r22801: Pass down the token to add_gplink_to_gpo_list().
[Samba/bb.git] / source3 / libgpo / gpo_ldap.c
blobfbed60b11d1b5d0cdf53b3b8dd73685e9f7e1439
1 /*
2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 #include "includes.h"
23 #ifdef HAVE_LDAP
25 /****************************************************************
26 parse the raw extension string into a GP_EXT structure
27 ****************************************************************/
29 ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
30 const char *extension_raw,
31 struct GP_EXT *gp_ext)
33 char **ext_list;
34 char **ext_strings = NULL;
35 int i;
37 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
39 ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
40 if (ext_list == NULL) {
41 goto parse_error;
44 for (i = 0; ext_list[i] != NULL; i++) {
45 /* no op */
48 gp_ext->num_exts = i;
50 if (gp_ext->num_exts) {
51 gp_ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
52 gp_ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
53 gp_ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
54 gp_ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
55 } else {
56 gp_ext->extensions = NULL;
57 gp_ext->extensions_guid = NULL;
58 gp_ext->snapins = NULL;
59 gp_ext->snapins_guid = NULL;
62 if (gp_ext->extensions == NULL || gp_ext->extensions_guid == NULL ||
63 gp_ext->snapins == NULL || gp_ext->snapins_guid == NULL ||
64 gp_ext->gp_extension == NULL) {
65 goto parse_error;
68 gp_ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
70 for (i = 0; ext_list[i] != NULL; i++) {
72 int k;
73 char *p, *q;
75 DEBUGADD(10,("extension #%d\n", i));
77 p = ext_list[i];
79 if (p[0] == '[') {
80 p++;
83 ext_strings = str_list_make_talloc(mem_ctx, p, "}");
84 if (ext_strings == NULL) {
85 goto parse_error;
88 for (k = 0; ext_strings[k] != NULL; k++) {
89 /* no op */
92 q = ext_strings[0];
94 if (q[0] == '{') {
95 q++;
98 gp_ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q));
99 gp_ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
101 /* we might have no name for the guid */
102 if (gp_ext->extensions_guid[i] == NULL) {
103 goto parse_error;
106 for (k = 1; ext_strings[k] != NULL; k++) {
108 char *m = ext_strings[k];
110 if (m[0] == '{') {
111 m++;
114 /* FIXME: theoretically there could be more than one snapin per extension */
115 gp_ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m));
116 gp_ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
118 /* we might have no name for the guid */
119 if (gp_ext->snapins_guid[i] == NULL) {
120 goto parse_error;
125 if (ext_list) {
126 str_list_free_talloc(mem_ctx, &ext_list);
128 if (ext_strings) {
129 str_list_free_talloc(mem_ctx, &ext_strings);
132 return ADS_ERROR(LDAP_SUCCESS);
134 parse_error:
135 if (ext_list) {
136 str_list_free_talloc(mem_ctx, &ext_list);
138 if (ext_strings) {
139 str_list_free_talloc(mem_ctx, &ext_strings);
142 return ADS_ERROR(LDAP_NO_MEMORY);
145 /****************************************************************
146 parse the raw link string into a GP_LINK structure
147 ****************************************************************/
149 ADS_STATUS ads_parse_gplink(TALLOC_CTX *mem_ctx,
150 const char *gp_link_raw,
151 uint32 options,
152 struct GP_LINK *gp_link)
154 char **link_list;
155 int i;
157 DEBUG(10,("ads_parse_gplink: gPLink: %s\n", gp_link_raw));
159 link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
160 if (link_list == NULL) {
161 goto parse_error;
164 for (i = 0; link_list[i] != NULL; i++) {
165 /* no op */
168 gp_link->gp_opts = options;
169 gp_link->num_links = i;
171 if (gp_link->num_links) {
172 gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links);
173 gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links);
174 } else {
175 gp_link->link_names = NULL;
176 gp_link->link_opts = NULL;
179 gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
181 if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) {
182 goto parse_error;
185 for (i = 0; link_list[i] != NULL; i++) {
187 char *p, *q;
189 DEBUGADD(10,("ads_parse_gplink: processing link #%d\n", i));
191 q = link_list[i];
192 if (q[0] == '[') {
193 q++;
196 p = strchr(q, ';');
198 if (p == NULL) {
199 goto parse_error;
202 gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
203 if (gp_link->link_names[i] == NULL) {
204 goto parse_error;
206 gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
208 gp_link->link_opts[i] = atoi(p + 1);
210 DEBUGADD(10,("ads_parse_gplink: link: %s\n", gp_link->link_names[i]));
211 DEBUGADD(10,("ads_parse_gplink: opt: %d\n", gp_link->link_opts[i]));
215 if (link_list) {
216 str_list_free_talloc(mem_ctx, &link_list);
219 return ADS_ERROR(LDAP_SUCCESS);
221 parse_error:
222 if (link_list) {
223 str_list_free_talloc(mem_ctx, &link_list);
226 return ADS_ERROR(LDAP_NO_MEMORY);
229 /****************************************************************
230 helper call to get a GP_LINK structure from a linkdn
231 ****************************************************************/
233 ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
234 TALLOC_CTX *mem_ctx,
235 const char *link_dn,
236 struct GP_LINK *gp_link_struct)
238 ADS_STATUS status;
239 const char *attrs[] = {"gPLink", "gPOptions", NULL};
240 LDAPMessage *res = NULL;
241 const char *gp_link;
242 uint32 gp_options;
244 ZERO_STRUCTP(gp_link_struct);
246 status = ads_search_dn(ads, &res, link_dn, attrs);
247 if (!ADS_ERR_OK(status)) {
248 DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status)));
249 return status;
252 if (ads_count_replies(ads, res) != 1) {
253 DEBUG(10,("ads_get_gpo_link: no result\n"));
254 ads_msgfree(ads, res);
255 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
258 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
259 if (gp_link == NULL) {
260 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
261 ads_msgfree(ads, res);
262 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
265 /* perfectly leggal to have no options */
266 if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
267 DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n"));
268 gp_options = 0;
271 ads_msgfree(ads, res);
273 return ads_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
276 /****************************************************************
277 helper call to add a gp link
278 ****************************************************************/
280 ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
281 TALLOC_CTX *mem_ctx,
282 const char *link_dn,
283 const char *gpo_dn,
284 uint32 gpo_opt)
286 ADS_STATUS status;
287 const char *attrs[] = {"gPLink", NULL};
288 LDAPMessage *res = NULL;
289 const char *gp_link, *gp_link_new;
290 ADS_MODLIST mods;
292 /* although ADS allows to set anything here, we better check here if
293 * the gpo_dn is sane */
295 if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
296 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
299 status = ads_search_dn(ads, &res, link_dn, attrs);
300 if (!ADS_ERR_OK(status)) {
301 DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status)));
302 return status;
305 if (ads_count_replies(ads, res) != 1) {
306 DEBUG(10,("ads_add_gpo_link: no result\n"));
307 ads_msgfree(ads, res);
308 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
311 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
312 if (gp_link == NULL) {
313 gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt);
314 } else {
315 gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt);
318 ads_msgfree(ads, res);
319 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
321 mods = ads_init_mods(mem_ctx);
322 ADS_ERROR_HAVE_NO_MEMORY(mods);
324 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
325 if (!ADS_ERR_OK(status)) {
326 return status;
329 return ads_gen_mod(ads, link_dn, mods);
332 /****************************************************************
333 helper call to delete add a gp link
334 ****************************************************************/
336 /* untested & broken */
337 ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
338 TALLOC_CTX *mem_ctx,
339 const char *link_dn,
340 const char *gpo_dn)
342 ADS_STATUS status;
343 const char *attrs[] = {"gPLink", NULL};
344 LDAPMessage *res = NULL;
345 const char *gp_link, *gp_link_new = NULL;
346 ADS_MODLIST mods;
348 /* check for a sane gpo_dn */
349 if (gpo_dn[0] != '[') {
350 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
351 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
354 if (gpo_dn[strlen(gpo_dn)] != ']') {
355 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
356 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
359 status = ads_search_dn(ads, &res, link_dn, attrs);
360 if (!ADS_ERR_OK(status)) {
361 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status)));
362 return status;
365 if (ads_count_replies(ads, res) != 1) {
366 DEBUG(10,("ads_delete_gpo_link: no result\n"));
367 ads_msgfree(ads, res);
368 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
371 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
372 if (gp_link == NULL) {
373 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
376 /* find link to delete */
377 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */
379 ads_msgfree(ads, res);
380 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
382 mods = ads_init_mods(mem_ctx);
383 ADS_ERROR_HAVE_NO_MEMORY(mods);
385 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
386 if (!ADS_ERR_OK(status)) {
387 return status;
390 return ads_gen_mod(ads, link_dn, mods);
393 /****************************************************************
394 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
395 ****************************************************************/
397 ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
398 TALLOC_CTX *mem_ctx,
399 LDAPMessage *res,
400 const char *gpo_dn,
401 struct GROUP_POLICY_OBJECT *gpo)
403 ZERO_STRUCTP(gpo);
405 ADS_ERROR_HAVE_NO_MEMORY(res);
407 if (gpo_dn) {
408 gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
409 } else {
410 gpo->ds_path = ads_get_dn(ads, res);
413 ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
415 if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
416 return ADS_ERROR(LDAP_NO_MEMORY);
419 /* sure ??? */
420 if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
421 return ADS_ERROR(LDAP_NO_MEMORY);
424 gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath");
425 ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
427 gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName");
428 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
430 gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
431 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
433 /* ???, this is optional to have and what does it depend on, the 'flags' ?) */
434 gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
435 gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
437 ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", &gpo->security_descriptor);
438 ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
440 return ADS_ERROR(LDAP_SUCCESS);
443 /****************************************************************
444 get a GROUP_POLICY_OBJECT structure based on different input paramters
445 ****************************************************************/
447 ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
448 TALLOC_CTX *mem_ctx,
449 const char *gpo_dn,
450 const char *display_name,
451 const char *guid_name,
452 struct GROUP_POLICY_OBJECT *gpo)
454 ADS_STATUS status;
455 LDAPMessage *res = NULL;
456 char *dn;
457 const char *filter;
458 const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath",
459 "gPCFunctionalityVersion", "gPCMachineExtensionNames",
460 "gPCUserExtensionNames", "gPCWQLFilter", "name",
461 "versionNumber", "ntSecurityDescriptor", NULL};
462 uint32 sd_flags = DACL_SECURITY_INFORMATION;
464 ZERO_STRUCTP(gpo);
466 if (!gpo_dn && !display_name && !guid_name) {
467 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
470 if (gpo_dn) {
472 if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
473 gpo_dn = gpo_dn + strlen("LDAP://");
476 status = ads_search_retry_dn_sd_flags(ads, &res,
477 sd_flags,
478 gpo_dn, attrs);
480 } else if (display_name || guid_name) {
482 filter = talloc_asprintf(mem_ctx,
483 "(&(objectclass=groupPolicyContainer)(%s=%s))",
484 display_name ? "displayName" : "name",
485 display_name ? display_name : guid_name);
486 ADS_ERROR_HAVE_NO_MEMORY(filter);
488 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
489 LDAP_SCOPE_SUBTREE, filter,
490 attrs, sd_flags, &res);
493 if (!ADS_ERR_OK(status)) {
494 DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status)));
495 return status;
498 if (ads_count_replies(ads, res) != 1) {
499 DEBUG(10,("ads_get_gpo: no result\n"));
500 ads_msgfree(ads, res);
501 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
504 dn = ads_get_dn(ads, res);
505 if (dn == NULL) {
506 ads_msgfree(ads, res);
507 return ADS_ERROR(LDAP_NO_MEMORY);
510 status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
511 ads_msgfree(ads, res);
512 ads_memfree(ads, dn);
514 return status;
517 /****************************************************************
518 add a gplink to the GROUP_POLICY_OBJECT linked list
519 ****************************************************************/
521 ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
522 TALLOC_CTX *mem_ctx,
523 struct GROUP_POLICY_OBJECT **gpo_list,
524 const char *link_dn,
525 struct GP_LINK *gp_link,
526 enum GPO_LINK_TYPE link_type,
527 BOOL only_add_forced_gpos,
528 struct GPO_SID_TOKEN *token)
530 ADS_STATUS status;
531 int i;
533 for (i = 0; i < gp_link->num_links; i++) {
535 struct GROUP_POLICY_OBJECT *new_gpo = NULL;
537 if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
538 DEBUG(10,("skipping disabled GPO\n"));
539 continue;
542 if (only_add_forced_gpos) {
544 if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
545 DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
546 continue;
547 } else {
548 DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
552 new_gpo = TALLOC_P(mem_ctx, struct GROUP_POLICY_OBJECT);
553 ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
555 ZERO_STRUCTP(new_gpo);
557 status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo);
558 if (!ADS_ERR_OK(status)) {
559 return status;
562 new_gpo->link = link_dn;
563 new_gpo->link_type = link_type;
565 DLIST_ADD(*gpo_list, new_gpo);
567 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n",
568 i, gp_link->link_names[i]));
571 return ADS_ERROR(LDAP_SUCCESS);
574 /****************************************************************
575 ****************************************************************/
577 ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
578 TALLOC_CTX *mem_ctx,
579 const char *dn,
580 struct GPO_SID_TOKEN **token)
582 ADS_STATUS status;
583 DOM_SID object_sid;
584 DOM_SID primary_group_sid;
585 DOM_SID *ad_token_sids;
586 size_t num_ad_token_sids = 0;
587 DOM_SID *token_sids;
588 size_t num_token_sids = 0;
589 struct GPO_SID_TOKEN *new_token = NULL;
590 int i;
592 new_token = TALLOC_ZERO_P(mem_ctx, struct GPO_SID_TOKEN);
593 ADS_ERROR_HAVE_NO_MEMORY(new_token);
595 status = ads_get_tokensids(ads, mem_ctx, dn,
596 &object_sid, &primary_group_sid,
597 &ad_token_sids, &num_ad_token_sids);
598 if (!ADS_ERR_OK(status)) {
599 return status;
602 new_token->object_sid = object_sid;
603 new_token->primary_group_sid = primary_group_sid;
605 token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
606 ADS_ERROR_HAVE_NO_MEMORY(token_sids);
608 for (i = 0; i < num_ad_token_sids; i++) {
610 if (sid_check_is_in_builtin(&ad_token_sids[i])) {
611 continue;
614 if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i],
615 &token_sids, &num_token_sids)) {
616 return ADS_ERROR(LDAP_NO_MEMORY);
620 /* Add S-1-5-11 to token */
621 if (!add_sid_to_array_unique(mem_ctx, &global_sid_Authenticated_Users,
622 &token_sids, &num_token_sids)) {
623 return ADS_ERROR(LDAP_NO_MEMORY);
627 new_token->token_sids = token_sids;
628 new_token->num_token_sids = num_token_sids;
630 *token = new_token;
632 return ADS_ERROR_LDAP(LDAP_SUCCESS);
636 /****************************************************************
637 get the full list of GROUP_POLICY_OBJECTs for a given dn
638 ****************************************************************/
640 ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
641 TALLOC_CTX *mem_ctx,
642 const char *dn,
643 uint32 flags,
644 struct GROUP_POLICY_OBJECT **gpo_list)
646 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
648 ADS_STATUS status;
649 struct GP_LINK gp_link;
650 struct GPO_SID_TOKEN *token = NULL;
651 const char *parent_dn, *site_dn, *tmp_dn;
652 BOOL add_only_forced_gpos = False;
654 ZERO_STRUCTP(gpo_list);
656 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
658 status = ads_get_gpo_sid_token(ads, mem_ctx, dn, &token);
659 if (!ADS_ERR_OK(status)) {
660 return status;
663 /* (L)ocal */
664 /* not yet... */
666 /* (S)ite */
668 /* are site GPOs valid for users as well ??? */
669 if (flags & GPO_LIST_FLAG_MACHINE) {
671 status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn);
672 if (!ADS_ERR_OK(status)) {
673 return status;
676 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn));
678 status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
679 if (ADS_ERR_OK(status)) {
681 if (DEBUGLEVEL >= 100) {
682 dump_gplink(ads, mem_ctx, &gp_link);
685 status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
686 site_dn, &gp_link, GP_LINK_SITE,
687 add_only_forced_gpos,
688 token);
689 if (!ADS_ERR_OK(status)) {
690 return status;
693 if (flags & GPO_LIST_FLAG_SITEONLY) {
694 return ADS_ERROR(LDAP_SUCCESS);
697 /* inheritance can't be blocked at the site level */
701 tmp_dn = dn;
703 while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
704 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
706 /* (D)omain */
708 /* An account can just be a member of one domain */
709 if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
711 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn));
713 status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
714 if (ADS_ERR_OK(status)) {
716 if (DEBUGLEVEL >= 100) {
717 dump_gplink(ads, mem_ctx, &gp_link);
720 /* block inheritance from now on */
721 if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
722 add_only_forced_gpos = True;
725 status = add_gplink_to_gpo_list(ads, mem_ctx,
726 gpo_list, parent_dn,
727 &gp_link, GP_LINK_DOMAIN,
728 add_only_forced_gpos,
729 token);
730 if (!ADS_ERR_OK(status)) {
731 return status;
736 tmp_dn = parent_dn;
739 /* reset dn again */
740 tmp_dn = dn;
742 while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
743 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
746 /* (O)rganizational(U)nit */
748 /* An account can be a member of more OUs */
749 if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
751 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn));
753 status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
754 if (ADS_ERR_OK(status)) {
756 if (DEBUGLEVEL >= 100) {
757 dump_gplink(ads, mem_ctx, &gp_link);
760 /* block inheritance from now on */
761 if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
762 add_only_forced_gpos = True;
765 status = add_gplink_to_gpo_list(ads, mem_ctx,
766 gpo_list, parent_dn,
767 &gp_link, GP_LINK_OU,
768 add_only_forced_gpos,
769 token);
770 if (!ADS_ERR_OK(status)) {
771 return status;
776 tmp_dn = parent_dn;
780 return ADS_ERROR(LDAP_SUCCESS);
783 #endif /* HAVE_LDAP */