search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix bug 118; replace hard coded 'next[User|Group]Rid' attribute names
[Samba/ekacnet.git] / source / passdb / pdb_ldap.c
blob1c305a361c63d95e3d6b866104d8e4e70bd84258
1 /*
2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Stefan (metze) Metzmacher 2002
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23
24 */
25
26 /* TODO:
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
29 *
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 *
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
35 *
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 */
39
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
43 * and/or winbind
44 */
45
46 #include "includes.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_PASSDB
50
51 #include <lber.h>
52 #include <ldap.h>
53
54 #ifndef LDAP_OPT_SUCCESS
55 #define LDAP_OPT_SUCCESS 0
56 #endif
57
58 #ifndef SAM_ACCOUNT
59 #define SAM_ACCOUNT struct sam_passwd
60 #endif
61
62 struct ldapsam_privates {
63 /* Former statics */
64 LDAP *ldap_struct;
65 LDAPMessage *result;
66 LDAPMessage *entry;
67 int index;
68
69 time_t last_ping;
70 /* retrive-once info */
71 const char *uri;
72 const char *domain_name;
73 DOM_SID domain_sid;
74
75 /* configuration items */
76 int schema_ver;
77
78 BOOL permit_non_unix_accounts;
79
80 uint32 low_allocated_user_rid;
81 uint32 high_allocated_user_rid;
82
83 uint32 low_allocated_group_rid;
84 uint32 high_allocated_group_rid;
85
86 char *bind_dn;
87 char *bind_secret;
88
89 unsigned int num_failures;
90 };
91
92 #define LDAPSAM_DONT_PING_TIME 10 /* ping only all 10 seconds */
93
94 static struct ldapsam_privates *static_ldap_state;
95
96 /* specify schema versions between 2.2. and 3.0 */
97
98 #define SCHEMAVER_SAMBAACCOUNT 1
99 #define SCHEMAVER_SAMBASAMACCOUNT 2
100
101 /* objectclass names */
102
103 #define LDAP_OBJ_SAMBASAMACCOUNT "sambaSamAccount"
104 #define LDAP_OBJ_SAMBAACCOUNT "sambaAccount"
105 #define LDAP_OBJ_GROUPMAP "sambaGroupMapping"
106 #define LDAP_OBJ_DOMINFO "sambaDomain"
107
108 #define LDAP_OBJ_ACCOUNT "account"
109 #define LDAP_OBJ_POSIXACCOUNT "posixAccount"
110 #define LDAP_OBJ_POSIXGROUP "posixGroup"
111
112 /* some generic attributes that get reused a lot */
113
114 #define LDAP_ATTRIBUTE_SID "sambaSID"
115
116 /* attribute map table indexes */
117
118 #define LDAP_ATTR_LIST_END 0
119 #define LDAP_ATTR_UID 1
120 #define LDAP_ATTR_UIDNUMBER 2
121 #define LDAP_ATTR_GIDNUMBER 3
122 #define LDAP_ATTR_UNIX_HOME 4
123 #define LDAP_ATTR_PWD_LAST_SET 5
124 #define LDAP_ATTR_PWD_CAN_CHANGE 6
125 #define LDAP_ATTR_PWD_MUST_CHANGE 7
126 #define LDAP_ATTR_LOGON_TIME 8
127 #define LDAP_ATTR_LOGOFF_TIME 9
128 #define LDAP_ATTR_KICKOFF_TIME 10
129 #define LDAP_ATTR_CN 11
130 #define LDAP_ATTR_DISPLAY_NAME 12
131 #define LDAP_ATTR_HOME_PATH 13
132 #define LDAP_ATTR_LOGON_SCRIPT 14
133 #define LDAP_ATTR_PROFILE_PATH 15
134 #define LDAP_ATTR_DESC 16
135 #define LDAP_ATTR_USER_WKS 17
136 #define LDAP_ATTR_USER_SID 18
137 #define LDAP_ATTR_USER_RID 18
138 #define LDAP_ATTR_PRIMARY_GROUP_SID 19
139 #define LDAP_ATTR_PRIMARY_GROUP_RID 20
140 #define LDAP_ATTR_LMPW 21
141 #define LDAP_ATTR_NTPW 22
142 #define LDAP_ATTR_DOMAIN 23
143 #define LDAP_ATTR_OBJCLASS 24
144 #define LDAP_ATTR_ACB_INFO 25
145 #define LDAP_ATTR_NEXT_USERRID 26
146 #define LDAP_ATTR_NEXT_GROUPRID 27
147 #define LDAP_ATTR_DOM_SID 28
148 #define LDAP_ATTR_HOME_DRIVE 29
149 #define LDAP_ATTR_GROUP_SID 30
150 #define LDAP_ATTR_GROUP_TYPE 31
151
152
153 typedef struct _attrib_map_entry {
154 int attrib;
155 const char *name;
156 } ATTRIB_MAP_ENTRY;
157
158
159 /* attributes used by Samba 2.2 */
160
161 static ATTRIB_MAP_ENTRY attrib_map_v22[] = {
162 { LDAP_ATTR_UID, "uid" },
163 { LDAP_ATTR_UIDNUMBER, "uidNumber" },
164 { LDAP_ATTR_GIDNUMBER, "gidNumber" },
165 { LDAP_ATTR_UNIX_HOME, "homeDirectory" },
166 { LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
167 { LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
168 { LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
169 { LDAP_ATTR_LOGON_TIME, "logonTime" },
170 { LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
171 { LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
172 { LDAP_ATTR_CN, "cn" },
173 { LDAP_ATTR_DISPLAY_NAME, "displayName" },
174 { LDAP_ATTR_HOME_PATH, "smbHome" },
175 { LDAP_ATTR_HOME_DRIVE, "homeDrives" },
176 { LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
177 { LDAP_ATTR_PROFILE_PATH, "profilePath" },
178 { LDAP_ATTR_DESC, "description" },
179 { LDAP_ATTR_USER_WKS, "userWorkstations"},
180 { LDAP_ATTR_USER_RID, "rid" },
181 { LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
182 { LDAP_ATTR_LMPW, "lmPassword" },
183 { LDAP_ATTR_NTPW, "ntPassword" },
184 { LDAP_ATTR_DOMAIN, "domain" },
185 { LDAP_ATTR_OBJCLASS, "objectClass" },
186 { LDAP_ATTR_ACB_INFO, "acctFlags" },
187 { LDAP_ATTR_LIST_END, NULL }
188 };
189
190 /* attributes used by Samba 3.0's sambaSamAccount */
191
192 static ATTRIB_MAP_ENTRY attrib_map_v30[] = {
193 { LDAP_ATTR_UID, "uid" },
194 { LDAP_ATTR_UIDNUMBER, "uidNumber" },
195 { LDAP_ATTR_GIDNUMBER, "gidNumber" },
196 { LDAP_ATTR_UNIX_HOME, "homeDirectory" },
197 { LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
198 { LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
199 { LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
200 { LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
201 { LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
202 { LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
203 { LDAP_ATTR_CN, "cn" },
204 { LDAP_ATTR_DISPLAY_NAME, "displayName" },
205 { LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
206 { LDAP_ATTR_HOME_PATH, "sambaHomePath" },
207 { LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
208 { LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
209 { LDAP_ATTR_DESC, "description" },
210 { LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
211 { LDAP_ATTR_USER_SID, "sambaSID" },
212 { LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
213 { LDAP_ATTR_LMPW, "sambaLMPassword" },
214 { LDAP_ATTR_NTPW, "sambaNTPassword" },
215 { LDAP_ATTR_DOMAIN, "sambaDomainName" },
216 { LDAP_ATTR_OBJCLASS, "objectClass" },
217 { LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
218 { LDAP_ATTR_LIST_END, NULL }
219 };
220
221 /* attributes used for alalocating RIDs */
222
223 static ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
224 { LDAP_ATTR_DOMAIN, "sambaDomainName" },
225 { LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
226 { LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
227 { LDAP_ATTR_DOM_SID, "sambaSID" },
228 { LDAP_ATTR_LIST_END, NULL },
229 };
230
231 /* Samba 3.0 group mapping attributes */
232
233 static ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
234 { LDAP_ATTR_GIDNUMBER, "gidNumber" },
235 { LDAP_ATTR_GROUP_SID, "sambaSID" },
236 { LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
237 { LDAP_ATTR_DESC, "description" },
238 { LDAP_ATTR_DISPLAY_NAME, "displayName" },
239 { LDAP_ATTR_CN, "cn" },
240 { LDAP_ATTR_LIST_END, NULL }
241 };
242
243 static ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
244 { LDAP_ATTR_GROUP_SID, "sambaSID" },
245 { LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
246 { LDAP_ATTR_DESC, "description" },
247 { LDAP_ATTR_DISPLAY_NAME, "displayName" },
248 { LDAP_ATTR_LIST_END, NULL }
249 };
250
251 /**********************************************************************
252 perform a simple table lookup and return the attribute name
253 **********************************************************************/
254
255 static const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
256 {
257 int i = 0;
258
259 while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
260 if ( table[i].attrib == key )
261 return table[i].name;
262 i++;
263 }
264
265 return NULL;
266 }
267
268 /**********************************************************************
269 get the attribute name given a user schame version
270 **********************************************************************/
271
272 static const char* get_userattr_key2string( int schema_ver, int key )
273 {
274 switch ( schema_ver )
275 {
276 case SCHEMAVER_SAMBAACCOUNT:
277 return get_attr_key2string( attrib_map_v22, key );
278
279 case SCHEMAVER_SAMBASAMACCOUNT:
280 return get_attr_key2string( attrib_map_v30, key );
281
282 default:
283 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
284 break;
285 }
286 return NULL;
287 }
288
289 /**********************************************************************
290 Return the list of attribute names from a mapping table
291 **********************************************************************/
292
293 static char** get_attr_list( ATTRIB_MAP_ENTRY table[] )
294 {
295 char **names;
296 int i = 0;
297
298 while ( table[i].attrib != LDAP_ATTR_LIST_END )
299 i++;
300 i++;
301
302 names = (char**)malloc( sizeof(char*)*i );
303 if ( !names ) {
304 DEBUG(0,("get_attr_list: out of memory\n"));
305 return NULL;
306 }
307
308 i = 0;
309 while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
310 names[i] = strdup( table[i].name );
311 i++;
312 }
313 names[i] = NULL;
314
315 return names;
316 }
317
318 /*********************************************************************
319 Cleanup
320 ********************************************************************/
321
322 static void free_attr_list( char **list )
323 {
324 int i = 0;
325
326 if ( !list )
327 return;
328
329 while ( list[i] )
330 SAFE_FREE( list[i] );
331
332 SAFE_FREE( list );
333 }
334
335 /**********************************************************************
336 return the list of attribute names given a user schema version
337 **********************************************************************/
338
339 static char** get_userattr_list( int schema_ver )
340 {
341 switch ( schema_ver )
342 {
343 case SCHEMAVER_SAMBAACCOUNT:
344 return get_attr_list( attrib_map_v22 );
345
346 case SCHEMAVER_SAMBASAMACCOUNT:
347 return get_attr_list( attrib_map_v30 );
348 default:
349 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
350 break;
351 }
352
353 return NULL;
354 }
355
356 /*******************************************************************
357 find the ldap password
358 ******************************************************************/
359 static BOOL fetch_ldapsam_pw(char **dn, char** pw)
360 {
361 char *key = NULL;
362 size_t size;
363
364 *dn = smb_xstrdup(lp_ldap_admin_dn());
365
366 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
367 SAFE_FREE(*dn);
368 DEBUG(0, ("fetch_ldapsam_pw: asprintf failed!\n"));
369 }
370
371 *pw=secrets_fetch(key, &size);
372 SAFE_FREE(key);
373
374 if (!size) {
375 /* Upgrade 2.2 style entry */
376 char *p;
377 char* old_style_key = strdup(*dn);
378 char *data;
379 fstring old_style_pw;
380
381 if (!old_style_key) {
382 DEBUG(0, ("fetch_ldapsam_pw: strdup failed!\n"));
383 return False;
384 }
385
386 for (p=old_style_key; *p; p++)
387 if (*p == ',') *p = '/';
388
389 data=secrets_fetch(old_style_key, &size);
390 if (!size && size < sizeof(old_style_pw)) {
391 DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
392 SAFE_FREE(old_style_key);
393 SAFE_FREE(*dn);
394 return False;
395 }
396
397 strncpy(old_style_pw, data, size);
398 old_style_pw[size] = 0;
399
400 SAFE_FREE(data);
401
402 if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
403 DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
404 SAFE_FREE(old_style_key);
405 SAFE_FREE(*dn);
406 return False;
407 }
408 if (!secrets_delete(old_style_key)) {
409 DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
410 }
411
412 SAFE_FREE(old_style_key);
413
414 *pw = smb_xstrdup(old_style_pw);
415 }
416
417 return True;
418 }
419
420 /*******************************************************************
421 open a connection to the ldap server.
422 ******************************************************************/
423 static int ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
424 {
425 int rc = LDAP_SUCCESS;
426 int version;
427 BOOL ldap_v3 = False;
428
429 #ifdef HAVE_LDAP_INITIALIZE
430 DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
431
432 if ((rc = ldap_initialize(ldap_struct, ldap_state->uri)) != LDAP_SUCCESS) {
433 DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
434 return rc;
435 }
436
437 #else
438
439 /* Parse the string manually */
440
441 {
442 int port = 0;
443 fstring protocol;
444 fstring host;
445 const char *p = ldap_state->uri;
446 SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
447
448 /* skip leading "URL:" (if any) */
449 if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
450 p += 4;
451 }
452
453 sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
454
455 if (port == 0) {
456 if (strequal(protocol, "ldap")) {
457 port = LDAP_PORT;
458 } else if (strequal(protocol, "ldaps")) {
459 port = LDAPS_PORT;
460 } else {
461 DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
462 }
463 }
464
465 if ((*ldap_struct = ldap_init(host, port)) == NULL) {
466 DEBUG(0, ("ldap_init failed !\n"));
467 return LDAP_OPERATIONS_ERROR;
468 }
469
470 if (strequal(protocol, "ldaps")) {
471 #ifdef LDAP_OPT_X_TLS
472 int tls = LDAP_OPT_X_TLS_HARD;
473 if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
474 {
475 DEBUG(0, ("Failed to setup a TLS session\n"));
476 }
477
478 DEBUG(3,("LDAPS option set...!\n"));
479 #else
480 DEBUG(0,("ldapsam_open_connection: Secure connection not supported by LDAP client libraries!\n"));
481 return LDAP_OPERATIONS_ERROR;
482 #endif
483 }
484 }
485 #endif
486
487 if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
488 {
489 if (version != LDAP_VERSION3)
490 {
491 version = LDAP_VERSION3;
492 if (ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) {
493 ldap_v3 = True;
494 }
495 } else {
496 ldap_v3 = True;
497 }
498 }
499
500 if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
501 #ifdef LDAP_OPT_X_TLS
502 if (ldap_v3) {
503 if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
504 {
505 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
506 ldap_err2string(rc)));
507 return rc;
508 }
509 DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
510 } else {
511
512 DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
513 return LDAP_OPERATIONS_ERROR;
514 }
515 #else
516 DEBUG(0,("ldapsam_open_connection: StartTLS not supported by LDAP client libraries!\n"));
517 return LDAP_OPERATIONS_ERROR;
518 #endif
519 }
520
521 DEBUG(2, ("ldapsam_open_connection: connection opened\n"));
522 return rc;
523 }
524
525
526 /*******************************************************************
527 a rebind function for authenticated referrals
528 This version takes a void* that we can shove useful stuff in :-)
529 ******************************************************************/
530 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
531 #else
532 static int rebindproc_with_state (LDAP * ld, char **whop, char **credp,
533 int *methodp, int freeit, void *arg)
534 {
535 struct ldapsam_privates *ldap_state = arg;
536
537 /** @TODO Should we be doing something to check what servers we rebind to?
538 Could we get a referral to a machine that we don't want to give our
539 username and password to? */
540
541 if (freeit) {
542 SAFE_FREE(*whop);
543 memset(*credp, '\0', strlen(*credp));
544 SAFE_FREE(*credp);
545 } else {
546 DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
547 ldap_state->bind_dn));
548
549 *whop = strdup(ldap_state->bind_dn);
550 if (!*whop) {
551 return LDAP_NO_MEMORY;
552 }
553 *credp = strdup(ldap_state->bind_secret);
554 if (!*credp) {
555 SAFE_FREE(*whop);
556 return LDAP_NO_MEMORY;
557 }
558 *methodp = LDAP_AUTH_SIMPLE;
559 }
560 return 0;
561 }
562 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
563
564 /*******************************************************************
565 a rebind function for authenticated referrals
566 This version takes a void* that we can shove useful stuff in :-)
567 and actually does the connection.
568 ******************************************************************/
569 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
570 static int rebindproc_connect_with_state (LDAP *ldap_struct,
571 LDAP_CONST char *url,
572 ber_tag_t request,
573 ber_int_t msgid, void *arg)
574 {
575 struct ldapsam_privates *ldap_state = arg;
576 int rc;
577 DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n",
578 ldap_state->bind_dn));
579
580 /** @TODO Should we be doing something to check what servers we rebind to?
581 Could we get a referral to a machine that we don't want to give our
582 username and password to? */
583
584 rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
585
586 return rc;
587 }
588 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
589
590 /*******************************************************************
591 Add a rebind function for authenticated referrals
592 ******************************************************************/
593 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
594 #else
595 # if LDAP_SET_REBIND_PROC_ARGS == 2
596 static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
597 int *method, int freeit )
598 {
599 return rebindproc_with_state(ldap_struct, whop, credp,
600 method, freeit, static_ldap_state);
601
602 }
603 # endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
604 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
605
606 /*******************************************************************
607 a rebind function for authenticated referrals
608 this also does the connection, but no void*.
609 ******************************************************************/
610 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
611 # if LDAP_SET_REBIND_PROC_ARGS == 2
612 static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
613 ber_int_t msgid)
614 {
615 return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
616 static_ldap_state);
617 }
618 # endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
619 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
620
621 /*******************************************************************
622 connect to the ldap server under system privilege.
623 ******************************************************************/
624 static int ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
625 {
626 int rc;
627 char *ldap_dn;
628 char *ldap_secret;
629
630 /* The rebind proc needs this *HACK*. We are not multithreaded, so
631 this will work, but it's not nice. */
632 static_ldap_state = ldap_state;
633
634 /* get the password */
635 if (!fetch_ldapsam_pw(&ldap_dn, &ldap_secret))
636 {
637 DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
638 return LDAP_INVALID_CREDENTIALS;
639 }
640
641 ldap_state->bind_dn = ldap_dn;
642 ldap_state->bind_secret = ldap_secret;
643
644 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
645 (OpenLDAP) doesnt' seem to support it */
646
647 DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
648 ldap_state->uri, ldap_dn));
649
650 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
651 # if LDAP_SET_REBIND_PROC_ARGS == 2
652 ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
653 # endif
654 # if LDAP_SET_REBIND_PROC_ARGS == 3
655 ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
656 # endif
657 #else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
658 # if LDAP_SET_REBIND_PROC_ARGS == 2
659 ldap_set_rebind_proc(ldap_struct, &rebindproc);
660 # endif
661 # if LDAP_SET_REBIND_PROC_ARGS == 3
662 ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
663 # endif
664 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
665
666 rc = ldap_simple_bind_s(ldap_struct, ldap_dn, ldap_secret);
667
668 if (rc != LDAP_SUCCESS) {
669 char *ld_error = NULL;
670 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
671 &ld_error);
672 DEBUG(ldap_state->num_failures ? 2 : 0,
673 ("failed to bind to server with dn= %s Error: %s\n\t%s\n",
674 ldap_dn ? ld_error : "(unknown)", ldap_err2string(rc),
675 ld_error));
676 SAFE_FREE(ld_error);
677 ldap_state->num_failures++;
678 return rc;
679 }
680
681 ldap_state->num_failures = 0;
682
683 DEBUG(3, ("ldap_connect_system: succesful connection to the LDAP server\n"));
684 return rc;
685 }
686
687 /**********************************************************************
688 Connect to LDAP server
689 *********************************************************************/
690 static int ldapsam_open(struct ldapsam_privates *ldap_state)
691 {
692 int rc;
693 SMB_ASSERT(ldap_state);
694
695 #ifndef NO_LDAP_SECURITY
696 if (geteuid() != 0) {
697 DEBUG(0, ("ldapsam_open: cannot access LDAP when not root..\n"));
698 return LDAP_INSUFFICIENT_ACCESS;
699 }
700 #endif
701
702 if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + LDAPSAM_DONT_PING_TIME) < time(NULL))) {
703 struct sockaddr_un addr;
704 socklen_t len = sizeof(addr);
705 int sd;
706 if (ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd) == 0 &&
707 getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
708 /* the other end has died. reopen. */
709 ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
710 ldap_state->ldap_struct = NULL;
711 ldap_state->last_ping = (time_t)0;
712 } else {
713 ldap_state->last_ping = time(NULL);
714 }
715 }
716
717 if (ldap_state->ldap_struct != NULL) {
718 DEBUG(5,("ldapsam_open: already connected to the LDAP server\n"));
719 return LDAP_SUCCESS;
720 }
721
722 if ((rc = ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))) {
723 return rc;
724 }
725
726 if ((rc = ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))) {
727 ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
728 ldap_state->ldap_struct = NULL;
729 return rc;
730 }
731
732
733 ldap_state->last_ping = time(NULL);
734 DEBUG(4,("The LDAP server is succesful connected\n"));
735
736 return LDAP_SUCCESS;
737 }
738
739 /**********************************************************************
740 Disconnect from LDAP server
741 *********************************************************************/
742 static NTSTATUS ldapsam_close(struct ldapsam_privates *ldap_state)
743 {
744 if (!ldap_state)
745 return NT_STATUS_INVALID_PARAMETER;
746
747 if (ldap_state->ldap_struct != NULL) {
748 ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
749 ldap_state->ldap_struct = NULL;
750 }
751
752 DEBUG(5,("The connection to the LDAP server was closed\n"));
753 /* maybe free the results here --metze */
754
755 return NT_STATUS_OK;
756 }
757
758 static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts)
759 {
760 int rc;
761
762 SMB_ASSERT(ldap_state && attempts);
763
764 if (*attempts != 0) {
765 unsigned int sleep_time;
766 uint8 rand_byte;
767
768 /* Sleep for a random timeout */
769 rand_byte = (char)(sys_random());
770
771 sleep_time = (((*attempts)*(*attempts))/2)*rand_byte*2;
772 /* we retry after (0.5, 1, 2, 3, 4.5, 6) seconds
773 on average.
774 */
775 DEBUG(3, ("Sleeping for %u milliseconds before reconnecting\n",
776 sleep_time));
777 msleep(sleep_time);
778 }
779 (*attempts)++;
780
781 if ((rc = ldapsam_open(ldap_state))) {
782 DEBUG(1,("Connection to LDAP Server failed for the %d try!\n",*attempts));
783 return rc;
784 }
785
786 return LDAP_SUCCESS;
787 }
788
789
790 /*********************************************************************
791 ********************************************************************/
792
793 static int ldapsam_search(struct ldapsam_privates *ldap_state,
794 const char *base, int scope, const char *filter,
795 char *attrs[], int attrsonly,
796 LDAPMessage **res)
797 {
798 int rc = LDAP_SERVER_DOWN;
799 int attempts = 0;
800 char *utf8_filter;
801
802 SMB_ASSERT(ldap_state);
803
804 if (push_utf8_allocate(&utf8_filter, filter) == (size_t)-1) {
805 return LDAP_NO_MEMORY;
806 }
807
808 while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
809
810 if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
811 continue;
812
813 rc = ldap_search_s(ldap_state->ldap_struct, base, scope,
814 utf8_filter, attrs, attrsonly, res);
815 }
816
817 if (rc == LDAP_SERVER_DOWN) {
818 DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
819 ldapsam_close(ldap_state);
820 }
821
822 SAFE_FREE(utf8_filter);
823 return rc;
824 }
825
826 static int ldapsam_modify(struct ldapsam_privates *ldap_state, const char *dn, LDAPMod *attrs[])
827 {
828 int rc = LDAP_SERVER_DOWN;
829 int attempts = 0;
830 char *utf8_dn;
831
832 SMB_ASSERT(ldap_state);
833
834 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
835 return LDAP_NO_MEMORY;
836 }
837
838 while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
839
840 if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
841 continue;
842
843 rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
844 }
845
846 if (rc == LDAP_SERVER_DOWN) {
847 DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
848 ldapsam_close(ldap_state);
849 }
850
851 SAFE_FREE(utf8_dn);
852 return rc;
853 }
854
855 static int ldapsam_add(struct ldapsam_privates *ldap_state, const char *dn, LDAPMod *attrs[])
856 {
857 int rc = LDAP_SERVER_DOWN;
858 int attempts = 0;
859 char *utf8_dn;
860
861 SMB_ASSERT(ldap_state);
862
863 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
864 return LDAP_NO_MEMORY;
865 }
866
867 while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
868
869 if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
870 continue;
871
872 rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
873 }
874
875 if (rc == LDAP_SERVER_DOWN) {
876 DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
877 ldapsam_close(ldap_state);
878 }
879
880 SAFE_FREE(utf8_dn);
881 return rc;
882 }
883
884 static int ldapsam_delete(struct ldapsam_privates *ldap_state, char *dn)
885 {
886 int rc = LDAP_SERVER_DOWN;
887 int attempts = 0;
888 char *utf8_dn;
889
890 SMB_ASSERT(ldap_state);
891
892 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
893 return LDAP_NO_MEMORY;
894 }
895
896 while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
897
898 if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
899 continue;
900
901 rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
902 }
903
904 if (rc == LDAP_SERVER_DOWN) {
905 DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
906 ldapsam_close(ldap_state);
907 }
908
909 SAFE_FREE(utf8_dn);
910 return rc;
911 }
912
913 #ifdef LDAP_EXOP_X_MODIFY_PASSWD
914 static int ldapsam_extended_operation(struct ldapsam_privates *ldap_state, LDAP_CONST char *reqoid, struct berval *reqdata, LDAPControl **serverctrls, LDAPControl **clientctrls, char **retoidp, struct berval **retdatap)
915 {
916 int rc = LDAP_SERVER_DOWN;
917 int attempts = 0;
918
919 if (!ldap_state)
920 return (-1);
921
922 while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
923
924 if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
925 continue;
926
927 rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid, reqdata, serverctrls, clientctrls, retoidp, retdatap);
928 }
929
930 if (rc == LDAP_SERVER_DOWN) {
931 DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
932 ldapsam_close(ldap_state);
933 }
934
935 return rc;
936 }
937 #endif
938
939 /*******************************************************************
940 run the search by name.
941 ******************************************************************/
942 static int ldapsam_search_suffix (struct ldapsam_privates *ldap_state, const char *filter,
943 char **search_attr, LDAPMessage ** result)
944 {
945 int scope = LDAP_SCOPE_SUBTREE;
946 int rc;
947
948 DEBUG(2, ("ldapsam_search_suffix: searching for:[%s]\n", filter));
949
950 rc = ldapsam_search(ldap_state, lp_ldap_suffix(), scope, filter, search_attr, 0, result);
951
952 if (rc != LDAP_SUCCESS) {
953 char *ld_error = NULL;
954 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
955 &ld_error);
956 DEBUG(0,("ldapsam_search_suffix: Problem during the LDAP search: %s (%s)\n",
957 ld_error?ld_error:"(unknown)", ldap_err2string (rc)));
958 DEBUG(3,("ldapsam_search_suffix: Query was: %s, %s\n", lp_ldap_suffix(),
959 filter));
960 SAFE_FREE(ld_error);
961 }
962
963 return rc;
964 }
965
966 /*******************************************************************
967 generate the LDAP search filter for the objectclass based on the
968 version of the schema we are using
969 ******************************************************************/
970
971 static const char* get_objclass_filter( int schema_ver )
972 {
973 static fstring objclass_filter;
974
975 switch( schema_ver )
976 {
977 case SCHEMAVER_SAMBAACCOUNT:
978 snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
979 break;
980 case SCHEMAVER_SAMBASAMACCOUNT:
981 snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
982 break;
983 default:
984 DEBUG(0,("ldapsam_search_suffix_by_name(): Invalid schema version specified!\n"));
985 break;
986 }
987
988 return objclass_filter;
989 }
990
991 /*******************************************************************
992 run the search by name.
993 ******************************************************************/
994 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, const char *user,
995 LDAPMessage ** result, char **attr)
996 {
997 pstring filter;
998 char *escape_user = escape_ldap_string_alloc(user);
999
1000 if (!escape_user) {
1001 return LDAP_NO_MEMORY;
1002 }
1003
1004 /*
1005 * in the filter expression, replace %u with the real name
1006 * so in ldap filter, %u MUST exist :-)
1007 */
1008 snprintf(filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(),
1009 get_objclass_filter(ldap_state->schema_ver));
1010
1011 /*
1012 * have to use this here because $ is filtered out
1013 * in pstring_sub
1014 */
1015
1016
1017 all_string_sub(filter, "%u", escape_user, sizeof(pstring));
1018 SAFE_FREE(escape_user);
1019
1020 return ldapsam_search_suffix(ldap_state, filter, attr, result);
1021 }
1022
1023 /*******************************************************************
1024 run the search by rid.
1025 ******************************************************************/
1026 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
1027 uint32 rid, LDAPMessage ** result,
1028 char **attr)
1029 {
1030 pstring filter;
1031 int rc;
1032
1033 /* check if the user rid exists, if not, try searching on the uid */
1034
1035 snprintf(filter, sizeof(filter)-1, "(&(rid=%i)%s)", rid,
1036 get_objclass_filter(ldap_state->schema_ver));
1037
1038 rc = ldapsam_search_suffix(ldap_state, filter, attr, result);
1039
1040 return rc;
1041 }
1042
1043 /*******************************************************************
1044 run the search by SID.
1045 ******************************************************************/
1046 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
1047 const DOM_SID *sid, LDAPMessage ** result,
1048 char **attr)
1049 {
1050 pstring filter;
1051 int rc;
1052 fstring sid_string;
1053
1054 /* check if the user rid exsists, if not, try searching on the uid */
1055
1056 snprintf(filter, sizeof(filter)-1, "(&(%s=%s)%s)",
1057 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1058 sid_to_string(sid_string, sid),
1059 get_objclass_filter(ldap_state->schema_ver));
1060
1061 rc = ldapsam_search_suffix(ldap_state, filter, attr, result);
1062
1063 return rc;
1064 }
1065
1066 /*******************************************************************
1067 search an attribute and return the first value found.
1068 ******************************************************************/
1069 static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
1070 const char *attribute, pstring value)
1071 {
1072 char **values;
1073
1074 if ( !attribute )
1075 return False;
1076
1077 value[0] = '\0';
1078
1079 if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
1080 DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
1081
1082 return False;
1083 }
1084
1085 if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, sizeof(pstring)) == (size_t)-1)
1086 {
1087 DEBUG(1, ("get_single_attribute: string conversion of [%s] = [%s] failed!\n",
1088 attribute, values[0]));
1089 ldap_value_free(values);
1090 return False;
1091 }
1092
1093 ldap_value_free(values);
1094 #ifdef DEBUG_PASSWORDS
1095 DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
1096 #endif
1097 return True;
1098 }
1099
1100 /************************************************************************
1101 Routine to manage the LDAPMod structure array
1102 manage memory used by the array, by each struct, and values
1103
1104 ************************************************************************/
1105 static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
1106 {
1107 LDAPMod **mods;
1108 int i;
1109 int j;
1110
1111 mods = *modlist;
1112
1113 /* sanity checks on the mod values */
1114
1115 if (attribute == NULL || *attribute == '\0')
1116 return;
1117 #if 0 /* commented out after discussion with abartlet. Do not reenable.
1118 left here so other so re-add similar code --jerry */
1119 if (value == NULL || *value == '\0')
1120 return;
1121 #endif
1122
1123 if (mods == NULL)
1124 {
1125 mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
1126 if (mods == NULL)
1127 {
1128 DEBUG(0, ("make_a_mod: out of memory!\n"));
1129 return;
1130 }
1131 mods[0] = NULL;
1132 }
1133
1134 for (i = 0; mods[i] != NULL; ++i) {
1135 if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
1136 break;
1137 }
1138
1139 if (mods[i] == NULL)
1140 {
1141 mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
1142 if (mods == NULL)
1143 {
1144 DEBUG(0, ("make_a_mod: out of memory!\n"));
1145 return;
1146 }
1147 mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
1148 if (mods[i] == NULL)
1149 {
1150 DEBUG(0, ("make_a_mod: out of memory!\n"));
1151 return;
1152 }
1153 mods[i]->mod_op = modop;
1154 mods[i]->mod_values = NULL;
1155 mods[i]->mod_type = strdup(attribute);
1156 mods[i + 1] = NULL;
1157 }
1158
1159 if (value != NULL)
1160 {
1161 char *utf8_value = NULL;
1162
1163 j = 0;
1164 if (mods[i]->mod_values != NULL) {
1165 for (; mods[i]->mod_values[j] != NULL; j++);
1166 }
1167 mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
1168 (j + 2) * sizeof (char *));
1169
1170 if (mods[i]->mod_values == NULL) {
1171 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
1172 return;
1173 }
1174
1175 if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) {
1176 DEBUG (0, ("make_a_mod: String conversion failure!\n"));
1177 return;
1178 }
1179
1180 mods[i]->mod_values[j] = utf8_value;
1181
1182 mods[i]->mod_values[j + 1] = NULL;
1183 }
1184 *modlist = mods;
1185 }
1186
1187 /**********************************************************************
1188 Set attribute to newval in LDAP, regardless of what value the
1189 attribute had in LDAP before.
1190 *********************************************************************/
1191 static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
1192 LDAPMod ***mods,
1193 const char *attribute, const char *newval)
1194 {
1195 char **values = NULL;
1196
1197 if (existing != NULL) {
1198 values = ldap_get_values(ldap_struct, existing, attribute);
1199 }
1200
1201 /* all of our string attributes are case insensitive */
1202
1203 if ((values != NULL) && (values[0] != NULL) &&
1204 StrCaseCmp(values[0], newval) == 0)
1205 {
1206
1207 /* Believe it or not, but LDAP will deny a delete and
1208 an add at the same time if the values are the
1209 same... */
1210
1211 ldap_value_free(values);
1212 return;
1213 }
1214
1215 /* Regardless of the real operation (add or modify)
1216 we add the new value here. We rely on deleting
1217 the old value, should it exist. */
1218
1219 if ((newval != NULL) && (strlen(newval) > 0)) {
1220 make_a_mod(mods, LDAP_MOD_ADD, attribute, newval);
1221 }
1222
1223 if (values == NULL) {
1224 /* There has been no value before, so don't delete it.
1225 Here's a possible race: We might end up with
1226 duplicate attributes */
1227 return;
1228 }
1229
1230 /* By deleting exactly the value we found in the entry this
1231 should be race-free in the sense that the LDAP-Server will
1232 deny the complete operation if somebody changed the
1233 attribute behind our back. */
1234
1235 make_a_mod(mods, LDAP_MOD_DELETE, attribute, values[0]);
1236 ldap_value_free(values);
1237 }
1238
1239 /*******************************************************************
1240 Delete complete object or objectclass and attrs from
1241 object found in search_result depending on lp_ldap_delete_dn
1242 ******************************************************************/
1243 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
1244 LDAPMessage *result,
1245 const char *objectclass,
1246 char **attrs)
1247 {
1248 int rc;
1249 LDAPMessage *entry;
1250 LDAPMod **mods = NULL;
1251 char *name, *dn;
1252 BerElement *ptr = NULL;
1253
1254 rc = ldap_count_entries(ldap_state->ldap_struct, result);
1255
1256 if (rc != 1) {
1257 DEBUG(0, ("Entry must exist exactly once!\n"));
1258 return NT_STATUS_UNSUCCESSFUL;
1259 }
1260
1261 entry = ldap_first_entry(ldap_state->ldap_struct, result);
1262 dn = ldap_get_dn(ldap_state->ldap_struct, entry);
1263
1264 if (lp_ldap_delete_dn()) {
1265 NTSTATUS ret = NT_STATUS_OK;
1266 rc = ldapsam_delete(ldap_state, dn);
1267
1268 if (rc != LDAP_SUCCESS) {
1269 DEBUG(0, ("Could not delete object %s\n", dn));
1270 ret = NT_STATUS_UNSUCCESSFUL;
1271 }
1272 ldap_memfree(dn);
1273 return ret;
1274 }
1275
1276 /* Ok, delete only the SAM attributes */
1277
1278 for (name = ldap_first_attribute(ldap_state->ldap_struct, entry, &ptr);
1279 name != NULL;
1280 name = ldap_next_attribute(ldap_state->ldap_struct, entry, ptr))
1281 {
1282 char **attrib;
1283
1284 /* We are only allowed to delete the attributes that
1285 really exist. */
1286
1287 for (attrib = attrs; *attrib != NULL; attrib++)
1288 {
1289 if (StrCaseCmp(*attrib, name) == 0) {
1290 DEBUG(10, ("deleting attribute %s\n", name));
1291 make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL);
1292 }
1293 }
1294
1295 ldap_memfree(name);
1296 }
1297
1298 if (ptr != NULL) {
1299 ber_free(ptr, 0);
1300 }
1301
1302 make_a_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
1303
1304 rc = ldapsam_modify(ldap_state, dn, mods);
1305 ldap_mods_free(mods, 1);
1306
1307 if (rc != LDAP_SUCCESS) {
1308 char *ld_error = NULL;
1309 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1310 &ld_error);
1311
1312 DEBUG(0, ("could not delete attributes for %s, error: %s (%s)\n",
1313 dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
1314 SAFE_FREE(ld_error);
1315 ldap_memfree(dn);
1316 return NT_STATUS_UNSUCCESSFUL;
1317 }
1318
1319 ldap_memfree(dn);
1320 return NT_STATUS_OK;
1321 }
1322
1323 /**********************************************************************
1324 Search for the domain info entry
1325 *********************************************************************/
1326 static int ldapsam_search_domain_info(struct ldapsam_privates *ldap_state,
1327 LDAPMessage ** result)
1328 {
1329 pstring filter;
1330 int rc;
1331 char **attr_list;
1332
1333 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
1334 LDAP_OBJ_DOMINFO,
1335 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
1336 ldap_state->domain_name);
1337
1338 DEBUG(2, ("Searching for:[%s]\n", filter));
1339
1340
1341 attr_list = get_attr_list( dominfo_attr_list );
1342 rc = ldapsam_search_suffix(ldap_state, filter, attr_list , result);
1343 free_attr_list( attr_list );
1344
1345 if (rc != LDAP_SUCCESS) {
1346 DEBUG(2,("Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
1347 DEBUG(2,("Query was: %s, %s\n", lp_ldap_suffix(), filter));
1348 }
1349
1350 return rc;
1351 }
1352
1353 /**********************************************************************
1354 If this entry is is the 'allocated' range, extract the RID and return
1355 it, so we can find the 'next' rid to allocate.
1356
1357 Do this, no matter what type of object holds the RID - be it a user,
1358 group or somthing else.
1359 *********************************************************************/
1360 static uint32 entry_to_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry, int rid_type)
1361 {
1362 pstring sid_string;
1363 DOM_SID dom_sid;
1364 uint32 rid;
1365
1366 if (!get_single_attribute(ldap_state->ldap_struct, entry,
1367 LDAP_ATTRIBUTE_SID, sid_string))
1368 {
1369 return 0;
1370 }
1371
1372 if (!string_to_sid(&dom_sid, sid_string)) {
1373 return 0;
1374 }
1375
1376 if (!sid_peek_check_rid(&dom_sid, get_global_sam_sid(), &rid)) {
1377 /* not our domain, so we don't care */
1378 return 0;
1379 }
1380
1381 switch (rid_type) {
1382 case USER_RID_TYPE:
1383 if (rid >= ldap_state->low_allocated_user_rid &&
1384 rid <= ldap_state->high_allocated_user_rid) {
1385 return rid;
1386 }
1387 break;
1388 case GROUP_RID_TYPE:
1389 if (rid >= ldap_state->low_allocated_group_rid &&
1390 rid <= ldap_state->high_allocated_group_rid) {
1391 return rid;
1392 }
1393 break;
1394 }
1395 return 0;
1396 }
1397
1398
1399 /**********************************************************************
1400 Connect to LDAP server and find the next available 'allocated' RID.
1401
1402 The search is done 'per type' as we allocate seperate pools for the
1403 EVEN and ODD (user and group) RIDs.
1404
1405 This is only done once, so that we can fill out the sambaDomain.
1406 *********************************************************************/
1407 static uint32 search_next_allocated_rid(struct ldapsam_privates *ldap_state, int rid_type)
1408 {
1409 int rc;
1410 LDAPMessage *result;
1411 LDAPMessage *entry;
1412 uint32 top_rid = 0;
1413 uint32 next_rid;
1414 uint32 count;
1415 uint32 rid;
1416 char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL};
1417 fstring filter;
1418
1419 snprintf( filter, sizeof(filter)-1, "(%s=*)", LDAP_ATTRIBUTE_SID );
1420
1421 DEBUG(2, ("search_top_allocated_rid: searching for:[%s]\n", filter));
1422
1423 rc = ldapsam_search_suffix(ldap_state, filter, sid_attr, &result);
1424
1425 if (rc != LDAP_SUCCESS) {
1426 DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
1427 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
1428
1429 result = NULL;
1430 return 0;
1431 }
1432
1433 count = ldap_count_entries(ldap_state->ldap_struct, result);
1434 DEBUG(2, ("search_top_allocated_rid: %d entries in the base!\n", count));
1435
1436 if (count == 0) {
1437 DEBUG(3, ("LDAP search returned no records, assuming no allocated RIDs present!: %s\n", ldap_err2string(rc)));
1438 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
1439 } else {
1440 entry = ldap_first_entry(ldap_state->ldap_struct,result);
1441
1442 top_rid = entry_to_rid(ldap_state, entry, rid_type);
1443
1444 while ((entry = ldap_next_entry(ldap_state->ldap_struct, entry))) {
1445
1446 rid = entry_to_rid(ldap_state, entry, rid_type);
1447 if (((rid & ~RID_TYPE_MASK) == rid_type) && (rid > top_rid)) {
1448 top_rid = rid;
1449 }
1450 }
1451 }
1452
1453 switch (rid_type) {
1454 case USER_RID_TYPE:
1455 if (top_rid < ldap_state->low_allocated_user_rid) {
1456 return ldap_state->low_allocated_user_rid;
1457 }
1458 break;
1459 case GROUP_RID_TYPE:
1460 if (top_rid < ldap_state->low_allocated_group_rid)
1461 return ldap_state->low_allocated_group_rid;
1462 break;
1463 }
1464
1465 next_rid = (top_rid & ~RID_TYPE_MASK) + rid_type + RID_MULTIPLIER;
1466
1467 switch (rid_type) {
1468 case USER_RID_TYPE:
1469 if (next_rid > ldap_state->high_allocated_user_rid) {
1470 return 0;
1471 }
1472 break;
1473 case GROUP_RID_TYPE:
1474 if (next_rid > ldap_state->high_allocated_group_rid) {
1475 return 0;
1476 }
1477 break;
1478 }
1479 return next_rid;
1480 }
1481
1482 /**********************************************************************
1483 Add the sambaDomain to LDAP, so we don't have to search for this stuff
1484 again. This is a once-add operation for now.
1485
1486 TODO: Add other attributes, and allow modification.
1487 *********************************************************************/
1488 static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
1489 {
1490 pstring tmp;
1491 pstring filter;
1492 LDAPMod **mods = NULL;
1493 int rc;
1494 int ldap_op;
1495 LDAPMessage *result = NULL;
1496 char *dn = NULL;
1497 int num_result;
1498 char **attr_list;
1499
1500 uint32 next_allocated_user_rid;
1501 uint32 next_allocated_group_rid;
1502
1503 next_allocated_user_rid = search_next_allocated_rid(ldap_state, USER_RID_TYPE);
1504 if (!next_allocated_user_rid) {
1505 return NT_STATUS_UNSUCCESSFUL;
1506 }
1507
1508 next_allocated_group_rid = search_next_allocated_rid(ldap_state, GROUP_RID_TYPE);
1509 if (!next_allocated_group_rid) {
1510 return NT_STATUS_UNSUCCESSFUL;
1511 }
1512
1513 slprintf (filter, sizeof (filter) - 1, "(&(%s=%s)(objectclass=%s))",
1514 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
1515 ldap_state->domain_name, LDAP_OBJ_DOMINFO);
1516
1517 attr_list = get_attr_list( dominfo_attr_list );
1518 rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &result);
1519 free_attr_list( attr_list );
1520
1521 if (rc != LDAP_SUCCESS) {
1522 return NT_STATUS_UNSUCCESSFUL;
1523 }
1524
1525 num_result = ldap_count_entries(ldap_state->ldap_struct, result);
1526
1527 if (num_result > 1) {
1528 DEBUG (0, ("More than domain with that name exists: bailing out!\n"));
1529 ldap_msgfree(result);
1530 return NT_STATUS_UNSUCCESSFUL;
1531 }
1532
1533 /* Check if we need to add an entry */
1534 DEBUG(3,("Adding new domain\n"));
1535 ldap_op = LDAP_MOD_ADD;
1536 asprintf (&dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
1537 ldap_state->domain_name, lp_ldap_suffix());
1538
1539 /* Free original search */
1540 ldap_msgfree(result);
1541
1542 if (!dn)
1543 return NT_STATUS_NO_MEMORY;
1544
1545 /* make the changes - the entry *must* not already have samba attributes */
1546 make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
1547 ldap_state->domain_name);
1548
1549 sid_to_string(tmp, &ldap_state->domain_sid);
1550 make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), tmp);
1551
1552 snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_user_rid);
1553 make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), tmp);
1554
1555 snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_group_rid);
1556 make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), tmp);
1557
1558 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
1559
1560 switch(ldap_op)
1561 {
1562 case LDAP_MOD_ADD:
1563 rc = ldapsam_add(ldap_state, dn, mods);
1564 break;
1565 case LDAP_MOD_REPLACE:
1566 rc = ldapsam_modify(ldap_state, dn, mods);
1567 break;
1568 default:
1569 DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
1570 return NT_STATUS_INVALID_PARAMETER;
1571 }
1572
1573 if (rc!=LDAP_SUCCESS) {
1574 char *ld_error = NULL;
1575 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1576 &ld_error);
1577 DEBUG(1,
1578 ("failed to %s domain dn= %s with: %s\n\t%s\n",
1579 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
1580 dn, ldap_err2string(rc),
1581 ld_error?ld_error:"unknown"));
1582 SAFE_FREE(ld_error);
1583
1584 ldap_mods_free(mods,1);
1585 return NT_STATUS_UNSUCCESSFUL;
1586 }
1587
1588 DEBUG(2,("added: domain = %s in the LDAP database\n", ldap_state->domain_name));
1589 ldap_mods_free(mods, 1);
1590 return NT_STATUS_OK;
1591 }
1592
1593 /**********************************************************************
1594 Even if the sambaAccount attribute in LDAP tells us that this RID is
1595 safe to use, always check before use.
1596 *********************************************************************/
1597 static BOOL sid_in_use(struct ldapsam_privates *ldap_state,
1598 const DOM_SID *sid, int *error)
1599 {
1600 fstring filter;
1601 fstring sid_string;
1602 LDAPMessage *result = NULL;
1603 int count;
1604 int rc;
1605 char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL};
1606
1607 slprintf(filter, sizeof(filter)-1, "(%s=%s)", LDAP_ATTRIBUTE_SID, sid_to_string(sid_string, sid));
1608
1609 rc = ldapsam_search_suffix(ldap_state, filter, sid_attr, &result);
1610
1611 if (rc != LDAP_SUCCESS) {
1612 char *ld_error = NULL;
1613 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1614 DEBUG(2, ("Failed to check if sid %s is alredy in use: %s\n",
1615 sid_string, ld_error));
1616 SAFE_FREE(ld_error);
1617
1618 *error = rc;
1619 return True;
1620 }
1621
1622 if ((count = ldap_count_entries(ldap_state->ldap_struct, result)) > 0) {
1623 DEBUG(3, ("Sid %s already in use - trying next RID\n",
1624 sid_string));
1625 ldap_msgfree(result);
1626 return True;
1627 }
1628
1629 ldap_msgfree(result);
1630
1631 /* good, sid is not in use */
1632 return False;
1633 }
1634
1635 /**********************************************************************
1636 Set the new nextRid attribute, and return one we can use.
1637
1638 This also checks that this RID is actually free - in case the admin
1639 manually stole it :-).
1640 *********************************************************************/
1641 static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *rid, int rid_type)
1642 {
1643 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1644 int rc;
1645 LDAPMessage *result = NULL;
1646 LDAPMessage *entry = NULL;
1647 char *dn;
1648 LDAPMod **mods = NULL;
1649 int count;
1650 fstring old_rid_string;
1651 fstring next_rid_string;
1652 uint32 next_rid;
1653 int attempts = 0;
1654
1655 if ( ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT ) {
1656 DEBUG(0, ("Allocated RIDs require the %s objectclass used by 'ldapsam'\n",
1657 LDAP_OBJ_SAMBASAMACCOUNT));
1658 return NT_STATUS_UNSUCCESSFUL;
1659 }
1660
1661 while (attempts < 10)
1662 {
1663 char *ld_error;
1664 if (ldapsam_search_domain_info(ldap_state, &result)) {
1665 return ret;
1666 }
1667
1668 if (ldap_count_entries(ldap_state->ldap_struct, result) < 1) {
1669 DEBUG(3, ("Got no domain info entries for domain %s\n",
1670 ldap_state->domain_name));
1671 ldap_msgfree(result);
1672 if (NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state))) {
1673 continue;
1674 } else {
1675 DEBUG(0, ("Adding domain info failed with %s\n", nt_errstr(ret)));
1676 return ret;
1677 }
1678 }
1679
1680 if ((count = ldap_count_entries(ldap_state->ldap_struct, result)) > 1) {
1681 DEBUG(0, ("Got too many (%d) domain info entries for domain %s\n",
1682 count, ldap_state->domain_name));
1683 ldap_msgfree(result);
1684 return ret;
1685 }
1686
1687 entry = ldap_first_entry(ldap_state->ldap_struct, result);
1688 if (!entry) {
1689 ldap_msgfree(result);
1690 return ret;
1691 }
1692
1693 if ((dn = ldap_get_dn(ldap_state->ldap_struct, entry)) == NULL) {
1694 DEBUG(0, ("Could not get domain info DN\n"));
1695 ldap_msgfree(result);
1696 return ret;
1697 }
1698
1699 /* yes, we keep 2 seperate counters, to avoid stomping on the two
1700 different sets of algorithmic RIDs */
1701
1702 switch (rid_type) {
1703 case USER_RID_TYPE:
1704 if (!get_single_attribute(ldap_state->ldap_struct, entry,
1705 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
1706 old_rid_string))
1707 {
1708 ldap_memfree(dn);
1709 ldap_msgfree(result);
1710 return ret;
1711 }
1712 break;
1713 case GROUP_RID_TYPE:
1714 if (!get_single_attribute(ldap_state->ldap_struct, entry,
1715 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
1716 old_rid_string))
1717 {
1718 ldap_memfree(dn);
1719 ldap_msgfree(result);
1720 return ret;
1721 }
1722 break;
1723 }
1724
1725 /* This is the core of the whole routine. If we had
1726 scheme-style closures, there would be a *lot* less code
1727 duplication... */
1728 *rid = (uint32)atol(old_rid_string);
1729 next_rid = *rid+RID_MULTIPLIER;
1730
1731 slprintf(next_rid_string, sizeof(next_rid_string)-1, "%d", next_rid);
1732
1733 switch (rid_type) {
1734 case USER_RID_TYPE:
1735 if (next_rid > ldap_state->high_allocated_user_rid) {
1736 return NT_STATUS_UNSUCCESSFUL;
1737 }
1738
1739 /* Try to make the modification atomically by enforcing the
1740 old value in the delete mod. */
1741 make_ldap_mod(ldap_state->ldap_struct, entry, &mods,
1742 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID),
1743 next_rid_string);
1744 break;
1745
1746 case GROUP_RID_TYPE:
1747 if (next_rid > ldap_state->high_allocated_group_rid) {
1748 return NT_STATUS_UNSUCCESSFUL;
1749 }
1750
1751 /* Try to make the modification atomically by enforcing the
1752 old value in the delete mod. */
1753 make_ldap_mod(ldap_state->ldap_struct, entry, &mods,
1754 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
1755 next_rid_string);
1756 break;
1757 }
1758
1759 if ((rc = ldap_modify_s(ldap_state->ldap_struct, dn, mods)) == LDAP_SUCCESS) {
1760 DOM_SID dom_sid;
1761 DOM_SID sid;
1762 pstring domain_sid_string;
1763 int error = 0;
1764
1765 if (!get_single_attribute(ldap_state->ldap_struct, result,
1766 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID),
1767 domain_sid_string))
1768 {
1769 ldap_mods_free(mods, 1);
1770 ldap_memfree(dn);
1771 ldap_msgfree(result);
1772 return ret;
1773 }
1774
1775 if (!string_to_sid(&dom_sid, domain_sid_string)) {
1776 ldap_mods_free(mods, 1);
1777 ldap_memfree(dn);
1778 ldap_msgfree(result);
1779 return ret;
1780 }
1781
1782 ldap_mods_free(mods, 1);
1783 mods = NULL;
1784 ldap_memfree(dn);
1785 ldap_msgfree(result);
1786
1787 sid_copy(&sid, &dom_sid);
1788 sid_append_rid(&sid, *rid);
1789
1790 /* check RID is not in use */
1791 if (sid_in_use(ldap_state, &sid, &error)) {
1792 if (error) {
1793 return ret;
1794 }
1795 continue;
1796 }
1797
1798 return NT_STATUS_OK;
1799 }
1800
1801 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1802 DEBUG(2, ("Failed to modify rid: %s\n", ld_error));
1803 SAFE_FREE(ld_error);
1804
1805 ldap_mods_free(mods, 1);
1806 mods = NULL;
1807
1808 ldap_memfree(dn);
1809 dn = NULL;
1810
1811 ldap_msgfree(result);
1812 result = NULL;
1813
1814 {
1815 /* Sleep for a random timeout */
1816 unsigned sleeptime = (sys_random()*sys_getpid()*attempts);
1817 attempts += 1;
1818
1819 sleeptime %= 100;
1820 msleep(sleeptime);
1821 }
1822 }
1823
1824 DEBUG(0, ("Failed to set new RID\n"));
1825 return ret;
1826 }
1827
1828 /* New Interface is being implemented here */
1829
1830 /**********************************************************************
1831 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
1832 *********************************************************************/
1833 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
1834 SAM_ACCOUNT * sampass,
1835 LDAPMessage * entry,
1836 gid_t *gid)
1837 {
1838 pstring homedir;
1839 pstring temp;
1840 char **ldap_values;
1841 char **values;
1842
1843 if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
1844 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
1845 return False;
1846 }
1847
1848 for (values=ldap_values;*values;values++) {
1849 if (strcasecmp(*values, LDAP_OBJ_POSIXACCOUNT ) == 0) {
1850 break;
1851 }
1852 }
1853
1854 if (!*values) { /*end of array, no posixAccount */
1855 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
1856 ldap_value_free(ldap_values);
1857 return False;
1858 }
1859 ldap_value_free(ldap_values);
1860
1861 if ( !get_single_attribute(ldap_state->ldap_struct, entry,
1862 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) )
1863 {
1864 return False;
1865 }
1866
1867 if ( !get_single_attribute(ldap_state->ldap_struct, entry,
1868 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
1869 {
1870 return False;
1871 }
1872
1873 *gid = (gid_t)atol(temp);
1874
1875 pdb_set_unix_homedir(sampass, homedir, PDB_SET);
1876
1877 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
1878
1879 return True;
1880 }
1881
1882
1883 /**********************************************************************
1884 Initialize SAM_ACCOUNT from an LDAP query
1885 (Based on init_sam_from_buffer in pdb_tdb.c)
1886 *********************************************************************/
1887 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
1888 SAM_ACCOUNT * sampass,
1889 LDAPMessage * entry)
1890 {
1891 time_t logon_time,
1892 logoff_time,
1893 kickoff_time,
1894 pass_last_set_time,
1895 pass_can_change_time,
1896 pass_must_change_time;
1897 pstring username,
1898 domain,
1899 nt_username,
1900 fullname,
1901 homedir,
1902 dir_drive,
1903 logon_script,
1904 profile_path,
1905 acct_desc,
1906 munged_dial,
1907 workstations;
1908 uint32 user_rid;
1909 uint8 smblmpwd[LM_HASH_LEN],
1910 smbntpwd[NT_HASH_LEN];
1911 uint16 acct_ctrl = 0,
1912 logon_divs;
1913 uint32 hours_len;
1914 uint8 hours[MAX_HOURS_LEN];
1915 pstring temp;
1916 uid_t uid = -1;
1917 gid_t gid = getegid();
1918
1919 /*
1920 * do a little initialization
1921 */
1922 username[0] = '\0';
1923 domain[0] = '\0';
1924 nt_username[0] = '\0';
1925 fullname[0] = '\0';
1926 homedir[0] = '\0';
1927 dir_drive[0] = '\0';
1928 logon_script[0] = '\0';
1929 profile_path[0] = '\0';
1930 acct_desc[0] = '\0';
1931 munged_dial[0] = '\0';
1932 workstations[0] = '\0';
1933
1934
1935 if (sampass == NULL || ldap_state == NULL || entry == NULL) {
1936 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
1937 return False;
1938 }
1939
1940 if (ldap_state->ldap_struct == NULL) {
1941 DEBUG(0, ("init_sam_from_ldap: ldap_state->ldap_struct is NULL!\n"));
1942 return False;
1943 }
1944
1945 if (!get_single_attribute(ldap_state->ldap_struct, entry, "uid", username)) {
1946 DEBUG(1, ("No uid attribute found for this user!\n"));
1947 return False;
1948 }
1949
1950 DEBUG(2, ("Entry found for user: %s\n", username));
1951
1952 pstrcpy(nt_username, username);
1953
1954 pstrcpy(domain, ldap_state->domain_name);
1955
1956 pdb_set_username(sampass, username, PDB_SET);
1957
1958 pdb_set_domain(sampass, domain, PDB_DEFAULT);
1959 pdb_set_nt_username(sampass, nt_username, PDB_SET);
1960
1961 /* deal with different attributes between the schema first */
1962
1963 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT )
1964 {
1965 if (get_single_attribute(ldap_state->ldap_struct, entry,
1966 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp))
1967 {
1968 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
1969 }
1970
1971 if (get_single_attribute(ldap_state->ldap_struct, entry,
1972 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp))
1973 {
1974 pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
1975 }
1976 else
1977 {
1978 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
1979 }
1980
1981
1982 }
1983 else
1984 {
1985 if (get_single_attribute(ldap_state->ldap_struct, entry,
1986 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp))
1987 {
1988 user_rid = (uint32)atol(temp);
1989 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
1990 }
1991
1992 if (!get_single_attribute(ldap_state->ldap_struct, entry,
1993 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp))
1994 {
1995 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
1996 } else {
1997 uint32 group_rid;
1998
1999 group_rid = (uint32)atol(temp);
2000
2001 /* for some reason, we often have 0 as a primary group RID.
2002 Make sure that we treat this just as a 'default' value */
2003
2004 if ( group_rid > 0 )
2005 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
2006 else
2007 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
2008 }
2009 }
2010
2011 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
2012 DEBUG(1, ("no %s or %s attribute found for this user %s\n",
2013 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2014 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
2015 username));
2016 return False;
2017 }
2018
2019
2020 /*
2021 * If so configured, try and get the values from LDAP
2022 */
2023
2024 if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid)))
2025 {
2026 if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT)
2027 {
2028 GROUP_MAP map;
2029 /* call the mapping code here */
2030 if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
2031 pdb_set_group_sid(sampass, &map.sid, PDB_SET);
2032 }
2033 else {
2034 pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
2035 }
2036 }
2037 }
2038
2039 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2040 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp))
2041 {
2042 /* leave as default */
2043 } else {
2044 pass_last_set_time = (time_t) atol(temp);
2045 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
2046 }
2047
2048 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2049 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp))
2050 {
2051 /* leave as default */
2052 } else {
2053 logon_time = (time_t) atol(temp);
2054 pdb_set_logon_time(sampass, logon_time, PDB_SET);
2055 }
2056
2057 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2058 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp))
2059 {
2060 /* leave as default */
2061 } else {
2062 logoff_time = (time_t) atol(temp);
2063 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
2064 }
2065
2066 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2067 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp))
2068 {
2069 /* leave as default */
2070 } else {
2071 kickoff_time = (time_t) atol(temp);
2072 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
2073 }
2074
2075 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2076 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp))
2077 {
2078 /* leave as default */
2079 } else {
2080 pass_can_change_time = (time_t) atol(temp);
2081 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
2082 }
2083
2084 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2085 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp))
2086 {
2087 /* leave as default */
2088 } else {
2089 pass_must_change_time = (time_t) atol(temp);
2090 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
2091 }
2092
2093 /* recommend that 'gecos' and 'displayName' should refer to the same
2094 * attribute OID. userFullName depreciated, only used by Samba
2095 * primary rules of LDAP: don't make a new attribute when one is already defined
2096 * that fits your needs; using cn then displayName rather than 'userFullName'
2097 */
2098
2099 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2100 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname))
2101 {
2102 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2103 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname))
2104 {
2105 /* leave as default */
2106 } else {
2107 pdb_set_fullname(sampass, fullname, PDB_SET);
2108 }
2109 } else {
2110 pdb_set_fullname(sampass, fullname, PDB_SET);
2111 }
2112
2113 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2114 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
2115 {
2116 pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx,
2117 lp_logon_drive(),
2118 username, domain,
2119 uid, gid),
2120 PDB_DEFAULT);
2121 } else {
2122 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
2123 }
2124
2125 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2126 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
2127 {
2128 pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx,
2129 lp_logon_home(),
2130 username, domain,
2131 uid, gid),
2132 PDB_DEFAULT);
2133 } else {
2134 pdb_set_homedir(sampass, homedir, PDB_SET);
2135 }
2136
2137 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2138 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
2139 {
2140 pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx,
2141 lp_logon_script(),
2142 username, domain,
2143 uid, gid),
2144 PDB_DEFAULT);
2145 } else {
2146 pdb_set_logon_script(sampass, logon_script, PDB_SET);
2147 }
2148
2149 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2150 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
2151 {
2152 pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx,
2153 lp_logon_path(),
2154 username, domain,
2155 uid, gid),
2156 PDB_DEFAULT);
2157 } else {
2158 pdb_set_profile_path(sampass, profile_path, PDB_SET);
2159 }
2160
2161 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2162 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
2163 {
2164 /* leave as default */
2165 } else {
2166 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
2167 }
2168
2169 if (!get_single_attribute(ldap_state->ldap_struct, entry,
2170 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations))
2171 {
2172 /* leave as default */;
2173 } else {
2174 pdb_set_workstations(sampass, workstations, PDB_SET);
2175 }
2176
2177 /* FIXME: hours stuff should be cleaner */
2178
2179 logon_divs = 168;
2180 hours_len = 21;
2181 memset(hours, 0xff, hours_len);
2182
2183 if (!get_single_attribute (ldap_state->ldap_struct, entry,
2184 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp))
2185 {
2186 /* leave as default */
2187 } else {
2188 pdb_gethexpwd(temp, smblmpwd);
2189 memset((char *)temp, '\0', strlen(temp)+1);
2190 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
2191 return False;
2192 ZERO_STRUCT(smblmpwd);
2193 }
2194
2195 if (!get_single_attribute (ldap_state->ldap_struct, entry,
2196 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp))
2197 {
2198 /* leave as default */
2199 } else {
2200 pdb_gethexpwd(temp, smbntpwd);
2201 memset((char *)temp, '\0', strlen(temp)+1);
2202 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
2203 return False;
2204 ZERO_STRUCT(smbntpwd);
2205 }
2206
2207 if (!get_single_attribute (ldap_state->ldap_struct, entry,
2208 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp))
2209 {
2210 acct_ctrl |= ACB_NORMAL;
2211 } else {
2212 acct_ctrl = pdb_decode_acct_ctrl(temp);
2213
2214 if (acct_ctrl == 0)
2215 acct_ctrl |= ACB_NORMAL;
2216
2217 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
2218 }
2219
2220 pdb_set_hours_len(sampass, hours_len, PDB_SET);
2221 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
2222
2223 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
2224
2225 /* pdb_set_unknown_3(sampass, unknown3, PDB_SET); */
2226 /* pdb_set_unknown_5(sampass, unknown5, PDB_SET); */
2227 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
2228
2229 pdb_set_hours(sampass, hours, PDB_SET);
2230
2231 return True;
2232 }
2233
2234 /**********************************************************************
2235 Initialize SAM_ACCOUNT from an LDAP query
2236 (Based on init_buffer_from_sam in pdb_tdb.c)
2237 *********************************************************************/
2238 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
2239 LDAPMessage *existing,
2240 LDAPMod *** mods, SAM_ACCOUNT * sampass,
2241 BOOL (*need_update)(const SAM_ACCOUNT *,
2242 enum pdb_elements))
2243 {
2244 pstring temp;
2245 uint32 rid;
2246
2247 if (mods == NULL || sampass == NULL) {
2248 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
2249 return False;
2250 }
2251
2252 *mods = NULL;
2253
2254 /*
2255 * took out adding "objectclass: sambaAccount"
2256 * do this on a per-mod basis
2257 */
2258 if (need_update(sampass, PDB_USERNAME))
2259 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2260 "uid", pdb_get_username(sampass));
2261
2262 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
2263
2264 if (pdb_get_init_flags(sampass, PDB_USERSID) == PDB_DEFAULT) {
2265 if (ldap_state->permit_non_unix_accounts) {
2266 if (!NT_STATUS_IS_OK(ldapsam_next_rid(ldap_state, &rid, USER_RID_TYPE))) {
2267 DEBUG(0, ("NO user RID specified on account %s, and "
2268 "finding next available NUA RID failed, "
2269 "cannot store!\n",
2270 pdb_get_username(sampass)));
2271 ldap_mods_free(*mods, 1);
2272 return False;
2273 }
2274 } else {
2275 DEBUG(0, ("NO user RID specified on account %s, "
2276 "cannot store!\n", pdb_get_username(sampass)));
2277 ldap_mods_free(*mods, 1);
2278 return False;
2279 }
2280
2281 /* now that we have figured out the RID, always store it, as
2282 the schema requires it (either as a SID or a RID) */
2283
2284 if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) {
2285 DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n",
2286 pdb_get_username(sampass)));
2287 ldap_mods_free(*mods, 1);
2288 return False;
2289 }
2290 }
2291
2292 /* only update the RID if we actually need to */
2293 if (need_update(sampass, PDB_USERSID))
2294 {
2295 fstring sid_string;
2296 fstring dom_sid_string;
2297 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
2298
2299 switch ( ldap_state->schema_ver )
2300 {
2301 case SCHEMAVER_SAMBAACCOUNT:
2302 if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) {
2303 DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
2304 sid_to_string(sid_string, user_sid),
2305 sid_to_string(dom_sid_string, get_global_sam_sid())));
2306 return False;
2307 }
2308 slprintf(temp, sizeof(temp) - 1, "%i", rid);
2309 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2310 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
2311 temp);
2312 break;
2313
2314 case SCHEMAVER_SAMBASAMACCOUNT:
2315 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2316 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2317 sid_to_string(sid_string, user_sid));
2318 break;
2319
2320 default:
2321 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
2322 break;
2323 }
2324 }
2325
2326 /* we don't need to store the primary group RID - so leaving it
2327 'free' to hang off the unix primary group makes life easier */
2328
2329 if (need_update(sampass, PDB_GROUPSID))
2330 {
2331 fstring sid_string;
2332 fstring dom_sid_string;
2333 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
2334
2335 switch ( ldap_state->schema_ver )
2336 {
2337 case SCHEMAVER_SAMBAACCOUNT:
2338 if (!sid_peek_check_rid(get_global_sam_sid(), group_sid, &rid)) {
2339 DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
2340 sid_to_string(sid_string, group_sid),
2341 sid_to_string(dom_sid_string, get_global_sam_sid())));
2342 return False;
2343 }
2344
2345 slprintf(temp, sizeof(temp) - 1, "%i", rid);
2346 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2347 get_userattr_key2string(ldap_state->schema_ver,
2348 LDAP_ATTR_PRIMARY_GROUP_RID), temp);
2349 break;
2350
2351 case SCHEMAVER_SAMBASAMACCOUNT:
2352 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2353 get_userattr_key2string(ldap_state->schema_ver,
2354 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
2355 break;
2356
2357 default:
2358 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
2359 break;
2360 }
2361
2362 }
2363
2364 /* displayName, cn, and gecos should all be the same
2365 * most easily accomplished by giving them the same OID
2366 * gecos isn't set here b/c it should be handled by the
2367 * add-user script
2368 * We change displayName only and fall back to cn if
2369 * it does not exist.
2370 */
2371
2372 if (need_update(sampass, PDB_FULLNAME))
2373 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2374 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
2375 pdb_get_fullname(sampass));
2376
2377 if (need_update(sampass, PDB_ACCTDESC))
2378 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2379 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
2380 pdb_get_acct_desc(sampass));
2381
2382 if (need_update(sampass, PDB_WORKSTATIONS))
2383 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2384 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
2385 pdb_get_workstations(sampass));
2386
2387 if (need_update(sampass, PDB_SMBHOME))
2388 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2389 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
2390 pdb_get_homedir(sampass));
2391
2392 if (need_update(sampass, PDB_DRIVE))
2393 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2394 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
2395 pdb_get_dir_drive(sampass));
2396
2397 if (need_update(sampass, PDB_LOGONSCRIPT))
2398 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2399 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
2400 pdb_get_logon_script(sampass));
2401
2402 if (need_update(sampass, PDB_PROFILE))
2403 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2404 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
2405 pdb_get_profile_path(sampass));
2406
2407 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
2408 if (need_update(sampass, PDB_LOGONTIME))
2409 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2410 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
2411
2412 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
2413 if (need_update(sampass, PDB_LOGOFFTIME))
2414 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2415 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
2416
2417 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
2418 if (need_update(sampass, PDB_KICKOFFTIME))
2419 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2420 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
2421
2422 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
2423 if (need_update(sampass, PDB_CANCHANGETIME))
2424 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2425 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
2426
2427 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
2428 if (need_update(sampass, PDB_MUSTCHANGETIME))
2429 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2430 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
2431
2432 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
2433 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY))
2434 {
2435
2436 pdb_sethexpwd(temp, pdb_get_lanman_passwd(sampass),
2437 pdb_get_acct_ctrl(sampass));
2438
2439 if (need_update(sampass, PDB_LMPASSWD))
2440 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2441 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
2442 temp);
2443
2444 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass),
2445 pdb_get_acct_ctrl(sampass));
2446
2447 if (need_update(sampass, PDB_NTPASSWD))
2448 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2449 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
2450 temp);
2451
2452 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
2453 if (need_update(sampass, PDB_PASSLASTSET))
2454 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2455 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
2456 temp);
2457 }
2458
2459 /* FIXME: Hours stuff goes in LDAP */
2460
2461 if (need_update(sampass, PDB_ACCTCTRL))
2462 make_ldap_mod(ldap_state->ldap_struct, existing, mods,
2463 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
2464 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
2465
2466 return True;
2467 }
2468
2469
2470
2471 /**********************************************************************
2472 Connect to LDAP server for password enumeration
2473 *********************************************************************/
2474 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
2475 {
2476 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2477 int rc;
2478 pstring filter;
2479 char **attr_list;
2480
2481 snprintf( filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(),
2482 get_objclass_filter(ldap_state->schema_ver));
2483 all_string_sub(filter, "%u", "*", sizeof(pstring));
2484
2485 attr_list = get_userattr_list(ldap_state->schema_ver);
2486 rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &ldap_state->result);
2487 free_attr_list( attr_list );
2488
2489 if (rc != LDAP_SUCCESS) {
2490 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
2491 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
2492 ldap_msgfree(ldap_state->result);
2493 ldap_state->result = NULL;
2494 return NT_STATUS_UNSUCCESSFUL;
2495 }
2496
2497 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
2498 ldap_count_entries(ldap_state->ldap_struct,
2499 ldap_state->result)));
2500
2501 ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
2502 ldap_state->result);
2503 ldap_state->index = 0;
2504
2505 return NT_STATUS_OK;
2506 }
2507
2508 /**********************************************************************
2509 End enumeration of the LDAP password list
2510 *********************************************************************/
2511 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
2512 {
2513 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2514 if (ldap_state->result) {
2515 ldap_msgfree(ldap_state->result);
2516 ldap_state->result = NULL;
2517 }
2518 }
2519
2520 /**********************************************************************
2521 Get the next entry in the LDAP password database
2522 *********************************************************************/
2523 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
2524 {
2525 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2526 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2527 BOOL bret = False;
2528
2529 /* The rebind proc needs this *HACK*. We are not multithreaded, so
2530 this will work, but it's not nice. */
2531 static_ldap_state = ldap_state;
2532
2533 while (!bret) {
2534 if (!ldap_state->entry)
2535 return ret;
2536
2537 ldap_state->index++;
2538 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
2539
2540 ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
2541 ldap_state->entry);
2542 }
2543
2544 return NT_STATUS_OK;
2545 }
2546
2547 /**********************************************************************
2548 Get SAM_ACCOUNT entry from LDAP by username
2549 *********************************************************************/
2550 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
2551 {
2552 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2553 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2554 LDAPMessage *result;
2555 LDAPMessage *entry;
2556 int count;
2557 char ** attr_list;
2558 int rc;
2559
2560 attr_list = get_userattr_list( ldap_state->schema_ver );
2561 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
2562 free_attr_list( attr_list );
2563
2564 if ( rc != LDAP_SUCCESS )
2565 return NT_STATUS_NO_SUCH_USER;
2566
2567 count = ldap_count_entries(ldap_state->ldap_struct, result);
2568
2569 if (count < 1) {
2570 DEBUG(4,
2571 ("Unable to locate user [%s] count=%d\n", sname,
2572 count));
2573 return NT_STATUS_NO_SUCH_USER;
2574 } else if (count > 1) {
2575 DEBUG(1,
2576 ("Duplicate entries for this user [%s] Failing. count=%d\n", sname,
2577 count));
2578 return NT_STATUS_NO_SUCH_USER;
2579 }
2580
2581 entry = ldap_first_entry(ldap_state->ldap_struct, result);
2582 if (entry) {
2583 if (!init_sam_from_ldap(ldap_state, user, entry)) {
2584 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
2585 ldap_msgfree(result);
2586 return NT_STATUS_NO_SUCH_USER;
2587 }
2588 ldap_msgfree(result);
2589 ret = NT_STATUS_OK;
2590 } else {
2591 ldap_msgfree(result);
2592 }
2593 return ret;
2594 }
2595
2596 /**********************************************************************
2597 Get SAM_ACCOUNT entry from LDAP by SID
2598 *********************************************************************/
2599 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
2600 {
2601 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2602 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2603 LDAPMessage *result;
2604 LDAPMessage *entry;
2605 fstring sid_string;
2606 int count;
2607 int rc;
2608 char ** attr_list;
2609
2610 switch ( ldap_state->schema_ver )
2611 {
2612 case SCHEMAVER_SAMBASAMACCOUNT:
2613 attr_list = get_userattr_list(ldap_state->schema_ver);
2614 rc = ldapsam_search_suffix_by_sid(ldap_state, sid, &result, attr_list);
2615 free_attr_list( attr_list );
2616
2617 if ( rc != LDAP_SUCCESS )
2618 return NT_STATUS_NO_SUCH_USER;
2619 break;
2620
2621 case SCHEMAVER_SAMBAACCOUNT:
2622 {
2623 uint32 rid;
2624 if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
2625 return NT_STATUS_NO_SUCH_USER;
2626 }
2627
2628 attr_list = get_userattr_list(ldap_state->schema_ver);
2629 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, &result, attr_list );
2630 free_attr_list( attr_list );
2631
2632 if ( rc != LDAP_SUCCESS )
2633 return NT_STATUS_NO_SUCH_USER;
2634 }
2635 break;
2636 }
2637
2638 count = ldap_count_entries(ldap_state->ldap_struct, result);
2639
2640 if (count < 1)
2641 {
2642 DEBUG(4,
2643 ("Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
2644 count));
2645 return NT_STATUS_NO_SUCH_USER;
2646 }
2647 else if (count > 1)
2648 {
2649 DEBUG(1,
2650 ("More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
2651 count));
2652 return NT_STATUS_NO_SUCH_USER;
2653 }
2654
2655 entry = ldap_first_entry(ldap_state->ldap_struct, result);
2656 if (entry)
2657 {
2658 if (!init_sam_from_ldap(ldap_state, user, entry)) {
2659 DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
2660 ldap_msgfree(result);
2661 return NT_STATUS_NO_SUCH_USER;
2662 }
2663 ldap_msgfree(result);
2664 ret = NT_STATUS_OK;
2665 } else {
2666 ldap_msgfree(result);
2667 }
2668 return ret;
2669 }
2670
2671 /********************************************************************
2672 Do the actual modification - also change a plaittext passord if
2673 it it set.
2674 **********************************************************************/
2675
2676 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
2677 SAM_ACCOUNT *newpwd, char *dn,
2678 LDAPMod **mods, int ldap_op,
2679 BOOL (*need_update)(const SAM_ACCOUNT *,
2680 enum pdb_elements))
2681 {
2682 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2683 int rc;
2684
2685 if (!my_methods || !newpwd || !dn) {
2686 return NT_STATUS_INVALID_PARAMETER;
2687 }
2688
2689 if (!mods) {
2690 DEBUG(5,("mods is empty: nothing to modify\n"));
2691 /* may be password change below however */
2692 } else {
2693 switch(ldap_op)
2694 {
2695 case LDAP_MOD_ADD:
2696 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT);
2697 rc = ldapsam_add(ldap_state, dn, mods);
2698 break;
2699 case LDAP_MOD_REPLACE:
2700 rc = ldapsam_modify(ldap_state, dn ,mods);
2701 break;
2702 default:
2703 DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
2704 return NT_STATUS_INVALID_PARAMETER;
2705 }
2706
2707 if (rc!=LDAP_SUCCESS) {
2708 char *ld_error = NULL;
2709 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2710 &ld_error);
2711 DEBUG(1,
2712 ("failed to %s user dn= %s with: %s\n\t%s\n",
2713 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
2714 dn, ldap_err2string(rc),
2715 ld_error?ld_error:"unknown"));
2716 SAFE_FREE(ld_error);
2717 return NT_STATUS_UNSUCCESSFUL;
2718 }
2719 }
2720
2721 #ifdef LDAP_EXOP_X_MODIFY_PASSWD
2722 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
2723 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
2724 need_update(newpwd, PDB_PLAINTEXT_PW) &&
2725 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
2726 BerElement *ber;
2727 struct berval *bv;
2728 char *retoid;
2729 struct berval *retdata;
2730 char *utf8_password;
2731 char *utf8_dn;
2732
2733 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
2734 return NT_STATUS_NO_MEMORY;
2735 }
2736
2737 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
2738 return NT_STATUS_NO_MEMORY;
2739 }
2740
2741 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
2742 DEBUG(0,("ber_alloc_t returns NULL\n"));
2743 SAFE_FREE(utf8_password);
2744 return NT_STATUS_UNSUCCESSFUL;
2745 }
2746
2747 ber_printf (ber, "{");
2748 ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID, utf8_dn);
2749 ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, utf8_password);
2750 ber_printf (ber, "N}");
2751
2752 if ((rc = ber_flatten (ber, &bv))<0) {
2753 DEBUG(0,("ber_flatten returns a value <0\n"));
2754 ber_free(ber,1);
2755 SAFE_FREE(utf8_dn);
2756 SAFE_FREE(utf8_password);
2757 return NT_STATUS_UNSUCCESSFUL;
2758 }
2759
2760 SAFE_FREE(utf8_dn);
2761 SAFE_FREE(utf8_password);
2762 ber_free(ber, 1);
2763
2764 if ((rc = ldapsam_extended_operation(ldap_state, LDAP_EXOP_X_MODIFY_PASSWD,
2765 bv, NULL, NULL, &retoid, &retdata))!=LDAP_SUCCESS) {
2766 DEBUG(0,("LDAP Password could not be changed for user %s: %s\n",
2767 pdb_get_username(newpwd),ldap_err2string(rc)));
2768 } else {
2769 DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
2770 #ifdef DEBUG_PASSWORD
2771 DEBUG(100,("LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
2772 #endif
2773 ber_bvfree(retdata);
2774 ber_memfree(retoid);
2775 }
2776 ber_bvfree(bv);
2777 }
2778 #else
2779 DEBUG(10,("LDAP PASSWORD SYNC is not supported!\n"));
2780 #endif /* LDAP_EXOP_X_MODIFY_PASSWD */
2781 return NT_STATUS_OK;
2782 }
2783
2784 /**********************************************************************
2785 Delete entry from LDAP for username
2786 *********************************************************************/
2787 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
2788 {
2789 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2790 const char *sname;
2791 int rc;
2792 LDAPMessage *result;
2793 NTSTATUS ret;
2794 char **attr_list;
2795 fstring objclass;
2796
2797 if (!sam_acct) {
2798 DEBUG(0, ("sam_acct was NULL!\n"));
2799 return NT_STATUS_INVALID_PARAMETER;
2800 }
2801
2802 sname = pdb_get_username(sam_acct);
2803
2804 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
2805
2806 attr_list= get_userattr_list( ldap_state->schema_ver );
2807 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
2808
2809 if (rc != LDAP_SUCCESS) {
2810 free_attr_list( attr_list );
2811 return NT_STATUS_NO_SUCH_USER;
2812 }
2813
2814 switch ( ldap_state->schema_ver )
2815 {
2816 case SCHEMAVER_SAMBASAMACCOUNT:
2817 fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
2818 break;
2819
2820 case SCHEMAVER_SAMBAACCOUNT:
2821 fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
2822 break;
2823 default:
2824 fstrcpy( objclass, "UNKNOWN" );
2825 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
2826 break;
2827 }
2828
2829 ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
2830 ldap_msgfree(result);
2831 free_attr_list( attr_list );
2832
2833 return ret;
2834 }
2835
2836 /**********************************************************************
2837 Helper function to determine for update_sam_account whether
2838 we need LDAP modification.
2839 *********************************************************************/
2840 static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
2841 enum pdb_elements element)
2842 {
2843 return IS_SAM_CHANGED(sampass, element);
2844 }
2845
2846 /**********************************************************************
2847 Update SAM_ACCOUNT
2848 *********************************************************************/
2849 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
2850 {
2851 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2852 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2853 int rc;
2854 char *dn;
2855 LDAPMessage *result;
2856 LDAPMessage *entry;
2857 LDAPMod **mods;
2858 char **attr_list;
2859
2860 attr_list = get_userattr_list(ldap_state->schema_ver);
2861 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
2862 free_attr_list( attr_list );
2863 if (rc != LDAP_SUCCESS)
2864 return NT_STATUS_UNSUCCESSFUL;
2865
2866 if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
2867 DEBUG(0, ("No user to modify!\n"));
2868 ldap_msgfree(result);
2869 return NT_STATUS_UNSUCCESSFUL;
2870 }
2871
2872 entry = ldap_first_entry(ldap_state->ldap_struct, result);
2873 dn = ldap_get_dn(ldap_state->ldap_struct, entry);
2874
2875 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2876 element_is_changed)) {
2877 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
2878 ldap_msgfree(result);
2879 return NT_STATUS_UNSUCCESSFUL;
2880 }
2881
2882 ldap_msgfree(result);
2883
2884 if (mods == NULL) {
2885 DEBUG(4,("mods is empty: nothing to update for user: %s\n",
2886 pdb_get_username(newpwd)));
2887 ldap_mods_free(mods, 1);
2888 return NT_STATUS_OK;
2889 }
2890
2891 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
2892 ldap_mods_free(mods,1);
2893
2894 if (!NT_STATUS_IS_OK(ret)) {
2895 char *ld_error = NULL;
2896 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2897 &ld_error);
2898 DEBUG(0,("failed to modify user with uid = %s, error: %s (%s)\n",
2899 pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
2900 SAFE_FREE(ld_error);
2901 return ret;
2902 }
2903
2904 DEBUG(2, ("successfully modified uid = %s in the LDAP database\n",
2905 pdb_get_username(newpwd)));
2906 return NT_STATUS_OK;
2907 }
2908
2909 /**********************************************************************
2910 Helper function to determine for update_sam_account whether
2911 we need LDAP modification.
2912 *********************************************************************/
2913 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
2914 enum pdb_elements element)
2915 {
2916 return (IS_SAM_SET(sampass, element) ||
2917 IS_SAM_CHANGED(sampass, element));
2918 }
2919
2920 /**********************************************************************
2921 Add SAM_ACCOUNT to LDAP
2922 *********************************************************************/
2923
2924 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
2925 {
2926 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2927 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2928 int rc;
2929 LDAPMessage *result = NULL;
2930 LDAPMessage *entry = NULL;
2931 pstring dn;
2932 LDAPMod **mods = NULL;
2933 int ldap_op;
2934 uint32 num_result;
2935 char **attr_list;
2936 char *escape_user;
2937 const char *username = pdb_get_username(newpwd);
2938 pstring filter;
2939
2940 if (!username || !*username) {
2941 DEBUG(0, ("Cannot add user without a username!\n"));
2942 return NT_STATUS_INVALID_PARAMETER;
2943 }
2944
2945 /* free this list after the second search or in case we exit on failure */
2946
2947 attr_list = get_userattr_list(ldap_state->schema_ver);
2948 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
2949
2950 if (rc != LDAP_SUCCESS) {
2951 free_attr_list( attr_list );
2952 return NT_STATUS_UNSUCCESSFUL;
2953 }
2954
2955 if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
2956 DEBUG(0,("User '%s' already in the base, with samba attributes\n",
2957 username));
2958 ldap_msgfree(result);
2959 free_attr_list( attr_list );
2960 return NT_STATUS_UNSUCCESSFUL;
2961 }
2962 ldap_msgfree(result);
2963
2964 /* does the entry already exist but without a samba rttibutes?
2965 we don't really care what attributes are returned here */
2966
2967 escape_user = escape_ldap_string_alloc( username );
2968 pstrcpy( filter, lp_ldap_filter() );
2969 all_string_sub( filter, "%u", escape_user, sizeof(filter) );
2970 SAFE_FREE( escape_user );
2971
2972 rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &result);
2973 free_attr_list( attr_list );
2974
2975 if ( rc != LDAP_SUCCESS )
2976 return NT_STATUS_UNSUCCESSFUL;
2977
2978 num_result = ldap_count_entries(ldap_state->ldap_struct, result);
2979
2980 if (num_result > 1) {
2981 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
2982 ldap_msgfree(result);
2983 return NT_STATUS_UNSUCCESSFUL;
2984 }
2985
2986 /* Check if we need to update an existing entry */
2987 if (num_result == 1) {
2988 char *tmp;
2989
2990 DEBUG(3,("User exists without samba attributes: adding them\n"));
2991 ldap_op = LDAP_MOD_REPLACE;
2992 entry = ldap_first_entry (ldap_state->ldap_struct, result);
2993 tmp = ldap_get_dn (ldap_state->ldap_struct, entry);
2994 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
2995 ldap_memfree (tmp);
2996 } else {
2997 /* Check if we need to add an entry */
2998 DEBUG(3,("Adding new user\n"));
2999 ldap_op = LDAP_MOD_ADD;
3000 if (username[strlen(username)-1] == '$') {
3001 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
3002 } else {
3003 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
3004 }
3005 }
3006
3007 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
3008 element_is_set_or_changed)) {
3009 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
3010 ldap_msgfree(result);
3011 return NT_STATUS_UNSUCCESSFUL;
3012 }
3013
3014 ldap_msgfree(result);
3015
3016 if (mods == NULL) {
3017 DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
3018 return NT_STATUS_UNSUCCESSFUL;
3019 }
3020 switch ( ldap_state->schema_ver )
3021 {
3022 case SCHEMAVER_SAMBAACCOUNT:
3023 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
3024 break;
3025 case SCHEMAVER_SAMBASAMACCOUNT:
3026 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
3027 break;
3028 default:
3029 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
3030 break;
3031 }
3032
3033 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
3034 if (NT_STATUS_IS_ERR(ret)) {
3035 DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
3036 pdb_get_username(newpwd),dn));
3037 ldap_mods_free(mods,1);
3038 return ret;
3039 }
3040
3041 DEBUG(2,("added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
3042 ldap_mods_free(mods, 1);
3043
3044 return NT_STATUS_OK;
3045 }
3046
3047 /**********************************************************************
3048 Housekeeping
3049 *********************************************************************/
3050
3051 static void free_private_data(void **vp)
3052 {
3053 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
3054
3055 ldapsam_close(*ldap_state);
3056
3057 if ((*ldap_state)->bind_secret) {
3058 memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
3059 }
3060
3061 ldapsam_close(*ldap_state);
3062
3063 SAFE_FREE((*ldap_state)->bind_dn);
3064 SAFE_FREE((*ldap_state)->bind_secret);
3065
3066 *ldap_state = NULL;
3067
3068 /* No need to free any further, as it is talloc()ed */
3069 }
3070
3071 /**********************************************************************
3072 *********************************************************************/
3073
3074 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
3075 const char *filter,
3076 LDAPMessage ** result)
3077 {
3078 int scope = LDAP_SCOPE_SUBTREE;
3079 int rc;
3080 char **attr_list;
3081
3082 DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter));
3083
3084
3085 attr_list = get_attr_list(groupmap_attr_list);
3086 rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope,
3087 filter, attr_list, 0, result);
3088 free_attr_list( attr_list );
3089
3090 if (rc != LDAP_SUCCESS) {
3091 char *ld_error = NULL;
3092 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
3093 &ld_error);
3094 DEBUG(0, ("ldapsam_search_one_group: "
3095 "Problem during the LDAP search: LDAP error: %s (%s)",
3096 ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
3097 DEBUG(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
3098 lp_ldap_suffix(), filter));
3099 SAFE_FREE(ld_error);
3100 }
3101
3102 return rc;
3103 }
3104
3105 /**********************************************************************
3106 *********************************************************************/
3107
3108 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
3109 GROUP_MAP *map, LDAPMessage *entry)
3110 {
3111 pstring temp;
3112
3113 if (ldap_state == NULL || map == NULL || entry == NULL ||
3114 ldap_state->ldap_struct == NULL)
3115 {
3116 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
3117 return False;
3118 }
3119
3120 if (!get_single_attribute(ldap_state->ldap_struct, entry,
3121 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp))
3122 {
3123 DEBUG(0, ("Mandatory attribute %s not found\n",
3124 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
3125 return False;
3126 }
3127 DEBUG(2, ("Entry found for group: %s\n", temp));
3128
3129 map->gid = (gid_t)atol(temp);
3130
3131 if (!get_single_attribute(ldap_state->ldap_struct, entry,
3132 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp))
3133 {
3134 DEBUG(0, ("Mandatory attribute %s not found\n",
3135 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
3136 return False;
3137 }
3138 string_to_sid(&map->sid, temp);
3139
3140 if (!get_single_attribute(ldap_state->ldap_struct, entry,
3141 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp))
3142 {
3143 DEBUG(0, ("Mandatory attribute %s not found\n",
3144 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
3145 return False;
3146 }
3147 map->sid_name_use = (uint32)atol(temp);
3148
3149 if ((map->sid_name_use < SID_NAME_USER) ||
3150 (map->sid_name_use > SID_NAME_UNKNOWN)) {
3151 DEBUG(0, ("Unknown Group type: %d\n", map->sid_name_use));
3152 return False;
3153 }
3154
3155 if (!get_single_attribute(ldap_state->ldap_struct, entry,
3156 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp))
3157 {
3158 temp[0] = '\0';
3159 if (!get_single_attribute(ldap_state->ldap_struct, entry,
3160 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
3161 {
3162 DEBUG(0, ("Attributes cn not found either "
3163 "for gidNumber(%i)\n",map->gid));
3164 return False;
3165 }
3166 }
3167 fstrcpy(map->nt_name, temp);
3168
3169 if (!get_single_attribute(ldap_state->ldap_struct, entry,
3170 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp))
3171 {
3172 temp[0] = '\0';
3173 }
3174 fstrcpy(map->comment, temp);
3175
3176 map->systemaccount = 0;
3177 init_privilege(&map->priv_set);
3178
3179 return True;
3180 }
3181
3182 /**********************************************************************
3183 *********************************************************************/
3184
3185 static BOOL init_ldap_from_group(LDAP *ldap_struct,
3186 LDAPMessage *existing,
3187 LDAPMod ***mods,
3188 const GROUP_MAP *map)
3189 {
3190 pstring tmp;
3191
3192 if (mods == NULL || map == NULL) {
3193 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
3194 return False;
3195 }
3196
3197 *mods = NULL;
3198
3199 sid_to_string(tmp, &map->sid);
3200 make_ldap_mod(ldap_struct, existing, mods,
3201 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
3202 snprintf(tmp, sizeof(tmp)-1, "%i", map->sid_name_use);
3203 make_ldap_mod(ldap_struct, existing, mods,
3204 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
3205
3206 make_ldap_mod(ldap_struct, existing, mods,
3207 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
3208 make_ldap_mod(ldap_struct, existing, mods,
3209 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
3210
3211 return True;
3212 }
3213
3214 /**********************************************************************
3215 *********************************************************************/
3216
3217 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
3218 const char *filter,
3219 GROUP_MAP *map)
3220 {
3221 struct ldapsam_privates *ldap_state =
3222 (struct ldapsam_privates *)methods->private_data;
3223 LDAPMessage *result;
3224 LDAPMessage *entry;
3225 int count;
3226
3227 if (ldapsam_search_one_group(ldap_state, filter, &result)
3228 != LDAP_SUCCESS) {
3229 return NT_STATUS_NO_SUCH_GROUP;
3230 }
3231
3232 count = ldap_count_entries(ldap_state->ldap_struct, result);
3233
3234 if (count < 1) {
3235 DEBUG(4, ("Did not find group for filter %s\n", filter));
3236 return NT_STATUS_NO_SUCH_GROUP;
3237 }
3238
3239 if (count > 1) {
3240 DEBUG(1, ("Duplicate entries for filter %s: count=%d\n",
3241 filter, count));
3242 return NT_STATUS_NO_SUCH_GROUP;
3243 }
3244
3245 entry = ldap_first_entry(ldap_state->ldap_struct, result);
3246
3247 if (!entry) {
3248 ldap_msgfree(result);
3249 return NT_STATUS_UNSUCCESSFUL;
3250 }
3251
3252 if (!init_group_from_ldap(ldap_state, map, entry)) {
3253 DEBUG(1, ("init_group_from_ldap failed for group filter %s\n",
3254 filter));
3255 ldap_msgfree(result);
3256 return NT_STATUS_NO_SUCH_GROUP;
3257 }
3258
3259 ldap_msgfree(result);
3260 return NT_STATUS_OK;
3261 }
3262
3263 /**********************************************************************
3264 *********************************************************************/
3265
3266 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
3267 DOM_SID sid, BOOL with_priv)
3268 {
3269 pstring filter;
3270
3271 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
3272 LDAP_OBJ_GROUPMAP,
3273 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
3274 sid_string_static(&sid));
3275
3276 return ldapsam_getgroup(methods, filter, map);
3277 }
3278
3279 /**********************************************************************
3280 *********************************************************************/
3281
3282 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
3283 gid_t gid, BOOL with_priv)
3284 {
3285 pstring filter;
3286
3287 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%d))",
3288 LDAP_OBJ_GROUPMAP,
3289 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
3290 gid);
3291
3292 return ldapsam_getgroup(methods, filter, map);
3293 }
3294
3295 /**********************************************************************
3296 *********************************************************************/
3297
3298 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
3299 char *name, BOOL with_priv)
3300 {
3301 pstring filter;
3302
3303 /* TODO: Escaping of name? */
3304
3305 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
3306 LDAP_OBJ_GROUPMAP,
3307 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), name,
3308 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), name);
3309
3310 return ldapsam_getgroup(methods, filter, map);
3311 }
3312
3313 /**********************************************************************
3314 *********************************************************************/
3315
3316 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
3317 gid_t gid,
3318 LDAPMessage **result)
3319 {
3320 pstring filter;
3321
3322 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%i))",
3323 LDAP_OBJ_POSIXGROUP,
3324 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
3325 gid);
3326
3327 return ldapsam_search_one_group(ldap_state, filter, result);
3328 }
3329
3330 /**********************************************************************
3331 *********************************************************************/
3332
3333 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
3334 GROUP_MAP *map)
3335 {
3336 struct ldapsam_privates *ldap_state =
3337 (struct ldapsam_privates *)methods->private_data;
3338 LDAPMessage *result = NULL;
3339 LDAPMod **mods = NULL;
3340
3341 char *tmp;
3342 pstring dn;
3343 LDAPMessage *entry;
3344
3345 GROUP_MAP dummy;
3346
3347 int rc;
3348
3349 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
3350 map->gid, False))) {
3351 DEBUG(0, ("Group %i already exists in LDAP\n", map->gid));
3352 return NT_STATUS_UNSUCCESSFUL;
3353 }
3354
3355 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
3356 if (rc != LDAP_SUCCESS) {
3357 return NT_STATUS_UNSUCCESSFUL;
3358 }
3359
3360 if (ldap_count_entries(ldap_state->ldap_struct, result) != 1) {
3361 DEBUG(2, ("Group %i must exist exactly once in LDAP\n",
3362 map->gid));
3363 ldap_msgfree(result);
3364 return NT_STATUS_UNSUCCESSFUL;
3365 }
3366
3367 entry = ldap_first_entry(ldap_state->ldap_struct, result);
3368 tmp = ldap_get_dn(ldap_state->ldap_struct, entry);
3369 pstrcpy(dn, tmp);
3370 ldap_memfree(tmp);
3371
3372 if (!init_ldap_from_group(ldap_state->ldap_struct,
3373 result, &mods, map)) {
3374 DEBUG(0, ("init_ldap_from_group failed!\n"));
3375 ldap_mods_free(mods, 1);
3376 ldap_msgfree(result);
3377 return NT_STATUS_UNSUCCESSFUL;
3378 }
3379
3380 ldap_msgfree(result);
3381
3382 if (mods == NULL) {
3383 DEBUG(0, ("mods is empty\n"));
3384 return NT_STATUS_UNSUCCESSFUL;
3385 }
3386
3387 make_a_mod(&mods, LDAP_MOD_ADD, "objectClass",
3388 "sambaGroupMapping");
3389
3390 rc = ldapsam_modify(ldap_state, dn, mods);
3391 ldap_mods_free(mods, 1);
3392
3393 if (rc != LDAP_SUCCESS) {
3394 char *ld_error = NULL;
3395 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
3396 &ld_error);
3397 DEBUG(0, ("failed to add group %i error: %s (%s)\n", map->gid,
3398 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
3399 SAFE_FREE(ld_error);
3400 return NT_STATUS_UNSUCCESSFUL;
3401 }
3402
3403 DEBUG(2, ("successfully modified group %i in LDAP\n", map->gid));
3404 return NT_STATUS_OK;
3405 }
3406
3407 /**********************************************************************
3408 *********************************************************************/
3409
3410 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
3411 GROUP_MAP *map)
3412 {
3413 struct ldapsam_privates *ldap_state =
3414 (struct ldapsam_privates *)methods->private_data;
3415 int rc;
3416 char *dn;
3417 LDAPMessage *result;
3418 LDAPMessage *entry;
3419 LDAPMod **mods;
3420
3421 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
3422
3423 if (rc != LDAP_SUCCESS) {
3424 return NT_STATUS_UNSUCCESSFUL;
3425 }
3426
3427 if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
3428 DEBUG(0, ("No group to modify!\n"));
3429 ldap_msgfree(result);
3430 return NT_STATUS_UNSUCCESSFUL;
3431 }
3432
3433 entry = ldap_first_entry(ldap_state->ldap_struct, result);
3434 dn = ldap_get_dn(ldap_state->ldap_struct, entry);
3435
3436 if (!init_ldap_from_group(ldap_state->ldap_struct,
3437 result, &mods, map)) {
3438 DEBUG(0, ("init_ldap_from_group failed\n"));
3439 ldap_msgfree(result);
3440 return NT_STATUS_UNSUCCESSFUL;
3441 }
3442
3443 ldap_msgfree(result);
3444
3445 if (mods == NULL) {
3446 DEBUG(4, ("mods is empty: nothing to do\n"));
3447 return NT_STATUS_UNSUCCESSFUL;
3448 }
3449
3450 rc = ldapsam_modify(ldap_state, dn, mods);
3451
3452 ldap_mods_free(mods, 1);
3453
3454 if (rc != LDAP_SUCCESS) {
3455 char *ld_error = NULL;
3456 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
3457 &ld_error);
3458 DEBUG(0, ("failed to modify group %i error: %s (%s)\n", map->gid,
3459 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
3460 SAFE_FREE(ld_error);
3461 }
3462
3463 DEBUG(2, ("successfully modified group %i in LDAP\n", map->gid));
3464 return NT_STATUS_OK;
3465 }
3466
3467 /**********************************************************************
3468 *********************************************************************/
3469
3470 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
3471 DOM_SID sid)
3472 {
3473 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
3474 pstring sidstring, filter;
3475 LDAPMessage *result;
3476 int rc;
3477 NTSTATUS ret;
3478 char **attr_list;
3479
3480 sid_to_string(sidstring, &sid);
3481
3482 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
3483 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
3484
3485 rc = ldapsam_search_one_group(ldap_state, filter, &result);
3486
3487 if (rc != LDAP_SUCCESS) {
3488 return NT_STATUS_NO_SUCH_GROUP;
3489 }
3490
3491 attr_list = get_attr_list( groupmap_attr_list_to_delete );
3492 ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
3493 free_attr_list ( attr_list );
3494
3495 ldap_msgfree(result);
3496
3497 return ret;
3498 }
3499
3500 /**********************************************************************
3501 *********************************************************************/
3502
3503 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
3504 {
3505 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
3506 fstring filter;
3507 int rc;
3508 char **attr_list;
3509
3510 snprintf( filter, sizeof(filter)-1, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
3511 attr_list = get_attr_list( groupmap_attr_list );
3512 rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
3513 LDAP_SCOPE_SUBTREE, filter,
3514 attr_list, 0, &ldap_state->result);
3515 free_attr_list( attr_list );
3516
3517 if (rc != LDAP_SUCCESS) {
3518 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
3519 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
3520 ldap_msgfree(ldap_state->result);
3521 ldap_state->result = NULL;
3522 return NT_STATUS_UNSUCCESSFUL;
3523 }
3524
3525 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
3526 ldap_count_entries(ldap_state->ldap_struct,
3527 ldap_state->result)));
3528
3529 ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct, ldap_state->result);
3530 ldap_state->index = 0;
3531
3532 return NT_STATUS_OK;
3533 }
3534
3535 /**********************************************************************
3536 *********************************************************************/
3537
3538 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
3539 {
3540 ldapsam_endsampwent(my_methods);
3541 }
3542
3543 /**********************************************************************
3544 *********************************************************************/
3545
3546 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
3547 GROUP_MAP *map)
3548 {
3549 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
3550 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
3551 BOOL bret = False;
3552
3553 /* The rebind proc needs this *HACK*. We are not multithreaded, so
3554 this will work, but it's not nice. */
3555 static_ldap_state = ldap_state;
3556
3557 while (!bret) {
3558 if (!ldap_state->entry)
3559 return ret;
3560
3561 ldap_state->index++;
3562 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
3563
3564 ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
3565 ldap_state->entry);
3566 }
3567
3568 return NT_STATUS_OK;
3569 }
3570
3571 /**********************************************************************
3572 *********************************************************************/
3573
3574 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
3575 enum SID_NAME_USE sid_name_use,
3576 GROUP_MAP **rmap, int *num_entries,
3577 BOOL unix_only, BOOL with_priv)
3578 {
3579 GROUP_MAP map;
3580 GROUP_MAP *mapt;
3581 int entries = 0;
3582 NTSTATUS nt_status;
3583
3584 *num_entries = 0;
3585 *rmap = NULL;
3586
3587 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
3588 DEBUG(0, ("Unable to open passdb\n"));
3589 return NT_STATUS_ACCESS_DENIED;
3590 }
3591
3592 while (NT_STATUS_IS_OK(nt_status = ldapsam_getsamgrent(methods, &map))) {
3593 if (sid_name_use != SID_NAME_UNKNOWN &&
3594 sid_name_use != map.sid_name_use) {
3595 DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
3596 continue;
3597 }
3598 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
3599 DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
3600 continue;
3601 }
3602
3603 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
3604 if (!mapt) {
3605 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
3606 SAFE_FREE(*rmap);
3607 return NT_STATUS_UNSUCCESSFUL;
3608 }
3609 else
3610 (*rmap) = mapt;
3611
3612 mapt[entries] = map;
3613
3614 entries += 1;
3615
3616 }
3617 ldapsam_endsamgrent(methods);
3618
3619 *num_entries = entries;
3620
3621 return NT_STATUS_OK;
3622 }
3623
3624 /**********************************************************************
3625 *********************************************************************/
3626
3627 static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
3628 const char *location)
3629 {
3630 NTSTATUS nt_status;
3631 struct ldapsam_privates *ldap_state;
3632
3633 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
3634 return nt_status;
3635 }
3636
3637 (*pdb_method)->name = "ldapsam";
3638
3639 (*pdb_method)->setsampwent = ldapsam_setsampwent;
3640 (*pdb_method)->endsampwent = ldapsam_endsampwent;
3641 (*pdb_method)->getsampwent = ldapsam_getsampwent;
3642 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
3643 (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
3644 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
3645 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
3646 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
3647
3648 (*pdb_method)->getgrsid = ldapsam_getgrsid;
3649 (*pdb_method)->getgrgid = ldapsam_getgrgid;
3650 (*pdb_method)->getgrnam = ldapsam_getgrnam;
3651 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
3652 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
3653 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
3654 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
3655
3656 /* TODO: Setup private data and free */
3657
3658 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
3659
3660 if (!ldap_state) {
3661 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
3662 return NT_STATUS_NO_MEMORY;
3663 }
3664
3665 if (location) {
3666 ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
3667 } else {
3668 ldap_state->uri = "ldap://localhost";
3669 }
3670
3671 ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
3672 if (!ldap_state->domain_name) {
3673 return NT_STATUS_NO_MEMORY;
3674 }
3675
3676 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
3677
3678 (*pdb_method)->private_data = ldap_state;
3679
3680 (*pdb_method)->free_private_data = free_private_data;
3681
3682 return NT_STATUS_OK;
3683 }
3684
3685 /**********************************************************************
3686 *********************************************************************/
3687
3688 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
3689 {
3690 NTSTATUS nt_status;
3691 struct ldapsam_privates *ldap_state;
3692
3693 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
3694 return nt_status;
3695 }
3696
3697 (*pdb_method)->name = "ldapsam_compat";
3698
3699 ldap_state = (*pdb_method)->private_data;
3700 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
3701
3702 if (location) {
3703 ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
3704 } else {
3705 #ifndef WITH_LDAP_SAMCONFIG
3706 ldap_state->uri = "ldap://localhost";
3707 #else
3708 int ldap_port = lp_ldap_port();
3709
3710 /* remap default port if not using SSL (ie clear or TLS) */
3711 if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
3712 ldap_port = 389;
3713 }
3714
3715 ldap_state->uri = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
3716 if (!ldap_state->uri) {
3717 return NT_STATUS_NO_MEMORY;
3718 }
3719 #endif
3720 }
3721
3722 return NT_STATUS_OK;
3723 }
3724
3725 /**********************************************************************
3726 *********************************************************************/
3727
3728 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
3729 {
3730 NTSTATUS nt_status;
3731 struct ldapsam_privates *ldap_state;
3732 uint32 low_idmap_uid, high_idmap_uid;
3733 uint32 low_idmap_gid, high_idmap_gid;
3734
3735 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
3736 return nt_status;
3737 }
3738
3739 (*pdb_method)->name = "ldapsam";
3740
3741 ldap_state = (*pdb_method)->private_data;
3742 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
3743 ldap_state->permit_non_unix_accounts = False;
3744
3745 /* check for non-unix account ranges */
3746
3747 if (lp_idmap_uid(&low_idmap_uid, &high_idmap_uid)
3748 && lp_idmap_gid(&low_idmap_gid, &high_idmap_gid))
3749 {
3750 DEBUG(2, ("Enabling non-unix account ranges\n"));
3751
3752 ldap_state->permit_non_unix_accounts = True;
3753
3754 ldap_state->low_allocated_user_rid = fallback_pdb_uid_to_user_rid(low_idmap_uid);
3755 ldap_state->high_allocated_user_rid = fallback_pdb_uid_to_user_rid(high_idmap_uid);
3756 ldap_state->low_allocated_group_rid = pdb_gid_to_group_rid(low_idmap_gid);
3757 ldap_state->high_allocated_group_rid = pdb_gid_to_group_rid(high_idmap_gid);
3758 }
3759
3760 return NT_STATUS_OK;
3761 }
3762
3763 NTSTATUS pdb_ldap_init(void)
3764 {
3765 NTSTATUS nt_status;
3766 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
3767 return nt_status;
3768
3769 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
3770 return nt_status;
3771
3772 return NT_STATUS_OK;
3773 }
3774
3775