search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-pdb_ipa: Create DN for new object
[Samba.git] / source3 / passdb / pdb_ipa.c
blobc98f33eb43bf825c0d6c2ffb2b0a97eee16d5e2f
1 /*
2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18
19 */
20
21 #include "includes.h"
22 #include "passdb.h"
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/samr.h"
26
27 #include "smbldap.h"
28
29 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
30 #define IPA_MAGIC_ID_STR "999"
31
32 #define LDAP_TRUST_CONTAINER "ou=system"
33 #define LDAP_ATTRIBUTE_CN "cn"
34 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
35 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
36 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
37 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
38 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
39 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
40 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
41 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
42 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
43 #define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
44
45 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
46 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
47 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
48
49 #define LDAP_OBJ_IPAOBJECT "ipaObject"
50 #define LDAP_OBJ_IPAHOST "ipaHost"
51 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
52
53 #define LDAP_OBJ_GROUPOFNAMES "groupOfNames"
54 #define LDAP_OBJ_NESTEDGROUP "nestedGroup"
55 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
56 #define LDAP_OBJ_POSIXGROUP "posixGroup"
57
58 #define HAS_KRB_PRINCIPAL (1<<0)
59 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
60 #define HAS_IPAOBJECT (1<<2)
61 #define HAS_IPAHOST (1<<3)
62 #define HAS_POSIXACCOUNT (1<<4)
63 #define HAS_GROUPOFNAMES (1<<5)
64 #define HAS_NESTEDGROUP (1<<6)
65 #define HAS_IPAUSERGROUP (1<<7)
66 #define HAS_POSIXGROUP (1<<8)
67
68 struct ipasam_privates {
69 bool server_is_ipa;
70 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
71 struct samu *sampass);
72 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
73 struct samu *sampass);
74 NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
75 TALLOC_CTX *tmp_ctx, const char *name,
76 uint32_t acb_info, uint32_t *rid);
77 NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
78 TALLOC_CTX *tmp_ctx,
79 const char *name,
80 uint32_t *rid);
81 };
82
83 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
84 const char *domain,
85 char** pwd,
86 struct dom_sid *sid,
87 time_t *pass_last_set_time)
88 {
89 return false;
90 }
91
92 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
93 const char* domain,
94 const char* pwd,
95 const struct dom_sid *sid)
96 {
97 return false;
98 }
99
100 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
101 const char *domain)
102 {
103 return false;
104 }
105
106 static char *get_account_dn(const char *name)
107 {
108 char *escape_name;
109 char *dn;
110
111 escape_name = escape_rdn_val_string_alloc(name);
112 if (!escape_name) {
113 return NULL;
114 }
115
116 if (name[strlen(name)-1] == '$') {
117 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
118 lp_ldap_machine_suffix());
119 } else {
120 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
121 lp_ldap_user_suffix());
122 }
123
124 SAFE_FREE(escape_name);
125
126 return dn;
127 }
128
129 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
130 const char *domain)
131 {
132 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
133 LDAP_ATTRIBUTE_CN, domain,
134 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
135 }
136
137 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
138 {
139 return talloc_asprintf(talloc_tos(), "%s,%s",
140 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
141 }
142
143 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
144 TALLOC_CTX *mem_ctx,
145 const char *filter, LDAPMessage **entry)
146 {
147 int rc;
148 char *base_dn = NULL;
149 LDAPMessage *result = NULL;
150 uint32_t num_result;
151
152 base_dn = trusted_domain_base_dn(ldap_state);
153 if (base_dn == NULL) {
154 return false;
155 }
156
157 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
158 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
159 TALLOC_FREE(base_dn);
160
161 if (result != NULL) {
162 talloc_autofree_ldapmsg(mem_ctx, result);
163 }
164
165 if (rc == LDAP_NO_SUCH_OBJECT) {
166 *entry = NULL;
167 return true;
168 }
169
170 if (rc != LDAP_SUCCESS) {
171 return false;
172 }
173
174 num_result = ldap_count_entries(priv2ld(ldap_state), result);
175
176 if (num_result > 1) {
177 DEBUG(1, ("get_trusted_domain_int: more than one "
178 "%s object with filter '%s'?!\n",
179 LDAP_OBJ_TRUSTED_DOMAIN, filter));
180 return false;
181 }
182
183 if (num_result == 0) {
184 DEBUG(1, ("get_trusted_domain_int: no "
185 "%s object with filter '%s'.\n",
186 LDAP_OBJ_TRUSTED_DOMAIN, filter));
187 *entry = NULL;
188 } else {
189 *entry = ldap_first_entry(priv2ld(ldap_state), result);
190 }
191
192 return true;
193 }
194
195 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
196 TALLOC_CTX *mem_ctx,
197 const char *domain,
198 LDAPMessage **entry)
199 {
200 char *filter = NULL;
201
202 filter = talloc_asprintf(talloc_tos(),
203 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
204 LDAP_OBJ_TRUSTED_DOMAIN,
205 LDAP_ATTRIBUTE_FLAT_NAME, domain,
206 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
207 if (filter == NULL) {
208 return false;
209 }
210
211 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
212 }
213
214 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
215 TALLOC_CTX *mem_ctx,
216 const char *sid, LDAPMessage **entry)
217 {
218 char *filter = NULL;
219
220 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
221 LDAP_OBJ_TRUSTED_DOMAIN,
222 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
223 if (filter == NULL) {
224 return false;
225 }
226
227 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
228 }
229
230 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
231 LDAPMessage *entry,
232 const char *attr,
233 uint32_t *val)
234 {
235 char *dummy;
236 long int l;
237 char *endptr;
238
239 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
240 attr, talloc_tos());
241 if (dummy == NULL) {
242 DEBUG(9, ("Attribute %s not present.\n", attr));
243 *val = 0;
244 return true;
245 }
246
247 l = strtoul(dummy, &endptr, 10);
248 TALLOC_FREE(dummy);
249
250 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
251 return false;
252 }
253
254 *val = l;
255
256 return true;
257 }
258
259 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
260 struct ldapsam_privates *ldap_state,
261 LDAPMessage *entry, const char *attr,
262 DATA_BLOB *_blob)
263 {
264 char *dummy;
265 DATA_BLOB blob;
266
267 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
268 talloc_tos());
269 if (dummy == NULL) {
270 DEBUG(9, ("Attribute %s not present.\n", attr));
271 ZERO_STRUCTP(_blob);
272 } else {
273 blob = base64_decode_data_blob(dummy);
274 if (blob.length == 0) {
275 ZERO_STRUCTP(_blob);
276 } else {
277 _blob->length = blob.length;
278 _blob->data = talloc_steal(mem_ctx, blob.data);
279 }
280 }
281 TALLOC_FREE(dummy);
282 }
283
284 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
285 struct ldapsam_privates *ldap_state,
286 LDAPMessage *entry,
287 struct pdb_trusted_domain **_td)
288 {
289 char *dummy;
290 bool res;
291 struct pdb_trusted_domain *td;
292
293 if (entry == NULL) {
294 return false;
295 }
296
297 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
298 if (td == NULL) {
299 return false;
300 }
301
302 /* All attributes are MAY */
303
304 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
305 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
306 talloc_tos());
307 if (dummy == NULL) {
308 DEBUG(9, ("Attribute %s not present.\n",
309 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
310 ZERO_STRUCT(td->security_identifier);
311 } else {
312 res = string_to_sid(&td->security_identifier, dummy);
313 TALLOC_FREE(dummy);
314 if (!res) {
315 return false;
316 }
317 }
318
319 get_data_blob_from_ldap_msg(td, ldap_state, entry,
320 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
321 &td->trust_auth_incoming);
322
323 get_data_blob_from_ldap_msg(td, ldap_state, entry,
324 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
325 &td->trust_auth_outgoing);
326
327 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
328 entry,
329 LDAP_ATTRIBUTE_FLAT_NAME,
330 td);
331 if (td->netbios_name == NULL) {
332 DEBUG(9, ("Attribute %s not present.\n",
333 LDAP_ATTRIBUTE_FLAT_NAME));
334 }
335
336 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
337 entry,
338 LDAP_ATTRIBUTE_TRUST_PARTNER,
339 td);
340 if (td->domain_name == NULL) {
341 DEBUG(9, ("Attribute %s not present.\n",
342 LDAP_ATTRIBUTE_TRUST_PARTNER));
343 }
344
345 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
346 LDAP_ATTRIBUTE_TRUST_DIRECTION,
347 &td->trust_direction);
348 if (!res) {
349 return false;
350 }
351
352 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
353 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
354 &td->trust_attributes);
355 if (!res) {
356 return false;
357 }
358
359 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
360 LDAP_ATTRIBUTE_TRUST_TYPE,
361 &td->trust_type);
362 if (!res) {
363 return false;
364 }
365
366 get_data_blob_from_ldap_msg(td, ldap_state, entry,
367 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
368 &td->trust_forest_trust_info);
369
370 *_td = td;
371
372 return true;
373 }
374
375 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
376 TALLOC_CTX *mem_ctx,
377 const char *domain,
378 struct pdb_trusted_domain **td)
379 {
380 struct ldapsam_privates *ldap_state =
381 (struct ldapsam_privates *)methods->private_data;
382 LDAPMessage *entry = NULL;
383
384 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
385
386 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
387 &entry)) {
388 return NT_STATUS_UNSUCCESSFUL;
389 }
390 if (entry == NULL) {
391 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
392 "%s\n", domain));
393 return NT_STATUS_NO_SUCH_DOMAIN;
394 }
395
396 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
397 return NT_STATUS_UNSUCCESSFUL;
398 }
399
400 return NT_STATUS_OK;
401 }
402
403 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
404 TALLOC_CTX *mem_ctx,
405 struct dom_sid *sid,
406 struct pdb_trusted_domain **td)
407 {
408 struct ldapsam_privates *ldap_state =
409 (struct ldapsam_privates *)methods->private_data;
410 LDAPMessage *entry = NULL;
411 char *sid_str;
412
413 sid_str = sid_string_tos(sid);
414
415 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
416 sid_str));
417
418 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
419 &entry)) {
420 return NT_STATUS_UNSUCCESSFUL;
421 }
422 if (entry == NULL) {
423 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
424 "with sid: %s\n", sid_str));
425 return NT_STATUS_NO_SUCH_DOMAIN;
426 }
427
428 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
429 return NT_STATUS_UNSUCCESSFUL;
430 }
431
432 return NT_STATUS_OK;
433 }
434
435 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
436 LDAPMod ***mods, const char *attribute,
437 const uint32_t val)
438 {
439 char *dummy;
440
441 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
442 if (dummy == NULL) {
443 return false;
444 }
445 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
446 TALLOC_FREE(dummy);
447
448 return true;
449 }
450
451 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
452 const char* domain,
453 const struct pdb_trusted_domain *td)
454 {
455 struct ldapsam_privates *ldap_state =
456 (struct ldapsam_privates *)methods->private_data;
457 LDAPMessage *entry = NULL;
458 LDAPMod **mods;
459 bool res;
460 char *trusted_dn = NULL;
461 int ret;
462
463 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
464
465 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
466 &entry);
467 if (!res) {
468 return NT_STATUS_UNSUCCESSFUL;
469 }
470
471 mods = NULL;
472 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
473 LDAP_OBJ_TRUSTED_DOMAIN);
474
475 if (td->netbios_name != NULL) {
476 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
477 LDAP_ATTRIBUTE_FLAT_NAME,
478 td->netbios_name);
479 }
480
481 if (td->domain_name != NULL) {
482 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
483 LDAP_ATTRIBUTE_TRUST_PARTNER,
484 td->domain_name);
485 }
486
487 if (!is_null_sid(&td->security_identifier)) {
488 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
489 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
490 sid_string_tos(&td->security_identifier));
491 }
492
493 if (td->trust_type != 0) {
494 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
495 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
496 td->trust_type);
497 if (!res) {
498 return NT_STATUS_UNSUCCESSFUL;
499 }
500 }
501
502 if (td->trust_attributes != 0) {
503 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
504 &mods,
505 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
506 td->trust_attributes);
507 if (!res) {
508 return NT_STATUS_UNSUCCESSFUL;
509 }
510 }
511
512 if (td->trust_direction != 0) {
513 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
514 &mods,
515 LDAP_ATTRIBUTE_TRUST_DIRECTION,
516 td->trust_direction);
517 if (!res) {
518 return NT_STATUS_UNSUCCESSFUL;
519 }
520 }
521
522 if (td->trust_auth_outgoing.data != NULL) {
523 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
524 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
525 &td->trust_auth_outgoing);
526 }
527
528 if (td->trust_auth_incoming.data != NULL) {
529 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
530 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
531 &td->trust_auth_incoming);
532 }
533
534 if (td->trust_forest_trust_info.data != NULL) {
535 smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods,
536 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
537 &td->trust_forest_trust_info);
538 }
539
540 talloc_autofree_ldapmod(talloc_tos(), mods);
541
542 trusted_dn = trusted_domain_dn(ldap_state, domain);
543 if (trusted_dn == NULL) {
544 return NT_STATUS_NO_MEMORY;
545 }
546 if (entry == NULL) {
547 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
548 } else {
549 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
550 }
551
552 if (ret != LDAP_SUCCESS) {
553 DEBUG(1, ("error writing trusted domain data!\n"));
554 return NT_STATUS_UNSUCCESSFUL;
555 }
556 return NT_STATUS_OK;
557 }
558
559 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
560 const char *domain)
561 {
562 int ret;
563 struct ldapsam_privates *ldap_state =
564 (struct ldapsam_privates *)methods->private_data;
565 LDAPMessage *entry = NULL;
566 const char *dn;
567
568 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
569 &entry)) {
570 return NT_STATUS_UNSUCCESSFUL;
571 }
572
573 if (entry == NULL) {
574 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
575 "%s\n", domain));
576 return NT_STATUS_NO_SUCH_DOMAIN;
577 }
578
579 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
580 if (dn == NULL) {
581 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
582 return NT_STATUS_NO_MEMORY;
583 }
584
585 ret = smbldap_delete(ldap_state->smbldap_state, dn);
586 if (ret != LDAP_SUCCESS) {
587 return NT_STATUS_UNSUCCESSFUL;
588 }
589
590 return NT_STATUS_OK;
591 }
592
593 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
594 TALLOC_CTX *mem_ctx,
595 uint32_t *num_domains,
596 struct pdb_trusted_domain ***domains)
597 {
598 int rc;
599 struct ldapsam_privates *ldap_state =
600 (struct ldapsam_privates *)methods->private_data;
601 char *base_dn = NULL;
602 char *filter = NULL;
603 int scope = LDAP_SCOPE_SUBTREE;
604 LDAPMessage *result = NULL;
605 LDAPMessage *entry = NULL;
606
607 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
608 LDAP_OBJ_TRUSTED_DOMAIN);
609 if (filter == NULL) {
610 return NT_STATUS_NO_MEMORY;
611 }
612
613 base_dn = trusted_domain_base_dn(ldap_state);
614 if (base_dn == NULL) {
615 TALLOC_FREE(filter);
616 return NT_STATUS_NO_MEMORY;
617 }
618
619 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
620 NULL, 0, &result);
621 TALLOC_FREE(filter);
622 TALLOC_FREE(base_dn);
623
624 if (result != NULL) {
625 talloc_autofree_ldapmsg(mem_ctx, result);
626 }
627
628 if (rc == LDAP_NO_SUCH_OBJECT) {
629 *num_domains = 0;
630 *domains = NULL;
631 return NT_STATUS_OK;
632 }
633
634 if (rc != LDAP_SUCCESS) {
635 return NT_STATUS_UNSUCCESSFUL;
636 }
637
638 *num_domains = 0;
639 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct pdb_trusted_domain *, 1))) {
640 DEBUG(1, ("talloc failed\n"));
641 return NT_STATUS_NO_MEMORY;
642 }
643
644 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
645 entry != NULL;
646 entry = ldap_next_entry(priv2ld(ldap_state), entry))
647 {
648 struct pdb_trusted_domain *dom_info;
649
650 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
651 &dom_info)) {
652 return NT_STATUS_UNSUCCESSFUL;
653 }
654
655 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
656 domains, num_domains);
657
658 if (*domains == NULL) {
659 DEBUG(1, ("talloc failed\n"));
660 return NT_STATUS_NO_MEMORY;
661 }
662 }
663
664 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
665 return NT_STATUS_OK;
666 }
667
668 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
669 TALLOC_CTX *mem_ctx,
670 uint32_t *num_domains,
671 struct trustdom_info ***domains)
672 {
673 NTSTATUS status;
674 struct pdb_trusted_domain **td;
675 int i;
676
677 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
678 num_domains, &td);
679 if (!NT_STATUS_IS_OK(status)) {
680 return status;
681 }
682
683 if (*num_domains == 0) {
684 return NT_STATUS_OK;
685 }
686
687 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *,
688 *num_domains))) {
689 DEBUG(1, ("talloc failed\n"));
690 return NT_STATUS_NO_MEMORY;
691 }
692
693 for (i = 0; i < *num_domains; i++) {
694 struct trustdom_info *dom_info;
695
696 dom_info = TALLOC_P(*domains, struct trustdom_info);
697 if (dom_info == NULL) {
698 DEBUG(1, ("talloc failed\n"));
699 return NT_STATUS_NO_MEMORY;
700 }
701
702 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
703 sid_copy(&dom_info->sid, &td[i]->security_identifier);
704
705 (*domains)[i] = dom_info;
706 }
707
708 return NT_STATUS_OK;
709 }
710
711 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
712 {
713 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
714 }
715
716 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
717 TALLOC_CTX *mem_ctx)
718 {
719 struct pdb_domain_info *info;
720 NTSTATUS status;
721 struct ldapsam_privates *ldap_state = pdb_methods->private_data;
722
723 info = talloc(mem_ctx, struct pdb_domain_info);
724 if (info == NULL) {
725 return NULL;
726 }
727
728 info->name = talloc_strdup(info, ldap_state->domain_name);
729 if (info->name == NULL) {
730 goto fail;
731 }
732
733 /* TODO: read dns_domain, dns_forest and guid from LDAP */
734 info->dns_domain = talloc_strdup(info, lp_realm());
735 if (info->dns_domain == NULL) {
736 goto fail;
737 }
738 strlower_m(info->dns_domain);
739 info->dns_forest = talloc_strdup(info, info->dns_domain);
740 sid_copy(&info->sid, &ldap_state->domain_sid);
741
742 status = GUID_from_string("testguid", &info->guid);
743
744 return info;
745
746 fail:
747 TALLOC_FREE(info);
748 return NULL;
749 }
750
751 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
752 struct samu *sampass)
753 {
754 int ret;
755 BerElement *ber = NULL;
756 struct berval *bv = NULL;
757 char *retoid = NULL;
758 struct berval *retdata = NULL;
759 const char *password;
760 char *dn;
761
762 password = pdb_get_plaintext_passwd(sampass);
763 if (password == NULL || *password == '\0') {
764 return NT_STATUS_INVALID_PARAMETER;
765 }
766
767 dn = get_account_dn(pdb_get_username(sampass));
768 if (dn == NULL) {
769 return NT_STATUS_INVALID_PARAMETER;
770 }
771
772 ber = ber_alloc_t( LBER_USE_DER );
773 if (ber == NULL) {
774 DEBUG(7, ("ber_alloc_t failed.\n"));
775 return NT_STATUS_NO_MEMORY;
776 }
777
778 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
779 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
780 if (ret == -1) {
781 DEBUG(7, ("ber_printf failed.\n"));
782 ber_free(ber, 1);
783 return NT_STATUS_UNSUCCESSFUL;
784 }
785
786 ret = ber_flatten(ber, &bv);
787 ber_free(ber, 1);
788 if (ret == -1) {
789 DEBUG(1, ("ber_flatten failed.\n"));
790 return NT_STATUS_UNSUCCESSFUL;
791 }
792
793 ret = smbldap_extended_operation(ldap_state->smbldap_state,
794 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
795 NULL, &retoid, &retdata);
796 ber_bvfree(bv);
797 if (retdata) {
798 ber_bvfree(retdata);
799 }
800 if (retoid) {
801 ldap_memfree(retoid);
802 }
803 if (ret != LDAP_SUCCESS) {
804 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
805 return NT_STATUS_UNSUCCESSFUL;
806 }
807
808 return NT_STATUS_OK;
809 }
810
811 static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
812 const char *dn, LDAPMessage *entry,
813 uint32_t *has_objectclass)
814 {
815 char **objectclasses;
816 size_t c;
817
818 objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
819 LDAP_ATTRIBUTE_OBJECTCLASS);
820 if (objectclasses == NULL) {
821 DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
822 return NT_STATUS_INTERNAL_DB_CORRUPTION;
823 }
824
825 *has_objectclass = 0;
826 for (c = 0; objectclasses[c] != NULL; c++) {
827 if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
828 *has_objectclass |= HAS_KRB_PRINCIPAL;
829 } else if (strequal(objectclasses[c],
830 LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
831 *has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
832 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
833 *has_objectclass |= HAS_IPAOBJECT;
834 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
835 *has_objectclass |= HAS_IPAHOST;
836 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
837 *has_objectclass |= HAS_POSIXACCOUNT;
838 } else if (strequal(objectclasses[c], LDAP_OBJ_GROUPOFNAMES)) {
839 *has_objectclass |= HAS_GROUPOFNAMES;
840 } else if (strequal(objectclasses[c], LDAP_OBJ_NESTEDGROUP)) {
841 *has_objectclass |= HAS_NESTEDGROUP;
842 } else if (strequal(objectclasses[c], LDAP_OBJ_IPAUSERGROUP)) {
843 *has_objectclass |= HAS_IPAUSERGROUP;
844 } else if (strequal(objectclasses[c], LDAP_OBJ_POSIXGROUP)) {
845 *has_objectclass |= HAS_POSIXGROUP;
846 }
847 }
848 ldap_value_free(objectclasses);
849
850 return NT_STATUS_OK;
851 }
852
853 enum obj_type {
854 IPA_NO_OBJ = 0,
855 IPA_USER_OBJ,
856 IPA_GROUP_OBJ
857 };
858
859 static NTSTATUS find_obj(struct ldapsam_privates *ldap_state, const char *name,
860 enum obj_type type, char **_dn,
861 uint32_t *_has_objectclass)
862 {
863 int ret;
864 char *username;
865 char *filter;
866 LDAPMessage *result = NULL;
867 LDAPMessage *entry = NULL;
868 int num_result;
869 char *dn;
870 uint32_t has_objectclass;
871 NTSTATUS status;
872 const char *obj_class = NULL;
873
874 switch (type) {
875 case IPA_USER_OBJ:
876 obj_class = LDAP_OBJ_POSIXACCOUNT;
877 break;
878 case IPA_GROUP_OBJ:
879 obj_class = LDAP_OBJ_POSIXGROUP;
880 break;
881 default:
882 DEBUG(0, ("Unsupported IPA object.\n"));
883 return NT_STATUS_INVALID_PARAMETER;
884 }
885
886 username = escape_ldap_string(talloc_tos(), name);
887 if (username == NULL) {
888 return NT_STATUS_NO_MEMORY;
889 }
890 filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
891 username, obj_class);
892 if (filter == NULL) {
893 return NT_STATUS_NO_MEMORY;
894 }
895 TALLOC_FREE(username);
896
897 ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
898 &result);
899 if (ret != LDAP_SUCCESS) {
900 DEBUG(0, ("smbldap_search_suffix failed.\n"));
901 return NT_STATUS_ACCESS_DENIED;
902 }
903
904 num_result = ldap_count_entries(priv2ld(ldap_state), result);
905
906 if (num_result != 1) {
907 if (num_result == 0) {
908 switch (type) {
909 case IPA_USER_OBJ:
910 status = NT_STATUS_NO_SUCH_USER;
911 break;
912 case IPA_GROUP_OBJ:
913 status = NT_STATUS_NO_SUCH_GROUP;
914 break;
915 default:
916 status = NT_STATUS_INVALID_PARAMETER;
917 }
918 } else {
919 DEBUG (0, ("find_user: More than one object with name [%s] ?!\n",
920 name));
921 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
922 }
923 goto done;
924 }
925
926 entry = ldap_first_entry(priv2ld(ldap_state), result);
927 if (!entry) {
928 DEBUG(0,("find_user: Out of memory!\n"));
929 status = NT_STATUS_UNSUCCESSFUL;
930 goto done;
931 }
932
933 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
934 if (!dn) {
935 DEBUG(0,("find_user: Out of memory!\n"));
936 status = NT_STATUS_NO_MEMORY;
937 goto done;
938 }
939
940 status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
941 if (!NT_STATUS_IS_OK(status)) {
942 goto done;
943 }
944
945 *_dn = dn;
946 *_has_objectclass = has_objectclass;
947
948 status = NT_STATUS_OK;
949
950 done:
951 ldap_msgfree(result);
952
953 return status;
954 }
955
956 static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
957 char **_dn, uint32_t *_has_objectclass)
958 {
959 return find_obj(ldap_state, name, IPA_USER_OBJ, _dn, _has_objectclass);
960 }
961
962 static NTSTATUS find_group(struct ldapsam_privates *ldap_state, const char *name,
963 char **_dn, uint32_t *_has_objectclass)
964 {
965 return find_obj(ldap_state, name, IPA_GROUP_OBJ, _dn, _has_objectclass);
966 }
967
968 static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
969 int ldap_op,
970 const char *dn,
971 const char *username)
972 {
973 int ret;
974 LDAPMod **mods = NULL;
975 NTSTATUS status;
976
977 smbldap_set_mod(&mods, LDAP_MOD_ADD,
978 "objectclass", "posixAccount");
979 smbldap_set_mod(&mods, LDAP_MOD_ADD,
980 "cn", username);
981 smbldap_set_mod(&mods, LDAP_MOD_ADD,
982 "uidNumber", IPA_MAGIC_ID_STR);
983 smbldap_set_mod(&mods, LDAP_MOD_ADD,
984 "gidNumber", "12345");
985 smbldap_set_mod(&mods, LDAP_MOD_ADD,
986 "homeDirectory", "/dev/null");
987
988 if (ldap_op == LDAP_MOD_ADD) {
989 ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
990 } else {
991 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
992 }
993 ldap_mods_free(mods, 1);
994 if (ret != LDAP_SUCCESS) {
995 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
996 username, dn));
997 return status;
998 }
999
1000 return NT_STATUS_OK;
1001 }
1002
1003 static NTSTATUS ipasam_add_ipa_group_objectclasses(struct ldapsam_privates *ldap_state,
1004 const char *dn,
1005 const char *name,
1006 uint32_t has_objectclass)
1007 {
1008 LDAPMod **mods = NULL;
1009 NTSTATUS status;
1010 int ret;
1011
1012 if (!(has_objectclass & HAS_GROUPOFNAMES)) {
1013 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1014 LDAP_ATTRIBUTE_OBJECTCLASS,
1015 LDAP_OBJ_GROUPOFNAMES);
1016 }
1017
1018 if (!(has_objectclass & HAS_NESTEDGROUP)) {
1019 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1020 LDAP_ATTRIBUTE_OBJECTCLASS,
1021 LDAP_OBJ_NESTEDGROUP);
1022 }
1023
1024 if (!(has_objectclass & HAS_IPAUSERGROUP)) {
1025 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1026 LDAP_ATTRIBUTE_OBJECTCLASS,
1027 LDAP_OBJ_IPAUSERGROUP);
1028 }
1029
1030 if (!(has_objectclass & HAS_IPAOBJECT)) {
1031 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1032 LDAP_ATTRIBUTE_OBJECTCLASS,
1033 LDAP_OBJ_IPAOBJECT);
1034 }
1035
1036 if (!(has_objectclass & HAS_POSIXGROUP)) {
1037 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1038 LDAP_ATTRIBUTE_OBJECTCLASS,
1039 LDAP_OBJ_POSIXGROUP);
1040 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1041 LDAP_ATTRIBUTE_CN,
1042 name);
1043 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1044 LDAP_ATTRIBUTE_GIDNUMBER,
1045 IPA_MAGIC_ID_STR);
1046 }
1047
1048 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1049 ldap_mods_free(mods, 1);
1050 if (ret != LDAP_SUCCESS) {
1051 DEBUG(1, ("failed to modify/add group %s (dn = %s)\n",
1052 name, dn));
1053 return status;
1054 }
1055
1056 return NT_STATUS_OK;
1057 }
1058
1059 static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
1060 const char *dn, const char *name,
1061 const char *domain,
1062 uint32_t acct_flags,
1063 uint32_t has_objectclass)
1064 {
1065 LDAPMod **mods = NULL;
1066 NTSTATUS status;
1067 int ret;
1068 char *princ;
1069
1070 if (!(has_objectclass & HAS_KRB_PRINCIPAL)) {
1071 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1072 LDAP_ATTRIBUTE_OBJECTCLASS,
1073 LDAP_OBJ_KRB_PRINCIPAL);
1074
1075 princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
1076 if (princ == NULL) {
1077 return NT_STATUS_NO_MEMORY;
1078 }
1079
1080 smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
1081 }
1082
1083 if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)); {
1084 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1085 LDAP_ATTRIBUTE_OBJECTCLASS,
1086 LDAP_OBJ_KRB_PRINCIPAL_AUX);
1087 }
1088
1089 if (!(has_objectclass & HAS_IPAOBJECT)) {
1090 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1091 LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
1092 }
1093
1094 if ((acct_flags != 0) &&
1095 (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
1096 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
1097
1098 if (!(has_objectclass & HAS_IPAHOST)) {
1099 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1100 LDAP_ATTRIBUTE_OBJECTCLASS,
1101 LDAP_OBJ_IPAHOST);
1102
1103 if (domain == NULL) {
1104 return NT_STATUS_INVALID_PARAMETER;
1105 }
1106
1107 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1108 "fqdn", domain);
1109 }
1110 }
1111
1112 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1113 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1114 "objectclass", "posixAccount");
1115 smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
1116 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1117 "uidNumber", IPA_MAGIC_ID_STR);
1118 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1119 "gidNumber", "12345");
1120 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1121 "homeDirectory", "/dev/null");
1122 }
1123
1124 if (mods != NULL) {
1125 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
1126 ldap_mods_free(mods, 1);
1127 if (ret != LDAP_SUCCESS) {
1128 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
1129 name, dn));
1130 return status;
1131 }
1132 }
1133
1134 return NT_STATUS_OK;
1135 }
1136
1137 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
1138 struct samu *sampass)
1139 {
1140 NTSTATUS status;
1141 struct ldapsam_privates *ldap_state;
1142 const char *name;
1143 char *dn;
1144 uint32_t has_objectclass;
1145 uint32_t rid;
1146 struct dom_sid user_sid;
1147
1148 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1149
1150 if (IS_SAM_SET(sampass, PDB_USERSID) ||
1151 IS_SAM_CHANGED(sampass, PDB_USERSID)) {
1152 if (!pdb_new_rid(&rid)) {
1153 return NT_STATUS_DS_NO_MORE_RIDS;
1154 }
1155 sid_compose(&user_sid, get_global_sam_sid(), rid);
1156 if (!pdb_set_user_sid(sampass, &user_sid, PDB_SET)) {
1157 return NT_STATUS_UNSUCCESSFUL;
1158 }
1159 }
1160
1161 status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
1162 sampass);
1163 if (!NT_STATUS_IS_OK(status)) {
1164 return status;
1165 }
1166
1167 if (ldap_state->ipasam_privates->server_is_ipa) {
1168 name = pdb_get_username(sampass);
1169 if (name == NULL || *name == '\0') {
1170 return NT_STATUS_INVALID_PARAMETER;
1171 }
1172
1173 status = find_user(ldap_state, name, &dn, &has_objectclass);
1174 if (!NT_STATUS_IS_OK(status)) {
1175 return status;
1176 }
1177
1178 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
1179 pdb_get_domain(sampass),
1180 pdb_get_acct_ctrl(sampass),
1181 has_objectclass);
1182 if (!NT_STATUS_IS_OK(status)) {
1183 return status;
1184 }
1185
1186 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1187 status = ipasam_add_posix_account_objectclass(ldap_state,
1188 LDAP_MOD_REPLACE,
1189 dn, name);
1190 if (!NT_STATUS_IS_OK(status)) {
1191 return status;
1192 }
1193 }
1194
1195 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1196 status = modify_ipa_password_exop(ldap_state, sampass);
1197 if (!NT_STATUS_IS_OK(status)) {
1198 return status;
1199 }
1200 }
1201 }
1202
1203 return NT_STATUS_OK;
1204 }
1205
1206 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
1207 struct samu *sampass)
1208 {
1209 NTSTATUS status;
1210 struct ldapsam_privates *ldap_state;
1211 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1212
1213 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
1214 sampass);
1215 if (!NT_STATUS_IS_OK(status)) {
1216 return status;
1217 }
1218
1219 if (ldap_state->ipasam_privates->server_is_ipa) {
1220 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
1221 status = modify_ipa_password_exop(ldap_state, sampass);
1222 if (!NT_STATUS_IS_OK(status)) {
1223 return status;
1224 }
1225 }
1226 }
1227
1228 return NT_STATUS_OK;
1229 }
1230
1231 static NTSTATUS ipasam_create_dom_group(struct pdb_methods *pdb_methods,
1232 TALLOC_CTX *tmp_ctx, const char *name,
1233 uint32_t *rid)
1234 {
1235 NTSTATUS status;
1236 struct ldapsam_privates *ldap_state;
1237 int ldap_op = LDAP_MOD_REPLACE;
1238 char *dn;
1239 uint32_t has_objectclass = 0;
1240
1241 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1242
1243 if (name == NULL || *name == '\0') {
1244 return NT_STATUS_INVALID_PARAMETER;
1245 }
1246
1247 status = find_group(ldap_state, name, &dn, &has_objectclass);
1248 if (NT_STATUS_IS_OK(status)) {
1249 ldap_op = LDAP_MOD_REPLACE;
1250 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1251 ldap_op = LDAP_MOD_ADD;
1252 } else {
1253 return status;
1254 }
1255
1256 if (!(has_objectclass & HAS_POSIXGROUP)) {
1257 status = ipasam_add_ipa_group_objectclasses(ldap_state, dn,
1258 name,
1259 has_objectclass);
1260 if (!NT_STATUS_IS_OK(status)) {
1261 return status;
1262 }
1263 }
1264
1265 status = ldap_state->ipasam_privates->ldapsam_create_dom_group(pdb_methods,
1266 tmp_ctx,
1267 name,
1268 rid);
1269 if (!NT_STATUS_IS_OK(status)) {
1270 return status;
1271 }
1272
1273 return NT_STATUS_OK;
1274 }
1275 static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
1276 TALLOC_CTX *tmp_ctx, const char *name,
1277 uint32_t acb_info, uint32_t *rid)
1278 {
1279 NTSTATUS status;
1280 struct ldapsam_privates *ldap_state;
1281 int ldap_op = LDAP_MOD_REPLACE;
1282 char *dn;
1283 uint32_t has_objectclass = 0;
1284
1285 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
1286
1287 if (name == NULL || *name == '\0') {
1288 return NT_STATUS_INVALID_PARAMETER;
1289 }
1290
1291 status = find_user(ldap_state, name, &dn, &has_objectclass);
1292 if (NT_STATUS_IS_OK(status)) {
1293 ldap_op = LDAP_MOD_REPLACE;
1294 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1295 char *escape_username;
1296 ldap_op = LDAP_MOD_ADD;
1297 escape_username = escape_rdn_val_string_alloc(name);
1298 if (!escape_username) {
1299 return NT_STATUS_NO_MEMORY;
1300 }
1301 if (name[strlen(name)-1] == '$') {
1302 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1303 escape_username,
1304 lp_ldap_machine_suffix());
1305 } else {
1306 dn = talloc_asprintf(tmp_ctx, "uid=%s,%s",
1307 escape_username,
1308 lp_ldap_user_suffix());
1309 }
1310 SAFE_FREE(escape_username);
1311 if (!dn) {
1312 return NT_STATUS_NO_MEMORY;
1313 }
1314 } else {
1315 return status;
1316 }
1317
1318 if (!(has_objectclass & HAS_POSIXACCOUNT)) {
1319 status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
1320 dn, name);
1321 if (!NT_STATUS_IS_OK(status)) {
1322 return status;
1323 }
1324 has_objectclass |= HAS_POSIXACCOUNT;
1325 }
1326
1327 status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
1328 tmp_ctx, name,
1329 acb_info, rid);
1330 if (!NT_STATUS_IS_OK(status)) {
1331 return status;
1332 }
1333
1334 status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
1335 acb_info, has_objectclass);
1336 if (!NT_STATUS_IS_OK(status)) {
1337 return status;
1338 }
1339
1340 return NT_STATUS_OK;
1341 }
1342
1343 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
1344 {
1345 struct ldapsam_privates *ldap_state;
1346 NTSTATUS status;
1347
1348 status = pdb_init_ldapsam(pdb_method, location);
1349 if (!NT_STATUS_IS_OK(status)) {
1350 return status;
1351 }
1352
1353 (*pdb_method)->name = "IPA_ldapsam";
1354
1355 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
1356 ldap_state->ipasam_privates = talloc_zero(ldap_state,
1357 struct ipasam_privates);
1358 if (ldap_state->ipasam_privates == NULL) {
1359 return NT_STATUS_NO_MEMORY;
1360 }
1361 ldap_state->is_ipa_ldap = True;
1362
1363 ldap_state->ipasam_privates->server_is_ipa = smbldap_has_extension(
1364 priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
1365 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
1366 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
1367 ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
1368 ldap_state->ipasam_privates->ldapsam_create_dom_group = (*pdb_method)->create_dom_group;
1369
1370 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
1371 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
1372
1373 if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1374 if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
1375 (*pdb_method)->create_user = ipasam_create_user;
1376 (*pdb_method)->create_dom_group = ipasam_create_dom_group;
1377 }
1378 }
1379
1380 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
1381 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
1382
1383 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
1384 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
1385 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
1386 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
1387
1388 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
1389 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
1390 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
1391 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
1392 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
1393
1394 return NT_STATUS_OK;
1395 }
1396
1397 NTSTATUS pdb_ipa_init(void)
1398 {
1399 NTSTATUS nt_status;
1400
1401 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
1402 return nt_status;
1403
1404 return NT_STATUS_OK;
1405 }
Samba GIT mirror