param: turn ldap group suffix into a generated function
[Samba.git] / source3 / passdb / pdb_nds.c
blobd7c16daef42e4a28cf34ee3adfdee9384eec88e7
1 /*
2 Unix SMB/CIFS mplementation.
3 NDS LDAP helper functions for SAMBA
4 Copyright (C) Vince Brimhall 2004-2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "includes.h"
22 #include "passdb.h"
24 #include <lber.h>
25 #include <ldap.h>
27 #include "smbldap.h"
28 #include "passdb/pdb_ldap.h"
29 #include "passdb/pdb_nds.h"
31 #define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3"
32 #define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4"
33 #define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11"
34 #define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12"
35 #define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
36 #define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
38 #define NMAS_LDAP_EXT_VERSION 1
40 /**********************************************************************
41 Take the request BER value and input data items and BER encodes the
42 data into the BER value
43 **********************************************************************/
45 static int berEncodePasswordData(
46 struct berval **requestBV,
47 const char *objectDN,
48 const char *password,
49 const char *password2)
51 int err = 0, rc=0;
52 BerElement *requestBer = NULL;
54 const char * utf8ObjPtr = NULL;
55 int utf8ObjSize = 0;
56 const char * utf8PwdPtr = NULL;
57 int utf8PwdSize = 0;
58 const char * utf8Pwd2Ptr = NULL;
59 int utf8Pwd2Size = 0;
62 /* Convert objectDN and tag strings from Unicode to UTF-8 */
63 utf8ObjSize = strlen(objectDN)+1;
64 utf8ObjPtr = objectDN;
66 if (password != NULL)
68 utf8PwdSize = strlen(password)+1;
69 utf8PwdPtr = password;
72 if (password2 != NULL)
74 utf8Pwd2Size = strlen(password2)+1;
75 utf8Pwd2Ptr = password2;
78 /* Allocate a BerElement for the request parameters. */
79 if((requestBer = ber_alloc()) == NULL)
81 err = LDAP_ENCODING_ERROR;
82 goto Cleanup;
85 if (password != NULL && password2 != NULL)
87 /* BER encode the NMAS Version, the objectDN, and the password */
88 rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
90 else if (password != NULL)
92 /* BER encode the NMAS Version, the objectDN, and the password */
93 rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
95 else
97 /* BER encode the NMAS Version and the objectDN */
98 rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
101 if (rc < 0)
103 err = LDAP_ENCODING_ERROR;
104 goto Cleanup;
106 else
108 err = 0;
111 /* Convert the BER we just built to a berval that we'll send with the extended request. */
112 if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
114 err = LDAP_ENCODING_ERROR;
115 goto Cleanup;
118 Cleanup:
120 if(requestBer)
122 ber_free(requestBer, 1);
125 return err;
128 /**********************************************************************
129 Take the request BER value and input data items and BER encodes the
130 data into the BER value
131 **********************************************************************/
133 static int berEncodeLoginData(
134 struct berval **requestBV,
135 char *objectDN,
136 unsigned int methodIDLen,
137 unsigned int *methodID,
138 char *tag,
139 size_t putDataLen,
140 void *putData)
142 int err = 0;
143 BerElement *requestBer = NULL;
145 unsigned int i;
146 unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
148 char *utf8ObjPtr=NULL;
149 int utf8ObjSize = 0;
151 char *utf8TagPtr = NULL;
152 int utf8TagSize = 0;
154 utf8ObjPtr = objectDN;
155 utf8ObjSize = strlen(utf8ObjPtr)+1;
157 utf8TagPtr = tag;
158 utf8TagSize = strlen(utf8TagPtr)+1;
160 /* Allocate a BerElement for the request parameters. */
161 if((requestBer = ber_alloc()) == NULL)
163 err = LDAP_ENCODING_ERROR;
164 goto Cleanup;
167 /* BER encode the NMAS Version and the objectDN */
168 err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0;
170 /* BER encode the MethodID Length and value */
171 if (!err)
173 err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0;
176 for (i = 0; !err && i < elemCnt; i++)
178 err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0;
181 if (!err)
183 err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0;
186 if(putData)
188 /* BER Encode the the tag and data */
189 err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;
191 else
193 /* BER Encode the the tag */
194 err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0;
197 if (err)
199 goto Cleanup;
202 /* Convert the BER we just built to a berval that we'll send with the extended request. */
203 if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
205 err = LDAP_ENCODING_ERROR;
206 goto Cleanup;
209 Cleanup:
211 if(requestBer)
213 ber_free(requestBer, 1);
216 return err;
219 /**********************************************************************
220 Takes the reply BER Value and decodes the NMAS server version and
221 return code and if a non null retData buffer was supplied, tries to
222 decode the the return data and length
223 **********************************************************************/
225 static int berDecodeLoginData(
226 struct berval *replyBV,
227 int *serverVersion,
228 size_t *retDataLen,
229 void *retData )
231 int err = 0;
232 BerElement *replyBer = NULL;
233 char *retOctStr = NULL;
234 size_t retOctStrLen = 0;
236 if((replyBer = ber_init(replyBV)) == NULL)
238 err = LDAP_OPERATIONS_ERROR;
239 goto Cleanup;
242 if(retData)
244 retOctStrLen = *retDataLen + 1;
245 retOctStr = SMB_MALLOC_ARRAY(char, retOctStrLen);
246 if(!retOctStr)
248 err = LDAP_OPERATIONS_ERROR;
249 goto Cleanup;
252 if(ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != -1)
254 if (*retDataLen >= retOctStrLen)
256 memcpy(retData, retOctStr, retOctStrLen);
258 else if (!err)
260 err = LDAP_NO_MEMORY;
263 *retDataLen = retOctStrLen;
265 else if (!err)
267 err = LDAP_DECODING_ERROR;
270 else
272 if(ber_scanf(replyBer, "{ii}", serverVersion, &err) == -1)
274 if (!err)
276 err = LDAP_DECODING_ERROR;
281 Cleanup:
283 if(replyBer)
285 ber_free(replyBer, 1);
288 if (retOctStr != NULL)
290 memset(retOctStr, 0, retOctStrLen);
291 free(retOctStr);
294 return err;
297 /**********************************************************************
298 Retrieves data in the login configuration of the specified object
299 that is tagged with the specified methodID and tag.
300 **********************************************************************/
302 static int getLoginConfig(
303 LDAP *ld,
304 char *objectDN,
305 unsigned int methodIDLen,
306 unsigned int *methodID,
307 char *tag,
308 size_t *dataLen,
309 void *data )
311 int err = 0;
312 struct berval *requestBV = NULL;
313 char *replyOID = NULL;
314 struct berval *replyBV = NULL;
315 int serverVersion = 0;
317 /* Validate unicode parameters. */
318 if((strlen(objectDN) == 0) || ld == NULL)
320 return LDAP_NO_SUCH_ATTRIBUTE;
323 err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
324 if(err)
326 goto Cleanup;
329 /* Call the ldap_extended_operation (synchronously) */
330 if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
331 requestBV, NULL, NULL, &replyOID, &replyBV)))
333 goto Cleanup;
336 /* Make sure there is a return OID */
337 if(!replyOID)
339 err = LDAP_NOT_SUPPORTED;
340 goto Cleanup;
343 /* Is this what we were expecting to get back. */
344 if(strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE))
346 err = LDAP_NOT_SUPPORTED;
347 goto Cleanup;
350 /* Do we have a good returned berval? */
351 if(!replyBV)
353 /* No; returned berval means we experienced a rather drastic error. */
354 /* Return operations error. */
355 err = LDAP_OPERATIONS_ERROR;
356 goto Cleanup;
359 err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
361 if(serverVersion != NMAS_LDAP_EXT_VERSION)
363 err = LDAP_OPERATIONS_ERROR;
364 goto Cleanup;
367 Cleanup:
369 if(replyBV)
371 ber_bvfree(replyBV);
374 /* Free the return OID string if one was returned. */
375 if(replyOID)
377 ldap_memfree(replyOID);
380 /* Free memory allocated while building the request ber and berval. */
381 if(requestBV)
383 ber_bvfree(requestBV);
386 /* Return the appropriate error/success code. */
387 return err;
390 /**********************************************************************
391 Attempts to get the Simple Password
392 **********************************************************************/
394 static int nmasldap_get_simple_pwd(
395 LDAP *ld,
396 char *objectDN,
397 size_t pwdLen,
398 char *pwd )
400 int err = 0;
401 unsigned int methodID = 0;
402 unsigned int methodIDLen = sizeof(methodID);
403 char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
404 char *pwdBuf=NULL;
405 size_t pwdBufLen, bufferLen;
407 bufferLen = pwdBufLen = pwdLen+2;
408 pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen); /* digest and null */
409 if(pwdBuf == NULL)
411 return LDAP_NO_MEMORY;
414 err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
415 if (err == 0)
417 if (pwdBufLen !=0)
419 pwdBuf[pwdBufLen] = 0; /* null terminate */
421 switch (pwdBuf[0])
423 case 1: /* cleartext password */
424 break;
425 case 2: /* SHA1 HASH */
426 case 3: /* MD5_ID */
427 case 4: /* UNIXCrypt_ID */
428 case 8: /* SSHA_ID */
429 default: /* Unknown digest */
430 err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */
431 break;
434 if (!err)
436 if (pwdLen >= pwdBufLen-1)
438 memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */
440 else
442 err = LDAP_NO_MEMORY;
448 if (pwdBuf != NULL)
450 memset(pwdBuf, 0, bufferLen);
451 free(pwdBuf);
454 return err;
458 /**********************************************************************
459 Attempts to set the Universal Password
460 **********************************************************************/
462 static int nmasldap_set_password(
463 LDAP *ld,
464 const char *objectDN,
465 const char *pwd )
467 int err = 0;
469 struct berval *requestBV = NULL;
470 char *replyOID = NULL;
471 struct berval *replyBV = NULL;
472 int serverVersion;
474 /* Validate char parameters. */
475 if(objectDN == NULL || (strlen(objectDN) == 0) || pwd == NULL || ld == NULL)
477 return LDAP_NO_SUCH_ATTRIBUTE;
480 err = berEncodePasswordData(&requestBV, objectDN, pwd, NULL);
481 if(err)
483 goto Cleanup;
486 /* Call the ldap_extended_operation (synchronously) */
487 if((err = ldap_extended_operation_s(ld, NMASLDAP_SET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV)))
489 goto Cleanup;
492 /* Make sure there is a return OID */
493 if(!replyOID)
495 err = LDAP_NOT_SUPPORTED;
496 goto Cleanup;
499 /* Is this what we were expecting to get back. */
500 if(strcmp(replyOID, NMASLDAP_SET_PASSWORD_RESPONSE))
502 err = LDAP_NOT_SUPPORTED;
503 goto Cleanup;
506 /* Do we have a good returned berval? */
507 if(!replyBV)
509 /* No; returned berval means we experienced a rather drastic error. */
510 /* Return operations error. */
511 err = LDAP_OPERATIONS_ERROR;
512 goto Cleanup;
515 err = berDecodeLoginData(replyBV, &serverVersion, NULL, NULL);
517 if(serverVersion != NMAS_LDAP_EXT_VERSION)
519 err = LDAP_OPERATIONS_ERROR;
520 goto Cleanup;
523 Cleanup:
525 if(replyBV)
527 ber_bvfree(replyBV);
530 /* Free the return OID string if one was returned. */
531 if(replyOID)
533 ldap_memfree(replyOID);
536 /* Free memory allocated while building the request ber and berval. */
537 if(requestBV)
539 ber_bvfree(requestBV);
542 /* Return the appropriate error/success code. */
543 return err;
546 /**********************************************************************
547 Attempts to get the Universal Password
548 **********************************************************************/
550 static int nmasldap_get_password(
551 LDAP *ld,
552 char *objectDN,
553 size_t *pwdSize, /* in bytes */
554 unsigned char *pwd )
556 int err = 0;
558 struct berval *requestBV = NULL;
559 char *replyOID = NULL;
560 struct berval *replyBV = NULL;
561 int serverVersion;
562 char *pwdBuf;
563 size_t pwdBufLen, bufferLen;
565 /* Validate char parameters. */
566 if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL)
568 return LDAP_NO_SUCH_ATTRIBUTE;
571 bufferLen = pwdBufLen = *pwdSize;
572 pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen+2);
573 if(pwdBuf == NULL)
575 return LDAP_NO_MEMORY;
578 err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
579 if(err)
581 goto Cleanup;
584 /* Call the ldap_extended_operation (synchronously) */
585 if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV)))
587 goto Cleanup;
590 /* Make sure there is a return OID */
591 if(!replyOID)
593 err = LDAP_NOT_SUPPORTED;
594 goto Cleanup;
597 /* Is this what we were expecting to get back. */
598 if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE))
600 err = LDAP_NOT_SUPPORTED;
601 goto Cleanup;
604 /* Do we have a good returned berval? */
605 if(!replyBV)
607 /* No; returned berval means we experienced a rather drastic error. */
608 /* Return operations error. */
609 err = LDAP_OPERATIONS_ERROR;
610 goto Cleanup;
613 err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
615 if(serverVersion != NMAS_LDAP_EXT_VERSION)
617 err = LDAP_OPERATIONS_ERROR;
618 goto Cleanup;
621 if (!err && pwdBufLen != 0)
623 if (*pwdSize >= pwdBufLen+1 && pwd != NULL)
625 memcpy(pwd, pwdBuf, pwdBufLen);
626 pwd[pwdBufLen] = 0; /* add null termination */
628 *pwdSize = pwdBufLen; /* does not include null termination */
631 Cleanup:
633 if(replyBV)
635 ber_bvfree(replyBV);
638 /* Free the return OID string if one was returned. */
639 if(replyOID)
641 ldap_memfree(replyOID);
644 /* Free memory allocated while building the request ber and berval. */
645 if(requestBV)
647 ber_bvfree(requestBV);
650 if (pwdBuf != NULL)
652 memset(pwdBuf, 0, bufferLen);
653 free(pwdBuf);
656 /* Return the appropriate error/success code. */
657 return err;
660 /**********************************************************************
661 Get the user's password from NDS.
662 *********************************************************************/
664 int pdb_nds_get_password(
665 struct smbldap_state *ldap_state,
666 char *object_dn,
667 size_t *pwd_len,
668 char *pwd )
670 LDAP *ld = ldap_state->ldap_struct;
671 int rc = -1;
673 rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
674 if (rc == LDAP_SUCCESS) {
675 #ifdef DEBUG_PASSWORD
676 DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
677 #endif
678 DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
679 } else {
680 DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
683 if (rc != LDAP_SUCCESS) {
684 rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
685 if (rc == LDAP_SUCCESS) {
686 #ifdef DEBUG_PASSWORD
687 DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
688 #endif
689 DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
690 } else {
691 /* We couldn't get the password */
692 DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
693 return LDAP_INVALID_CREDENTIALS;
697 /* We got the password */
698 return LDAP_SUCCESS;
701 /**********************************************************************
702 Set the users NDS, Universal and Simple passwords.
703 ********************************************************************/
705 int pdb_nds_set_password(
706 struct smbldap_state *ldap_state,
707 char *object_dn,
708 const char *pwd )
710 LDAP *ld = ldap_state->ldap_struct;
711 int rc = -1;
712 LDAPMod **tmpmods = NULL;
714 rc = nmasldap_set_password(ld, object_dn, pwd);
715 if (rc == LDAP_SUCCESS) {
716 DEBUG(5,("NDS Universal Password changed for user %s\n", object_dn));
717 } else {
718 char *ld_error = NULL;
719 ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
721 /* This will fail if Universal Password is not enabled for the user's context */
722 DEBUG(3,("NDS Universal Password could not be changed for user %s: %s (%s)\n",
723 object_dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
724 SAFE_FREE(ld_error);
727 /* Set eDirectory Password */
728 smbldap_set_mod(&tmpmods, LDAP_MOD_REPLACE, "userPassword", pwd);
729 rc = smbldap_modify(ldap_state, object_dn, tmpmods);
731 return rc;
734 /**********************************************************************
735 Allow ldap server to update internal login attempt counters by
736 performing a simple bind. If the samba authentication failed attempt
737 the bind with a bogus, randomly generated password to count the
738 failed attempt. If the bind fails even though samba authentication
739 succeeded, this would indicate that the user's account is disabled,
740 time restrictions are in place or some other password policy
741 violation.
742 *********************************************************************/
744 static NTSTATUS pdb_nds_update_login_attempts(struct pdb_methods *methods,
745 struct samu *sam_acct, bool success)
747 struct ldapsam_privates *ldap_state;
749 if ((!methods) || (!sam_acct)) {
750 DEBUG(3,("pdb_nds_update_login_attempts: invalid parameter.\n"));
751 return NT_STATUS_MEMORY_NOT_ALLOCATED;
754 ldap_state = (struct ldapsam_privates *)methods->private_data;
756 if (ldap_state) {
757 /* Attempt simple bind with user credentials to update eDirectory
758 password policy */
759 int rc = 0;
760 char *dn;
761 LDAPMessage *result = NULL;
762 LDAPMessage *entry = NULL;
763 const char **attr_list;
764 size_t pwd_len;
765 char clear_text_pw[512];
766 LDAP *ld = NULL;
767 const char *username = pdb_get_username(sam_acct);
768 bool got_clear_text_pw = False;
770 DEBUG(5,("pdb_nds_update_login_attempts: %s login for %s\n",
771 success ? "Successful" : "Failed", username));
773 result = (LDAPMessage *)pdb_get_backend_private_data(sam_acct, methods);
774 if (!result) {
775 attr_list = get_userattr_list(NULL,
776 ldap_state->schema_ver);
777 rc = ldapsam_search_suffix_by_name(ldap_state, username, &result, attr_list );
778 TALLOC_FREE( attr_list );
779 if (rc != LDAP_SUCCESS) {
780 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
782 pdb_set_backend_private_data(sam_acct, result, NULL,
783 methods, PDB_CHANGED);
784 smbldap_talloc_autofree_ldapmsg(sam_acct, result);
787 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
788 DEBUG(0, ("pdb_nds_update_login_attempts: No user to modify!\n"));
789 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
792 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
793 dn = smbldap_talloc_dn(talloc_tos(), ldap_state->smbldap_state->ldap_struct, entry);
794 if (!dn) {
795 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
798 DEBUG(3, ("pdb_nds_update_login_attempts: username %s found dn '%s'\n", username, dn));
800 pwd_len = sizeof(clear_text_pw);
801 if (success == True) {
802 if (pdb_nds_get_password(ldap_state->smbldap_state, dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
803 /* Got clear text password. Use simple ldap bind */
804 got_clear_text_pw = True;
806 } else {
807 generate_random_buffer((unsigned char *)clear_text_pw, 24);
808 clear_text_pw[24] = '\0';
809 DEBUG(5,("pdb_nds_update_login_attempts: using random password %s\n", clear_text_pw));
812 if((success != True) || (got_clear_text_pw == True)) {
814 rc = smbldap_setup_full_conn(&ld, ldap_state->location);
815 if (rc) {
816 TALLOC_FREE(dn);
817 return NT_STATUS_INVALID_CONNECTION;
820 /* Attempt simple bind with real or bogus password */
821 rc = ldap_simple_bind_s(ld, dn, clear_text_pw);
822 ldap_unbind(ld);
823 if (rc == LDAP_SUCCESS) {
824 DEBUG(5,("pdb_nds_update_login_attempts: ldap_simple_bind_s Successful for %s\n", username));
825 } else {
826 NTSTATUS nt_status = NT_STATUS_ACCOUNT_RESTRICTION;
827 DEBUG(5,("pdb_nds_update_login_attempts: ldap_simple_bind_s Failed for %s\n", username));
828 switch(rc) {
829 case LDAP_INVALID_CREDENTIALS:
830 nt_status = NT_STATUS_WRONG_PASSWORD;
831 break;
832 case LDAP_UNWILLING_TO_PERFORM:
833 /* eDir returns this if the account was disabled. */
834 /* The problem is we don't know if the given
835 password was correct for this account or
836 not. We have to return more info than we
837 should and tell the client NT_STATUS_ACCOUNT_DISABLED
838 so they don't think the password was bad. JRA. */
839 nt_status = NT_STATUS_ACCOUNT_DISABLED;
840 break;
841 default:
842 break;
844 return nt_status;
847 TALLOC_FREE(dn);
850 return NT_STATUS_OK;
853 /**********************************************************************
854 Intitalise the parts of the pdb_methods structuire that are common
855 to NDS_ldapsam modes
856 *********************************************************************/
858 static NTSTATUS pdb_init_NDS_ldapsam_common(struct pdb_methods **pdb_method, const char *location)
860 struct ldapsam_privates *ldap_state =
861 (struct ldapsam_privates *)((*pdb_method)->private_data);
863 /* Mark this as eDirectory ldap */
864 ldap_state->is_nds_ldap = True;
866 /* Add pdb_nds specific method for updating login attempts. */
867 (*pdb_method)->update_login_attempts = pdb_nds_update_login_attempts;
869 /* Save location for use in pdb_nds_update_login_attempts */
870 ldap_state->location = SMB_STRDUP(location);
872 return NT_STATUS_OK;
875 /**********************************************************************
876 Initialise the 'nds' normal mode for pdb_ldap
877 *********************************************************************/
879 static NTSTATUS pdb_init_NDS_ldapsam(struct pdb_methods **pdb_method, const char *location)
881 NTSTATUS nt_status = pdb_ldapsam_init_common(pdb_method, location);
883 (*pdb_method)->name = "NDS_ldapsam";
885 pdb_init_NDS_ldapsam_common(pdb_method, location);
887 return nt_status;
890 NTSTATUS pdb_nds_init(void)
892 NTSTATUS nt_status;
893 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "NDS_ldapsam", pdb_init_NDS_ldapsam)))
894 return nt_status;
896 return NT_STATUS_OK;