &&
4093 ((state->acct_flags & acct_flags) == 0))
4094 return False;
4095
4096 result->acct_flags = acct_flags;
4097 result->account_name = "";
4098 result->fullname = "";
4099 result->description = "";
4100
4101 vals = ldap_get_values(ld, entry, "uid");
4102 if ((vals == NULL) || (vals[0] == NULL)) {
4103 DEBUG(5, ("\"uid\" not found\n"));
4104 return False;
4105 }
4106 pull_utf8_talloc(mem_ctx,
4107 CONST_DISCARD(char **, &result->account_name),
4108 vals[0]);
4109 ldap_value_free(vals);
4110
4111 vals = ldap_get_values(ld, entry, "displayName");
4112 if ((vals == NULL) || (vals[0] == NULL))
4113 DEBUG(8, ("\"displayName\" not found\n"));
4114 else
4115 pull_utf8_talloc(mem_ctx,
4116 CONST_DISCARD(char **, &result->fullname),
4117 vals[0]);
4118 ldap_value_free(vals);
4119
4120 vals = ldap_get_values(ld, entry, "description");
4121 if ((vals == NULL) || (vals[0] == NULL))
4122 DEBUG(8, ("\"description\" not found\n"));
4123 else
4124 pull_utf8_talloc(mem_ctx,
4125 CONST_DISCARD(char **, &result->description),
4126 vals[0]);
4127 ldap_value_free(vals);
4128
4129 if ((result->account_name == NULL) ||
4130 (result->fullname == NULL) ||
4131 (result->description == NULL)) {
4132 DEBUG(0, ("talloc failed\n"));
4133 return False;
4134 }
4135
4136 vals = ldap_get_values(ld, entry, "sambaSid");
4137 if ((vals == NULL) || (vals[0] == NULL)) {
4138 DEBUG(0, ("\"objectSid\" not found\n"));
4139 return False;
4140 }
4141
4142 if (!string_to_sid(&sid, vals[0])) {
4143 DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
4144 ldap_value_free(vals);
4145 return False;
4146 }
4147 ldap_value_free(vals);
4148
4149 if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
4150 DEBUG(0, ("sid %s does not belong to our domain\n",
4151 sid_string_static(&sid)));
4152 return False;
4153 }
4154
4155 return True;
4156 }
4157
4158
4159 static BOOL ldapsam_search_users(struct pdb_methods *methods,
4160 struct pdb_search *search,
4161 uint32 acct_flags)
4162 {
4163 struct ldapsam_privates *ldap_state =
4164 (struct ldapsam_privates *)methods->private_data;
4165 struct ldap_search_state *state;
4166
4167 state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
4168 if (state == NULL) {
4169 DEBUG(0, ("talloc failed\n"));
4170 return False;
4171 }
4172
4173 state->connection = ldap_state->smbldap_state;
4174
4175 if ((acct_flags != 0) && ((acct_flags & ACB_NORMAL) != 0))
4176 state->base = lp_ldap_user_suffix();
4177 else if ((acct_flags != 0) &&
4178 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))
4179 state->base = lp_ldap_machine_suffix();
4180 else
4181 state->base = lp_ldap_suffix();
4182
4183 state->acct_flags = acct_flags;
4184 state->base = talloc_strdup(search->mem_ctx, state->base);
4185 state->scope = LDAP_SCOPE_SUBTREE;
4186 state->filter = get_ldap_filter(search->mem_ctx, "*");
4187 state->attrs = talloc_attrs(search->mem_ctx, "uid", "sambaSid",
4188 "displayName", "description",
4189 "sambaAcctFlags", NULL);
4190 state->attrsonly = 0;
4191 state->pagedresults_cookie = NULL;
4192 state->entries = NULL;
4193 state->ldap2displayentry = ldapuser2displayentry;
4194
4195 if ((state->filter == NULL) || (state->attrs == NULL)) {
4196 DEBUG(0, ("talloc failed\n"));
4197 return False;
4198 }
4199
4200 search->private_data = state;
4201 search->next_entry = ldapsam_search_next_entry;
4202 search->search_end = ldapsam_search_end;
4203
4204 return ldapsam_search_firstpage(search);
4205 }
4206
4207 static BOOL ldapgroup2displayentry(struct ldap_search_state *state,
4208 TALLOC_CTX *mem_ctx,
4209 LDAP *ld, LDAPMessage *entry,
4210 struct samr_displayentry *result)
4211 {
4212 char **vals;
4213 DOM_SID sid;
4214 uint16 group_type;
4215
4216 result->account_name = "";
4217 result->fullname = "";
4218 result->description = "";
4219
4220
4221 vals = ldap_get_values(ld, entry, "sambaGroupType");
4222 if ((vals == NULL) || (vals[0] == NULL)) {
4223 DEBUG(5, ("\"sambaGroupType\" not found\n"));
4224 if (vals != NULL) {
4225 ldap_value_free(vals);
4226 }
4227 return False;
4228 }
4229
4230 group_type = atoi(vals[0]);
4231
4232 if ((state->group_type != 0) &&
4233 ((state->group_type != group_type))) {
4234 ldap_value_free(vals);
4235 return False;
4236 }
4237
4238 ldap_value_free(vals);
4239
4240 /* display name is the NT group name */
4241
4242 vals = ldap_get_values(ld, entry, "displayName");
4243 if ((vals == NULL) || (vals[0] == NULL)) {
4244 DEBUG(8, ("\"displayName\" not found\n"));
4245
4246 /* fallback to the 'cn' attribute */
4247 vals = ldap_get_values(ld, entry, "cn");
4248 if ((vals == NULL) || (vals[0] == NULL)) {
4249 DEBUG(5, ("\"cn\" not found\n"));
4250 return False;
4251 }
4252 pull_utf8_talloc(mem_ctx,
4253 CONST_DISCARD(char **, &result->account_name),
4254 vals[0]);
4255 }
4256 else {
4257 pull_utf8_talloc(mem_ctx,
4258 CONST_DISCARD(char **, &result->account_name),
4259 vals[0]);
4260 }
4261
4262 ldap_value_free(vals);
4263
4264 vals = ldap_get_values(ld, entry, "description");
4265 if ((vals == NULL) || (vals[0] == NULL))
4266 DEBUG(8, ("\"description\" not found\n"));
4267 else
4268 pull_utf8_talloc(mem_ctx,
4269 CONST_DISCARD(char **, &result->description),
4270 vals[0]);
4271 ldap_value_free(vals);
4272
4273 if ((result->account_name == NULL) ||
4274 (result->fullname == NULL) ||
4275 (result->description == NULL)) {
4276 DEBUG(0, ("talloc failed\n"));
4277 return False;
4278 }
4279
4280 vals = ldap_get_values(ld, entry, "sambaSid");
4281 if ((vals == NULL) || (vals[0] == NULL)) {
4282 DEBUG(0, ("\"objectSid\" not found\n"));
4283 if (vals != NULL) {
4284 ldap_value_free(vals);
4285 }
4286 return False;
4287 }
4288
4289 if (!string_to_sid(&sid, vals[0])) {
4290 DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
4291 return False;
4292 }
4293
4294 ldap_value_free(vals);
4295
4296 switch (group_type) {
4297 case SID_NAME_DOM_GRP:
4298 case SID_NAME_ALIAS:
4299
4300 if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
4301 && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
4302 {
4303 DEBUG(0, ("%s is not in our domain\n",
4304 sid_string_static(&sid)));
4305 return False;
4306 }
4307 break;
4308
4309 default:
4310 DEBUG(0,("unkown group type: %d\n", group_type));
4311 return False;
4312 }
4313
4314 return True;
4315 }
4316
4317 static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
4318 struct pdb_search *search,
4319 const DOM_SID *sid,
4320 enum lsa_SidType type)
4321 {
4322 struct ldapsam_privates *ldap_state =
4323 (struct ldapsam_privates *)methods->private_data;
4324 struct ldap_search_state *state;
4325
4326 state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
4327 if (state == NULL) {
4328 DEBUG(0, ("talloc failed\n"));
4329 return False;
4330 }
4331
4332 state->connection = ldap_state->smbldap_state;
4333
4334 state->base = talloc_strdup(search->mem_ctx, lp_ldap_group_suffix());
4335 state->connection = ldap_state->smbldap_state;
4336 state->scope = LDAP_SCOPE_SUBTREE;
4337 state->filter = talloc_asprintf(search->mem_ctx,
4338 "(&(objectclass=sambaGroupMapping)"
4339 "(sambaGroupType=%d)(sambaSID=%s*))",
4340 type, sid_string_static(sid));
4341 state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid",
4342 "displayName", "description",
4343 "sambaGroupType", NULL);
4344 state->attrsonly = 0;
4345 state->pagedresults_cookie = NULL;
4346 state->entries = NULL;
4347 state->group_type = type;
4348 state->ldap2displayentry = ldapgroup2displayentry;
4349
4350 if ((state->filter == NULL) || (state->attrs == NULL)) {
4351 DEBUG(0, ("talloc failed\n"));
4352 return False;
4353 }
4354
4355 search->private_data = state;
4356 search->next_entry = ldapsam_search_next_entry;
4357 search->search_end = ldapsam_search_end;
4358
4359 return ldapsam_search_firstpage(search);
4360 }
4361
4362 static BOOL ldapsam_search_groups(struct pdb_methods *methods,
4363 struct pdb_search *search)
4364 {
4365 return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
4366 }
4367
4368 static BOOL ldapsam_search_aliases(struct pdb_methods *methods,
4369 struct pdb_search *search,
4370 const DOM_SID *sid)
4371 {
4372 return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
4373 }
4374
4375 static BOOL ldapsam_rid_algorithm(struct pdb_methods *methods)
4376 {
4377 return False;
4378 }
4379
4380 static NTSTATUS ldapsam_get_new_rid(struct ldapsam_privates *priv,
4381 uint32 *rid)
4382 {
4383 struct smbldap_state *smbldap_state = priv->smbldap_state;
4384
4385 LDAPMessage *result = NULL;
4386 LDAPMessage *entry = NULL;
4387 LDAPMod **mods = NULL;
4388 NTSTATUS status;
4389 char *value;
4390 int rc;
4391 uint32 nextRid = 0;
4392 const char *dn;
4393
4394 TALLOC_CTX *mem_ctx;
4395
4396 mem_ctx = talloc_new(NULL);
4397 if (mem_ctx == NULL) {
4398 DEBUG(0, ("talloc_new failed\n"));
4399 return NT_STATUS_NO_MEMORY;
4400 }
4401
4402 status = smbldap_search_domain_info(smbldap_state, &result,
4403 get_global_sam_name(), False);
4404 if (!NT_STATUS_IS_OK(status)) {
4405 DEBUG(3, ("Could not get domain info: %s\n",
4406 nt_errstr(status)));
4407 goto done;
4408 }
4409
4410 talloc_autofree_ldapmsg(mem_ctx, result);
4411
4412 entry = ldap_first_entry(priv2ld(priv), result);
4413 if (entry == NULL) {
4414 DEBUG(0, ("Could not get domain info entry\n"));
4415 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
4416 goto done;
4417 }
4418
4419 /* Find the largest of the three attributes "sambaNextRid",
4420 "sambaNextGroupRid" and "sambaNextUserRid". I gave up on the
4421 concept of differentiating between user and group rids, and will
4422 use only "sambaNextRid" in the future. But for compatibility
4423 reasons I look if others have chosen different strategies -- VL */
4424
4425 value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4426 "sambaNextRid", mem_ctx);
4427 if (value != NULL) {
4428 uint32 tmp = (uint32)strtoul(value, NULL, 10);
4429 nextRid = MAX(nextRid, tmp);
4430 }
4431
4432 value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4433 "sambaNextUserRid", mem_ctx);
4434 if (value != NULL) {
4435 uint32 tmp = (uint32)strtoul(value, NULL, 10);
4436 nextRid = MAX(nextRid, tmp);
4437 }
4438
4439 value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4440 "sambaNextGroupRid", mem_ctx);
4441 if (value != NULL) {
4442 uint32 tmp = (uint32)strtoul(value, NULL, 10);
4443 nextRid = MAX(nextRid, tmp);
4444 }
4445
4446 if (nextRid == 0) {
4447 nextRid = BASE_RID-1;
4448 }
4449
4450 nextRid += 1;
4451
4452 smbldap_make_mod(priv2ld(priv), entry, &mods, "sambaNextRid",
4453 talloc_asprintf(mem_ctx, "%d", nextRid));
4454 talloc_autofree_ldapmod(mem_ctx, mods);
4455
4456 if ((dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)) == NULL) {
4457 status = NT_STATUS_NO_MEMORY;
4458 goto done;
4459 }
4460
4461 rc = smbldap_modify(smbldap_state, dn, mods);
4462
4463 /* ACCESS_DENIED is used as a placeholder for "the modify failed,
4464 * please retry" */
4465
4466 status = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
4467
4468 done:
4469 if (NT_STATUS_IS_OK(status)) {
4470 *rid = nextRid;
4471 }
4472
4473 TALLOC_FREE(mem_ctx);
4474 return status;
4475 }
4476
4477 static NTSTATUS ldapsam_new_rid_internal(struct pdb_methods *methods, uint32 *rid)
4478 {
4479 int i;
4480
4481 for (i=0; i<10; i++) {
4482 NTSTATUS result = ldapsam_get_new_rid(
4483 (struct ldapsam_privates *)methods->private_data, rid);
4484 if (NT_STATUS_IS_OK(result)) {
4485 return result;
4486 }
4487
4488 if (!NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
4489 return result;
4490 }
4491
4492 /* The ldap update failed (maybe a race condition), retry */
4493 }
4494
4495 /* Tried 10 times, fail. */
4496 return NT_STATUS_ACCESS_DENIED;
4497 }
4498
4499 static BOOL ldapsam_new_rid(struct pdb_methods *methods, uint32 *rid)
4500 {
4501 NTSTATUS result = ldapsam_new_rid_internal(methods, rid);
4502 return NT_STATUS_IS_OK(result) ? True : False;
4503 }
4504
4505 static BOOL ldapsam_sid_to_id(struct pdb_methods *methods,
4506 const DOM_SID *sid,
4507 union unid_t *id, enum lsa_SidType *type)
4508 {
4509 struct ldapsam_privates *priv =
4510 (struct ldapsam_privates *)methods->private_data;
4511 char *filter;
4512 const char *attrs[] = { "sambaGroupType", "gidNumber", "uidNumber",
4513 NULL };
4514 LDAPMessage *result = NULL;
4515 LDAPMessage *entry = NULL;
4516 BOOL ret = False;
4517 char *value;
4518 int rc;
4519
4520 TALLOC_CTX *mem_ctx;
4521
4522 mem_ctx = talloc_new(NULL);
4523 if (mem_ctx == NULL) {
4524 DEBUG(0, ("talloc_new failed\n"));
4525 return False;
4526 }
4527
4528 filter = talloc_asprintf(mem_ctx,
4529 "(&(sambaSid=%s)"
4530 "(|(objectClass=%s)(objectClass=%s)))",
4531 sid_string_static(sid),
4532 LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
4533 if (filter == NULL) {
4534 DEBUG(5, ("talloc_asprintf failed\n"));
4535 goto done;
4536 }
4537
4538 rc = smbldap_search_suffix(priv->smbldap_state, filter,
4539 attrs, &result);
4540 if (rc != LDAP_SUCCESS) {
4541 goto done;
4542 }
4543 talloc_autofree_ldapmsg(mem_ctx, result);
4544
4545 if (ldap_count_entries(priv2ld(priv), result) != 1) {
4546 DEBUG(10, ("Got %d entries, expected one\n",
4547 ldap_count_entries(priv2ld(priv), result)));
4548 goto done;
4549 }
4550
4551 entry = ldap_first_entry(priv2ld(priv), result);
4552
4553 value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4554 "sambaGroupType", mem_ctx);
4555
4556 if (value != NULL) {
4557 const char *gid_str;
4558 /* It's a group */
4559
4560 gid_str = smbldap_talloc_single_attribute(
4561 priv2ld(priv), entry, "gidNumber", mem_ctx);
4562 if (gid_str == NULL) {
4563 DEBUG(1, ("%s has sambaGroupType but no gidNumber\n",
4564 smbldap_talloc_dn(mem_ctx, priv2ld(priv),
4565 entry)));
4566 goto done;
4567 }
4568
4569 id->gid = strtoul(gid_str, NULL, 10);
4570 *type = (enum lsa_SidType)strtoul(value, NULL, 10);
4571 ret = True;
4572 goto done;
4573 }
4574
4575 /* It must be a user */
4576
4577 value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4578 "uidNumber", mem_ctx);
4579 if (value == NULL) {
4580 DEBUG(1, ("Could not find uidNumber in %s\n",
4581 smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)));
4582 goto done;
4583 }
4584
4585 id->uid = strtoul(value, NULL, 10);
4586 *type = SID_NAME_USER;
4587
4588 ret = True;
4589 done:
4590 TALLOC_FREE(mem_ctx);
4591 return ret;
4592 }
4593
4594 /*
4595 * The following functions is called only if
4596 * ldapsam:trusted and ldapsam:editposix are
4597 * set to true
4598 */
4599
4600 /*
4601 * ldapsam_create_user creates a new
4602 * posixAccount and sambaSamAccount object
4603 * in the ldap users subtree
4604 *
4605 * The uid is allocated by winbindd.
4606 */
4607
4608 static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
4609 TALLOC_CTX *tmp_ctx, const char *name,
4610 uint32 acb_info, uint32 *rid)
4611 {
4612 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
4613 LDAPMessage *entry = NULL;
4614 LDAPMessage *result = NULL;
4615 uint32 num_result;
4616 BOOL is_machine = False;
4617 BOOL add_posix = False;
4618 LDAPMod **mods = NULL;
4619 struct samu *user;
4620 char *filter;
4621 char *username;
4622 char *homedir;
4623 char *gidstr;
4624 char *uidstr;
4625 char *shell;
4626 const char *dn = NULL;
4627 DOM_SID group_sid;
4628 DOM_SID user_sid;
4629 gid_t gid = -1;
4630 uid_t uid = -1;
4631 NTSTATUS ret;
4632 int rc;
4633
4634 if (((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
4635 acb_info & ACB_WSTRUST ||
4636 acb_info & ACB_SVRTRUST ||
4637 acb_info & ACB_DOMTRUST) {
4638 is_machine = True;
4639 }
4640
4641 username = escape_ldap_string_alloc(name);
4642 filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass=%s))",
4643 username, LDAP_OBJ_POSIXACCOUNT);
4644 SAFE_FREE(username);
4645
4646 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
4647 if (rc != LDAP_SUCCESS) {
4648 DEBUG(0,("ldapsam_create_user: ldap search failed!\n"));
4649 return NT_STATUS_UNSUCCESSFUL;
4650 }
4651 talloc_autofree_ldapmsg(tmp_ctx, result);
4652
4653 num_result = ldap_count_entries(priv2ld(ldap_state), result);
4654
4655 if (num_result > 1) {
4656 DEBUG (0, ("ldapsam_create_user: More than one user with name [%s] ?!\n", name));
4657 return NT_STATUS_INTERNAL_DB_CORRUPTION;
4658 }
4659
4660 if (num_result == 1) {
4661 char *tmp;
4662 /* check if it is just a posix account.
4663 * or if there is a sid attached to this entry
4664 */
4665
4666 entry = ldap_first_entry(priv2ld(ldap_state), result);
4667 if (!entry) {
4668 return NT_STATUS_UNSUCCESSFUL;
4669 }
4670
4671 tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
4672 if (tmp) {
4673 DEBUG (1, ("ldapsam_create_user: The user [%s] already exist!\n", name));
4674 return NT_STATUS_USER_EXISTS;
4675 }
4676
4677 /* it is just a posix account, retrieve the dn for later use */
4678 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
4679 if (!dn) {
4680 DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
4681 return NT_STATUS_NO_MEMORY;
4682 }
4683 }
4684
4685 if (num_result == 0) {
4686 add_posix = True;
4687 }
4688
4689 /* Create the basic samu structure and generate the mods for the ldap commit */
4690 if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
4691 DEBUG(1, ("ldapsam_create_user: Could not allocate a new RID\n"));
4692 return ret;
4693 }
4694
4695 sid_compose(&user_sid, get_global_sam_sid(), *rid);
4696
4697 user = samu_new(tmp_ctx);
4698 if (!user) {
4699 DEBUG(1,("ldapsam_create_user: Unable to allocate user struct\n"));
4700 return NT_STATUS_NO_MEMORY;
4701 }
4702
4703 if (!pdb_set_username(user, name, PDB_SET)) {
4704 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
4705 return NT_STATUS_UNSUCCESSFUL;
4706 }
4707 if (!pdb_set_domain(user, get_global_sam_name(), PDB_SET)) {
4708 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
4709 return NT_STATUS_UNSUCCESSFUL;
4710 }
4711 if (is_machine) {
4712 if (acb_info & ACB_NORMAL) {
4713 if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_SET)) {
4714 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
4715 return NT_STATUS_UNSUCCESSFUL;
4716 }
4717 } else {
4718 if (!pdb_set_acct_ctrl(user, acb_info, PDB_SET)) {
4719 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
4720 return NT_STATUS_UNSUCCESSFUL;
4721 }
4722 }
4723 } else {
4724 if (!pdb_set_acct_ctrl(user, ACB_NORMAL | ACB_DISABLED, PDB_SET)) {
4725 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
4726 return NT_STATUS_UNSUCCESSFUL;
4727 }
4728 }
4729
4730 if (!pdb_set_user_sid(user, &user_sid, PDB_SET)) {
4731 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
4732 return NT_STATUS_UNSUCCESSFUL;
4733 }
4734
4735 if (!init_ldap_from_sam(ldap_state, NULL, &mods, user, element_is_set_or_changed)) {
4736 DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
4737 return NT_STATUS_UNSUCCESSFUL;
4738 }
4739
4740 if (ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT) {
4741 DEBUG(1,("ldapsam_create_user: Unsupported schema version\n"));
4742 }
4743 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
4744
4745 if (add_posix) {
4746 DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
4747
4748 /* retrieve the Domain Users group gid */
4749 if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS) ||
4750 !sid_to_gid(&group_sid, &gid)) {
4751 DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n"));
4752 return NT_STATUS_INVALID_PRIMARY_GROUP;
4753 }
4754
4755 /* lets allocate a new userid for this user */
4756 if (!winbind_allocate_uid(&uid)) {
4757 DEBUG (0, ("ldapsam_create_user: Unable to allocate a new user id: bailing out!\n"));
4758 return NT_STATUS_UNSUCCESSFUL;
4759 }
4760
4761
4762 if (is_machine) {
4763 /* TODO: choose a more appropriate default for machines */
4764 homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, gid);
4765 shell = talloc_strdup(tmp_ctx, "/bin/false");
4766 } else {
4767 homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), name, ldap_state->domain_name, uid, gid);
4768 shell = talloc_sub_specified(tmp_ctx, lp_template_shell(), name, ldap_state->domain_name, uid, gid);
4769 }
4770 uidstr = talloc_asprintf(tmp_ctx, "%d", uid);
4771 gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
4772 if (is_machine) {
4773 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", name, lp_ldap_machine_suffix ());
4774 } else {
4775 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", name, lp_ldap_user_suffix ());
4776 }
4777
4778 if (!homedir || !shell || !uidstr || !gidstr || !dn) {
4779 DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
4780 return NT_STATUS_NO_MEMORY;
4781 }
4782
4783 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
4784 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
4785 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
4786 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
4787 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
4788 smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir);
4789 smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
4790 }
4791
4792 talloc_autofree_ldapmod(tmp_ctx, mods);
4793
4794 if (add_posix) {
4795 rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
4796 } else {
4797 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
4798 }
4799
4800 if (rc != LDAP_SUCCESS) {
4801 DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] (dn = %s)\n", name ,dn));
4802 return NT_STATUS_UNSUCCESSFUL;
4803 }
4804
4805 DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP database\n", name));
4806
4807 flush_pwnam_cache();
4808
4809 return NT_STATUS_OK;
4810 }
4811
4812 static NTSTATUS ldapsam_delete_user(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, struct samu *sam_acct)
4813 {
4814 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
4815 LDAPMessage *result = NULL;
4816 LDAPMessage *entry = NULL;
4817 int num_result;
4818 const char *dn;
4819 char *filter;
4820 int rc;
4821
4822 DEBUG(0,("ldapsam_delete_user: Attempt to delete user [%s]\n", pdb_get_username(sam_acct)));
4823
4824 filter = talloc_asprintf(tmp_ctx,
4825 "(&(uid=%s)"
4826 "(objectClass=%s)"
4827 "(objectClass=%s))",
4828 pdb_get_username(sam_acct),
4829 LDAP_OBJ_POSIXACCOUNT,
4830 LDAP_OBJ_SAMBASAMACCOUNT);
4831 if (filter == NULL) {
4832 return NT_STATUS_NO_MEMORY;
4833 }
4834
4835 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
4836 if (rc != LDAP_SUCCESS) {
4837 DEBUG(0,("ldapsam_delete_user: user search failed!\n"));
4838 return NT_STATUS_UNSUCCESSFUL;
4839 }
4840 talloc_autofree_ldapmsg(tmp_ctx, result);
4841
4842 num_result = ldap_count_entries(priv2ld(ldap_state), result);
4843
4844 if (num_result == 0) {
4845 DEBUG(0,("ldapsam_delete_user: user not found!\n"));
4846 return NT_STATUS_NO_SUCH_USER;
4847 }
4848
4849 if (num_result > 1) {
4850 DEBUG (0, ("ldapsam_delete_user: More than one user with name [%s] ?!\n", pdb_get_username(sam_acct)));
4851 return NT_STATUS_INTERNAL_DB_CORRUPTION;
4852 }
4853
4854 entry = ldap_first_entry(priv2ld(ldap_state), result);
4855 if (!entry) {
4856 return NT_STATUS_UNSUCCESSFUL;
4857 }
4858
4859 /* it is just a posix account, retrieve the dn for later use */
4860 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
4861 if (!dn) {
4862 DEBUG(0,("ldapsam_delete_user: Out of memory!\n"));
4863 return NT_STATUS_NO_MEMORY;
4864 }
4865
4866 rc = smbldap_delete(ldap_state->smbldap_state, dn);
4867 if (rc != LDAP_SUCCESS) {
4868 return NT_STATUS_UNSUCCESSFUL;
4869 }
4870
4871 flush_pwnam_cache();
4872
4873 return NT_STATUS_OK;
4874 }
4875
4876 /*
4877 * ldapsam_create_group creates a new
4878 * posixGroup and sambaGroupMapping object
4879 * in the ldap groups subtree
4880 *
4881 * The gid is allocated by winbindd.
4882 */
4883
4884 static NTSTATUS ldapsam_create_dom_group(struct pdb_methods *my_methods,
4885 TALLOC_CTX *tmp_ctx,
4886 const char *name,
4887 uint32 *rid)
4888 {
4889 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
4890 NTSTATUS ret;
4891 LDAPMessage *entry = NULL;
4892 LDAPMessage *result = NULL;
4893 uint32 num_result;
4894 BOOL is_new_entry = False;
4895 LDAPMod **mods = NULL;
4896 char *filter;
4897 char *groupsidstr;
4898 char *groupname;
4899 char *grouptype;
4900 char *gidstr;
4901 const char *dn = NULL;
4902 DOM_SID group_sid;
4903 gid_t gid = -1;
4904 int rc;
4905
4906 groupname = escape_ldap_string_alloc(name);
4907 filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass=%s))",
4908 groupname, LDAP_OBJ_POSIXGROUP);
4909 SAFE_FREE(groupname);
4910
4911 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
4912 if (rc != LDAP_SUCCESS) {
4913 DEBUG(0,("ldapsam_create_group: ldap search failed!\n"));
4914 return NT_STATUS_UNSUCCESSFUL;
4915 }
4916 talloc_autofree_ldapmsg(tmp_ctx, result);
4917
4918 num_result = ldap_count_entries(priv2ld(ldap_state), result);
4919
4920 if (num_result > 1) {
4921 DEBUG (0, ("ldapsam_create_group: There exists more than one group with name [%s]: bailing out!\n", name));
4922 return NT_STATUS_INTERNAL_DB_CORRUPTION;
4923 }
4924
4925 if (num_result == 1) {
4926 char *tmp;
4927 /* check if it is just a posix group.
4928 * or if there is a sid attached to this entry
4929 */
4930
4931 entry = ldap_first_entry(priv2ld(ldap_state), result);
4932 if (!entry) {
4933 return NT_STATUS_UNSUCCESSFUL;
4934 }
4935
4936 tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
4937 if (tmp) {
4938 DEBUG (1, ("ldapsam_create_group: The group [%s] already exist!\n", name));
4939 return NT_STATUS_GROUP_EXISTS;
4940 }
4941
4942 /* it is just a posix group, retrieve the gid and the dn for later use */
4943 tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
4944 if (!tmp) {
4945 DEBUG (1, ("ldapsam_create_group: Couldn't retrieve the gidNumber for [%s]?!?!\n", name));
4946 return NT_STATUS_INTERNAL_DB_CORRUPTION;
4947 }
4948
4949 gid = strtoul(tmp, NULL, 10);
4950
4951 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
4952 if (!dn) {
4953 DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
4954 return NT_STATUS_NO_MEMORY;
4955 }
4956 }
4957
4958 if (num_result == 0) {
4959 DEBUG(3,("ldapsam_create_user: Creating new posix group\n"));
4960
4961 is_new_entry = True;
4962
4963 /* lets allocate a new groupid for this group */
4964 if (!winbind_allocate_gid(&gid)) {
4965 DEBUG (0, ("ldapsam_create_group: Unable to allocate a new group id: bailing out!\n"));
4966 return NT_STATUS_UNSUCCESSFUL;
4967 }
4968
4969 gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
4970 dn = talloc_asprintf(tmp_ctx, "cn=%s,%s", name, lp_ldap_group_suffix());
4971
4972 if (!gidstr || !dn) {
4973 DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
4974 return NT_STATUS_NO_MEMORY;
4975 }
4976
4977 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
4978 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
4979 smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
4980 }
4981
4982 if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
4983 DEBUG(1, ("ldapsam_create_group: Could not allocate a new RID\n"));
4984 return ret;
4985 }
4986
4987 sid_compose(&group_sid, get_global_sam_sid(), *rid);
4988
4989 groupsidstr = talloc_strdup(tmp_ctx, sid_string_static(&group_sid));
4990 grouptype = talloc_asprintf(tmp_ctx, "%d", SID_NAME_DOM_GRP);
4991
4992 if (!groupsidstr || !grouptype) {
4993 DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
4994 return NT_STATUS_NO_MEMORY;
4995 }
4996
4997 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
4998 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", groupsidstr);
4999 smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", grouptype);
5000 smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
5001 talloc_autofree_ldapmod(tmp_ctx, mods);
5002
5003 if (is_new_entry) {
5004 rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5005 #if 0
5006 if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
5007 /* This call may fail with rfc2307bis schema */
5008 /* Retry adding a structural class */
5009 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "????");
5010 rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5011 }
5012 #endif
5013 } else {
5014 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5015 }
5016
5017 if (rc != LDAP_SUCCESS) {
5018 DEBUG(0,("ldapsam_create_group: failed to create a new group [%s] (dn = %s)\n", name ,dn));
5019 return NT_STATUS_UNSUCCESSFUL;
5020 }
5021
5022 DEBUG(2,("ldapsam_create_group: added group [%s] in the LDAP database\n", name));
5023
5024 return NT_STATUS_OK;
5025 }
5026
5027 static NTSTATUS ldapsam_delete_dom_group(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, uint32 rid)
5028 {
5029 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5030 LDAPMessage *result = NULL;
5031 LDAPMessage *entry = NULL;
5032 int num_result;
5033 const char *dn;
5034 char *gidstr;
5035 char *filter;
5036 DOM_SID group_sid;
5037 int rc;
5038
5039 /* get the group sid */
5040 sid_compose(&group_sid, get_global_sam_sid(), rid);
5041
5042 filter = talloc_asprintf(tmp_ctx,
5043 "(&(sambaSID=%s)"
5044 "(objectClass=%s)"
5045 "(objectClass=%s))",
5046 sid_string_static(&group_sid),
5047 LDAP_OBJ_POSIXGROUP,
5048 LDAP_OBJ_GROUPMAP);
5049 if (filter == NULL) {
5050 return NT_STATUS_NO_MEMORY;
5051 }
5052
5053 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5054 if (rc != LDAP_SUCCESS) {
5055 DEBUG(1,("ldapsam_delete_dom_group: group search failed!\n"));
5056 return NT_STATUS_UNSUCCESSFUL;
5057 }
5058 talloc_autofree_ldapmsg(tmp_ctx, result);
5059
5060 num_result = ldap_count_entries(priv2ld(ldap_state), result);
5061
5062 if (num_result == 0) {
5063 DEBUG(1,("ldapsam_delete_dom_group: group not found!\n"));
5064 return NT_STATUS_NO_SUCH_GROUP;
5065 }
5066
5067 if (num_result > 1) {
5068 DEBUG (0, ("ldapsam_delete_dom_group: More than one group with the same SID ?!\n"));
5069 return NT_STATUS_INTERNAL_DB_CORRUPTION;
5070 }
5071
5072 entry = ldap_first_entry(priv2ld(ldap_state), result);
5073 if (!entry) {
5074 return NT_STATUS_UNSUCCESSFUL;
5075 }
5076
5077 /* here it is, retrieve the dn for later use */
5078 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5079 if (!dn) {
5080 DEBUG(0,("ldapsam_delete_dom_group: Out of memory!\n"));
5081 return NT_STATUS_NO_MEMORY;
5082 }
5083
5084 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
5085 if (!gidstr) {
5086 DEBUG (0, ("ldapsam_delete_dom_group: Unable to find the group's gid!\n"));
5087 return NT_STATUS_INTERNAL_DB_CORRUPTION;
5088 }
5089
5090 /* check no user have this group marked as primary group */
5091 filter = talloc_asprintf(tmp_ctx,
5092 "(&(gidNumber=%s)"
5093 "(objectClass=%s)"
5094 "(objectClass=%s))",
5095 gidstr,
5096 LDAP_OBJ_POSIXACCOUNT,
5097 LDAP_OBJ_SAMBASAMACCOUNT);
5098
5099 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5100 if (rc != LDAP_SUCCESS) {
5101 DEBUG(1,("ldapsam_delete_dom_group: accounts search failed!\n"));
5102 return NT_STATUS_UNSUCCESSFUL;
5103 }
5104 talloc_autofree_ldapmsg(tmp_ctx, result);
5105
5106 num_result = ldap_count_entries(priv2ld(ldap_state), result);
5107
5108 if (num_result != 0) {
5109 DEBUG(3,("ldapsam_delete_dom_group: Can't delete group, it is a primary group for %d users\n", num_result));
5110 return NT_STATUS_MEMBERS_PRIMARY_GROUP;
5111 }
5112
5113 rc = smbldap_delete(ldap_state->smbldap_state, dn);
5114 if (rc != LDAP_SUCCESS) {
5115 return NT_STATUS_UNSUCCESSFUL;
5116 }
5117
5118 return NT_STATUS_OK;
5119 }
5120
5121 static NTSTATUS ldapsam_change_groupmem(struct pdb_methods *my_methods,
5122 TALLOC_CTX *tmp_ctx,
5123 uint32 group_rid,
5124 uint32 member_rid,
5125 int modop)
5126 {
5127 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5128 LDAPMessage *entry = NULL;
5129 LDAPMessage *result = NULL;
5130 uint32 num_result;
5131 LDAPMod **mods = NULL;
5132 char *filter;
5133 char *uidstr;
5134 const char *dn = NULL;
5135 DOM_SID group_sid;
5136 DOM_SID member_sid;
5137 int rc;
5138
5139 switch (modop) {
5140 case LDAP_MOD_ADD:
5141 DEBUG(1,("ldapsam_change_groupmem: add new member(rid=%d) to a domain group(rid=%d)", member_rid, group_rid));
5142 break;
5143 case LDAP_MOD_DELETE:
5144 DEBUG(1,("ldapsam_change_groupmem: delete member(rid=%d) from a domain group(rid=%d)", member_rid, group_rid));
5145 break;
5146 default:
5147 return NT_STATUS_UNSUCCESSFUL;
5148 }
5149
5150 /* get member sid */
5151 sid_compose(&member_sid, get_global_sam_sid(), member_rid);
5152
5153 /* get the group sid */
5154 sid_compose(&group_sid, get_global_sam_sid(), group_rid);
5155
5156 filter = talloc_asprintf(tmp_ctx,
5157 "(&(sambaSID=%s)"
5158 "(objectClass=%s)"
5159 "(objectClass=%s))",
5160 sid_string_static(&member_sid),
5161 LDAP_OBJ_POSIXACCOUNT,
5162 LDAP_OBJ_SAMBASAMACCOUNT);
5163 if (filter == NULL) {
5164 return NT_STATUS_NO_MEMORY;
5165 }
5166
5167 /* get the member uid */
5168 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5169 if (rc != LDAP_SUCCESS) {
5170 DEBUG(1,("ldapsam_change_groupmem: member search failed!\n"));
5171 return NT_STATUS_UNSUCCESSFUL;
5172 }
5173 talloc_autofree_ldapmsg(tmp_ctx, result);
5174
5175 num_result = ldap_count_entries(priv2ld(ldap_state), result);
5176
5177 if (num_result == 0) {
5178 DEBUG(1,("ldapsam_change_groupmem: member not found!\n"));
5179 return NT_STATUS_NO_SUCH_MEMBER;
5180 }
5181
5182 if (num_result > 1) {
5183 DEBUG (0, ("ldapsam_change_groupmem: More than one account with the same SID ?!\n"));
5184 return NT_STATUS_INTERNAL_DB_CORRUPTION;
5185 }
5186
5187 entry = ldap_first_entry(priv2ld(ldap_state), result);
5188 if (!entry) {
5189 return NT_STATUS_UNSUCCESSFUL;
5190 }
5191
5192 if (modop == LDAP_MOD_DELETE) {
5193 /* check if we are trying to remove the member from his primary group */
5194 char *gidstr;
5195 gid_t user_gid, group_gid;
5196
5197 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
5198 if (!gidstr) {
5199 DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's gid!\n"));
5200 return NT_STATUS_INTERNAL_DB_CORRUPTION;
5201 }
5202
5203 user_gid = strtoul(gidstr, NULL, 10);
5204
5205 if (!sid_to_gid(&group_sid, &group_gid)) {
5206 DEBUG (0, ("ldapsam_change_groupmem: Unable to get group gid from SID!\n"));
5207 return NT_STATUS_UNSUCCESSFUL;
5208 }
5209
5210 if (user_gid == group_gid) {
5211 DEBUG (3, ("ldapsam_change_groupmem: can't remove user from it's own primary group!\n"));
5212 return NT_STATUS_MEMBERS_PRIMARY_GROUP;
5213 }
5214 }
5215
5216 /* here it is, retrieve the uid for later use */
5217 uidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "uid", tmp_ctx);
5218 if (!uidstr) {
5219 DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's name!\n"));
5220 return NT_STATUS_INTERNAL_DB_CORRUPTION;
5221 }
5222
5223 filter = talloc_asprintf(tmp_ctx,
5224 "(&(sambaSID=%s)"
5225 "(objectClass=%s)"
5226 "(objectClass=%s))",
5227 sid_string_static(&group_sid),
5228 LDAP_OBJ_POSIXGROUP,
5229 LDAP_OBJ_GROUPMAP);
5230
5231 /* get the group */
5232 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5233 if (rc != LDAP_SUCCESS) {
5234 DEBUG(1,("ldapsam_change_groupmem: group search failed!\n"));
5235 return NT_STATUS_UNSUCCESSFUL;
5236 }
5237 talloc_autofree_ldapmsg(tmp_ctx, result);
5238
5239 num_result = ldap_count_entries(priv2ld(ldap_state), result);
5240
5241 if (num_result == 0) {
5242 DEBUG(1,("ldapsam_change_groupmem: group not found!\n"));
5243 return NT_STATUS_NO_SUCH_GROUP;
5244 }
5245
5246 if (num_result > 1) {
5247 DEBUG (0, ("ldapsam_change_groupmem: More than one group with the same SID ?!\n"));
5248 return NT_STATUS_INTERNAL_DB_CORRUPTION;
5249 }
5250
5251 entry = ldap_first_entry(priv2ld(ldap_state), result);
5252 if (!entry) {
5253 return NT_STATUS_UNSUCCESSFUL;
5254 }
5255
5256 /* here it is, retrieve the dn for later use */
5257 dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5258 if (!dn) {
5259 DEBUG(0,("ldapsam_change_groupmem: Out of memory!\n"));
5260 return NT_STATUS_NO_MEMORY;
5261 }
5262
5263 smbldap_set_mod(&mods, modop, "memberUid", uidstr);
5264
5265 talloc_autofree_ldapmod(tmp_ctx, mods);
5266
5267 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5268 if (rc != LDAP_SUCCESS) {
5269 if (rc == LDAP_TYPE_OR_VALUE_EXISTS && modop == LDAP_MOD_ADD) {
5270 DEBUG(1,("ldapsam_change_groupmem: member is already in group, add failed!\n"));
5271 return NT_STATUS_MEMBER_IN_GROUP;
5272 }
5273 if (rc == LDAP_NO_SUCH_ATTRIBUTE && modop == LDAP_MOD_DELETE) {
5274 DEBUG(1,("ldapsam_change_groupmem: member is not in group, delete failed!\n"));
5275 return NT_STATUS_MEMBER_NOT_IN_GROUP;
5276 }
5277 return NT_STATUS_UNSUCCESSFUL;
5278 }
5279
5280 return NT_STATUS_OK;
5281 }
5282
5283 static NTSTATUS ldapsam_add_groupmem(struct pdb_methods *my_methods,
5284 TALLOC_CTX *tmp_ctx,
5285 uint32 group_rid,
5286 uint32 member_rid)
5287 {
5288 return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_ADD);
5289 }
5290 static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
5291 TALLOC_CTX *tmp_ctx,
5292 uint32 group_rid,
5293 uint32 member_rid)
5294 {
5295 return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_DELETE);
5296 }
5297
5298 static NTSTATUS ldapsam_set_primary_group(struct pdb_methods *my_methods,
5299 TALLOC_CTX *mem_ctx,
5300 struct samu *sampass)
5301 {
5302 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
5303 LDAPMessage *entry = NULL;
5304 LDAPMessage *result = NULL;
5305 uint32 num_result;
5306 LDAPMod **mods = NULL;
5307 char *filter;
5308 char *gidstr;
5309 const char *dn = NULL;
5310 gid_t gid;
5311 int rc;
5312
5313 DEBUG(0,("ldapsam_set_primary_group: Attempt to set primary group for user [%s]\n", pdb_get_username(sampass)));
5314
5315 if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) {
5316 DEBUG(0,("ldapsam_set_primary_group: failed to retieve gid from user's group SID!\n"));
5317 return NT_STATUS_UNSUCCESSFUL;
5318 }
5319 gidstr = talloc_asprintf(mem_ctx, "%d", gid);
5320 if (!gidstr) {
5321 DEBUG(0,("ldapsam_set_primary_group: Out of Memory!\n"));
5322 return NT_STATUS_NO_MEMORY;
5323 }
5324
5325 filter = talloc_asprintf(mem_ctx,
5326 "(&(uid=%s)"
5327 "(objectClass=%s)"
5328 "(objectClass=%s))",
5329 pdb_get_username(sampass),
5330 LDAP_OBJ_POSIXACCOUNT,
5331 LDAP_OBJ_SAMBASAMACCOUNT);
5332 if (filter == NULL) {
5333 return NT_STATUS_NO_MEMORY;
5334 }
5335
5336 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5337 if (rc != LDAP_SUCCESS) {
5338 DEBUG(0,("ldapsam_set_primary_group: user search failed!\n"));
5339 return NT_STATUS_UNSUCCESSFUL;
5340 }
5341 talloc_autofree_ldapmsg(mem_ctx, result);
5342
5343 num_result = ldap_count_entries(priv2ld(ldap_state), result);
5344
5345 if (num_result == 0) {
5346 DEBUG(0,("ldapsam_set_primary_group: user not found!\n"));
5347 return NT_STATUS_NO_SUCH_USER;
5348 }
5349
5350 if (num_result > 1) {
5351 DEBUG (0, ("ldapsam_set_primary_group: More than one user with name [%s] ?!\n", pdb_get_username(sampass)));
5352 return NT_STATUS_INTERNAL_DB_CORRUPTION;
5353 }
5354
5355 entry = ldap_first_entry(priv2ld(ldap_state), result);
5356 if (!entry) {
5357 return NT_STATUS_UNSUCCESSFUL;
5358 }
5359
5360 /* retrieve the dn for later use */
5361 dn = smbldap_talloc_dn(mem_ctx, priv2ld(ldap_state), entry);
5362 if (!dn) {
5363 DEBUG(0,("ldapsam_set_primary_group: Out of memory!\n"));
5364 return NT_STATUS_NO_MEMORY;
5365 }
5366
5367 /* remove the old one, and add the new one, this way we do not risk races */
5368 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "gidNumber", gidstr);
5369
5370 if (mods == NULL) {
5371 return NT_STATUS_OK;
5372 }
5373
5374 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5375
5376 if (rc != LDAP_SUCCESS) {
5377 DEBUG(0,("ldapsam_set_primary_group: failed to modify [%s] primary group to [%s]\n",
5378 pdb_get_username(sampass), gidstr));
5379 return NT_STATUS_UNSUCCESSFUL;
5380 }
5381
5382 flush_pwnam_cache();
5383
5384 return NT_STATUS_OK;
5385 }
5386
5387 /**********************************************************************
5388 Housekeeping
5389 *********************************************************************/
5390
5391 static void free_private_data(void **vp)
5392 {
5393 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
5394
5395 smbldap_free_struct(&(*ldap_state)->smbldap_state);
5396
5397 if ((*ldap_state)->result != NULL) {
5398 ldap_msgfree((*ldap_state)->result);
5399 (*ldap_state)->result = NULL;
5400 }
5401 if ((*ldap_state)->domain_dn != NULL) {
5402 SAFE_FREE((*ldap_state)->domain_dn);
5403 }
5404
5405 *ldap_state = NULL;
5406
5407 /* No need to free any further, as it is talloc()ed */
5408 }
5409
5410 /*********************************************************************
5411 Intitalise the parts of the pdb_methods structure that are common to
5412 all pdb_ldap modes
5413 *********************************************************************/
5414
5415 static NTSTATUS pdb_init_ldapsam_common(struct pdb_methods **pdb_method, const char *location)
5416 {
5417 NTSTATUS nt_status;
5418 struct ldapsam_privates *ldap_state;
5419
5420 if (!NT_STATUS_IS_OK(nt_status = make_pdb_method( pdb_method ))) {
5421 return nt_status;
5422 }
5423
5424 (*pdb_method)->name = "ldapsam";
5425
5426 (*pdb_method)->setsampwent = ldapsam_setsampwent;
5427 (*pdb_method)->endsampwent = ldapsam_endsampwent;
5428 (*pdb_method)->getsampwent = ldapsam_getsampwent;
5429 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
5430 (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
5431 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
5432 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
5433 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
5434 (*pdb_method)->rename_sam_account = ldapsam_rename_sam_account;
5435
5436 (*pdb_method)->getgrsid = ldapsam_getgrsid;
5437 (*pdb_method)->getgrgid = ldapsam_getgrgid;
5438 (*pdb_method)->getgrnam = ldapsam_getgrnam;
5439 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
5440 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
5441 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
5442 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
5443
5444 (*pdb_method)->get_account_policy = ldapsam_get_account_policy;
5445 (*pdb_method)->set_account_policy = ldapsam_set_account_policy;
5446
5447 (*pdb_method)->get_seq_num = ldapsam_get_seq_num;
5448
5449 (*pdb_method)->rid_algorithm = ldapsam_rid_algorithm;
5450 (*pdb_method)->new_rid = ldapsam_new_rid;
5451
5452 /* TODO: Setup private data and free */
5453
5454 if ( !(ldap_state = TALLOC_ZERO_P(*pdb_method, struct ldapsam_privates)) ) {
5455 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
5456 return NT_STATUS_NO_MEMORY;
5457 }
5458
5459 nt_status = smbldap_init(*pdb_method, location, &ldap_state->smbldap_state);
5460
5461 if ( !NT_STATUS_IS_OK(nt_status) ) {
5462 return nt_status;
5463 }
5464
5465 if ( !(ldap_state->domain_name = talloc_strdup(*pdb_method, get_global_sam_name()) ) ) {
5466 return NT_STATUS_NO_MEMORY;
5467 }
5468
5469 (*pdb_method)->private_data = ldap_state;
5470
5471 (*pdb_method)->free_private_data = free_private_data;
5472
5473 return NT_STATUS_OK;
5474 }
5475
5476 /**********************************************************************
5477 Initialise the 'compat' mode for pdb_ldap
5478 *********************************************************************/
5479
5480 NTSTATUS pdb_init_ldapsam_compat(struct pdb_methods **pdb_method, const char *location)
5481 {
5482 NTSTATUS nt_status;
5483 struct ldapsam_privates *ldap_state;
5484 char *uri = talloc_strdup( NULL, location );
5485
5486 trim_char( uri, '\"', '\"' );
5487 nt_status = pdb_init_ldapsam_common( pdb_method, uri );
5488 if ( uri )
5489 TALLOC_FREE( uri );
5490
5491 if ( !NT_STATUS_IS_OK(nt_status) ) {
5492 return nt_status;
5493 }
5494
5495 (*pdb_method)->name = "ldapsam_compat";
5496
5497 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
5498 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
5499
5500 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
5501
5502 return NT_STATUS_OK;
5503 }
5504
5505 /**********************************************************************
5506 Initialise the normal mode for pdb_ldap
5507 *********************************************************************/
5508
5509 NTSTATUS pdb_init_ldapsam(struct pdb_methods **pdb_method, const char *location)
5510 {
5511 NTSTATUS nt_status;
5512 struct ldapsam_privates *ldap_state;
5513 uint32 alg_rid_base;
5514 pstring alg_rid_base_string;
5515 LDAPMessage *result = NULL;
5516 LDAPMessage *entry = NULL;
5517 DOM_SID ldap_domain_sid;
5518 DOM_SID secrets_domain_sid;
5519 pstring domain_sid_string;
5520 char *dn;
5521 char *uri = talloc_strdup( NULL, location );
5522
5523 trim_char( uri, '\"', '\"' );
5524 nt_status = pdb_init_ldapsam_common(pdb_method, uri);
5525 if ( uri )
5526 TALLOC_FREE( uri );
5527
5528 if (!NT_STATUS_IS_OK(nt_status)) {
5529 return nt_status;
5530 }
5531
5532 (*pdb_method)->name = "ldapsam";
5533
5534 (*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
5535 (*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
5536 (*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
5537 (*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
5538 (*pdb_method)->search_users = ldapsam_search_users;
5539 (*pdb_method)->search_groups = ldapsam_search_groups;
5540 (*pdb_method)->search_aliases = ldapsam_search_aliases;
5541
5542 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
5543 (*pdb_method)->enum_group_members = ldapsam_enum_group_members;
5544 (*pdb_method)->enum_group_memberships =
5545 ldapsam_enum_group_memberships;
5546 (*pdb_method)->lookup_rids = ldapsam_lookup_rids;
5547 (*pdb_method)->sid_to_id = ldapsam_sid_to_id;
5548
5549 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
5550 (*pdb_method)->create_user = ldapsam_create_user;
5551 (*pdb_method)->delete_user = ldapsam_delete_user;
5552 (*pdb_method)->create_dom_group = ldapsam_create_dom_group;
5553 (*pdb_method)->delete_dom_group = ldapsam_delete_dom_group;
5554 (*pdb_method)->add_groupmem = ldapsam_add_groupmem;
5555 (*pdb_method)->del_groupmem = ldapsam_del_groupmem;
5556 (*pdb_method)->set_unix_primary_group = ldapsam_set_primary_group;
5557 }
5558 }
5559
5560 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
5561 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
5562
5563 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
5564
5565 nt_status = smbldap_search_domain_info(ldap_state->smbldap_state,
5566 &result,
5567 ldap_state->domain_name, True);
5568
5569 if ( !NT_STATUS_IS_OK(nt_status) ) {
5570 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain "
5571 "info, nor add one to the domain\n"));
5572 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, "
5573 "will be unable to allocate new users/groups, "
5574 "and will risk BDCs having inconsistant SIDs\n"));
5575 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
5576 return NT_STATUS_OK;
5577 }
5578
5579 /* Given that the above might fail, everything below this must be
5580 * optional */
5581
5582 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
5583 result);
5584 if (!entry) {
5585 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info "
5586 "entry\n"));
5587 ldap_msgfree(result);
5588 return NT_STATUS_UNSUCCESSFUL;
5589 }
5590
5591 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
5592 if (!dn) {
5593 return NT_STATUS_UNSUCCESSFUL;
5594 }
5595
5596 ldap_state->domain_dn = smb_xstrdup(dn);
5597 ldap_memfree(dn);
5598
5599 if (smbldap_get_single_pstring(
5600 ldap_state->smbldap_state->ldap_struct,
5601 entry,
5602 get_userattr_key2string(ldap_state->schema_ver,
5603 LDAP_ATTR_USER_SID),
5604 domain_sid_string)) {
5605 BOOL found_sid;
5606 if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
5607 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be "
5608 "read as a valid SID\n", domain_sid_string));
5609 return NT_STATUS_INVALID_PARAMETER;
5610 }
5611 found_sid = secrets_fetch_domain_sid(ldap_state->domain_name,
5612 &secrets_domain_sid);
5613 if (!found_sid || !sid_equal(&secrets_domain_sid,
5614 &ldap_domain_sid)) {
5615 fstring new_sid_str, old_sid_str;
5616 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain "
5617 "%s based on pdb_ldap results %s -> %s\n",
5618 ldap_state->domain_name,
5619 sid_to_string(old_sid_str,
5620 &secrets_domain_sid),
5621 sid_to_string(new_sid_str,
5622 &ldap_domain_sid)));
5623
5624 /* reset secrets.tdb sid */
5625 secrets_store_domain_sid(ldap_state->domain_name,
5626 &ldap_domain_sid);
5627 DEBUG(1, ("New global sam SID: %s\n",
5628 sid_to_string(new_sid_str,
5629 get_global_sam_sid())));
5630 }
5631 sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
5632 }
5633
5634 if (smbldap_get_single_pstring(
5635 ldap_state->smbldap_state->ldap_struct,
5636 entry,
5637 get_attr_key2string( dominfo_attr_list,
5638 LDAP_ATTR_ALGORITHMIC_RID_BASE ),
5639 alg_rid_base_string)) {
5640 alg_rid_base = (uint32)atol(alg_rid_base_string);
5641 if (alg_rid_base != algorithmic_rid_base()) {
5642 DEBUG(0, ("The value of 'algorithmic RID base' has "
5643 "changed since the LDAP\n"
5644 "database was initialised. Aborting. \n"));
5645 ldap_msgfree(result);
5646 return NT_STATUS_UNSUCCESSFUL;
5647 }
5648 }
5649 ldap_msgfree(result);
5650
5651 return NT_STATUS_OK;
5652 }
5653
5654 NTSTATUS pdb_ldap_init(void)
5655 {
5656 NTSTATUS nt_status;
5657 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
5658 return nt_status;
5659
5660 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
5661 return nt_status;
5662
5663 /* Let pdb_nds register backends */
5664 pdb_nds_init();
5665
5666 return NT_STATUS_OK;
5667 }
Samba GIT mirror