search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r13644: Do not shift anything inside the for loop away. We ineterate over $@.
[Samba/ekacnet.git] / examples / misc / adssearch.pl
blob3651564ec22c1ebb043fb7ed02e33a158160ed5b
1 #!/usr/bin/perl -w
2 #
3 # adssearch.pl - query an Active Directory server and
4 # display objects in a human readable format
5 #
6 # Copyright (C) Guenther Deschner <gd@samba.org> 2003-2005
7 #
8 # TODO: add range retrieval
9 # write sddl-converter, decode userParameters
10 # chase referrals
11 # apparently only win2k3 allows simple-binds with machine-accounts.
12 # make sasl support independent from Authen::SASL::Cyrus v >0.11
13 use strict;
14
15 use Net::LDAP;
16 use Net::LDAP::Control;
17 use Convert::ASN1;
18 use Time::Local;
19 use POSIX qw(strftime);
20 use Getopt::Long;
21
22 my $have_sasl;
23 my $works_sasl;
24 my $pref_version;
25 BEGIN {
26 my $class = 'Authen::SASL';
27 $pref_version = "0.32";
28 if ( eval "require $class;" ) {
29 $have_sasl = 1;
30 }
31 if ( eval "Net::LDAP->VERSION($pref_version);" ) {
32 $works_sasl = 1;
33 }
34 }
35
36 # users may set defaults here
37 my $base = "";
38 my $binddn = "";
39 my $password = "";
40 my $server = "";
41
42 my $tdbdump = "/usr/bin/tdbdump";
43 my $testparm = "/usr/bin/testparm";
44 my $net = "/usr/bin/net";
45 my $dig = "/usr/bin/dig";
46 my $nmblookup = "/usr/bin/nmblookup";
47 my $secrets_tdb = "/etc/samba/secrets.tdb";
48 my $klist = "/usr/bin/klist";
49 my $kinit = "/usr/bin/kinit";
50 my $ads_h = "/home/gd/ads.h";
51 my $page_size = "1000";
52 my $workgroup = "";
53 my $machine = "";
54 my $realm = "";
55
56 # parse input
57 my (
58 $opt_asq,
59 $opt_base,
60 $opt_binddn,
61 $opt_debug,
62 $opt_display_extendeddn,
63 $opt_display_metadata,
64 $opt_display_raw,
65 $opt_dump_rootdse,
66 $opt_dump_schema,
67 $opt_dump_wknguid,
68 $opt_help,
69 $opt_host,
70 $opt_machine,
71 $opt_notify,
72 $opt_notify_nodiffs,
73 $opt_password,
74 $opt_port,
75 $opt_realm,
76 $opt_saslmech,
77 $opt_scope,
78 $opt_simpleauth,
79 $opt_starttls,
80 $opt_user,
81 $opt_verbose,
82 $opt_workgroup,
83 );
84
85 GetOptions(
86 'asq=s' => \$opt_asq,
87 'base|b=s' => \$opt_base,
88 'D|DN=s' => \$opt_binddn,
89 'debug=i' => \$opt_debug,
90 'extendeddn|e' => \$opt_display_extendeddn,
91 'help' => \$opt_help,
92 'host|h=s' => \$opt_host,
93 'machine|P' => \$opt_machine,
94 'metadata|m' => \$opt_display_metadata,
95 'nodiffs' => \$opt_notify_nodiffs,
96 'notify|n' => \$opt_notify,
97 'password|w=s' => \$opt_password,
98 'port=i' => \$opt_port,
99 'rawdisplay' => \$opt_display_raw,
100 'realm|R=s' => \$opt_realm,
101 'rootDSE' => \$opt_dump_rootdse,
102 'saslmech|Y=s' => \$opt_saslmech,
103 'schema|c' => \$opt_dump_schema,
104 'scope|s=s' => \$opt_scope,
105 'simpleauth|x' => \$opt_simpleauth,
106 'tls|Z' => \$opt_starttls,
107 'user|U=s' => \$opt_user,
108 'verbose|v' => \$opt_verbose,
109 'wknguid' => \$opt_dump_wknguid,
110 'workgroup|k=s' => \$opt_workgroup,
111 );
112
113
114 # activate controls
115 my $paging = 1 if !$opt_notify;
116
117 if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
118 usage();
119 exit 1;
120 }
121
122 # get the query
123 my $query = shift;
124 my @attrs = @ARGV;
125
126 # some global vars
127 my ($filter, $dse, $uri);
128 my ($attr, $value);
129 my (@ctrls, @ctrls_s);
130 my ($ctl_paged, $cookie);
131 my ($page_count, $total_entry_count);
132 my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
133 my ($mesg, $usn);
134 my (%entry_store);
135 my $async_search;
136 my (%ads_atype, %ads_gtype, %ads_grouptype, %ads_uf);
137
138 # fixed values and vars
139 my $set = "X";
140 my $unset = "-";
141 my $tabsize = "\t\t\t";
142
143 # get defaults
144 my $scope = $opt_scope || "sub";
145 my $port = $opt_port;
146
147 my %ads_controls = (
148 "LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528",
149 "LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529",
150 "LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319",
151 "LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801",
152 "LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473",
153 "LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474",
154 "LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9",
155 "LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10",
156 "LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure
157 "LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417",
158 "LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521",
159 "LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619",
160 "LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805",
161 "LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841",
162 "LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338",
163 "LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339",
164 "LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340",
165 "LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413",
166 "LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504",
167 "NONE (Get stats control)" => "1.2.840.113556.1.4.970",
168 "LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852",
169 );
170
171 my %ads_capabilities = (
172 "LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800",
173 "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670",
174 "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
175 );
176
177 my %ads_extensions = (
178 "LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037",
179 "LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1",
180 "LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781",
181 "NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1",
182 );
183
184 my %ads_matching_rules = (
185 "LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803",
186 "LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804",
187 );
188
189 my %wknguids = (
190 "WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD",
191 "WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A",
192 "WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD",
193 "WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD",
194 );
195
196 my %ads_systemflags = (
197 "FLAG_DONT_REPLICATE" => 0x00000001, # 1
198 "FLAG_REPLICATE_TO_GC" => 0x00000002, # 2
199 "FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4
200 "FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16
201 "FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432
202 "FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864
203 "FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728
204 #"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation
205 #"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation
206 #"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation
207 "FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648
208 );
209
210 my %ads_mixed_domain = (
211 "NATIVE_LEVEL_DOMAIN" => 0,
212 "MIXED_LEVEL_DOMAIN" => 1,
213 );
214
215 my %ads_ds_func = (
216 "DS_BEHAVIOR_WIN2000" => 0, # untested
217 "DS_BEHAVIOR_WIN2003" => 2,
218 );
219
220 my %ads_instance_type = (
221 "DS_INSTANCETYPE_IS_NC_HEAD" => 0x1,
222 "IT_WRITE" => 0x4,
223 "IT_NC_ABOVE" => 0x8,
224 );
225
226 my %ads_uacc = (
227 "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
228 "ACCOUNT_OK" => 0x800000, # 8388608
229 "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
230 );
231
232 my %ads_gpoptions = (
233 "GPOPTIONS_INHERIT" => 0,
234 "GPOPTIONS_BLOCK_INHERITANCE" => 1,
235 );
236
237 my %ads_gplink_opts = (
238 "GPLINK_OPT_NONE" => 0,
239 "GPLINK_OPT_DISABLED" => 1,
240 "GPLINK_OPT_ENFORCED" => 2,
241 );
242
243 my %ads_gpflags = (
244 "GPFLAGS_ALL_ENABLED" => 0,
245 "GPFLAGS_USER_SETTINGS_DISABLED" => 1,
246 "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2,
247 "GPFLAGS_ALL_DISABLED" => 3,
248 );
249
250 my %ads_serverstate = (
251 "SERVER_ENABLED" => 1,
252 "SERVER_DISABLED" => 2,
253 );
254
255 my %ads_sdeffective = (
256 "OWNER_SECURITY_INFORMATION" => 0x01,
257 "DACL_SECURITY_INFORMATION" => 0x04,
258 "SACL_SECURITY_INFORMATION" => 0x10,
259 );
260
261 my %ads_trustattrs = (
262 "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1,
263 "TRUST_ATTRIBUTE_TREE_PARENT" => 2,
264 "TRUST_ATTRIBUTE_TREE_ROOT" => 3,
265 "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4,
266 );
267
268 my %ads_trustdirection = (
269 "TRUST_DIRECTION_INBOUND" => 1,
270 "TRUST_DIRECTION_OUTBOUND" => 2,
271 "TRUST_DIRECTION_BIDIRECTIONAL" => 3,
272 );
273
274 my %ads_trusttype = (
275 "TRUST_TYPE_DOWNLEVEL" => 1,
276 "TRUST_TYPE_UPLEVEL" => 2,
277 "TRUST_TYPE_KERBEROS" => 3,
278 "TRUST_TYPE_DCE" => 4,
279 );
280
281 my %ads_pwdproperties = (
282 "DOMAIN_PASSWORD_COMPLEX" => 1,
283 "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2,
284 "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4,
285 "DOMAIN_LOCKOUT_ADMINS" => 8,
286 "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16,
287 "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32,
288 );
289
290 my %ads_uascompat = (
291 "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0,
292 "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1,
293 );
294
295 my %ads_frstypes = (
296 "REPLICA_SET_SYSVOL" => 2, # unsure
297 "REPLICA_SET_DFS" => 1, # unsure
298 "REPLICA_SET_OTHER" => 0, # unsure
299 );
300
301 my %ads_gp_cse_extensions = (
302 "Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
303 "Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
304 "EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
305 "Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
306 "IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
307 "Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
308 "QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
309 "Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
310 "Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
311 "Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
312 );
313
314 # guess work
315 my %ads_gpcextensions = (
316 "Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
317 "Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
318 "EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
319 "Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
320 "Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
321 "Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
322 "Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4",
323 "Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
324 "Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
325 "unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4",
326 "unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
327 );
328
329 my %ads_gpo_default_guids = (
330 "Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9",
331 "Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
332 "mist" => "61718096-3D3F-4398-8318-203A48976F9E",
333 );
334
335 my %munged_dial = (
336 "CtxCfgPresent" => \&dump_int,
337 "CtxCfgFlags1" => \&dump_int,
338 "CtxCallback" => \&dump_string,
339 "CtxShadow" => \&dump_string,
340 "CtxMaxConnectionTime" => \&dump_int,
341 "CtxMaxDisconnectionTime"=> \&dump_int,
342 "CtxMaxIdleTime" => \&dump_int,
343 "CtxKeyboardLayout" => \&dump_int,
344 "CtxMinEncryptionLevel" => \&dump_int,
345 "CtxWorkDirectory" => \&dump_string,
346 "CtxNWLogonServer" => \&dump_string,
347 "CtxWFHomeDir" => \&dump_string,
348 "CtxWFHomeDirDrive" => \&dump_string,
349 "CtxWFProfilePath" => \&dump_string,
350 "CtxInitialProgram" => \&dump_string,
351 "CtxCallbackNumber" => \&dump_string,
352 );
353
354 $SIG{__WARN__} = sub {
355 use Carp;
356 Carp::cluck (shift);
357 };
358
359 # parse ads.h
360 parse_ads_h();
361
362 # if there is data missing, we try to autodetect with samba-tools (if installed)
363 # this might fill up workgroup, machine, realm
364 get_samba_info();
365
366 # get a workgroup
367 $workgroup = $workgroup || $opt_workgroup || "";
368
369 # get the server
370 $server = process_servername($opt_host) ||
371 detect_server($workgroup,$opt_realm) ||
372 die "please define server to query with -h host\n";
373
374
375 # get the base
376 $base = $opt_base ||
377 get_base_from_rootdse($server,$dse);
378
379 # get the realm
380 $realm = $opt_realm ||
381 get_realm_from_rootdse($server,$dse);
382
383 # get sasl mechs
384 my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse);
385 my $sasl_mech = "GSSAPI";
386 if ($opt_saslmech) {
387 $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
388 }
389
390 # set bind type
391 my $sasl_bind = 1 if (!$opt_simpleauth);
392
393 # get username
394 my $user = check_user($opt_user) || $ENV{'USER'} || "";
395
396 # gen upn
397 my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
398
399 # get binddn
400 $binddn = $opt_binddn || $upn;
401
402 # get the password
403 $password = $password || $opt_password;
404 if (!$password) {
405 $password = $opt_machine ? get_machine_password($workgroup) : get_password();
406 }
407
408 my %attr_handler = (
409 "Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name
410 "accountExpires" => \&dump_nttime,
411 "badPasswordTime" => \&dump_nttime,
412 "creationTime" => \&dump_nttime,
413 "currentTime" => \&dump_timestr,
414 "domainControllerFunctionality" => \&dump_ds_func,
415 "domainFunctionality" => \&dump_ds_func,
416 "fRSReplicaSetGUID" => \&dump_guid,
417 "fRSReplicaSetType" => \&dump_frstype,
418 "fRSVersionGUID" => \&dump_guid,
419 "flags" => \&dump_gpflags, # fixme: possibly only on gpos!
420 "forceLogoff" => \&dump_nttime_abs,
421 "forestFunctionality" => \&dump_ds_func,
422 # "gPCMachineExtensionNames" => \&dump_gpcextensions,
423 # "gPCUserExtensionNames" => \&dump_gpcextensions,
424 "gPLink" => \&dump_gplink,
425 "gPOptions" => \&dump_gpoptions,
426 "groupType" => \&dump_gtype,
427 "instanceType" => \&dump_instance_type,
428 "lastLogon" => \&dump_nttime,
429 "lastLogonTimestamp" => \&dump_nttime,
430 "lockOutObservationWindow" => \&dump_nttime_abs,
431 "lockoutDuration" => \&dump_nttime_abs,
432 "lockoutTime" => \&dump_nttime,
433 # "logonHours" => \&dump_logonhours,
434 "maxPwdAge" => \&dump_nttime_abs,
435 "minPwdAge" => \&dump_nttime_abs,
436 "modifyTimeStamp" => \&dump_timestr,
437 "msDS-Behavior-Version" => \&dump_ds_func, #unsure
438 "msDS-User-Account-Control-Computed" => \&dump_uacc,
439 # "msRADIUSFramedIPAddress" => \&dump_ipaddr,
440 # "msRASSavedFramedIPAddress" => \&dump_ipaddr,
441 "netbootGUID" => \&dump_guid,
442 "nTMixedDomain" => \&dump_mixed_domain,
443 "nTSecurityDescriptor" => \&dump_secdesc,
444 "objectGUID" => \&dump_guid,
445 "objectSid" => \&dump_sid,
446 "pKT" => \&dump_pkt,
447 "pKTGuid" => \&dump_guid,
448 "pwdLastSet" => \&dump_nttime,
449 "pwdProperties" => \&dump_pwdproperties,
450 "sAMAccountType" => \&dump_atype,
451 "sDRightsEffective" => \&dump_sdeffective,
452 "securityIdentifier" => \&dump_sid,
453 "serverState" => \&dump_serverstate,
454 "supportedCapabilities", => \&dump_capabilities,
455 "supportedControl", => \&dump_controls,
456 "supportedExtension", => \&dump_extension,
457 "systemFlags" => \&dump_systemflags,
458 "tokenGroups", => \&dump_sid,
459 "tokenGroupsGlobalAndUniversal" => \&dump_sid,
460 "trustAttributes" => \&dump_trustattr,
461 "trustDirection" => \&dump_trustdirection,
462 "trustType" => \&dump_trusttype,
463 "uASCompat" => \&dump_uascompat,
464 "userAccountControl" => \&dump_uac,
465 "userCertificate" => \&dump_cert,
466 "userFlags" => \&dump_uf,
467 "userParameters" => \&dump_munged_dial,
468 "whenChanged" => \&dump_timestr,
469 "whenCreated" => \&dump_timestr,
470 # "dSCorePropagationData" => \&dump_timestr,
471 );
472
473
474
475 ################
476 # subfunctions #
477 ################
478
479 sub usage {
480 print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
481 print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
482 print "\t--base|-b [base]\n\t\tUse base [base]\n";
483 print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
484 print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
485 print "\t--extendeddn|-e\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
486 print "\t--help\n\t\tDisplay help page\n";
487 print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
488 print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
489 print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
490 print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
491 print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
492 print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
493 print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
494 print "\t--rawdisplay\n\t\tDo not interpret values\n";
495 print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
496 print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
497 print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
498 print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
499 print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
500 print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
501 print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
502 print "\t--user|-U [user]\n\t\tUse [user]\n";
503 print "\t--wknguid\n\t\tDisplay well known guids\n";
504 print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
505 }
506
507 sub write_ads_list {
508 my ($mod,$attr,$value) = @_;
509 my $ofh = select(STDOUT);
510 $~ = "ADS_LIST";
511 select($ofh);
512 write();
513
514 format ADS_LIST =
515 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
516 $mod, $attr, $value
517 .
518 }
519
520 sub write_ads {
521 my ($mod,$attr,$value) = @_;
522 my $ofh = select(STDOUT);
523 $~ = "ADS";
524 select($ofh);
525 write();
526
527 format ADS =
528 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
529 $mod, $attr, $value
530 ~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
531 $value
532 .
533 }
534
535 sub detect_server {
536
537 my $workgroup = shift;
538 my $realm = shift;
539 my $result;
540 my $found;
541
542 # try net cache (nbt records)
543 if ( -x $net && $workgroup ) {
544 my $key = sprintf("NBT/%s#1C", uc($workgroup));
545 chomp($result = `$net cache search $key 2>&1 /dev/null`);
546 $result =~ s/^.*Value: //;
547 $result =~ s/:.*//;
548 return $result if $result;
549 printf("%10s query failed for [%s]\n", "net cache", $key);
550 }
551
552 # try dns SRV entries
553 if ( -x $dig && $realm ) {
554 my $key = sprintf("_ldap._tcp.%s", lc($realm));
555 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
556 $result =~ s/.* //g;
557 $result =~ s/.$//g;
558 return $result if $result;
559 printf("%10s query failed for [%s]\n", "dns", $key);
560 }
561
562 # try netbios broadcast query
563 if ( -x $nmblookup && $workgroup ) {
564 my $key = sprintf("%s#1C", uc($workgroup));
565 my $pattern = sprintf("%s<1c>", uc($workgroup));
566 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
567 $result =~ s/\s.*//;
568 return $result if $result;
569 printf("%10s query failed for [%s]\n", "nmblookup", $key);
570 }
571
572 return "";
573 }
574
575 sub get_samba_info {
576
577 if (! -x $testparm) { return -1; }
578
579 my $tmp;
580 open(TESTPARM, "$testparm -s -v 2> /dev/null |");
581 while (my $line = <TESTPARM>) {
582 chomp($line);
583 if ($line =~ /netbios name/) {
584 ($tmp, $machine) = split(/=/, $line);
585 $machine =~ s/\s+|\t+//g;
586 }
587 if ($line =~ /realm/) {
588 ($tmp, $realm) = split(/=/, $line);
589 $realm =~ s/\s+|\t+//g;
590 }
591 if ($line =~ /workgroup/) {
592 ($tmp, $workgroup) = split(/=/, $line);
593 $workgroup =~ s/\s+|\t+//g;
594 }
595 }
596 close(TESTPARM);
597 return 0;
598 }
599
600 sub gen_upn {
601 my $machine = shift;
602 my $realm = shift;
603 if ($machine && $realm) {
604 return sprintf("%s\@%s", lc($machine), uc($realm));
605 };
606 return undef;
607 }
608
609 sub get_password {
610 if (!$password && $opt_simpleauth && check_ticket($user)) {
611 return prompt_password($user);
612 }
613 return "";
614 }
615
616 sub get_user {
617 my $user = shift || prompt_user();
618 return $user;
619 }
620
621 sub get_machine_password {
622
623 my $workgroup = shift || "";
624 $workgroup = uc($workgroup);
625
626 my ($found, $tmp);
627 -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
628 -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
629
630 # get machine-password
631 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
632 open(SECRETS,"$tdbdump $secrets_tdb |");
633 while(my $line = <SECRETS>) {
634 chomp($line);
635 if ($found) {
636 $line =~ s/\\00//;
637 ($line,$password) = split(/"/, $line);
638 last;
639 }
640 if ($line =~ /$key/) {
641 $found = 1;
642 }
643 }
644 close(SECRETS);
645
646 if ($found) {
647 print "Successfully autodetected machine password for workgroup: $workgroup\n";
648 return $password;
649 } else {
650 warn "No machine password available for $workgroup\n";
651 }
652 return "";
653 }
654
655 sub prompt_password {
656
657 my $acct = shift || "";
658 if ($acct =~ /\%/) {
659 ($acct, $password) = split(/\%/, $acct);
660 return $password;
661 }
662 system "stty -echo";
663 print "Enter password for $acct:";
664 my $password = <STDIN>;
665 chomp($password);
666 print "\n";
667 system "stty echo";
668 return $password;
669 }
670
671 sub prompt_user {
672
673 print "Enter Username:";
674 my $user = <STDIN>;
675 chomp($user);
676 print "\n";
677 return $user;
678 }
679
680 sub check_ticket {
681 return 0;
682 # works only for heimdal
683 return system("$klist -t");
684 }
685
686 sub get_ticket {
687
688 my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
689
690 open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
691 printf KRB5CONF "# autogenerated by $0\n";
692 printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
693 printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
694 close(KRB5CONF);
695
696 if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
697 return -1;
698 }
699
700 return 0;
701 }
702
703 sub check_user {
704 my $acct = shift || "";
705 if ($acct =~ /\%/) {
706 ($acct, $password) = split(/\%/, $acct);
707 }
708 return $acct;
709 }
710
711 sub check_ctrls ($$@) {
712
713 # bogus function??
714 my $server = shift || "";
715 $dse = shift || get_dse($server) || return -1;
716 my @ctrls = @_;
717
718 my $dse_controls = $dse->get_value('supportedControl', asref => '1');
719 my @dse_controls = @$dse_controls;
720
721 foreach my $i (@ctrls) {
722 # we could use -> supported_control but this
723 # is only available in newer versions of perl-ldap
724 # if ( ! $dse->supported_control( $i ) ) {
725 if ( grep(/$i->type()/, @dse_controls) ) {
726 printf("required control: %s is not supported by ADS-server.\n", $i->type());
727 return -1;
728 }
729 }
730 return 0;
731 }
732
733 sub get_base_from_rootdse {
734
735 my $server = shift || "";
736 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
737 return $dse->get_value('defaultNamingContext');
738 }
739
740 sub get_realm_from_rootdse {
741
742 my $server = shift || "";
743 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
744 my $service = $dse->get_value('ldapServiceName') || "";
745 if ($service) {
746 my ($t,$realm) = split(/\@/, $service);
747 return $realm;
748 } else {
749 die "very odd: could not get realm";
750 }
751 }
752
753 sub get_sasl_mechs_from_rootdse {
754
755 my $server = shift || "";
756 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
757 my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
758 return @$mechs;
759 }
760
761 sub get_dse {
762
763 my $server = shift || return undef;
764 $async_ldap_hd = shift || get_ldap_hd($server,1);
765 if (!$async_ldap_hd) {
766 print "oh, no connection\n";
767 return undef;
768 }
769 my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
770 if ($mesg->code) { die "failed to bind\n"; };
771 my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
772
773 return $dse;
774 }
775
776 sub process_servername {
777
778 my $name = shift || return "";
779 if ($name =~ /^ldaps:\/\//i ) {
780 $name =~ s#^ldaps://##i;
781 $uri = sprintf("%s://%s", "ldaps", $name);
782 } else {
783 $name =~ s#^ldap://##i;
784 $uri = sprintf("%s://%s", "ldap", $name);
785 }
786 return $name;
787 }
788
789 sub get_ldap_hd {
790
791 my $server = shift || return undef;
792 my $async = shift || "0";
793 my $hd;
794 die "uri unavailable" if (!$uri);
795 if ($uri =~ /^ldaps:\/\//i ) {
796 $port = $port || 636;
797 use Net::LDAPS;
798 $hd = Net::LDAPS->new( $server, async => $async, port => $port ) ||
799 die "host $server not available: $!";
800 } else {
801 $port = $port || 389;
802 $hd = Net::LDAP->new( $server, async => $async, port => $port ) ||
803 die "host $server not available: $!";
804 }
805 $hd->debug($opt_debug);
806 if ($opt_starttls) {
807 $hd->start_tls( verify => 'none' );
808 }
809
810 return $hd;
811 }
812
813 sub get_sasl_hd {
814
815 if (!$have_sasl) {
816 print "no sasl support\n";
817 return undef;
818 }
819
820 my $hd;
821 if ($sasl_mech && $sasl_mech eq "GSSAPI") {
822 my $user = sprintf("%s\@%s", $user, uc($realm));
823 if (check_ticket($user) != 0 && get_ticket($user) != 0) {
824 print "Could not get Kerberos ticket for user [$user]\n";
825 return undef;
826 }
827
828 $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
829 my $conn = $hd->client_new("ldap", $server);
830
831 if ($conn->code == -1) {
832 printf "%s\n", $conn->error();
833 return undef;
834 };
835
836 } elsif ($sasl_mech) {
837
838 # here comes generic sasl code
839 $hd = Authen::SASL->new( mechanism => $sasl_mech,
840 callback => {
841 user => \&get_user,
842 pass => \&get_password
843 }
844 ) || die "nope";
845 } else {
846 $sasl_bind = 0;
847 print "no supported SASL mechanism found (@sasl_mechs).\n";
848 print "falling back to simple bind.\n";
849 return undef;
850 }
851
852 return $hd;
853 }
854
855 sub check_sasl_mech {
856 my $mech_check = shift;
857 my $have_mech = 0;
858 foreach my $mech (@sasl_mechs) {
859 $have_mech = 1 if ($mech eq uc($mech_check));
860 }
861 if (!$have_mech) {
862 return -1;
863 }
864 return 0;
865 }
866
867
868 sub parse_ads_h {
869
870 -e "$ads_h" || die "cannot open samba3 ads.h ($ads_h): $!";
871 open(ADSH,"$ads_h");
872 while (my $line = <ADSH>) {
873 chomp($line);
874 if ($line =~ /#define.UF.*0x/) {
875 my ($tmp, $name, $val) = split(/\s+/,$line);
876 next if ($name =~ /UNUSED/);
877 # $ads_uf{$name} = sprintf("%d", hex $val);
878 $ads_uf{$name} = hex $val;
879 }
880 if ($line =~ /#define.GROUP_TYPE.*0x/) {
881 my ($tmp, $name, $val) = split(/\s+/,$line);
882 $ads_grouptype{$name} = hex $val;
883 }
884 if ($line =~ /#define.ATYPE.*0x/) {
885 my ($tmp, $name, $val) = split(/\s+/,$line);
886 $ads_atype{$name} =
887 (exists $ads_atype{$val}) ? $ads_atype{$val} : hex $val;
888 }
889 if ($line =~ /#define.GTYPE.*0x/) {
890 my ($val, $i);
891 my ($tmp, $name, @val) = split(/\s+/,$line);
892 foreach my $tempval (@val) {
893 if ($tempval =~ /^0x/) {
894 $val = $tempval;
895 last;
896 }
897 }
898 next if (!$val);
899 $ads_gtype{$name} = sprintf("%d", hex $val);
900 }
901
902 }
903 close(ADSH);
904 }
905
906 sub store_result ($) {
907
908 my $entry = shift;
909 return if (!$entry);
910 $entry_store{$entry->dn} = $entry;
911 }
912
913 sub display_result_diff ($) {
914
915 my $entry_new = shift;
916 return if ( !$entry_new);
917
918 if ( !exists $entry_store{$entry_new->dn}) {
919 print "can't display any differences yet. full dump...\n";
920 display_entry_generic($entry_new);
921 return;
922 }
923
924 my $entry_old = $entry_store{$entry_new->dn};
925
926 foreach my $attr (sort $entry_new->attributes) {
927 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
928 display_attr_generic("add:\t", $entry_new, $attr);
929 next;
930 }
931 }
932
933 foreach my $attr (sort $entry_old->attributes) {
934 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
935 display_attr_generic("del:\t", $entry_old, $attr);
936 next;
937 }
938
939 # now check for all values if they have changed, display changes
940 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
941
942 $old_vals = $entry_old->get_value($attr, asref => 1);
943 @old_vals = @$old_vals;
944 $new_vals = $entry_new->get_value($attr, asref => 1);
945 @new_vals = @$new_vals;
946
947 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
948 if ($old_vals[0] ne $new_vals[0]) {
949 display_attr_generic("old:\t", $entry_old, $attr);
950 display_attr_generic("new:\t", $entry_new, $attr);
951 }
952 next;
953 }
954
955 # handle multivalued diffs
956 foreach my $val (@old_vals) { $old{$val} = "dummy"; };
957 foreach my $val (@new_vals) { $new{$val} = "dummy"; };
958 foreach my $val (sort keys %new) {
959 if (!exists $old{$val}) {
960 display_value_generic("add:\t", $attr, $val);
961 }
962 }
963 foreach my $val (sort keys %old) {
964 if (!exists $new{$val}) {
965 display_value_generic("del:\t", $attr, $val);
966 }
967 }
968 }
969 print "\n";
970
971 }
972
973 sub sid2string ($) {
974
975 # Fix from Michael James <michael@james.st>
976 my $binary_sid = shift;
977 my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
978 my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
979 return $sid_string;
980
981 }
982
983 sub string_to_guid {
984 my $string = shift;
985 return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
986
987 return pack("I", hex $1) .
988 pack("S", hex $2) .
989 pack("S", hex $3) .
990 pack("C", hex $4) .
991 pack("C", hex $5) .
992 pack("C", hex $6) .
993 pack("C", hex $7) .
994 pack("C", hex $8) .
995 pack("C", hex $9) .
996 pack("C", hex $10) .
997 pack("C", hex $11);
998
999 # print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
1000 }
1001
1002 sub bindstring_to_guid {
1003 my $str = shift;
1004 return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2",
1005 substr($str,0,2),
1006 substr($str,2,2),
1007 substr($str,4,2),
1008 substr($str,6,2),
1009 substr($str,8,2),
1010 substr($str,10,2),
1011 substr($str,12,2),
1012 substr($str,14,2),
1013 substr($str,16,2),
1014 substr($str,18,2),
1015 substr($str,20,2),
1016 substr($str,22,2),
1017 substr($str,24,2),
1018 substr($str,26,2),
1019 substr($str,28,2),
1020 substr($str,30,2));
1021 }
1022
1023 sub guid_to_string {
1024 my $guid = shift;
1025 my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
1026 unpack("I", $guid),
1027 unpack("S", substr($guid, 4, 2)),
1028 unpack("S", substr($guid, 6, 2)),
1029 unpack("C", substr($guid, 8, 1)),
1030 unpack("C", substr($guid, 9, 1)),
1031 unpack("C", substr($guid, 10, 1)),
1032 unpack("C", substr($guid, 11, 1)),
1033 unpack("C", substr($guid, 12, 1)),
1034 unpack("C", substr($guid, 13, 1)),
1035 unpack("C", substr($guid, 14, 1)),
1036 unpack("C", substr($guid, 15, 1));
1037 return lc($string);
1038 }
1039
1040 sub guid_to_bindstring {
1041 my $guid = shift;
1042 return unpack("H" . 2 * length($guid), $guid),
1043 }
1044
1045 sub dump_wknguid {
1046 print "Dumping Well known GUIDs:\n";
1047 foreach my $wknguid (keys %wknguids) {
1048
1049 my $guid = bindstring_to_guid($wknguids{$wknguid});
1050 my $str = guid_to_string($guid);
1051 my $back = guid_to_bindstring($guid);
1052
1053 printf "wkguid: %s\n", $wknguid;
1054 printf "bind_string format: %s\n", $wknguids{$wknguid};
1055 printf "string format: %s\n", guid_to_string($guid);
1056 printf "back to bind_string:%s\n", guid_to_bindstring($guid);
1057
1058 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
1059 }
1060 }
1061
1062 sub gen_bitmask_string_format($%) {
1063 my $mod = shift;
1064 my (%tmp) = @_;
1065 my @list;
1066 foreach my $key (sort keys %tmp) {
1067 push(@list, sprintf("%s %s", $tmp{$key}, $key));
1068 }
1069 return join("\n$mod$tabsize",@list);
1070 }
1071
1072
1073 sub nt_to_unixtime ($) {
1074 # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
1075 my $t64 = shift;
1076 $t64 =~ s/(.+).{7,7}/$1/;
1077 $t64 -= 11644473600;
1078 return $t64;
1079 }
1080
1081 sub dump_equal {
1082 my $val = shift;
1083 my $mod = shift || die "no mod";
1084 my (%header) = @_;
1085 my %tmp;
1086 my $found = 0;
1087 foreach my $key (keys %header) {
1088 if ($header{$key} eq $val) {
1089 $tmp{"($val)"} = $key;
1090 $found = 1;
1091 last;
1092 }
1093 }
1094 if (!$found) { $tmp{$val} = ""; };
1095 return gen_bitmask_string_format($mod,%tmp);
1096 }
1097
1098 sub dump_bitmask {
1099 my $op = shift || die "no op";
1100 my $val = shift;
1101 my $mod = shift || die "no mod";
1102 my (%header) = @_;
1103 my %tmp;
1104 $tmp{""} = $val;
1105 foreach my $key (sort keys %header) { # sort by val !
1106 if ($op eq "&") {
1107 $tmp{$key} = ( $val & $header{$key} ) ? $set:$unset;
1108 } elsif ($op eq "==") {
1109 $tmp{$key} = ( $val == $header{$key} ) ? $set:$unset;
1110 } else {
1111 print "unknown operator: $op\n";
1112 return;
1113 }
1114 }
1115 return gen_bitmask_string_format($mod,%tmp);
1116 }
1117
1118 sub dump_bitmask_and {
1119 return dump_bitmask("&",@_);
1120 }
1121
1122 sub dump_bitmask_equal {
1123 return dump_bitmask("==",@_);
1124 }
1125
1126 sub dump_uac {
1127 return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
1128 }
1129
1130 sub dump_uascompat {
1131 return dump_bitmask_equal(@_,%ads_uascompat);
1132 }
1133
1134 sub dump_gpoptions {
1135 return dump_bitmask_equal(@_,%ads_gpoptions);
1136 }
1137
1138 sub dump_gpflags {
1139 return dump_bitmask_equal(@_,%ads_gpflags);
1140 }
1141
1142 sub dump_uacc {
1143 return dump_bitmask_equal(@_,%ads_uacc);
1144 }
1145
1146 sub dump_uf {
1147 return dump_bitmask_and(@_,%ads_uf);
1148 }
1149
1150 sub dump_gtype {
1151 my $ret = dump_bitmask_and(@_,%ads_grouptype);
1152 $ret .= "\n$tabsize\t";
1153 $ret .= dump_bitmask_equal(@_,%ads_gtype);
1154 return $ret;
1155 }
1156
1157 sub dump_atype {
1158 return dump_bitmask_equal(@_,%ads_atype);
1159 }
1160
1161 sub dump_controls {
1162 return dump_equal(@_,%ads_controls);
1163 }
1164
1165 sub dump_capabilities {
1166 return dump_equal(@_,%ads_capabilities);
1167 }
1168
1169 sub dump_extension {
1170 return dump_equal(@_,%ads_extensions);
1171 }
1172
1173 sub dump_systemflags {
1174 return dump_bitmask_and(@_,%ads_systemflags);
1175 }
1176
1177 sub dump_instance_type {
1178 return dump_bitmask_and(@_,%ads_instance_type);
1179 }
1180
1181 sub dump_ds_func {
1182 return dump_bitmask_equal(@_,%ads_ds_func);
1183 }
1184
1185 sub dump_serverstate {
1186 return dump_bitmask_equal(@_,%ads_serverstate);
1187 }
1188
1189 sub dump_sdeffective {
1190 return dump_bitmask_and(@_,%ads_sdeffective);
1191 }
1192
1193 sub dump_trustattr {
1194 return dump_bitmask_equal(@_,%ads_trustattrs);
1195 }
1196
1197 sub dump_trusttype {
1198 return dump_bitmask_equal(@_,%ads_trusttype);
1199 }
1200
1201 sub dump_trustdirection {
1202 return dump_bitmask_equal(@_,%ads_trustdirection);
1203 }
1204
1205 sub dump_pwdproperties {
1206 return dump_bitmask_and(@_,%ads_pwdproperties);
1207 }
1208
1209 sub dump_frstype {
1210 return dump_bitmask_equal(@_,%ads_frstypes)
1211 }
1212
1213 sub dump_mixed_domain {
1214 return dump_bitmask_equal(@_,%ads_mixed_domain);
1215 }
1216
1217 sub dump_sid {
1218 my $bin_sid = shift;
1219 return sid2string($bin_sid);
1220 }
1221
1222 sub dump_guid {
1223 my $guid = shift;
1224 return guid_to_string($guid);
1225 }
1226
1227 sub dump_secdesc {
1228 my $val = shift;
1229 return "FIXME: write sddl-converter!";
1230 }
1231
1232 sub dump_nttime {
1233 my $nttime = shift;
1234 if ($nttime == 0) {
1235 return sprintf("%s (%s)", "never", $nttime);
1236 }
1237 my $localtime = localtime(nt_to_unixtime($nttime));
1238 return sprintf("%s (%s)", $localtime, $nttime);
1239 }
1240
1241 sub dump_nttime_abs {
1242 if ($_[0] == 9223372036854775807) {
1243 return sprintf("%s (%s)", "now", $_[0]);
1244 }
1245 if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1246 return sprintf("%s (%s)", "never", $_[0]);
1247 }
1248 # FIXME: actually *do* abs time !
1249 return dump_nttime($_[0]);
1250 }
1251
1252 sub dump_timestr {
1253 my $time = shift;
1254 if ($time eq "16010101000010.0Z") {
1255 return sprintf("%s (%s)", "never", $time);
1256 }
1257 my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
1258 unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1259 $mon -= 1;
1260 my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
1261 return sprintf("%s (%s)", $localtime, $time);
1262 }
1263
1264 sub dump_string {
1265 return $_[0];
1266 }
1267
1268 sub dump_int {
1269 return sprintf("%d", $_[0]);
1270 }
1271
1272 sub dump_munged_dial {
1273 my $dial = shift;
1274 return "FIXME! decode this";
1275 }
1276
1277 sub dump_cert {
1278
1279 my $cert = shift;
1280 open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
1281 print OPENSSL $cert;
1282 close(OPENSSL);
1283 return "";
1284 }
1285
1286 sub dump_pkt {
1287 my $pkt = shift;
1288 return "not yet";
1289 printf("%s: ", $pkt);
1290 printf("%02X", $pkt);
1291
1292 }
1293
1294 sub dump_gplink {
1295
1296 my $gplink = shift;
1297 my $gplink_mod = $gplink;
1298 my @links = split("\\]\\[", $gplink_mod);
1299 foreach my $link (@links) {
1300 $link =~ s/^\[|\]$//g;
1301 my ($ldap_link, $opt) = split(";", $link);
1302 my @array = ( "$opt", "\t" );
1303 printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
1304 }
1305 return $gplink;
1306 }
1307
1308 sub construct_filter {
1309
1310 my $tmp = shift;
1311
1312 if (!$tmp || $opt_notify) {
1313 return "(objectclass=*)";
1314 }
1315
1316 if ($tmp && $tmp !~ /^.*\=/) {
1317 return "(ANR=$tmp)";
1318 }
1319
1320 return $tmp;
1321 # (&(objectCategory=person)
1322 # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1323 }
1324
1325 sub construct_attrs {
1326
1327 my @attrs = @_;
1328
1329 if (!@attrs) {
1330 push(@attrs,"*");
1331 }
1332
1333 if ($opt_notify) {
1334 push(@attrs,"uSNChanged");
1335 }
1336
1337 if ($opt_display_metadata) {
1338 push(@attrs,"msDS-ReplAttributeMetaData");
1339 push(@attrs,"replPropertyMetaData");
1340 }
1341
1342 if ($opt_verbose) {
1343 push(@attrs,"nTSecurityDescriptor");
1344 push(@attrs,"msDS-KeyVersionNumber");
1345 push(@attrs,"msDS-User-Account-Control-Computed");
1346 push(@attrs,"modifyTimeStamp");
1347 }
1348
1349 return sort @attrs;
1350 }
1351
1352 sub print_header {
1353
1354 print "\n";
1355 printf "%10s: %s\n", "uri", $uri;
1356 printf "%10s: %s\n", "port", $port;
1357 printf "%10s: %s\n", "base", $base;
1358 printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
1359 printf "%10s: %s\n", "password", $password;
1360 printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
1361 printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1362 printf "%10s: %s\n", "filter", $filter;
1363 printf "%10s: %s\n", "scope", $scope;
1364 printf "%10s: %s\n", "attrs", join(", ", @attrs);
1365 printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1366 printf "%10s: %s\n", "page_size", $page_size if ($paging);
1367 printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
1368 printf "\n";
1369 }
1370
1371 sub gen_controls {
1372
1373 # setup attribute-scoped query control
1374 my $asq_asn = Convert::ASN1->new;
1375 $asq_asn->prepare(
1376 q< asq ::= SEQUENCE {
1377 sourceAttribute OCTET_STRING
1378 }
1379 >
1380 );
1381 my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
1382 my $ctl_asq = Net::LDAP::Control->new(
1383 type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
1384 critical => 'true',
1385 value => $ctl_asq_val);
1386
1387
1388 # setup extended dn control
1389 my $asn_extended_dn = Convert::ASN1->new;
1390 $asn_extended_dn->prepare(
1391 q< ExtendedDn ::= SEQUENCE {
1392 mode INTEGER
1393 }
1394 >
1395 );
1396
1397 my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => '1');
1398 my $ctl_extended_dn =Net::LDAP::Control->new(
1399 type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1400 critical => 'true',
1401 value => $ctl_extended_dn_val);
1402
1403
1404 # setup notify control
1405 my $ctl_notification = Net::LDAP::Control->new(
1406 type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1407 critical => 'true');
1408
1409
1410 # setup paging control
1411 $ctl_paged = Net::LDAP::Control->new(
1412 type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1413 critical => 'true',
1414 size => $page_size);
1415
1416
1417 if ($paging) {
1418 push(@ctrls, $ctl_paged);
1419 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1420 }
1421
1422 if ($opt_display_extendeddn) {
1423 push(@ctrls, $ctl_extended_dn);
1424 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1425 }
1426 if ($opt_notify) {
1427 push(@ctrls, $ctl_notification);
1428 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1429 }
1430
1431 if ($opt_asq) {
1432 push(@ctrls, $ctl_asq);
1433 push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
1434 }
1435
1436 return @ctrls;
1437 }
1438
1439 sub display_value_generic ($$$) {
1440
1441 my ($mod,$attr,$value) = @_;
1442 return unless (defined($value) and defined($attr));
1443
1444 if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1445 $value = $attr_handler{$attr}($value,$mod);
1446 write_ads_list($mod,$attr,$value);
1447 return;
1448 }
1449 write_ads($mod,$attr,$value);
1450 }
1451
1452 sub display_attr_generic ($$$) {
1453
1454 my ($mod,$entry,$attr) = @_;
1455 return if (!$attr || !$entry);
1456
1457 my $ref = $entry->get_value($attr, asref => 1);
1458 my @values = @$ref;
1459
1460 foreach my $value ( sort @values) {
1461 display_value_generic($mod,$attr,$value);
1462 }
1463 }
1464
1465 sub display_entry_generic ($) {
1466
1467 my $entry = shift;
1468 return if (!$entry);
1469
1470 foreach my $attr ( sort $entry->attributes) {
1471 display_attr_generic("\t",$entry,$attr);
1472 }
1473 }
1474
1475 sub display_ldap_err ($) {
1476
1477 my $msg = shift;
1478 print_header();
1479 my ($package, $filename, $line, $subroutine) = caller(0);
1480
1481 print "got error from ADS:\n";
1482 printf("%s(%d): ERROR (%s): %s\n",
1483 $subroutine, $line, $msg->code, $msg->error);
1484
1485 }
1486
1487 sub process_result {
1488
1489 my ($msg,$entry) = @_;
1490
1491 if (!defined($msg)) {
1492 return;
1493 }
1494
1495 if ($msg->code) {
1496 display_ldap_err($msg);
1497 exit 1;
1498 }
1499
1500 if (!defined($entry)) {
1501 return;
1502 }
1503
1504 if ($entry->isa('Net::LDAP::Reference')) {
1505 foreach my $ref ($entry->references) {
1506 print "\ngot Reference: [$ref]\n";
1507 }
1508 return;
1509 }
1510
1511 print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
1512
1513 display_entry_generic($entry);
1514 }
1515
1516 sub default_callback {
1517
1518 my ($res,$obj) = @_;
1519
1520 if (!$opt_notify) {
1521 return process_result($res,$obj);
1522 }
1523 }
1524
1525 sub error_callback {
1526
1527 my ($msg,$entry) = @_;
1528
1529 if (!$msg) {
1530 return;
1531 }
1532
1533 if ($msg->code) {
1534 display_ldap_err($msg);
1535 exit(1);
1536 }
1537 return;
1538 }
1539
1540 sub notify_callback {
1541
1542 my ($msg, $obj) = @_;
1543
1544 if (! defined($obj)) {
1545 return;
1546 }
1547
1548 if ($obj->isa('Net::LDAP::Reference')) {
1549 foreach my $ref ($obj->references) {
1550 print "\ngot Reference: [$ref]\n";
1551 }
1552 return;
1553 }
1554
1555 while (1) {
1556
1557 my $async_entry = $async_search->pop_entry;
1558
1559 if (!$async_entry->dn) {
1560 print "very weird. entry has no dn\n";
1561 next;
1562 }
1563
1564 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
1565
1566 my $new_usn = $async_entry->get_value('uSNChanged');
1567 if (!$usn || $new_usn > $usn) {
1568 $usn = $new_usn;
1569 if ($opt_notify_nodiffs) {
1570 display_entry_generic($async_entry);
1571 } else {
1572 display_result_diff($async_entry);
1573 }
1574 }
1575 store_result($async_entry);
1576 }
1577 }
1578
1579 sub do_bind($$) {
1580
1581 my $async_ldap_hd = shift || return undef;
1582 my $sasl_bind = shift;
1583
1584 if ($sasl_bind) {
1585 if (!$works_sasl) {
1586 print "this version of Net::LDAP does not have proper SASL support.\n";
1587 print "Need at least perl-ldap V. $pref_version\n";
1588 }
1589 $sasl_hd = get_sasl_hd();
1590 if (!$sasl_hd) {
1591 print "failed to create SASL handle\n";
1592 return -1;
1593 }
1594 $mesg = $async_ldap_hd->bind(
1595 sasl => $sasl_hd,
1596 callback => \&error_callback
1597 ) || die "doesnt work";
1598 } else {
1599 $sasl_mech = "";
1600 $mesg = $async_ldap_hd->bind(
1601 $binddn,
1602 password => $password,
1603 callback => \&error_callback
1604 ) || die "doesnt work";
1605 };
1606 if ($mesg->code) {
1607 display_ldap_err($mesg);
1608 return -1;
1609 }
1610 return 0;
1611 }
1612
1613 sub do_unbind() {
1614 if ($async_ldap_hd) {
1615 $async_ldap_hd->unbind;
1616 }
1617 if ($sync_ldap_hd) {
1618 $sync_ldap_hd->unbind;
1619 }
1620 }
1621
1622 ###############################################################################
1623
1624 sub main () {
1625
1626 $filter = construct_filter($query);
1627 @attrs = construct_attrs(@attrs);
1628 @ctrls = gen_controls();
1629 if (check_ctrls($server,$dse,@ctrls) == -1) {
1630 print "not all required LDAP Controls are supported by this server\n";
1631 exit 1;
1632 }
1633
1634 if ($opt_dump_rootdse) {
1635 print "Dumping Root-DSE:\n";
1636 display_entry_generic($dse);
1637 exit 0;
1638 }
1639
1640 if ($opt_dump_wknguid) {
1641 dump_wknguid();
1642 exit 0;
1643 }
1644
1645 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1646 exit 1;
1647 }
1648
1649 print_header();
1650
1651 if ($opt_dump_schema) {
1652 print "Dumping Schema:\n";
1653 my $ads_schema = $async_ldap_hd->schema;
1654 $ads_schema->dump;
1655 exit 0;
1656 }
1657
1658 while (1) {
1659
1660 $async_search = $async_ldap_hd->search(
1661 base => $base,
1662 filter => $filter,
1663 attrs => [ @attrs ],
1664 control => [ @ctrls ],
1665 callback => \&default_callback,
1666 scope => $scope,
1667 ) || die "cannot search";
1668
1669 if ($opt_notify) {
1670
1671 print "Base [$base] is registered now for change-notify\n";
1672 print "\nWaiting for change-notify...\n";
1673
1674 my $sync_ldap_hd = get_ldap_hd($server,0);
1675 if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
1676 exit 2;
1677 }
1678
1679 my $sync_search = $sync_ldap_hd->search(
1680 base => $base,
1681 filter => $filter,
1682 attrs => [ @attrs ],
1683 callback => \&notify_callback,
1684 scope => $scope,
1685 ) || die "cannot search";
1686
1687 }
1688
1689 $total_entry_count += $async_search->count;
1690 ++$page_count;
1691 print "-" x 80 . "\n";
1692 printf("Got %d Entries in Page %d \n\n",
1693 $async_search->count, $page_count);
1694 my ($resp) = $async_search->control(
1695 $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1696 last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1697 }
1698
1699 if ($async_search->entries == 0) {
1700 print "No entries found with filter $filter\n";
1701 } else {
1702 print "Got $total_entry_count Entries in $page_count Pages\n" if ($paging);
1703 }
1704
1705 do_unbind()
1706 }
1707
1708 main();
1709
1710 exit 0;