search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
add privileges support to ldapsam too
[Samba/bb.git] / source / passdb / pdb_ldap.c
blobda5bfbecbbabc4e57dd88f55f968e7ebcc6b8d24
1 /*
2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23
24 */
25
26 /* TODO:
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
29 *
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 *
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
35 *
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 */
39
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
43 * and/or winbind
44 */
45
46 #include "includes.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_PASSDB
50
51 #include <lber.h>
52 #include <ldap.h>
53
54 /*
55 * Work around versions of the LDAP client libs that don't have the OIDs
56 * defined, or have them defined under the old name.
57 * This functionality is really a factor of the server, not the client
58 *
59 */
60
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
65 #endif
66
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
71 #endif
72
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
77 #endif
78
79
80 #ifndef SAM_ACCOUNT
81 #define SAM_ACCOUNT struct sam_passwd
82 #endif
83
84 #include "smbldap.h"
85
86 struct ldapsam_privates {
87 struct smbldap_state *smbldap_state;
88
89 /* Former statics */
90 LDAPMessage *result;
91 LDAPMessage *entry;
92 int index;
93
94 const char *domain_name;
95 DOM_SID domain_sid;
96
97 /* configuration items */
98 int schema_ver;
99 };
100
101 /**********************************************************************
102 Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
103 **********************************************************************/
104
105 static void private_data_free_fn(void **result)
106 {
107 ldap_msgfree(*result);
108 *result = NULL;
109 }
110
111 /**********************************************************************
112 Get the attribute name given a user schame version.
113 **********************************************************************/
114
115 static const char* get_userattr_key2string( int schema_ver, int key )
116 {
117 switch ( schema_ver ) {
118 case SCHEMAVER_SAMBAACCOUNT:
119 return get_attr_key2string( attrib_map_v22, key );
120
121 case SCHEMAVER_SAMBASAMACCOUNT:
122 return get_attr_key2string( attrib_map_v30, key );
123
124 default:
125 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
126 break;
127 }
128 return NULL;
129 }
130
131 /**********************************************************************
132 Return the list of attribute names given a user schema version.
133 **********************************************************************/
134
135 static char** get_userattr_list( int schema_ver )
136 {
137 switch ( schema_ver ) {
138 case SCHEMAVER_SAMBAACCOUNT:
139 return get_attr_list( attrib_map_v22 );
140
141 case SCHEMAVER_SAMBASAMACCOUNT:
142 return get_attr_list( attrib_map_v30 );
143 default:
144 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
145 break;
146 }
147
148 return NULL;
149 }
150
151 /*******************************************************************
152 Generate the LDAP search filter for the objectclass based on the
153 version of the schema we are using.
154 ******************************************************************/
155
156 static const char* get_objclass_filter( int schema_ver )
157 {
158 static fstring objclass_filter;
159
160 switch( schema_ver ) {
161 case SCHEMAVER_SAMBAACCOUNT:
162 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
163 break;
164 case SCHEMAVER_SAMBASAMACCOUNT:
165 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
166 break;
167 default:
168 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
169 break;
170 }
171
172 return objclass_filter;
173 }
174
175 /*******************************************************************
176 Run the search by name.
177 ******************************************************************/
178
179 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state,
180 const char *user,
181 LDAPMessage ** result, char **attr)
182 {
183 pstring filter;
184 char *escape_user = escape_ldap_string_alloc(user);
185
186 if (!escape_user) {
187 return LDAP_NO_MEMORY;
188 }
189
190 /*
191 * in the filter expression, replace %u with the real name
192 * so in ldap filter, %u MUST exist :-)
193 */
194 pstr_sprintf(filter, "(&%s%s)", lp_ldap_filter(),
195 get_objclass_filter(ldap_state->schema_ver));
196
197 /*
198 * have to use this here because $ is filtered out
199 * in pstring_sub
200 */
201
202
203 all_string_sub(filter, "%u", escape_user, sizeof(pstring));
204 SAFE_FREE(escape_user);
205
206 return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
207 }
208
209 /*******************************************************************
210 Run the search by rid.
211 ******************************************************************/
212
213 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
214 uint32 rid, LDAPMessage ** result,
215 char **attr)
216 {
217 pstring filter;
218 int rc;
219
220 pstr_sprintf(filter, "(&(rid=%i)%s)", rid,
221 get_objclass_filter(ldap_state->schema_ver));
222
223 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
224
225 return rc;
226 }
227
228 /*******************************************************************
229 Run the search by SID.
230 ******************************************************************/
231
232 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
233 const DOM_SID *sid, LDAPMessage ** result,
234 char **attr)
235 {
236 pstring filter;
237 int rc;
238 fstring sid_string;
239
240 pstr_sprintf(filter, "(&(%s=%s)%s)",
241 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
242 sid_to_string(sid_string, sid),
243 get_objclass_filter(ldap_state->schema_ver));
244
245 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
246
247 return rc;
248 }
249
250 /*******************************************************************
251 Delete complete object or objectclass and attrs from
252 object found in search_result depending on lp_ldap_delete_dn
253 ******************************************************************/
254
255 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
256 LDAPMessage *result,
257 const char *objectclass,
258 char **attrs)
259 {
260 int rc;
261 LDAPMessage *entry = NULL;
262 LDAPMod **mods = NULL;
263 char *name, *dn;
264 BerElement *ptr = NULL;
265
266 rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
267
268 if (rc != 1) {
269 DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
270 return NT_STATUS_UNSUCCESSFUL;
271 }
272
273 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
274 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
275 if (!dn) {
276 return NT_STATUS_UNSUCCESSFUL;
277 }
278
279 if (lp_ldap_delete_dn()) {
280 NTSTATUS ret = NT_STATUS_OK;
281 rc = smbldap_delete(ldap_state->smbldap_state, dn);
282
283 if (rc != LDAP_SUCCESS) {
284 DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn));
285 ret = NT_STATUS_UNSUCCESSFUL;
286 }
287 SAFE_FREE(dn);
288 return ret;
289 }
290
291 /* Ok, delete only the SAM attributes */
292
293 for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
294 name != NULL;
295 name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr)) {
296 char **attrib;
297
298 /* We are only allowed to delete the attributes that
299 really exist. */
300
301 for (attrib = attrs; *attrib != NULL; attrib++) {
302 if (StrCaseCmp(*attrib, name) == 0) {
303 DEBUG(10, ("ldapsam_delete_entry: deleting attribute %s\n", name));
304 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL);
305 }
306 }
307
308 ldap_memfree(name);
309 }
310
311 if (ptr != NULL) {
312 ber_free(ptr, 0);
313 }
314
315 smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
316
317 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
318 ldap_mods_free(mods, True);
319
320 if (rc != LDAP_SUCCESS) {
321 char *ld_error = NULL;
322 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
323 &ld_error);
324
325 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
326 dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
327 SAFE_FREE(ld_error);
328 SAFE_FREE(dn);
329 return NT_STATUS_UNSUCCESSFUL;
330 }
331
332 SAFE_FREE(dn);
333 return NT_STATUS_OK;
334 }
335
336 /* New Interface is being implemented here */
337
338 #if 0 /* JERRY - not uesed anymore */
339
340 /**********************************************************************
341 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
342 *********************************************************************/
343 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
344 SAM_ACCOUNT * sampass,
345 LDAPMessage * entry,
346 gid_t *gid)
347 {
348 pstring homedir;
349 pstring temp;
350 char **ldap_values;
351 char **values;
352
353 if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
354 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
355 return False;
356 }
357
358 for (values=ldap_values;*values;values++) {
359 if (strequal(*values, LDAP_OBJ_POSIXACCOUNT )) {
360 break;
361 }
362 }
363
364 if (!*values) { /*end of array, no posixAccount */
365 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
366 ldap_value_free(ldap_values);
367 return False;
368 }
369 ldap_value_free(ldap_values);
370
371 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
372 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) )
373 {
374 return False;
375 }
376
377 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
378 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
379 {
380 return False;
381 }
382
383 *gid = (gid_t)atol(temp);
384
385 pdb_set_unix_homedir(sampass, homedir, PDB_SET);
386
387 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
388
389 return True;
390 }
391
392 #endif
393
394 static time_t ldapsam_get_entry_timestamp(
395 struct ldapsam_privates *ldap_state,
396 LDAPMessage * entry)
397 {
398 pstring temp;
399 struct tm tm;
400
401 if (!smbldap_get_single_pstring(
402 ldap_state->smbldap_state->ldap_struct, entry,
403 get_userattr_key2string(ldap_state->schema_ver,
404 LDAP_ATTR_MOD_TIMESTAMP),
405 temp))
406 return (time_t) 0;
407
408 strptime(temp, "%Y%m%d%H%M%SZ", &tm);
409 tzset();
410 return (mktime(&tm) - timezone);
411 }
412
413 /**********************************************************************
414 Initialize SAM_ACCOUNT from an LDAP query.
415 (Based on init_sam_from_buffer in pdb_tdb.c)
416 *********************************************************************/
417
418 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
419 SAM_ACCOUNT * sampass,
420 LDAPMessage * entry)
421 {
422 time_t logon_time,
423 logoff_time,
424 kickoff_time,
425 pass_last_set_time,
426 pass_can_change_time,
427 pass_must_change_time,
428 ldap_entry_time,
429 bad_password_time;
430 pstring username,
431 domain,
432 nt_username,
433 fullname,
434 homedir,
435 dir_drive,
436 logon_script,
437 profile_path,
438 acct_desc,
439 workstations;
440 char munged_dial[2048];
441 uint32 user_rid;
442 uint8 smblmpwd[LM_HASH_LEN],
443 smbntpwd[NT_HASH_LEN];
444 uint16 acct_ctrl = 0,
445 logon_divs;
446 uint16 bad_password_count = 0,
447 logon_count = 0;
448 uint32 hours_len;
449 uint8 hours[MAX_HOURS_LEN];
450 pstring temp;
451 LOGIN_CACHE *cache_entry = NULL;
452
453 /*
454 * do a little initialization
455 */
456 username[0] = '\0';
457 domain[0] = '\0';
458 nt_username[0] = '\0';
459 fullname[0] = '\0';
460 homedir[0] = '\0';
461 dir_drive[0] = '\0';
462 logon_script[0] = '\0';
463 profile_path[0] = '\0';
464 acct_desc[0] = '\0';
465 munged_dial[0] = '\0';
466 workstations[0] = '\0';
467
468
469 if (sampass == NULL || ldap_state == NULL || entry == NULL) {
470 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
471 return False;
472 }
473
474 if (ldap_state->smbldap_state->ldap_struct == NULL) {
475 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
476 return False;
477 }
478
479 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
480 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
481 return False;
482 }
483
484 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
485
486 pstrcpy(nt_username, username);
487
488 pstrcpy(domain, ldap_state->domain_name);
489
490 pdb_set_username(sampass, username, PDB_SET);
491
492 pdb_set_domain(sampass, domain, PDB_DEFAULT);
493 pdb_set_nt_username(sampass, nt_username, PDB_SET);
494
495 /* deal with different attributes between the schema first */
496
497 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
498 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
499 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
500 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
501 }
502
503 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
504 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) {
505 pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
506 } else {
507 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
508 }
509 } else {
510 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
511 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
512 user_rid = (uint32)atol(temp);
513 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
514 }
515
516 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
517 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) {
518 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
519 } else {
520 uint32 group_rid;
521
522 group_rid = (uint32)atol(temp);
523
524 /* for some reason, we often have 0 as a primary group RID.
525 Make sure that we treat this just as a 'default' value */
526
527 if ( group_rid > 0 )
528 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
529 else
530 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
531 }
532 }
533
534 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
535 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
536 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
537 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
538 username));
539 return False;
540 }
541
542
543 #if 0 /* JERRY -- not used anymore */
544 /*
545 * If so configured, try and get the values from LDAP
546 */
547
548 if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid)))
549 {
550 if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT)
551 {
552 GROUP_MAP map;
553 /* call the mapping code here */
554 if(pdb_getgrgid(&map, gid)) {
555 pdb_set_group_sid(sampass, &map.sid, PDB_SET);
556 }
557 else {
558 pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
559 }
560 }
561 }
562 #endif
563
564 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
565 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
566 /* leave as default */
567 } else {
568 pass_last_set_time = (time_t) atol(temp);
569 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
570 }
571
572 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
573 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
574 /* leave as default */
575 } else {
576 logon_time = (time_t) atol(temp);
577 pdb_set_logon_time(sampass, logon_time, PDB_SET);
578 }
579
580 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
581 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
582 /* leave as default */
583 } else {
584 logoff_time = (time_t) atol(temp);
585 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
586 }
587
588 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
589 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
590 /* leave as default */
591 } else {
592 kickoff_time = (time_t) atol(temp);
593 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
594 }
595
596 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
597 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
598 /* leave as default */
599 } else {
600 pass_can_change_time = (time_t) atol(temp);
601 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
602 }
603
604 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
605 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {
606 /* leave as default */
607 } else {
608 pass_must_change_time = (time_t) atol(temp);
609 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
610 }
611
612 /* recommend that 'gecos' and 'displayName' should refer to the same
613 * attribute OID. userFullName depreciated, only used by Samba
614 * primary rules of LDAP: don't make a new attribute when one is already defined
615 * that fits your needs; using cn then displayName rather than 'userFullName'
616 */
617
618 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
619 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
620 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
621 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
622 /* leave as default */
623 } else {
624 pdb_set_fullname(sampass, fullname, PDB_SET);
625 }
626 } else {
627 pdb_set_fullname(sampass, fullname, PDB_SET);
628 }
629
630 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
631 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
632 {
633 pdb_set_dir_drive( sampass,
634 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
635 PDB_DEFAULT );
636 } else {
637 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
638 }
639
640 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
641 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
642 {
643 pdb_set_homedir( sampass,
644 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
645 PDB_DEFAULT );
646 } else {
647 pdb_set_homedir(sampass, homedir, PDB_SET);
648 }
649
650 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
651 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
652 {
653 pdb_set_logon_script( sampass,
654 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
655 PDB_DEFAULT );
656 } else {
657 pdb_set_logon_script(sampass, logon_script, PDB_SET);
658 }
659
660 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
661 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
662 {
663 pdb_set_profile_path( sampass,
664 talloc_sub_basic( sampass->mem_ctx, username, lp_logon_path()),
665 PDB_DEFAULT );
666 } else {
667 pdb_set_profile_path(sampass, profile_path, PDB_SET);
668 }
669
670 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
671 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
672 {
673 /* leave as default */
674 } else {
675 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
676 }
677
678 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
679 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
680 /* leave as default */;
681 } else {
682 pdb_set_workstations(sampass, workstations, PDB_SET);
683 }
684
685 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
686 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
687 /* leave as default */;
688 } else {
689 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
690 }
691
692 /* FIXME: hours stuff should be cleaner */
693
694 logon_divs = 168;
695 hours_len = 21;
696 memset(hours, 0xff, hours_len);
697
698 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
699 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
700 /* leave as default */
701 } else {
702 pdb_gethexpwd(temp, smblmpwd);
703 memset((char *)temp, '\0', strlen(temp)+1);
704 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
705 return False;
706 ZERO_STRUCT(smblmpwd);
707 }
708
709 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
710 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
711 /* leave as default */
712 } else {
713 pdb_gethexpwd(temp, smbntpwd);
714 memset((char *)temp, '\0', strlen(temp)+1);
715 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
716 return False;
717 ZERO_STRUCT(smbntpwd);
718 }
719
720 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
721 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
722 acct_ctrl |= ACB_NORMAL;
723 } else {
724 acct_ctrl = pdb_decode_acct_ctrl(temp);
725
726 if (acct_ctrl == 0)
727 acct_ctrl |= ACB_NORMAL;
728
729 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
730 }
731
732 pdb_set_hours_len(sampass, hours_len, PDB_SET);
733 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
734
735 /* pdb_set_munged_dial(sampass, munged_dial, PDB_SET); */
736
737 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
738 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
739 /* leave as default */
740 } else {
741 bad_password_count = (uint32) atol(temp);
742 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
743 }
744
745 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
746 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
747 /* leave as default */
748 } else {
749 bad_password_time = (time_t) atol(temp);
750 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
751 }
752
753
754 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
755 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
756 /* leave as default */
757 } else {
758 logon_count = (uint32) atol(temp);
759 pdb_set_logon_count(sampass, logon_count, PDB_SET);
760 }
761
762 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
763
764 pdb_set_hours(sampass, hours, PDB_SET);
765
766 /* check the timestamp of the cache vs ldap entry */
767 if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
768 entry)))
769 return True;
770
771 /* see if we have newer updates */
772 if (!(cache_entry = login_cache_read(sampass))) {
773 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
774 (unsigned int)pdb_get_bad_password_count(sampass),
775 (unsigned int)pdb_get_bad_password_time(sampass)));
776 return True;
777 }
778
779 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
780 (unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp,
781 (unsigned int)cache_entry->bad_password_time));
782
783 if (ldap_entry_time > cache_entry->entry_timestamp) {
784 /* cache is older than directory , so
785 we need to delete the entry but allow the
786 fields to be written out */
787 login_cache_delentry(sampass);
788 } else {
789 /* read cache in */
790 pdb_set_acct_ctrl(sampass,
791 pdb_get_acct_ctrl(sampass) |
792 (cache_entry->acct_ctrl & ACB_AUTOLOCK),
793 PDB_SET);
794 pdb_set_bad_password_count(sampass,
795 cache_entry->bad_password_count,
796 PDB_SET);
797 pdb_set_bad_password_time(sampass,
798 cache_entry->bad_password_time,
799 PDB_SET);
800 }
801
802 SAFE_FREE(cache_entry);
803 return True;
804 }
805
806 /**********************************************************************
807 Initialize SAM_ACCOUNT from an LDAP query.
808 (Based on init_buffer_from_sam in pdb_tdb.c)
809 *********************************************************************/
810
811 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
812 LDAPMessage *existing,
813 LDAPMod *** mods, SAM_ACCOUNT * sampass,
814 BOOL (*need_update)(const SAM_ACCOUNT *,
815 enum pdb_elements))
816 {
817 pstring temp;
818 uint32 rid;
819
820 if (mods == NULL || sampass == NULL) {
821 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
822 return False;
823 }
824
825 *mods = NULL;
826
827 /*
828 * took out adding "objectclass: sambaAccount"
829 * do this on a per-mod basis
830 */
831 if (need_update(sampass, PDB_USERNAME))
832 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
833 "uid", pdb_get_username(sampass));
834
835 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
836
837 /* only update the RID if we actually need to */
838 if (need_update(sampass, PDB_USERSID)) {
839 fstring sid_string;
840 fstring dom_sid_string;
841 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
842
843 switch ( ldap_state->schema_ver ) {
844 case SCHEMAVER_SAMBAACCOUNT:
845 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
846 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
847 sid_to_string(sid_string, user_sid),
848 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
849 return False;
850 }
851 slprintf(temp, sizeof(temp) - 1, "%i", rid);
852 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
853 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
854 temp);
855 break;
856
857 case SCHEMAVER_SAMBASAMACCOUNT:
858 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
859 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
860 sid_to_string(sid_string, user_sid));
861 break;
862
863 default:
864 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
865 break;
866 }
867 }
868
869 /* we don't need to store the primary group RID - so leaving it
870 'free' to hang off the unix primary group makes life easier */
871
872 if (need_update(sampass, PDB_GROUPSID)) {
873 fstring sid_string;
874 fstring dom_sid_string;
875 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
876
877 switch ( ldap_state->schema_ver ) {
878 case SCHEMAVER_SAMBAACCOUNT:
879 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
880 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
881 sid_to_string(sid_string, group_sid),
882 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
883 return False;
884 }
885
886 slprintf(temp, sizeof(temp) - 1, "%i", rid);
887 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
888 get_userattr_key2string(ldap_state->schema_ver,
889 LDAP_ATTR_PRIMARY_GROUP_RID), temp);
890 break;
891
892 case SCHEMAVER_SAMBASAMACCOUNT:
893 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
894 get_userattr_key2string(ldap_state->schema_ver,
895 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
896 break;
897
898 default:
899 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
900 break;
901 }
902
903 }
904
905 /* displayName, cn, and gecos should all be the same
906 * most easily accomplished by giving them the same OID
907 * gecos isn't set here b/c it should be handled by the
908 * add-user script
909 * We change displayName only and fall back to cn if
910 * it does not exist.
911 */
912
913 if (need_update(sampass, PDB_FULLNAME))
914 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
915 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
916 pdb_get_fullname(sampass));
917
918 if (need_update(sampass, PDB_ACCTDESC))
919 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
920 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
921 pdb_get_acct_desc(sampass));
922
923 if (need_update(sampass, PDB_WORKSTATIONS))
924 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
925 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
926 pdb_get_workstations(sampass));
927
928 if (need_update(sampass, PDB_MUNGEDDIAL))
929 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
930 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
931 pdb_get_munged_dial(sampass));
932
933 if (need_update(sampass, PDB_SMBHOME))
934 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
935 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
936 pdb_get_homedir(sampass));
937
938 if (need_update(sampass, PDB_DRIVE))
939 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
940 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
941 pdb_get_dir_drive(sampass));
942
943 if (need_update(sampass, PDB_LOGONSCRIPT))
944 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
945 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
946 pdb_get_logon_script(sampass));
947
948 if (need_update(sampass, PDB_PROFILE))
949 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
950 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
951 pdb_get_profile_path(sampass));
952
953 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
954 if (need_update(sampass, PDB_LOGONTIME))
955 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
956 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
957
958 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
959 if (need_update(sampass, PDB_LOGOFFTIME))
960 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
961 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
962
963 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
964 if (need_update(sampass, PDB_KICKOFFTIME))
965 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
966 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
967
968 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
969 if (need_update(sampass, PDB_CANCHANGETIME))
970 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
971 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
972
973 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
974 if (need_update(sampass, PDB_MUSTCHANGETIME))
975 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
976 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
977
978
979 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
980 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
981
982 if (need_update(sampass, PDB_LMPASSWD)) {
983 const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
984 if (lm_pw) {
985 pdb_sethexpwd(temp, lm_pw,
986 pdb_get_acct_ctrl(sampass));
987 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
988 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
989 temp);
990 } else {
991 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
992 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
993 NULL);
994 }
995 }
996 if (need_update(sampass, PDB_NTPASSWD)) {
997 const uchar *nt_pw = pdb_get_nt_passwd(sampass);
998 if (nt_pw) {
999 pdb_sethexpwd(temp, nt_pw,
1000 pdb_get_acct_ctrl(sampass));
1001 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1002 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1003 temp);
1004 } else {
1005 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1006 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1007 NULL);
1008 }
1009 }
1010
1011 if (need_update(sampass, PDB_PASSLASTSET)) {
1012 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
1013 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1014 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
1015 temp);
1016 }
1017 }
1018
1019 /* FIXME: Hours stuff goes in LDAP */
1020
1021 if (need_update(sampass, PDB_ACCTCTRL))
1022 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1023 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1024 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1025
1026 /* password lockout cache:
1027 - If we are now autolocking or clearing, we write to ldap
1028 - If we are clearing, we delete the cache entry
1029 - If the count is > 0, we update the cache
1030
1031 This even means when autolocking, we cache, just in case the
1032 update doesn't work, and we have to cache the autolock flag */
1033
1034 if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
1035 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1036 uint16 badcount = pdb_get_bad_password_count(sampass);
1037 time_t badtime = pdb_get_bad_password_time(sampass);
1038 uint32 pol;
1039 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1040
1041 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1042 (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1043
1044 if ((badcount >= pol) || (badcount == 0)) {
1045 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1046 (unsigned int)badcount, (unsigned int)badtime));
1047 slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
1048 smbldap_make_mod(
1049 ldap_state->smbldap_state->ldap_struct,
1050 existing, mods,
1051 get_userattr_key2string(
1052 ldap_state->schema_ver,
1053 LDAP_ATTR_BAD_PASSWORD_COUNT),
1054 temp);
1055
1056 slprintf (temp, sizeof (temp) - 1, "%li", badtime);
1057 smbldap_make_mod(
1058 ldap_state->smbldap_state->ldap_struct,
1059 existing, mods,
1060 get_userattr_key2string(
1061 ldap_state->schema_ver,
1062 LDAP_ATTR_BAD_PASSWORD_TIME),
1063 temp);
1064 }
1065 if (badcount == 0) {
1066 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1067 login_cache_delentry(sampass);
1068 } else {
1069 LOGIN_CACHE cache_entry ={time(NULL),
1070 pdb_get_acct_ctrl(sampass),
1071 badcount, badtime};
1072 DEBUG(7, ("Updating bad password count and time in login cache\n"));
1073 login_cache_write(sampass, cache_entry);
1074 }
1075 }
1076
1077 return True;
1078 }
1079
1080 /**********************************************************************
1081 Connect to LDAP server for password enumeration.
1082 *********************************************************************/
1083
1084 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
1085 {
1086 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1087 int rc;
1088 pstring filter;
1089 char **attr_list;
1090
1091 pstr_sprintf( filter, "(&%s%s)", lp_ldap_filter(),
1092 get_objclass_filter(ldap_state->schema_ver));
1093 all_string_sub(filter, "%u", "*", sizeof(pstring));
1094
1095 attr_list = get_userattr_list(ldap_state->schema_ver);
1096 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
1097 attr_list, &ldap_state->result);
1098 free_attr_list( attr_list );
1099
1100 if (rc != LDAP_SUCCESS) {
1101 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
1102 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", lp_ldap_suffix(), filter));
1103 ldap_msgfree(ldap_state->result);
1104 ldap_state->result = NULL;
1105 return NT_STATUS_UNSUCCESSFUL;
1106 }
1107
1108 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1109 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
1110 ldap_state->result)));
1111
1112 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
1113 ldap_state->result);
1114 ldap_state->index = 0;
1115
1116 return NT_STATUS_OK;
1117 }
1118
1119 /**********************************************************************
1120 End enumeration of the LDAP password list.
1121 *********************************************************************/
1122
1123 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1124 {
1125 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1126 if (ldap_state->result) {
1127 ldap_msgfree(ldap_state->result);
1128 ldap_state->result = NULL;
1129 }
1130 }
1131
1132 /**********************************************************************
1133 Get the next entry in the LDAP password database.
1134 *********************************************************************/
1135
1136 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
1137 {
1138 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1139 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1140 BOOL bret = False;
1141
1142 while (!bret) {
1143 if (!ldap_state->entry)
1144 return ret;
1145
1146 ldap_state->index++;
1147 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
1148
1149 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
1150 ldap_state->entry);
1151 }
1152
1153 return NT_STATUS_OK;
1154 }
1155
1156 /**********************************************************************
1157 Get SAM_ACCOUNT entry from LDAP by username.
1158 *********************************************************************/
1159
1160 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
1161 {
1162 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1163 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1164 LDAPMessage *result = NULL;
1165 LDAPMessage *entry = NULL;
1166 int count;
1167 char ** attr_list;
1168 int rc;
1169
1170 attr_list = get_userattr_list( ldap_state->schema_ver );
1171 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1172 free_attr_list( attr_list );
1173
1174 if ( rc != LDAP_SUCCESS )
1175 return NT_STATUS_NO_SUCH_USER;
1176
1177 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1178
1179 if (count < 1) {
1180 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1181 ldap_msgfree(result);
1182 return NT_STATUS_NO_SUCH_USER;
1183 } else if (count > 1) {
1184 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1185 ldap_msgfree(result);
1186 return NT_STATUS_NO_SUCH_USER;
1187 }
1188
1189 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1190 if (entry) {
1191 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1192 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1193 ldap_msgfree(result);
1194 return NT_STATUS_NO_SUCH_USER;
1195 }
1196 pdb_set_backend_private_data(user, result,
1197 private_data_free_fn,
1198 my_methods, PDB_CHANGED);
1199 ret = NT_STATUS_OK;
1200 } else {
1201 ldap_msgfree(result);
1202 }
1203 return ret;
1204 }
1205
1206 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1207 const DOM_SID *sid, LDAPMessage **result)
1208 {
1209 int rc = -1;
1210 char ** attr_list;
1211 uint32 rid;
1212
1213 switch ( ldap_state->schema_ver ) {
1214 case SCHEMAVER_SAMBASAMACCOUNT:
1215 attr_list = get_userattr_list(ldap_state->schema_ver);
1216 rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
1217 free_attr_list( attr_list );
1218
1219 if ( rc != LDAP_SUCCESS )
1220 return rc;
1221 break;
1222
1223 case SCHEMAVER_SAMBAACCOUNT:
1224 if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1225 return rc;
1226 }
1227
1228 attr_list = get_userattr_list(ldap_state->schema_ver);
1229 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1230 free_attr_list( attr_list );
1231
1232 if ( rc != LDAP_SUCCESS )
1233 return rc;
1234 break;
1235 }
1236 return rc;
1237 }
1238
1239 /**********************************************************************
1240 Get SAM_ACCOUNT entry from LDAP by SID.
1241 *********************************************************************/
1242
1243 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
1244 {
1245 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1246 LDAPMessage *result = NULL;
1247 LDAPMessage *entry = NULL;
1248 int count;
1249 int rc;
1250 fstring sid_string;
1251
1252 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1253 sid, &result);
1254 if (rc != LDAP_SUCCESS)
1255 return NT_STATUS_NO_SUCH_USER;
1256
1257 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1258
1259 if (count < 1) {
1260 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
1261 count));
1262 ldap_msgfree(result);
1263 return NT_STATUS_NO_SUCH_USER;
1264 } else if (count > 1) {
1265 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
1266 count));
1267 ldap_msgfree(result);
1268 return NT_STATUS_NO_SUCH_USER;
1269 }
1270
1271 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1272 if (!entry) {
1273 ldap_msgfree(result);
1274 return NT_STATUS_NO_SUCH_USER;
1275 }
1276
1277 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1278 DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1279 ldap_msgfree(result);
1280 return NT_STATUS_NO_SUCH_USER;
1281 }
1282
1283 pdb_set_backend_private_data(user, result,
1284 private_data_free_fn,
1285 my_methods, PDB_CHANGED);
1286 return NT_STATUS_OK;
1287 }
1288
1289 /********************************************************************
1290 Do the actual modification - also change a plaintext passord if
1291 it it set.
1292 **********************************************************************/
1293
1294 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1295 SAM_ACCOUNT *newpwd, char *dn,
1296 LDAPMod **mods, int ldap_op,
1297 BOOL (*need_update)(const SAM_ACCOUNT *, enum pdb_elements))
1298 {
1299 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1300 int rc;
1301
1302 if (!my_methods || !newpwd || !dn) {
1303 return NT_STATUS_INVALID_PARAMETER;
1304 }
1305
1306 if (!mods) {
1307 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1308 /* may be password change below however */
1309 } else {
1310 switch(ldap_op) {
1311 case LDAP_MOD_ADD:
1312 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1313 "objectclass",
1314 LDAP_OBJ_ACCOUNT);
1315 rc = smbldap_add(ldap_state->smbldap_state,
1316 dn, mods);
1317 break;
1318 case LDAP_MOD_REPLACE:
1319 rc = smbldap_modify(ldap_state->smbldap_state,
1320 dn ,mods);
1321 break;
1322 default:
1323 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1324 ldap_op));
1325 return NT_STATUS_INVALID_PARAMETER;
1326 }
1327
1328 if (rc!=LDAP_SUCCESS) {
1329 char *ld_error = NULL;
1330 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1331 &ld_error);
1332 DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
1333 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
1334 dn, ldap_err2string(rc),
1335 ld_error?ld_error:"unknown"));
1336 SAFE_FREE(ld_error);
1337 return NT_STATUS_UNSUCCESSFUL;
1338 }
1339 }
1340
1341 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1342 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1343 need_update(newpwd, PDB_PLAINTEXT_PW) &&
1344 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1345 BerElement *ber;
1346 struct berval *bv;
1347 char *retoid;
1348 struct berval *retdata;
1349 char *utf8_password;
1350 char *utf8_dn;
1351
1352 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1353 return NT_STATUS_NO_MEMORY;
1354 }
1355
1356 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1357 return NT_STATUS_NO_MEMORY;
1358 }
1359
1360 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1361 DEBUG(0,("ber_alloc_t returns NULL\n"));
1362 SAFE_FREE(utf8_password);
1363 return NT_STATUS_UNSUCCESSFUL;
1364 }
1365
1366 ber_printf (ber, "{");
1367 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1368 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1369 ber_printf (ber, "N}");
1370
1371 if ((rc = ber_flatten (ber, &bv))<0) {
1372 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1373 ber_free(ber,1);
1374 SAFE_FREE(utf8_dn);
1375 SAFE_FREE(utf8_password);
1376 return NT_STATUS_UNSUCCESSFUL;
1377 }
1378
1379 SAFE_FREE(utf8_dn);
1380 SAFE_FREE(utf8_password);
1381 ber_free(ber, 1);
1382
1383 if ((rc = smbldap_extended_operation(ldap_state->smbldap_state,
1384 LDAP_EXOP_MODIFY_PASSWD,
1385 bv, NULL, NULL, &retoid,
1386 &retdata)) != LDAP_SUCCESS) {
1387 char *ld_error = NULL;
1388 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1389 &ld_error);
1390 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1391 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1392 SAFE_FREE(ld_error);
1393 ber_bvfree(bv);
1394 return NT_STATUS_UNSUCCESSFUL;
1395 } else {
1396 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1397 #ifdef DEBUG_PASSWORD
1398 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1399 #endif
1400 ber_bvfree(retdata);
1401 ber_memfree(retoid);
1402 }
1403 ber_bvfree(bv);
1404 }
1405 return NT_STATUS_OK;
1406 }
1407
1408 /**********************************************************************
1409 Delete entry from LDAP for username.
1410 *********************************************************************/
1411
1412 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
1413 {
1414 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1415 const char *sname;
1416 int rc;
1417 LDAPMessage *result = NULL;
1418 NTSTATUS ret;
1419 char **attr_list;
1420 fstring objclass;
1421
1422 if (!sam_acct) {
1423 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1424 return NT_STATUS_INVALID_PARAMETER;
1425 }
1426
1427 sname = pdb_get_username(sam_acct);
1428
1429 DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname));
1430
1431 attr_list= get_userattr_list( ldap_state->schema_ver );
1432 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1433
1434 if (rc != LDAP_SUCCESS) {
1435 free_attr_list( attr_list );
1436 return NT_STATUS_NO_SUCH_USER;
1437 }
1438
1439 switch ( ldap_state->schema_ver ) {
1440 case SCHEMAVER_SAMBASAMACCOUNT:
1441 fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
1442 break;
1443
1444 case SCHEMAVER_SAMBAACCOUNT:
1445 fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
1446 break;
1447 default:
1448 fstrcpy( objclass, "UNKNOWN" );
1449 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1450 break;
1451 }
1452
1453 ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
1454 ldap_msgfree(result);
1455 free_attr_list( attr_list );
1456
1457 return ret;
1458 }
1459
1460 /**********************************************************************
1461 Helper function to determine for update_sam_account whether
1462 we need LDAP modification.
1463 *********************************************************************/
1464
1465 static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
1466 enum pdb_elements element)
1467 {
1468 return IS_SAM_CHANGED(sampass, element);
1469 }
1470
1471 /**********************************************************************
1472 Update SAM_ACCOUNT.
1473 *********************************************************************/
1474
1475 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1476 {
1477 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1478 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1479 int rc = 0;
1480 char *dn;
1481 LDAPMessage *result = NULL;
1482 LDAPMessage *entry = NULL;
1483 LDAPMod **mods = NULL;
1484 char **attr_list;
1485
1486 result = pdb_get_backend_private_data(newpwd, my_methods);
1487 if (!result) {
1488 attr_list = get_userattr_list(ldap_state->schema_ver);
1489 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1490 free_attr_list( attr_list );
1491 if (rc != LDAP_SUCCESS) {
1492 return NT_STATUS_UNSUCCESSFUL;
1493 }
1494 pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
1495 }
1496
1497 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1498 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1499 return NT_STATUS_UNSUCCESSFUL;
1500 }
1501
1502 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1503 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1504 if (!dn) {
1505 return NT_STATUS_UNSUCCESSFUL;
1506 }
1507
1508 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1509
1510 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1511 element_is_changed)) {
1512 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1513 SAFE_FREE(dn);
1514 if (mods != NULL)
1515 ldap_mods_free(mods,True);
1516 return NT_STATUS_UNSUCCESSFUL;
1517 }
1518
1519 if (mods == NULL) {
1520 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1521 pdb_get_username(newpwd)));
1522 SAFE_FREE(dn);
1523 return NT_STATUS_OK;
1524 }
1525
1526 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1527 ldap_mods_free(mods,True);
1528 SAFE_FREE(dn);
1529
1530 if (!NT_STATUS_IS_OK(ret)) {
1531 char *ld_error = NULL;
1532 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1533 &ld_error);
1534 DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
1535 pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
1536 SAFE_FREE(ld_error);
1537 return ret;
1538 }
1539
1540 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1541 pdb_get_username(newpwd)));
1542 return NT_STATUS_OK;
1543 }
1544
1545 /**********************************************************************
1546 Helper function to determine for update_sam_account whether
1547 we need LDAP modification.
1548 *********************************************************************/
1549
1550 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
1551 enum pdb_elements element)
1552 {
1553 return (IS_SAM_SET(sampass, element) ||
1554 IS_SAM_CHANGED(sampass, element));
1555 }
1556
1557 /**********************************************************************
1558 Add SAM_ACCOUNT to LDAP.
1559 *********************************************************************/
1560
1561 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1562 {
1563 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1564 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1565 int rc;
1566 LDAPMessage *result = NULL;
1567 LDAPMessage *entry = NULL;
1568 pstring dn;
1569 LDAPMod **mods = NULL;
1570 int ldap_op = LDAP_MOD_REPLACE;
1571 uint32 num_result;
1572 char **attr_list;
1573 char *escape_user;
1574 const char *username = pdb_get_username(newpwd);
1575 const DOM_SID *sid = pdb_get_user_sid(newpwd);
1576 pstring filter;
1577 fstring sid_string;
1578
1579 if (!username || !*username) {
1580 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1581 return NT_STATUS_INVALID_PARAMETER;
1582 }
1583
1584 /* free this list after the second search or in case we exit on failure */
1585 attr_list = get_userattr_list(ldap_state->schema_ver);
1586
1587 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
1588
1589 if (rc != LDAP_SUCCESS) {
1590 free_attr_list( attr_list );
1591 return NT_STATUS_UNSUCCESSFUL;
1592 }
1593
1594 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1595 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
1596 username));
1597 ldap_msgfree(result);
1598 free_attr_list( attr_list );
1599 return NT_STATUS_UNSUCCESSFUL;
1600 }
1601 ldap_msgfree(result);
1602 result = NULL;
1603
1604 if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
1605 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1606 sid, &result);
1607 if (rc == LDAP_SUCCESS) {
1608 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1609 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
1610 sid_to_string(sid_string, sid)));
1611 free_attr_list( attr_list );
1612 ldap_msgfree(result);
1613 return NT_STATUS_UNSUCCESSFUL;
1614 }
1615 ldap_msgfree(result);
1616 }
1617 }
1618
1619 /* does the entry already exist but without a samba attributes?
1620 we need to return the samba attributes here */
1621
1622 escape_user = escape_ldap_string_alloc( username );
1623 pstrcpy( filter, lp_ldap_filter() );
1624 all_string_sub( filter, "%u", escape_user, sizeof(filter) );
1625 SAFE_FREE( escape_user );
1626
1627 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1628 filter, attr_list, &result);
1629 if ( rc != LDAP_SUCCESS ) {
1630 free_attr_list( attr_list );
1631 return NT_STATUS_UNSUCCESSFUL;
1632 }
1633
1634 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1635
1636 if (num_result > 1) {
1637 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1638 free_attr_list( attr_list );
1639 ldap_msgfree(result);
1640 return NT_STATUS_UNSUCCESSFUL;
1641 }
1642
1643 /* Check if we need to update an existing entry */
1644 if (num_result == 1) {
1645 char *tmp;
1646
1647 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1648 ldap_op = LDAP_MOD_REPLACE;
1649 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1650 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1651 if (!tmp) {
1652 free_attr_list( attr_list );
1653 ldap_msgfree(result);
1654 return NT_STATUS_UNSUCCESSFUL;
1655 }
1656 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1657 SAFE_FREE(tmp);
1658
1659 } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
1660
1661 /* There might be a SID for this account already - say an idmap entry */
1662
1663 pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
1664 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1665 sid_to_string(sid_string, sid),
1666 LDAP_OBJ_IDMAP_ENTRY,
1667 LDAP_OBJ_SID_ENTRY);
1668
1669 /* free old result before doing a new search */
1670 if (result != NULL) {
1671 ldap_msgfree(result);
1672 result = NULL;
1673 }
1674 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1675 filter, attr_list, &result);
1676
1677 if ( rc != LDAP_SUCCESS ) {
1678 free_attr_list( attr_list );
1679 return NT_STATUS_UNSUCCESSFUL;
1680 }
1681
1682 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1683
1684 if (num_result > 1) {
1685 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1686 free_attr_list( attr_list );
1687 ldap_msgfree(result);
1688 return NT_STATUS_UNSUCCESSFUL;
1689 }
1690
1691 /* Check if we need to update an existing entry */
1692 if (num_result == 1) {
1693 char *tmp;
1694
1695 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1696 ldap_op = LDAP_MOD_REPLACE;
1697 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1698 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1699 if (!tmp) {
1700 free_attr_list( attr_list );
1701 ldap_msgfree(result);
1702 return NT_STATUS_UNSUCCESSFUL;
1703 }
1704 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1705 SAFE_FREE(tmp);
1706 }
1707 }
1708
1709 free_attr_list( attr_list );
1710
1711 if (num_result == 0) {
1712 /* Check if we need to add an entry */
1713 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
1714 ldap_op = LDAP_MOD_ADD;
1715 if (username[strlen(username)-1] == '$') {
1716 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
1717 } else {
1718 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
1719 }
1720 }
1721
1722 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1723 element_is_set_or_changed)) {
1724 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1725 ldap_msgfree(result);
1726 if (mods != NULL)
1727 ldap_mods_free(mods,True);
1728 return NT_STATUS_UNSUCCESSFUL;
1729 }
1730
1731 ldap_msgfree(result);
1732
1733 if (mods == NULL) {
1734 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
1735 return NT_STATUS_UNSUCCESSFUL;
1736 }
1737 switch ( ldap_state->schema_ver ) {
1738 case SCHEMAVER_SAMBAACCOUNT:
1739 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
1740 break;
1741 case SCHEMAVER_SAMBASAMACCOUNT:
1742 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
1743 break;
1744 default:
1745 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
1746 break;
1747 }
1748
1749 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
1750 if (!NT_STATUS_IS_OK(ret)) {
1751 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
1752 pdb_get_username(newpwd),dn));
1753 ldap_mods_free(mods, True);
1754 return ret;
1755 }
1756
1757 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
1758 ldap_mods_free(mods, True);
1759
1760 return NT_STATUS_OK;
1761 }
1762
1763 /**********************************************************************
1764 *********************************************************************/
1765
1766 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
1767 const char *filter,
1768 LDAPMessage ** result)
1769 {
1770 int scope = LDAP_SCOPE_SUBTREE;
1771 int rc;
1772 char **attr_list;
1773
1774 attr_list = get_attr_list(groupmap_attr_list);
1775 rc = smbldap_search(ldap_state->smbldap_state,
1776 lp_ldap_group_suffix (), scope,
1777 filter, attr_list, 0, result);
1778 free_attr_list( attr_list );
1779
1780 if (rc != LDAP_SUCCESS) {
1781 char *ld_error = NULL;
1782 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1783 &ld_error);
1784 DEBUG(0, ("ldapsam_search_one_group: "
1785 "Problem during the LDAP search: LDAP error: %s (%s)\n",
1786 ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
1787 DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
1788 lp_ldap_group_suffix(), filter));
1789 SAFE_FREE(ld_error);
1790 }
1791
1792 return rc;
1793 }
1794
1795 /**********************************************************************
1796 *********************************************************************/
1797
1798 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
1799 GROUP_MAP *map, LDAPMessage *entry)
1800 {
1801 pstring temp;
1802
1803 if (ldap_state == NULL || map == NULL || entry == NULL ||
1804 ldap_state->smbldap_state->ldap_struct == NULL) {
1805 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
1806 return False;
1807 }
1808
1809 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1810 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
1811 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1812 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
1813 return False;
1814 }
1815 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
1816
1817 map->gid = (gid_t)atol(temp);
1818
1819 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1820 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
1821 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1822 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
1823 return False;
1824 }
1825
1826 if (!string_to_sid(&map->sid, temp)) {
1827 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
1828 return False;
1829 }
1830
1831 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1832 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
1833 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1834 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
1835 return False;
1836 }
1837 map->sid_name_use = (enum SID_NAME_USE)atol(temp);
1838
1839 if ((map->sid_name_use < SID_NAME_USER) ||
1840 (map->sid_name_use > SID_NAME_UNKNOWN)) {
1841 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
1842 return False;
1843 }
1844
1845 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1846 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
1847 temp[0] = '\0';
1848 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1849 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
1850 {
1851 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
1852 for gidNumber(%lu)\n",(unsigned long)map->gid));
1853 return False;
1854 }
1855 }
1856 fstrcpy(map->nt_name, temp);
1857
1858 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1859 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
1860 temp[0] = '\0';
1861 }
1862 fstrcpy(map->comment, temp);
1863
1864 return True;
1865 }
1866
1867 /**********************************************************************
1868 *********************************************************************/
1869
1870 static BOOL init_ldap_from_group(LDAP *ldap_struct,
1871 LDAPMessage *existing,
1872 LDAPMod ***mods,
1873 const GROUP_MAP *map)
1874 {
1875 pstring tmp;
1876
1877 if (mods == NULL || map == NULL) {
1878 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
1879 return False;
1880 }
1881
1882 *mods = NULL;
1883
1884 sid_to_string(tmp, &map->sid);
1885
1886 smbldap_make_mod(ldap_struct, existing, mods,
1887 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
1888 pstr_sprintf(tmp, "%i", map->sid_name_use);
1889 smbldap_make_mod(ldap_struct, existing, mods,
1890 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
1891
1892 smbldap_make_mod(ldap_struct, existing, mods,
1893 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
1894 smbldap_make_mod(ldap_struct, existing, mods,
1895 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
1896
1897 return True;
1898 }
1899
1900 /**********************************************************************
1901 *********************************************************************/
1902
1903 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
1904 const char *filter,
1905 GROUP_MAP *map)
1906 {
1907 struct ldapsam_privates *ldap_state =
1908 (struct ldapsam_privates *)methods->private_data;
1909 LDAPMessage *result = NULL;
1910 LDAPMessage *entry = NULL;
1911 int count;
1912
1913 if (ldapsam_search_one_group(ldap_state, filter, &result)
1914 != LDAP_SUCCESS) {
1915 return NT_STATUS_NO_SUCH_GROUP;
1916 }
1917
1918 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1919
1920 if (count < 1) {
1921 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
1922 ldap_msgfree(result);
1923 return NT_STATUS_NO_SUCH_GROUP;
1924 }
1925
1926 if (count > 1) {
1927 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
1928 filter, count));
1929 ldap_msgfree(result);
1930 return NT_STATUS_NO_SUCH_GROUP;
1931 }
1932
1933 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1934
1935 if (!entry) {
1936 ldap_msgfree(result);
1937 return NT_STATUS_UNSUCCESSFUL;
1938 }
1939
1940 if (!init_group_from_ldap(ldap_state, map, entry)) {
1941 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
1942 filter));
1943 ldap_msgfree(result);
1944 return NT_STATUS_NO_SUCH_GROUP;
1945 }
1946
1947 ldap_msgfree(result);
1948 return NT_STATUS_OK;
1949 }
1950
1951 /**********************************************************************
1952 *********************************************************************/
1953
1954 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
1955 DOM_SID sid)
1956 {
1957 pstring filter;
1958
1959 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
1960 LDAP_OBJ_GROUPMAP,
1961 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
1962 sid_string_static(&sid));
1963
1964 return ldapsam_getgroup(methods, filter, map);
1965 }
1966
1967 /**********************************************************************
1968 *********************************************************************/
1969
1970 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
1971 gid_t gid)
1972 {
1973 pstring filter;
1974
1975 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
1976 LDAP_OBJ_GROUPMAP,
1977 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
1978 (unsigned long)gid);
1979
1980 return ldapsam_getgroup(methods, filter, map);
1981 }
1982
1983 /**********************************************************************
1984 *********************************************************************/
1985
1986 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
1987 const char *name)
1988 {
1989 pstring filter;
1990 char *escape_name = escape_ldap_string_alloc(name);
1991
1992 if (!escape_name) {
1993 return NT_STATUS_NO_MEMORY;
1994 }
1995
1996 pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
1997 LDAP_OBJ_GROUPMAP,
1998 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
1999 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
2000
2001 SAFE_FREE(escape_name);
2002
2003 return ldapsam_getgroup(methods, filter, map);
2004 }
2005
2006 /**********************************************************************
2007 *********************************************************************/
2008
2009 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
2010 gid_t gid,
2011 LDAPMessage **result)
2012 {
2013 pstring filter;
2014
2015 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
2016 LDAP_OBJ_POSIXGROUP,
2017 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2018 (unsigned long)gid);
2019
2020 return ldapsam_search_one_group(ldap_state, filter, result);
2021 }
2022
2023 /**********************************************************************
2024 *********************************************************************/
2025
2026 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
2027 GROUP_MAP *map)
2028 {
2029 struct ldapsam_privates *ldap_state =
2030 (struct ldapsam_privates *)methods->private_data;
2031 LDAPMessage *result = NULL;
2032 LDAPMod **mods = NULL;
2033 int count;
2034
2035 char *tmp;
2036 pstring dn;
2037 LDAPMessage *entry;
2038
2039 GROUP_MAP dummy;
2040
2041 int rc;
2042
2043 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
2044 map->gid))) {
2045 DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map->gid));
2046 return NT_STATUS_UNSUCCESSFUL;
2047 }
2048
2049 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2050 if (rc != LDAP_SUCCESS) {
2051 ldap_msgfree(result);
2052 return NT_STATUS_UNSUCCESSFUL;
2053 }
2054
2055 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2056
2057 if ( count == 0 ) {
2058 ldap_msgfree(result);
2059 return NT_STATUS_UNSUCCESSFUL;
2060 }
2061
2062 if (count > 1) {
2063 DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
2064 (unsigned long)map->gid));
2065 ldap_msgfree(result);
2066 return NT_STATUS_UNSUCCESSFUL;
2067 }
2068
2069 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2070 tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2071 if (!tmp) {
2072 ldap_msgfree(result);
2073 return NT_STATUS_UNSUCCESSFUL;
2074 }
2075 pstrcpy(dn, tmp);
2076 SAFE_FREE(tmp);
2077
2078 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2079 result, &mods, map)) {
2080 DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
2081 ldap_mods_free(mods, True);
2082 ldap_msgfree(result);
2083 return NT_STATUS_UNSUCCESSFUL;
2084 }
2085
2086 ldap_msgfree(result);
2087
2088 if (mods == NULL) {
2089 DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
2090 return NT_STATUS_UNSUCCESSFUL;
2091 }
2092
2093 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
2094
2095 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2096 ldap_mods_free(mods, True);
2097
2098 if (rc != LDAP_SUCCESS) {
2099 char *ld_error = NULL;
2100 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2101 &ld_error);
2102 DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map->gid,
2103 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2104 SAFE_FREE(ld_error);
2105 return NT_STATUS_UNSUCCESSFUL;
2106 }
2107
2108 DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2109 return NT_STATUS_OK;
2110 }
2111
2112 /**********************************************************************
2113 *********************************************************************/
2114
2115 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
2116 GROUP_MAP *map)
2117 {
2118 struct ldapsam_privates *ldap_state =
2119 (struct ldapsam_privates *)methods->private_data;
2120 int rc;
2121 char *dn = NULL;
2122 LDAPMessage *result = NULL;
2123 LDAPMessage *entry = NULL;
2124 LDAPMod **mods = NULL;
2125
2126 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2127
2128 if (rc != LDAP_SUCCESS) {
2129 return NT_STATUS_UNSUCCESSFUL;
2130 }
2131
2132 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
2133 DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
2134 ldap_msgfree(result);
2135 return NT_STATUS_UNSUCCESSFUL;
2136 }
2137
2138 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2139
2140 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2141 result, &mods, map)) {
2142 DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
2143 ldap_msgfree(result);
2144 if (mods != NULL)
2145 ldap_mods_free(mods,True);
2146 return NT_STATUS_UNSUCCESSFUL;
2147 }
2148
2149 if (mods == NULL) {
2150 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
2151 ldap_msgfree(result);
2152 return NT_STATUS_OK;
2153 }
2154
2155 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2156 if (!dn) {
2157 ldap_msgfree(result);
2158 return NT_STATUS_UNSUCCESSFUL;
2159 }
2160 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2161 SAFE_FREE(dn);
2162
2163 ldap_mods_free(mods, True);
2164 ldap_msgfree(result);
2165
2166 if (rc != LDAP_SUCCESS) {
2167 char *ld_error = NULL;
2168 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2169 &ld_error);
2170 DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map->gid,
2171 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2172 SAFE_FREE(ld_error);
2173 return NT_STATUS_UNSUCCESSFUL;
2174 }
2175
2176 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2177 return NT_STATUS_OK;
2178 }
2179
2180 /**********************************************************************
2181 *********************************************************************/
2182
2183 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
2184 DOM_SID sid)
2185 {
2186 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
2187 pstring sidstring, filter;
2188 LDAPMessage *result = NULL;
2189 int rc;
2190 NTSTATUS ret;
2191 char **attr_list;
2192
2193 sid_to_string(sidstring, &sid);
2194
2195 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
2196 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
2197
2198 rc = ldapsam_search_one_group(ldap_state, filter, &result);
2199
2200 if (rc != LDAP_SUCCESS) {
2201 return NT_STATUS_NO_SUCH_GROUP;
2202 }
2203
2204 attr_list = get_attr_list( groupmap_attr_list_to_delete );
2205 ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
2206 free_attr_list ( attr_list );
2207
2208 ldap_msgfree(result);
2209
2210 return ret;
2211 }
2212
2213 /**********************************************************************
2214 *********************************************************************/
2215
2216 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
2217 {
2218 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2219 fstring filter;
2220 int rc;
2221 char **attr_list;
2222
2223 pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
2224 attr_list = get_attr_list( groupmap_attr_list );
2225 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2226 LDAP_SCOPE_SUBTREE, filter,
2227 attr_list, 0, &ldap_state->result);
2228 free_attr_list( attr_list );
2229
2230 if (rc != LDAP_SUCCESS) {
2231 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc)));
2232 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
2233 ldap_msgfree(ldap_state->result);
2234 ldap_state->result = NULL;
2235 return NT_STATUS_UNSUCCESSFUL;
2236 }
2237
2238 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
2239 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2240 ldap_state->result)));
2241
2242 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2243 ldap_state->index = 0;
2244
2245 return NT_STATUS_OK;
2246 }
2247
2248 /**********************************************************************
2249 *********************************************************************/
2250
2251 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
2252 {
2253 ldapsam_endsampwent(my_methods);
2254 }
2255
2256 /**********************************************************************
2257 *********************************************************************/
2258
2259 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
2260 GROUP_MAP *map)
2261 {
2262 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2263 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2264 BOOL bret = False;
2265
2266 while (!bret) {
2267 if (!ldap_state->entry)
2268 return ret;
2269
2270 ldap_state->index++;
2271 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
2272
2273 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
2274 ldap_state->entry);
2275 }
2276
2277 return NT_STATUS_OK;
2278 }
2279
2280 /**********************************************************************
2281 *********************************************************************/
2282
2283 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
2284 enum SID_NAME_USE sid_name_use,
2285 GROUP_MAP **rmap, int *num_entries,
2286 BOOL unix_only)
2287 {
2288 GROUP_MAP map;
2289 GROUP_MAP *mapt;
2290 int entries = 0;
2291
2292 *num_entries = 0;
2293 *rmap = NULL;
2294
2295 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
2296 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
2297 return NT_STATUS_ACCESS_DENIED;
2298 }
2299
2300 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
2301 if (sid_name_use != SID_NAME_UNKNOWN &&
2302 sid_name_use != map.sid_name_use) {
2303 DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
2304 continue;
2305 }
2306 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
2307 DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map.nt_name));
2308 continue;
2309 }
2310
2311 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
2312 if (!mapt) {
2313 DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
2314 SAFE_FREE(*rmap);
2315 return NT_STATUS_UNSUCCESSFUL;
2316 }
2317 else
2318 (*rmap) = mapt;
2319
2320 mapt[entries] = map;
2321
2322 entries += 1;
2323
2324 }
2325 ldapsam_endsamgrent(methods);
2326
2327 *num_entries = entries;
2328
2329 return NT_STATUS_OK;
2330 }
2331
2332 /**********************************************************************
2333 Privileges related functions
2334 *********************************************************************/
2335
2336 static NTSTATUS ldapsam_modify_sid_list_for_privilege(struct pdb_methods *my_methods, const char *privname, const DOM_SID *sid, int ldap_op)
2337 {
2338 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2339 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2340 LDAPMessage *entry = NULL;
2341 LDAPMod **mods = NULL;
2342 fstring sid_str;
2343 fstring filter;
2344 char **attr_list, *dn;
2345 int rc, i;
2346
2347 if ((sid == NULL) || (!sid_to_string(sid_str, sid))) {
2348 DEBUG(3, ("ldapsam_modify_sid_list_for_privilege: Invalid SID\n"));
2349 return NT_STATUS_INVALID_PARAMETER;
2350 }
2351
2352 pstr_sprintf(filter, "(&(objectclass=%s)(sambaPrivName=%s))", LDAP_OBJ_PRIVILEGE, privname);
2353 attr_list = get_attr_list(privilege_attr_list);
2354 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_privilege_suffix(),
2355 LDAP_SCOPE_SUBTREE, filter,
2356 attr_list, 0, &ldap_state->result);
2357 free_attr_list(attr_list);
2358
2359
2360 if (rc != LDAP_SUCCESS) {
2361 DEBUG(0, ("ldapsam_modify_sid_list_for_privilege: LDAP search failed: %s\n", ldap_err2string(rc)));
2362 DEBUG(3, ("ldapsam_modify_sid_list_for_privilege: Query was: %s, %s\n", lp_ldap_privilege_suffix(), filter));
2363 ldap_msgfree(ldap_state->result);
2364 ldap_state->result = NULL;
2365 goto done;
2366 }
2367
2368 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, ldap_state->result) == 0) {
2369 /* if the privilege does not exist and we are adding then
2370 * create it */
2371 if (ldap_op == LDAP_MOD_ADD) {
2372
2373 DEBUG(3, ("Privilege not found on ldap tree, creating a new entry\n"));
2374 if (asprintf(&dn, "sambaPrivName=%s,%s", privname, lp_ldap_privilege_suffix()) < 0) {
2375 DEBUG(0, ("ldapsam_modify_sid_list_for_privilege: Out of memory\n"));
2376 goto done;
2377 }
2378
2379 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaPrivName", privname);
2380
2381 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_PRIVILEGE);
2382
2383 rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
2384
2385 if (rc != LDAP_SUCCESS) {
2386 char *ld_error = NULL;
2387
2388 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
2389 DEBUG(1,
2390 ("ldapsam_modify_sid_list_for_privilege:"
2391 "Failed to add privilege (%s) dn= %s with: %s\n\t%s\n",
2392 privname,
2393 dn, ldap_err2string(rc),
2394 ld_error ? ld_error : "unknown")
2395 );
2396
2397 SAFE_FREE(ld_error);
2398 goto done;
2399 }
2400
2401 pstr_sprintf(filter, "(&(objectclass=%s)(sambaPrivName=%s))", LDAP_OBJ_PRIVILEGE, privname);
2402 attr_list = get_attr_list(privilege_attr_list);
2403 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_privilege_suffix(),
2404 LDAP_SCOPE_SUBTREE, filter,
2405 attr_list, 0, &ldap_state->result);
2406 free_attr_list(attr_list);
2407
2408 if (rc != LDAP_SUCCESS) {
2409 DEBUG(0, ("ldapsam_modify_sid_list_for_privilege: LDAP search failed: %s\n", ldap_err2string(rc)));
2410 DEBUG(3, ("ldapsam_modify_sid_list_for_privilege: Query was: %s, %s\n", lp_ldap_privilege_suffix(), filter));
2411 ldap_msgfree(ldap_state->result);
2412 ldap_state->result = NULL;
2413 goto done;
2414 }
2415 } else {
2416 goto done;
2417 }
2418 }
2419 /* entry found */
2420 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2421
2422 /* retrieve the dn */
2423 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2424 if (!dn) {
2425 goto done;
2426 }
2427
2428 /* prepare the modification */
2429 smbldap_set_mod(&mods, ldap_op, "sambaSIDList", sid_str);
2430
2431 /* modify the privilege */
2432 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2433
2434 /* free used structures */
2435 ldap_mods_free(mods, True);
2436
2437 if (rc != LDAP_SUCCESS) {
2438 char *ld_error = NULL;
2439
2440 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
2441 DEBUG(1,
2442 ("ldapsam_modify_sid_list_for_privilege:"
2443 "Failed to %s sid for privilege (%s) dn= %s with: %s\n\t%s\n",
2444 (ldap_op == LDAP_MOD_ADD) ? "add" : "remove",
2445 privname,
2446 dn, ldap_err2string(rc),
2447 ld_error ? ld_error : "unknown")
2448 );
2449 SAFE_FREE(ld_error);
2450 goto done;
2451 }
2452
2453 ret = NT_STATUS_OK;
2454
2455 done:
2456 return ret;
2457 }
2458
2459 static NTSTATUS ldapsam_add_sid_to_privilege(struct pdb_methods *my_methods, const char *privname, const DOM_SID *sid)
2460 {
2461 return ldapsam_modify_sid_list_for_privilege(my_methods, privname, sid, LDAP_MOD_ADD);
2462 }
2463
2464 static NTSTATUS ldapsam_remove_sid_from_privilege(struct pdb_methods *my_methods, const char *privname, const DOM_SID *sid)
2465 {
2466 return ldapsam_modify_sid_list_for_privilege(my_methods, privname, sid, LDAP_MOD_DELETE);
2467 }
2468
2469 static NTSTATUS ldapsam_get_privilege_set(struct pdb_methods *my_methods, NT_USER_TOKEN *token, PRIVILEGE_SET *privset)
2470 {
2471 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2472 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2473 LDAPMessage *entry = NULL;
2474 fstring sid_str;
2475 fstring filter;
2476 char **sid_list;
2477 char **attr_list;
2478 int rc, i;
2479
2480 sid_list = (char **)malloc(sizeof(char *) * (token->num_sids + 1));
2481 for (i = 0; i < token->num_sids; i++) {
2482 sid_to_string(sid_str, &token->user_sids[i]);
2483 sid_list[i] = strdup(sid_str);
2484 if ( ! sid_list[i]) {
2485 ret = NT_STATUS_NO_MEMORY;
2486 goto done;
2487 }
2488 }
2489 sid_list[i] = NULL;
2490
2491 pstr_sprintf(filter, "(objectclass=%s)", LDAP_OBJ_PRIVILEGE);
2492 attr_list = get_attr_list(privilege_attr_list);
2493 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_privilege_suffix(),
2494 LDAP_SCOPE_SUBTREE, filter,
2495 attr_list, 0, &ldap_state->result);
2496 free_attr_list(attr_list);
2497
2498 if (rc != LDAP_SUCCESS) {
2499 DEBUG(0, ("ldapsam_get_privilege_set: LDAP search failed: %s\n", ldap_err2string(rc)));
2500 DEBUG(3, ("ldapsam_get_privilege_set: Query was: %s, %s\n", lp_ldap_privilege_suffix(), filter));
2501 ldap_msgfree(ldap_state->result);
2502 ldap_state->result = NULL;
2503 goto done;
2504 }
2505
2506 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, ldap_state->result) == 0) {
2507 DEBUG(3, ("ldapsam_get_privilege_set: No privileges in ldap tree\n"));
2508 ret = NT_STATUS_OK;
2509 goto done;
2510 }
2511
2512 DEBUG(2, ("ldapsam_get_privilege_set: %d entries in the base!\n",
2513 ldap_count_entries(ldap_state->smbldap_state->ldap_struct, ldap_state->result)));
2514
2515 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2516
2517 while (entry != NULL) {
2518 char **values = NULL;
2519
2520 for(i=0; sid_list[i] != NULL; i++) {
2521 char *c, *s;
2522 pstring privname;
2523 int j;
2524
2525 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, "sambaPrivName", privname, sizeof(pstring))) {
2526 goto loop;
2527 }
2528
2529 if ((values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, LDAP_ATTRIBUTE_SID_LIST)) == NULL) {
2530 DEBUG(10, ("ldapsam_get_privilege_set: SID List not found skipping privilege\n"));
2531 goto loop;
2532 }
2533
2534 j = 0;
2535 while (values[j] != 0) {
2536 if (strcmp(values[j], sid_list[i]) == 0) {
2537 DEBUG(10, ("sid [%s] found in users sid list\n", sid_list[i]));
2538 DEBUG(10, ("adding privilege [%s] to the users privilege list\n", privname));
2539 add_privilege_by_name(privset, privname);
2540 goto loop;
2541 }
2542 j++;
2543 }
2544
2545 if (values) {
2546 ldap_value_free(values);
2547 values = NULL;
2548 }
2549 }
2550 loop:
2551 if (values) {
2552 ldap_value_free(values);
2553 }
2554
2555 entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct, entry);
2556 }
2557
2558 ret = NT_STATUS_OK;
2559
2560 done:
2561 i = 0;
2562 while (sid_list[i]) {
2563 free(sid_list[i]);
2564 i++;
2565 }
2566 free(sid_list);
2567
2568 return ret;
2569 }
2570
2571 static NTSTATUS ldapsam_get_privilege_entry(struct pdb_methods *my_methods, const char *privname,
2572 char **sid_list)
2573 {
2574 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2575 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2576 LDAPMessage *entry = NULL;
2577 fstring sid_str;
2578 fstring filter;
2579 char **attr_list, **values;
2580 int rc, i, len;
2581
2582 *sid_list = NULL;
2583 pstr_sprintf(filter, "(&(objectclass=%s)(sambaPrivName=%s))", LDAP_OBJ_PRIVILEGE, privname);
2584 attr_list = get_attr_list(privilege_attr_list);
2585 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_privilege_suffix(),
2586 LDAP_SCOPE_SUBTREE, filter,
2587 attr_list, 0, &ldap_state->result);
2588 free_attr_list(attr_list);
2589
2590 if (rc != LDAP_SUCCESS) {
2591 DEBUG(0, ("ldapsam_get_privilege_entry: LDAP search failed: %s\n", ldap_err2string(rc)));
2592 DEBUG(3, ("ldapsam_get_privilege_entry: Query was: %s, %s\n", lp_ldap_privilege_suffix(), filter));
2593 ldap_msgfree(ldap_state->result);
2594 ldap_state->result = NULL;
2595 ret = NT_STATUS_UNSUCCESSFUL;
2596 goto done;
2597 }
2598
2599 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, ldap_state->result) == 0) {
2600 DEBUG(3, ("ldapsam_get_privilege_entry: No such privilege (%s) in ldap tree\n", privname));
2601 goto done;
2602 }
2603
2604 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2605
2606 if ((values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, LDAP_ATTRIBUTE_SID_LIST)) == NULL) {
2607 DEBUG(10, ("ldapsam_get_privilege_entry: SID List not found skipping privilege\n"));
2608 ret = NT_STATUS_OK;
2609 goto done;
2610 }
2611
2612 for (i = 0, len = 0; values[i] != 0; i++ ) {
2613 len = len + strlen(values[i]) + 1;
2614 }
2615
2616 *sid_list = (char *)malloc(len);
2617 if ((*sid_list) == NULL) {
2618 DEBUG(0, ("ldapsam_get_privilege_entry: Out of memory!\n"));
2619 ldap_value_free(values);
2620 ret = NT_STATUS_NO_MEMORY;
2621 goto done;
2622 }
2623
2624 (*sid_list)[0] = '\0';
2625
2626 for (i = 0; values[i] != 0; i++ ) {
2627 if (i != 0) {
2628 strlcat(*sid_list, ",", len);
2629 }
2630 DEBUG(0, ("sid_list = [%s]\n", *sid_list));
2631 DEBUG(0, ("values = [%s]\n", values[i]));
2632 DEBUG(0, ("len = [%d]\n", len));
2633 strlcat(*sid_list, values[i], len);
2634 DEBUG(0, ("sid_list = [%s]\n", *sid_list));
2635 }
2636
2637 ldap_value_free(values);
2638 ret = NT_STATUS_OK;
2639 done:
2640 return ret;
2641 }
2642
2643
2644 /**********************************************************************
2645 Housekeeping
2646 *********************************************************************/
2647
2648 static void free_private_data(void **vp)
2649 {
2650 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
2651
2652 smbldap_free_struct(&(*ldap_state)->smbldap_state);
2653
2654 if ((*ldap_state)->result != NULL) {
2655 ldap_msgfree((*ldap_state)->result);
2656 (*ldap_state)->result = NULL;
2657 }
2658
2659 *ldap_state = NULL;
2660
2661 /* No need to free any further, as it is talloc()ed */
2662 }
2663
2664 /**********************************************************************
2665 Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
2666 *********************************************************************/
2667
2668 static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
2669 const char *location)
2670 {
2671 NTSTATUS nt_status;
2672 struct ldapsam_privates *ldap_state;
2673
2674 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
2675 return nt_status;
2676 }
2677
2678 (*pdb_method)->name = "ldapsam";
2679
2680 (*pdb_method)->setsampwent = ldapsam_setsampwent;
2681 (*pdb_method)->endsampwent = ldapsam_endsampwent;
2682 (*pdb_method)->getsampwent = ldapsam_getsampwent;
2683 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
2684 (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
2685 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
2686 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
2687 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
2688
2689 (*pdb_method)->getgrsid = ldapsam_getgrsid;
2690 (*pdb_method)->getgrgid = ldapsam_getgrgid;
2691 (*pdb_method)->getgrnam = ldapsam_getgrnam;
2692 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
2693 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
2694 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
2695 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
2696
2697 (*pdb_method)->add_sid_to_privilege = ldapsam_add_sid_to_privilege;
2698 (*pdb_method)->remove_sid_from_privilege = ldapsam_remove_sid_from_privilege;
2699 (*pdb_method)->get_privilege_set = ldapsam_get_privilege_set;
2700 (*pdb_method)->get_privilege_entry = ldapsam_get_privilege_entry;
2701
2702 /* TODO: Setup private data and free */
2703
2704 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(*ldap_state));
2705 if (!ldap_state) {
2706 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
2707 return NT_STATUS_NO_MEMORY;
2708 }
2709
2710 if (!NT_STATUS_IS_OK(nt_status =
2711 smbldap_init(pdb_context->mem_ctx, location,
2712 &ldap_state->smbldap_state)));
2713
2714 ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
2715 if (!ldap_state->domain_name) {
2716 return NT_STATUS_NO_MEMORY;
2717 }
2718
2719 (*pdb_method)->private_data = ldap_state;
2720
2721 (*pdb_method)->free_private_data = free_private_data;
2722
2723 return NT_STATUS_OK;
2724 }
2725
2726 /**********************************************************************
2727 Initialise the 'compat' mode for pdb_ldap
2728 *********************************************************************/
2729
2730 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2731 {
2732 NTSTATUS nt_status;
2733 struct ldapsam_privates *ldap_state;
2734
2735 #ifdef WITH_LDAP_SAMCONFIG
2736 if (!location) {
2737 int ldap_port = lp_ldap_port();
2738
2739 /* remap default port if not using SSL (ie clear or TLS) */
2740 if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
2741 ldap_port = 389;
2742 }
2743
2744 location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
2745 if (!location) {
2746 return NT_STATUS_NO_MEMORY;
2747 }
2748 }
2749 #endif
2750
2751 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2752 return nt_status;
2753 }
2754
2755 (*pdb_method)->name = "ldapsam_compat";
2756
2757 ldap_state = (*pdb_method)->private_data;
2758 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
2759
2760 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2761
2762 return NT_STATUS_OK;
2763 }
2764
2765 /**********************************************************************
2766 Initialise the normal mode for pdb_ldap
2767 *********************************************************************/
2768
2769 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2770 {
2771 NTSTATUS nt_status;
2772 struct ldapsam_privates *ldap_state;
2773 uint32 alg_rid_base;
2774 pstring alg_rid_base_string;
2775 LDAPMessage *result = NULL;
2776 LDAPMessage *entry = NULL;
2777 DOM_SID ldap_domain_sid;
2778 DOM_SID secrets_domain_sid;
2779 pstring domain_sid_string;
2780
2781 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2782 return nt_status;
2783 }
2784
2785 (*pdb_method)->name = "ldapsam";
2786
2787 ldap_state = (*pdb_method)->private_data;
2788 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
2789
2790 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
2791
2792 nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result,
2793 ldap_state->domain_name, True);
2794
2795 if ( !NT_STATUS_IS_OK(nt_status) ) {
2796 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n"));
2797 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, \
2798 and will risk BDCs having inconsistant SIDs\n"));
2799 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2800 return NT_STATUS_OK;
2801 }
2802
2803 /* Given that the above might fail, everything below this must be optional */
2804
2805 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2806 if (!entry) {
2807 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info entry\n"));
2808 ldap_msgfree(result);
2809 return NT_STATUS_UNSUCCESSFUL;
2810 }
2811
2812 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2813 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2814 domain_sid_string)) {
2815 BOOL found_sid;
2816 if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
2817 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be read as a valid SID\n", domain_sid_string));
2818 return NT_STATUS_INVALID_PARAMETER;
2819 }
2820 found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid);
2821 if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) {
2822 fstring new_sid_str, old_sid_str;
2823 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n",
2824 ldap_state->domain_name,
2825 sid_to_string(old_sid_str, &secrets_domain_sid),
2826 sid_to_string(new_sid_str, &ldap_domain_sid)));
2827
2828 /* reset secrets.tdb sid */
2829 secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid);
2830 DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str, get_global_sam_sid())));
2831 }
2832 sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
2833 }
2834
2835 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2836 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ALGORITHMIC_RID_BASE),
2837 alg_rid_base_string)) {
2838 alg_rid_base = (uint32)atol(alg_rid_base_string);
2839 if (alg_rid_base != algorithmic_rid_base()) {
2840 DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
2841 "database was initialised. Aborting. \n"));
2842 ldap_msgfree(result);
2843 return NT_STATUS_UNSUCCESSFUL;
2844 }
2845 }
2846 ldap_msgfree(result);
2847
2848 return NT_STATUS_OK;
2849 }
2850
2851 NTSTATUS pdb_ldap_init(void)
2852 {
2853 NTSTATUS nt_status;
2854 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
2855 return nt_status;
2856
2857 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
2858 return nt_status;
2859
2860 return NT_STATUS_OK;
2861 }