search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3 swat: Add XSRF protection to password page
[Samba.git] / source3 / lib / smbldap_util.c
blobf1f0ff613f31f7775ae9cc2ccafcd79d50b40a09
1 /*
2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23 */
24
25 #include "includes.h"
26 #include "smbldap.h"
27 #include "passdb.h"
28
29 /**********************************************************************
30 Add the account-policies below the sambaDomain object to LDAP,
31 *********************************************************************/
32
33 static NTSTATUS add_new_domain_account_policies(struct smbldap_state *ldap_state,
34 const char *domain_name)
35 {
36 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
37 int i, rc;
38 uint32 policy_default;
39 const char *policy_attr = NULL;
40 char *dn = NULL;
41 LDAPMod **mods = NULL;
42 char *escape_domain_name;
43
44 DEBUG(3,("add_new_domain_account_policies: Adding new account policies for domain\n"));
45
46 escape_domain_name = escape_rdn_val_string_alloc(domain_name);
47 if (!escape_domain_name) {
48 DEBUG(0, ("Out of memory!\n"));
49 return NT_STATUS_NO_MEMORY;
50 }
51
52 if (asprintf(&dn, "%s=%s,%s",
53 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
54 escape_domain_name, lp_ldap_suffix()) < 0) {
55 SAFE_FREE(escape_domain_name);
56 return NT_STATUS_NO_MEMORY;
57 }
58
59 SAFE_FREE(escape_domain_name);
60
61 for (i=1; decode_account_policy_name(i) != NULL; i++) {
62 char *val = NULL;
63
64 policy_attr = get_account_policy_attr(i);
65 if (!policy_attr) {
66 DEBUG(0,("add_new_domain_account_policies: ops. no policy!\n"));
67 continue;
68 }
69
70 if (!account_policy_get_default(i, &policy_default)) {
71 DEBUG(0,("add_new_domain_account_policies: failed to get default account policy\n"));
72 SAFE_FREE(dn);
73 return ntstatus;
74 }
75
76 DEBUG(10,("add_new_domain_account_policies: adding \"%s\" with value: %d\n", policy_attr, policy_default));
77
78 if (asprintf(&val, "%d", policy_default) < 0) {
79 SAFE_FREE(dn);
80 return NT_STATUS_NO_MEMORY;
81 }
82
83 smbldap_set_mod( &mods, LDAP_MOD_REPLACE, policy_attr, val);
84
85 rc = smbldap_modify(ldap_state, dn, mods);
86
87 SAFE_FREE(val);
88
89 if (rc!=LDAP_SUCCESS) {
90 char *ld_error = NULL;
91 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
92 DEBUG(1,("add_new_domain_account_policies: failed to add account policies to dn= %s with: %s\n\t%s\n",
93 dn, ldap_err2string(rc),
94 ld_error ? ld_error : "unknown"));
95 SAFE_FREE(ld_error);
96 SAFE_FREE(dn);
97 ldap_mods_free(mods, True);
98 return ntstatus;
99 }
100 }
101
102 SAFE_FREE(dn);
103 ldap_mods_free(mods, True);
104
105 return NT_STATUS_OK;
106 }
107
108 /**********************************************************************
109 Add the sambaDomain to LDAP, so we don't have to search for this stuff
110 again. This is a once-add operation for now.
111
112 TODO: Add other attributes, and allow modification.
113 *********************************************************************/
114
115 static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state,
116 const char *domain_name)
117 {
118 fstring sid_string;
119 fstring algorithmic_rid_base_string;
120 char *filter = NULL;
121 char *dn = NULL;
122 LDAPMod **mods = NULL;
123 int rc;
124 LDAPMessage *result = NULL;
125 int num_result;
126 const char **attr_list;
127 char *escape_domain_name;
128
129 /* escape for filter */
130 escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
131 if (!escape_domain_name) {
132 DEBUG(0, ("Out of memory!\n"));
133 return NT_STATUS_NO_MEMORY;
134 }
135
136 if (asprintf(&filter, "(&(%s=%s)(objectclass=%s))",
137 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
138 escape_domain_name, LDAP_OBJ_DOMINFO) < 0) {
139 TALLOC_FREE(escape_domain_name);
140 return NT_STATUS_NO_MEMORY;
141 }
142
143 TALLOC_FREE(escape_domain_name);
144
145 attr_list = get_attr_list(NULL, dominfo_attr_list );
146 rc = smbldap_search_suffix(ldap_state, filter, attr_list, &result);
147 TALLOC_FREE( attr_list );
148 SAFE_FREE(filter);
149
150 if (rc != LDAP_SUCCESS) {
151 return NT_STATUS_UNSUCCESSFUL;
152 }
153
154 num_result = ldap_count_entries(ldap_state->ldap_struct, result);
155
156 if (num_result > 1) {
157 DEBUG (0, ("add_new_domain_info: More than domain with that name exists: bailing "
158 "out!\n"));
159 ldap_msgfree(result);
160 return NT_STATUS_UNSUCCESSFUL;
161 }
162
163 /* Check if we need to add an entry */
164 DEBUG(3,("add_new_domain_info: Adding new domain\n"));
165
166 /* this time escape for DN */
167 escape_domain_name = escape_rdn_val_string_alloc(domain_name);
168 if (!escape_domain_name) {
169 DEBUG(0, ("Out of memory!\n"));
170 return NT_STATUS_NO_MEMORY;
171 }
172
173 if (asprintf(&dn, "%s=%s,%s",
174 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
175 escape_domain_name, lp_ldap_suffix()) < 0) {
176 SAFE_FREE(escape_domain_name);
177 return NT_STATUS_NO_MEMORY;
178 }
179
180 SAFE_FREE(escape_domain_name);
181
182 /* Free original search */
183 ldap_msgfree(result);
184
185 /* make the changes - the entry *must* not already have samba
186 * attributes */
187
188 smbldap_set_mod(&mods, LDAP_MOD_ADD,
189 get_attr_key2string(dominfo_attr_list,
190 LDAP_ATTR_DOMAIN),
191 domain_name);
192
193 /* If we don't have an entry, then ask secrets.tdb for what it thinks.
194 It may choose to make it up */
195
196 sid_to_fstring(sid_string, get_global_sam_sid());
197 smbldap_set_mod(&mods, LDAP_MOD_ADD,
198 get_attr_key2string(dominfo_attr_list,
199 LDAP_ATTR_DOM_SID),
200 sid_string);
201
202 slprintf(algorithmic_rid_base_string,
203 sizeof(algorithmic_rid_base_string) - 1, "%i",
204 algorithmic_rid_base());
205 smbldap_set_mod(&mods, LDAP_MOD_ADD,
206 get_attr_key2string(dominfo_attr_list,
207 LDAP_ATTR_ALGORITHMIC_RID_BASE),
208 algorithmic_rid_base_string);
209 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
210
211 /* add the sambaNextUserRid attributes. */
212
213 {
214 uint32 rid = BASE_RID;
215 fstring rid_str;
216
217 fstr_sprintf( rid_str, "%i", rid );
218 DEBUG(10,("add_new_domain_info: setting next available user rid [%s]\n", rid_str));
219 smbldap_set_mod(&mods, LDAP_MOD_ADD,
220 get_attr_key2string(dominfo_attr_list,
221 LDAP_ATTR_NEXT_USERRID),
222 rid_str);
223 }
224
225
226 rc = smbldap_add(ldap_state, dn, mods);
227
228 if (rc!=LDAP_SUCCESS) {
229 char *ld_error = NULL;
230 ldap_get_option(ldap_state->ldap_struct,
231 LDAP_OPT_ERROR_STRING, &ld_error);
232 DEBUG(1,("add_new_domain_info: failed to add domain dn= %s with: %s\n\t%s\n",
233 dn, ldap_err2string(rc),
234 ld_error?ld_error:"unknown"));
235 SAFE_FREE(ld_error);
236 SAFE_FREE(dn);
237 ldap_mods_free(mods, True);
238 return NT_STATUS_UNSUCCESSFUL;
239 }
240
241 DEBUG(2,("add_new_domain_info: added: domain = %s in the LDAP database\n", domain_name));
242 ldap_mods_free(mods, True);
243 SAFE_FREE(dn);
244 return NT_STATUS_OK;
245 }
246
247 /**********************************************************************
248 Search for the domain info entry
249 *********************************************************************/
250
251 NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
252 LDAPMessage ** result, const char *domain_name,
253 bool try_add)
254 {
255 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
256 char *filter = NULL;
257 int rc;
258 const char **attr_list;
259 int count;
260 char *escape_domain_name;
261
262 escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
263 if (!escape_domain_name) {
264 DEBUG(0, ("Out of memory!\n"));
265 return NT_STATUS_NO_MEMORY;
266 }
267
268 if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
269 LDAP_OBJ_DOMINFO,
270 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
271 escape_domain_name) < 0) {
272 TALLOC_FREE(escape_domain_name);
273 return NT_STATUS_NO_MEMORY;
274 }
275
276 TALLOC_FREE(escape_domain_name);
277
278 DEBUG(2, ("smbldap_search_domain_info: Searching for:[%s]\n", filter));
279
280 attr_list = get_attr_list( NULL, dominfo_attr_list );
281 rc = smbldap_search_suffix(ldap_state, filter, attr_list , result);
282 TALLOC_FREE( attr_list );
283
284 if (rc != LDAP_SUCCESS) {
285 DEBUG(2,("smbldap_search_domain_info: Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
286 DEBUG(2,("smbldap_search_domain_info: Query was: %s, %s\n", lp_ldap_suffix(), filter));
287 goto failed;
288 }
289
290 SAFE_FREE(filter);
291
292 count = ldap_count_entries(ldap_state->ldap_struct, *result);
293
294 if (count == 1) {
295 return NT_STATUS_OK;
296 }
297
298 ldap_msgfree(*result);
299 *result = NULL;
300
301 if (count < 1) {
302
303 DEBUG(3, ("smbldap_search_domain_info: Got no domain info entries for domain\n"));
304
305 if (!try_add)
306 goto failed;
307
308 status = add_new_domain_info(ldap_state, domain_name);
309 if (!NT_STATUS_IS_OK(status)) {
310 DEBUG(0, ("smbldap_search_domain_info: Adding domain info for %s failed with %s\n",
311 domain_name, nt_errstr(status)));
312 goto failed;
313 }
314
315 status = add_new_domain_account_policies(ldap_state, domain_name);
316 if (!NT_STATUS_IS_OK(status)) {
317 DEBUG(0, ("smbldap_search_domain_info: Adding domain account policies for %s failed with %s\n",
318 domain_name, nt_errstr(status)));
319 goto failed;
320 }
321
322 return smbldap_search_domain_info(ldap_state, result, domain_name, False);
323
324 }
325
326 if (count > 1 ) {
327
328 DEBUG(0, ("smbldap_search_domain_info: Got too many (%d) domain info entries for domain %s\n",
329 count, domain_name));
330 goto failed;
331 }
332
333 failed:
334 return status;
335 }
Samba GIT mirror