2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
49 #define DBGC_CLASS DBGC_PASSDB
55 * Work around versions of the LDAP client libs that don't have the OIDs
56 * defined, or have them defined under the old name.
57 * This functionality is really a factor of the server, not the client
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
81 #define SAM_ACCOUNT struct sam_passwd
84 #define MODIFY_TIMESTAMP_STRING "modifyTimestamp"
88 struct ldapsam_privates
{
89 struct smbldap_state
*smbldap_state
;
96 const char *domain_name
;
99 /* configuration items */
103 /**********************************************************************
104 Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
105 **********************************************************************/
107 static void private_data_free_fn(void **result
)
109 ldap_msgfree(*result
);
113 /**********************************************************************
114 Get the attribute name given a user schame version.
115 **********************************************************************/
117 static const char* get_userattr_key2string( int schema_ver
, int key
)
119 switch ( schema_ver
) {
120 case SCHEMAVER_SAMBAACCOUNT
:
121 return get_attr_key2string( attrib_map_v22
, key
);
123 case SCHEMAVER_SAMBASAMACCOUNT
:
124 return get_attr_key2string( attrib_map_v30
, key
);
127 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
133 /**********************************************************************
134 Return the list of attribute names given a user schema version.
135 **********************************************************************/
137 static char** get_userattr_list( int schema_ver
)
139 switch ( schema_ver
) {
140 case SCHEMAVER_SAMBAACCOUNT
:
141 return get_attr_list( attrib_map_v22
);
143 case SCHEMAVER_SAMBASAMACCOUNT
:
144 return get_attr_list( attrib_map_v30
);
146 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
153 /*******************************************************************
154 Generate the LDAP search filter for the objectclass based on the
155 version of the schema we are using.
156 ******************************************************************/
158 static const char* get_objclass_filter( int schema_ver
)
160 static fstring objclass_filter
;
162 switch( schema_ver
) {
163 case SCHEMAVER_SAMBAACCOUNT
:
164 fstr_sprintf( objclass_filter
, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT
);
166 case SCHEMAVER_SAMBASAMACCOUNT
:
167 fstr_sprintf( objclass_filter
, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT
);
170 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
174 return objclass_filter
;
177 /*******************************************************************
178 Run the search by name.
179 ******************************************************************/
181 static int ldapsam_search_suffix_by_name (struct ldapsam_privates
*ldap_state
,
183 LDAPMessage
** result
, char **attr
)
186 char *escape_user
= escape_ldap_string_alloc(user
);
189 return LDAP_NO_MEMORY
;
193 * in the filter expression, replace %u with the real name
194 * so in ldap filter, %u MUST exist :-)
196 pstr_sprintf(filter
, "(&%s%s)", lp_ldap_filter(),
197 get_objclass_filter(ldap_state
->schema_ver
));
200 * have to use this here because $ is filtered out
205 all_string_sub(filter
, "%u", escape_user
, sizeof(pstring
));
206 SAFE_FREE(escape_user
);
208 return smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, attr
, result
);
211 /*******************************************************************
212 Run the search by rid.
213 ******************************************************************/
215 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates
*ldap_state
,
216 uint32 rid
, LDAPMessage
** result
,
222 pstr_sprintf(filter
, "(&(rid=%i)%s)", rid
,
223 get_objclass_filter(ldap_state
->schema_ver
));
225 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, attr
, result
);
230 /*******************************************************************
231 Run the search by SID.
232 ******************************************************************/
234 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates
*ldap_state
,
235 const DOM_SID
*sid
, LDAPMessage
** result
,
242 pstr_sprintf(filter
, "(&(%s=%s)%s)",
243 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
244 sid_to_string(sid_string
, sid
),
245 get_objclass_filter(ldap_state
->schema_ver
));
247 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
, attr
, result
);
252 /*******************************************************************
253 Delete complete object or objectclass and attrs from
254 object found in search_result depending on lp_ldap_delete_dn
255 ******************************************************************/
257 static NTSTATUS
ldapsam_delete_entry(struct ldapsam_privates
*ldap_state
,
259 const char *objectclass
,
263 LDAPMessage
*entry
= NULL
;
264 LDAPMod
**mods
= NULL
;
266 BerElement
*ptr
= NULL
;
268 rc
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
271 DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
272 return NT_STATUS_UNSUCCESSFUL
;
275 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
276 dn
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
278 return NT_STATUS_UNSUCCESSFUL
;
281 if (lp_ldap_delete_dn()) {
282 NTSTATUS ret
= NT_STATUS_OK
;
283 rc
= smbldap_delete(ldap_state
->smbldap_state
, dn
);
285 if (rc
!= LDAP_SUCCESS
) {
286 DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn
));
287 ret
= NT_STATUS_UNSUCCESSFUL
;
293 /* Ok, delete only the SAM attributes */
295 for (name
= ldap_first_attribute(ldap_state
->smbldap_state
->ldap_struct
, entry
, &ptr
);
297 name
= ldap_next_attribute(ldap_state
->smbldap_state
->ldap_struct
, entry
, ptr
)) {
300 /* We are only allowed to delete the attributes that
303 for (attrib
= attrs
; *attrib
!= NULL
; attrib
++) {
304 if (StrCaseCmp(*attrib
, name
) == 0) {
305 DEBUG(10, ("ldapsam_delete_entry: deleting attribute %s\n", name
));
306 smbldap_set_mod(&mods
, LDAP_MOD_DELETE
, name
, NULL
);
317 smbldap_set_mod(&mods
, LDAP_MOD_DELETE
, "objectClass", objectclass
);
319 rc
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
320 ldap_mods_free(mods
, True
);
322 if (rc
!= LDAP_SUCCESS
) {
323 char *ld_error
= NULL
;
324 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
327 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
328 dn
, ldap_err2string(rc
), ld_error
?ld_error
:"unknown"));
331 return NT_STATUS_UNSUCCESSFUL
;
338 /* New Interface is being implemented here */
340 #if 0 /* JERRY - not uesed anymore */
342 /**********************************************************************
343 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
344 *********************************************************************/
345 static BOOL
get_unix_attributes (struct ldapsam_privates
*ldap_state
,
346 SAM_ACCOUNT
* sampass
,
355 if ((ldap_values
= ldap_get_values (ldap_state
->smbldap_state
->ldap_struct
, entry
, "objectClass")) == NULL
) {
356 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
360 for (values
=ldap_values
;*values
;values
++) {
361 if (strequal(*values
, LDAP_OBJ_POSIXACCOUNT
)) {
366 if (!*values
) { /*end of array, no posixAccount */
367 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT
));
368 ldap_value_free(ldap_values
);
371 ldap_value_free(ldap_values
);
373 if ( !smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
374 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_UNIX_HOME
), homedir
) )
379 if ( !smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
380 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_GIDNUMBER
), temp
) )
385 *gid
= (gid_t
)atol(temp
);
387 pdb_set_unix_homedir(sampass
, homedir
, PDB_SET
);
389 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT
));
396 static time_t ldapsam_get_entry_timestamp(
397 struct ldapsam_privates
*ldap_state
,
403 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
,
404 entry
, MODIFY_TIMESTAMP_STRING
, temp
))
407 strptime(temp
, "%Y%m%d%H%M%SZ", &tm
);
412 /**********************************************************************
413 Initialize SAM_ACCOUNT from an LDAP query.
414 (Based on init_sam_from_buffer in pdb_tdb.c)
415 *********************************************************************/
417 static BOOL
init_sam_from_ldap (struct ldapsam_privates
*ldap_state
,
418 SAM_ACCOUNT
* sampass
,
425 pass_can_change_time
,
426 pass_must_change_time
,
439 char munged_dial
[2048];
441 uint8 smblmpwd
[LM_HASH_LEN
],
442 smbntpwd
[NT_HASH_LEN
];
443 uint16 acct_ctrl
= 0,
445 uint16 bad_password_count
= 0,
448 uint8 hours
[MAX_HOURS_LEN
];
450 LOGIN_CACHE
*cache_entry
= NULL
;
453 * do a little initialization
457 nt_username
[0] = '\0';
461 logon_script
[0] = '\0';
462 profile_path
[0] = '\0';
464 munged_dial
[0] = '\0';
465 workstations
[0] = '\0';
468 if (sampass
== NULL
|| ldap_state
== NULL
|| entry
== NULL
) {
469 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
473 if (ldap_state
->smbldap_state
->ldap_struct
== NULL
) {
474 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
478 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
, "uid", username
)) {
479 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
483 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username
));
485 pstrcpy(nt_username
, username
);
487 pstrcpy(domain
, ldap_state
->domain_name
);
489 pdb_set_username(sampass
, username
, PDB_SET
);
491 pdb_set_domain(sampass
, domain
, PDB_DEFAULT
);
492 pdb_set_nt_username(sampass
, nt_username
, PDB_SET
);
494 /* deal with different attributes between the schema first */
496 if ( ldap_state
->schema_ver
== SCHEMAVER_SAMBASAMACCOUNT
) {
497 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
498 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
), temp
)) {
499 pdb_set_user_sid_from_string(sampass
, temp
, PDB_SET
);
502 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
503 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PRIMARY_GROUP_SID
), temp
)) {
504 pdb_set_group_sid_from_string(sampass
, temp
, PDB_SET
);
506 pdb_set_group_sid_from_rid(sampass
, DOMAIN_GROUP_RID_USERS
, PDB_DEFAULT
);
509 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
510 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_RID
), temp
)) {
511 user_rid
= (uint32
)atol(temp
);
512 pdb_set_user_sid_from_rid(sampass
, user_rid
, PDB_SET
);
515 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
516 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PRIMARY_GROUP_RID
), temp
)) {
517 pdb_set_group_sid_from_rid(sampass
, DOMAIN_GROUP_RID_USERS
, PDB_DEFAULT
);
521 group_rid
= (uint32
)atol(temp
);
523 /* for some reason, we often have 0 as a primary group RID.
524 Make sure that we treat this just as a 'default' value */
527 pdb_set_group_sid_from_rid(sampass
, group_rid
, PDB_SET
);
529 pdb_set_group_sid_from_rid(sampass
, DOMAIN_GROUP_RID_USERS
, PDB_DEFAULT
);
533 if (pdb_get_init_flags(sampass
,PDB_USERSID
) == PDB_DEFAULT
) {
534 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
535 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
536 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_RID
),
541 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
542 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_LAST_SET
), temp
)) {
543 /* leave as default */
545 pass_last_set_time
= (time_t) atol(temp
);
546 pdb_set_pass_last_set_time(sampass
, pass_last_set_time
, PDB_SET
);
549 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
550 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_TIME
), temp
)) {
551 /* leave as default */
553 logon_time
= (time_t) atol(temp
);
554 pdb_set_logon_time(sampass
, logon_time
, PDB_SET
);
557 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
558 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGOFF_TIME
), temp
)) {
559 /* leave as default */
561 logoff_time
= (time_t) atol(temp
);
562 pdb_set_logoff_time(sampass
, logoff_time
, PDB_SET
);
565 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
566 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_KICKOFF_TIME
), temp
)) {
567 /* leave as default */
569 kickoff_time
= (time_t) atol(temp
);
570 pdb_set_kickoff_time(sampass
, kickoff_time
, PDB_SET
);
573 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
574 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_CAN_CHANGE
), temp
)) {
575 /* leave as default */
577 pass_can_change_time
= (time_t) atol(temp
);
578 pdb_set_pass_can_change_time(sampass
, pass_can_change_time
, PDB_SET
);
581 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
582 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_MUST_CHANGE
), temp
)) {
583 /* leave as default */
585 pass_must_change_time
= (time_t) atol(temp
);
586 pdb_set_pass_must_change_time(sampass
, pass_must_change_time
, PDB_SET
);
589 /* recommend that 'gecos' and 'displayName' should refer to the same
590 * attribute OID. userFullName depreciated, only used by Samba
591 * primary rules of LDAP: don't make a new attribute when one is already defined
592 * that fits your needs; using cn then displayName rather than 'userFullName'
595 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
596 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DISPLAY_NAME
), fullname
)) {
597 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
598 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_CN
), fullname
)) {
599 /* leave as default */
601 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
604 pdb_set_fullname(sampass
, fullname
, PDB_SET
);
607 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
608 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_DRIVE
), dir_drive
))
610 pdb_set_dir_drive( sampass
,
611 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_drive()),
614 pdb_set_dir_drive(sampass
, dir_drive
, PDB_SET
);
617 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
618 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_PATH
), homedir
))
620 pdb_set_homedir( sampass
,
621 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_home()),
624 pdb_set_homedir(sampass
, homedir
, PDB_SET
);
627 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
628 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_SCRIPT
), logon_script
))
630 pdb_set_logon_script( sampass
,
631 talloc_sub_basic(sampass
->mem_ctx
, username
, lp_logon_script()),
634 pdb_set_logon_script(sampass
, logon_script
, PDB_SET
);
637 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
638 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PROFILE_PATH
), profile_path
))
640 pdb_set_profile_path( sampass
,
641 talloc_sub_basic( sampass
->mem_ctx
, username
, lp_logon_path()),
644 pdb_set_profile_path(sampass
, profile_path
, PDB_SET
);
647 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
648 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DESC
), acct_desc
))
650 /* leave as default */
652 pdb_set_acct_desc(sampass
, acct_desc
, PDB_SET
);
655 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
656 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_WKS
), workstations
)) {
657 /* leave as default */;
659 pdb_set_workstations(sampass
, workstations
, PDB_SET
);
662 if (!smbldap_get_single_attribute(ldap_state
->smbldap_state
->ldap_struct
, entry
,
663 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_MUNGED_DIAL
), munged_dial
, sizeof(munged_dial
))) {
664 /* leave as default */;
666 pdb_set_munged_dial(sampass
, munged_dial
, PDB_SET
);
669 /* FIXME: hours stuff should be cleaner */
673 memset(hours
, 0xff, hours_len
);
675 if (!smbldap_get_single_pstring (ldap_state
->smbldap_state
->ldap_struct
, entry
,
676 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LMPW
), temp
)) {
677 /* leave as default */
679 pdb_gethexpwd(temp
, smblmpwd
);
680 memset((char *)temp
, '\0', strlen(temp
)+1);
681 if (!pdb_set_lanman_passwd(sampass
, smblmpwd
, PDB_SET
))
683 ZERO_STRUCT(smblmpwd
);
686 if (!smbldap_get_single_pstring (ldap_state
->smbldap_state
->ldap_struct
, entry
,
687 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_NTPW
), temp
)) {
688 /* leave as default */
690 pdb_gethexpwd(temp
, smbntpwd
);
691 memset((char *)temp
, '\0', strlen(temp
)+1);
692 if (!pdb_set_nt_passwd(sampass
, smbntpwd
, PDB_SET
))
694 ZERO_STRUCT(smbntpwd
);
697 if (!smbldap_get_single_pstring (ldap_state
->smbldap_state
->ldap_struct
, entry
,
698 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_ACB_INFO
), temp
)) {
699 acct_ctrl
|= ACB_NORMAL
;
701 acct_ctrl
= pdb_decode_acct_ctrl(temp
);
704 acct_ctrl
|= ACB_NORMAL
;
706 pdb_set_acct_ctrl(sampass
, acct_ctrl
, PDB_SET
);
709 pdb_set_hours_len(sampass
, hours_len
, PDB_SET
);
710 pdb_set_logon_divs(sampass
, logon_divs
, PDB_SET
);
712 /* pdb_set_munged_dial(sampass, munged_dial, PDB_SET); */
714 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
715 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_BAD_PASSWORD_COUNT
), temp
)) {
716 /* leave as default */
718 bad_password_count
= (uint32
) atol(temp
);
719 pdb_set_bad_password_count(sampass
, bad_password_count
, PDB_SET
);
722 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
723 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_BAD_PASSWORD_TIME
), temp
)) {
724 /* leave as default */
726 bad_password_time
= (time_t) atol(temp
);
727 pdb_set_bad_password_time(sampass
, bad_password_time
, PDB_SET
);
731 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
732 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_COUNT
), temp
)) {
733 /* leave as default */
735 logon_count
= (uint32
) atol(temp
);
736 pdb_set_logon_count(sampass
, logon_count
, PDB_SET
);
739 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
741 pdb_set_hours(sampass
, hours
, PDB_SET
);
743 /* check the timestamp of the cache vs ldap entry */
744 if (!(ldap_entry_time
= ldapsam_get_entry_timestamp(ldap_state
,
748 /* see if we have newer updates */
749 if (!(cache_entry
= login_cache_read(sampass
))) {
750 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
751 (unsigned int)pdb_get_bad_password_count(sampass
),
752 (unsigned int)pdb_get_bad_password_time(sampass
)));
756 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
757 (unsigned int)ldap_entry_time
, (unsigned int)cache_entry
->entry_timestamp
,
758 (unsigned int)cache_entry
->bad_password_time
));
760 if (ldap_entry_time
> cache_entry
->entry_timestamp
) {
761 /* cache is older than directory , so
762 we need to delete the entry but allow the
763 fields to be written out */
764 login_cache_delentry(sampass
);
767 pdb_set_acct_ctrl(sampass
,
768 pdb_get_acct_ctrl(sampass
) |
769 (cache_entry
->acct_ctrl
& ACB_AUTOLOCK
),
771 pdb_set_bad_password_count(sampass
,
772 cache_entry
->bad_password_count
,
774 pdb_set_bad_password_time(sampass
,
775 cache_entry
->bad_password_time
,
779 SAFE_FREE(cache_entry
);
783 /**********************************************************************
784 Initialize SAM_ACCOUNT from an LDAP query.
785 (Based on init_buffer_from_sam in pdb_tdb.c)
786 *********************************************************************/
788 static BOOL
init_ldap_from_sam (struct ldapsam_privates
*ldap_state
,
789 LDAPMessage
*existing
,
790 LDAPMod
*** mods
, SAM_ACCOUNT
* sampass
,
791 BOOL (*need_update
)(const SAM_ACCOUNT
*,
797 if (mods
== NULL
|| sampass
== NULL
) {
798 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
805 * took out adding "objectclass: sambaAccount"
806 * do this on a per-mod basis
808 if (need_update(sampass
, PDB_USERNAME
))
809 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
810 "uid", pdb_get_username(sampass
));
812 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass
)));
814 /* only update the RID if we actually need to */
815 if (need_update(sampass
, PDB_USERSID
)) {
817 fstring dom_sid_string
;
818 const DOM_SID
*user_sid
= pdb_get_user_sid(sampass
);
820 switch ( ldap_state
->schema_ver
) {
821 case SCHEMAVER_SAMBAACCOUNT
:
822 if (!sid_peek_check_rid(&ldap_state
->domain_sid
, user_sid
, &rid
)) {
823 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
824 sid_to_string(sid_string
, user_sid
),
825 sid_to_string(dom_sid_string
, &ldap_state
->domain_sid
)));
828 slprintf(temp
, sizeof(temp
) - 1, "%i", rid
);
829 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
830 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_RID
),
834 case SCHEMAVER_SAMBASAMACCOUNT
:
835 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
836 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
837 sid_to_string(sid_string
, user_sid
));
841 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
846 /* we don't need to store the primary group RID - so leaving it
847 'free' to hang off the unix primary group makes life easier */
849 if (need_update(sampass
, PDB_GROUPSID
)) {
851 fstring dom_sid_string
;
852 const DOM_SID
*group_sid
= pdb_get_group_sid(sampass
);
854 switch ( ldap_state
->schema_ver
) {
855 case SCHEMAVER_SAMBAACCOUNT
:
856 if (!sid_peek_check_rid(&ldap_state
->domain_sid
, group_sid
, &rid
)) {
857 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
858 sid_to_string(sid_string
, group_sid
),
859 sid_to_string(dom_sid_string
, &ldap_state
->domain_sid
)));
863 slprintf(temp
, sizeof(temp
) - 1, "%i", rid
);
864 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
865 get_userattr_key2string(ldap_state
->schema_ver
,
866 LDAP_ATTR_PRIMARY_GROUP_RID
), temp
);
869 case SCHEMAVER_SAMBASAMACCOUNT
:
870 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
871 get_userattr_key2string(ldap_state
->schema_ver
,
872 LDAP_ATTR_PRIMARY_GROUP_SID
), sid_to_string(sid_string
, group_sid
));
876 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
882 /* displayName, cn, and gecos should all be the same
883 * most easily accomplished by giving them the same OID
884 * gecos isn't set here b/c it should be handled by the
886 * We change displayName only and fall back to cn if
890 if (need_update(sampass
, PDB_FULLNAME
))
891 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
892 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DISPLAY_NAME
),
893 pdb_get_fullname(sampass
));
895 if (need_update(sampass
, PDB_ACCTDESC
))
896 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
897 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_DESC
),
898 pdb_get_acct_desc(sampass
));
900 if (need_update(sampass
, PDB_WORKSTATIONS
))
901 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
902 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_WKS
),
903 pdb_get_workstations(sampass
));
905 if (need_update(sampass
, PDB_MUNGEDDIAL
))
906 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
907 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_MUNGED_DIAL
),
908 pdb_get_munged_dial(sampass
));
910 if (need_update(sampass
, PDB_SMBHOME
))
911 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
912 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_PATH
),
913 pdb_get_homedir(sampass
));
915 if (need_update(sampass
, PDB_DRIVE
))
916 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
917 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_HOME_DRIVE
),
918 pdb_get_dir_drive(sampass
));
920 if (need_update(sampass
, PDB_LOGONSCRIPT
))
921 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
922 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_SCRIPT
),
923 pdb_get_logon_script(sampass
));
925 if (need_update(sampass
, PDB_PROFILE
))
926 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
927 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PROFILE_PATH
),
928 pdb_get_profile_path(sampass
));
930 slprintf(temp
, sizeof(temp
) - 1, "%li", pdb_get_logon_time(sampass
));
931 if (need_update(sampass
, PDB_LOGONTIME
))
932 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
933 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGON_TIME
), temp
);
935 slprintf(temp
, sizeof(temp
) - 1, "%li", pdb_get_logoff_time(sampass
));
936 if (need_update(sampass
, PDB_LOGOFFTIME
))
937 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
938 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LOGOFF_TIME
), temp
);
940 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_kickoff_time(sampass
));
941 if (need_update(sampass
, PDB_KICKOFFTIME
))
942 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
943 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_KICKOFF_TIME
), temp
);
945 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_can_change_time(sampass
));
946 if (need_update(sampass
, PDB_CANCHANGETIME
))
947 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
948 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_CAN_CHANGE
), temp
);
950 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_must_change_time(sampass
));
951 if (need_update(sampass
, PDB_MUSTCHANGETIME
))
952 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
953 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_MUST_CHANGE
), temp
);
956 if ((pdb_get_acct_ctrl(sampass
)&(ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
))
957 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY
)) {
959 if (need_update(sampass
, PDB_LMPASSWD
)) {
960 const uchar
*lm_pw
= pdb_get_lanman_passwd(sampass
);
962 pdb_sethexpwd(temp
, lm_pw
,
963 pdb_get_acct_ctrl(sampass
));
964 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
965 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LMPW
),
968 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
969 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_LMPW
),
973 if (need_update(sampass
, PDB_NTPASSWD
)) {
974 const uchar
*nt_pw
= pdb_get_nt_passwd(sampass
);
976 pdb_sethexpwd(temp
, nt_pw
,
977 pdb_get_acct_ctrl(sampass
));
978 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
979 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_NTPW
),
982 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
983 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_NTPW
),
988 if (need_update(sampass
, PDB_PASSLASTSET
)) {
989 slprintf (temp
, sizeof (temp
) - 1, "%li", pdb_get_pass_last_set_time(sampass
));
990 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
991 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_PWD_LAST_SET
),
996 /* FIXME: Hours stuff goes in LDAP */
998 if (need_update(sampass
, PDB_ACCTCTRL
))
999 smbldap_make_mod(ldap_state
->smbldap_state
->ldap_struct
, existing
, mods
,
1000 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_ACB_INFO
),
1001 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass
), NEW_PW_FORMAT_SPACE_PADDED_LEN
));
1003 /* password lockout cache:
1004 - If we are now autolocking or clearing, we write to ldap
1005 - If we are clearing, we delete the cache entry
1006 - If the count is > 0, we update the cache
1008 This even means when autolocking, we cache, just in case the
1009 update doesn't work, and we have to cache the autolock flag */
1011 if (need_update(sampass
, PDB_BAD_PASSWORD_COUNT
)) /* &&
1012 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1013 uint16 badcount
= pdb_get_bad_password_count(sampass
);
1014 time_t badtime
= pdb_get_bad_password_time(sampass
);
1016 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT
, &pol
);
1018 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1019 (unsigned int)pol
, (unsigned int)badcount
, (unsigned int)badtime
));
1021 if ((badcount
>= pol
) || (badcount
== 0)) {
1022 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1023 (unsigned int)badcount
, (unsigned int)badtime
));
1024 slprintf (temp
, sizeof (temp
) - 1, "%li", (long)badcount
);
1026 ldap_state
->smbldap_state
->ldap_struct
,
1028 get_userattr_key2string(
1029 ldap_state
->schema_ver
,
1030 LDAP_ATTR_BAD_PASSWORD_COUNT
),
1033 slprintf (temp
, sizeof (temp
) - 1, "%li", badtime
);
1035 ldap_state
->smbldap_state
->ldap_struct
,
1037 get_userattr_key2string(
1038 ldap_state
->schema_ver
,
1039 LDAP_ATTR_BAD_PASSWORD_TIME
),
1042 if (badcount
== 0) {
1043 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass
)));
1044 login_cache_delentry(sampass
);
1046 LOGIN_CACHE cache_entry
={time(NULL
),
1047 pdb_get_acct_ctrl(sampass
),
1049 DEBUG(7, ("Updating bad password count and time in login cache\n"));
1050 login_cache_write(sampass
, cache_entry
);
1057 /**********************************************************************
1058 Connect to LDAP server for password enumeration.
1059 *********************************************************************/
1061 static NTSTATUS
ldapsam_setsampwent(struct pdb_methods
*my_methods
, BOOL update
)
1063 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1068 pstr_sprintf( filter
, "(&%s%s)", lp_ldap_filter(),
1069 get_objclass_filter(ldap_state
->schema_ver
));
1070 all_string_sub(filter
, "%u", "*", sizeof(pstring
));
1072 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1073 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
, filter
,
1074 attr_list
, &ldap_state
->result
);
1075 free_attr_list( attr_list
);
1077 if (rc
!= LDAP_SUCCESS
) {
1078 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc
)));
1079 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", lp_ldap_suffix(), filter
));
1080 ldap_msgfree(ldap_state
->result
);
1081 ldap_state
->result
= NULL
;
1082 return NT_STATUS_UNSUCCESSFUL
;
1085 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1086 ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
,
1087 ldap_state
->result
)));
1089 ldap_state
->entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
,
1090 ldap_state
->result
);
1091 ldap_state
->index
= 0;
1093 return NT_STATUS_OK
;
1096 /**********************************************************************
1097 End enumeration of the LDAP password list.
1098 *********************************************************************/
1100 static void ldapsam_endsampwent(struct pdb_methods
*my_methods
)
1102 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1103 if (ldap_state
->result
) {
1104 ldap_msgfree(ldap_state
->result
);
1105 ldap_state
->result
= NULL
;
1109 /**********************************************************************
1110 Get the next entry in the LDAP password database.
1111 *********************************************************************/
1113 static NTSTATUS
ldapsam_getsampwent(struct pdb_methods
*my_methods
, SAM_ACCOUNT
*user
)
1115 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1116 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1120 if (!ldap_state
->entry
)
1123 ldap_state
->index
++;
1124 bret
= init_sam_from_ldap(ldap_state
, user
, ldap_state
->entry
);
1126 ldap_state
->entry
= ldap_next_entry(ldap_state
->smbldap_state
->ldap_struct
,
1130 return NT_STATUS_OK
;
1133 /**********************************************************************
1134 Get SAM_ACCOUNT entry from LDAP by username.
1135 *********************************************************************/
1137 static NTSTATUS
ldapsam_getsampwnam(struct pdb_methods
*my_methods
, SAM_ACCOUNT
*user
, const char *sname
)
1139 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1140 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1141 LDAPMessage
*result
= NULL
;
1142 LDAPMessage
*entry
= NULL
;
1147 attr_list
= get_userattr_list( ldap_state
->schema_ver
);
1148 rc
= ldapsam_search_suffix_by_name(ldap_state
, sname
, &result
, attr_list
);
1149 free_attr_list( attr_list
);
1151 if ( rc
!= LDAP_SUCCESS
)
1152 return NT_STATUS_NO_SUCH_USER
;
1154 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1157 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname
, count
));
1158 ldap_msgfree(result
);
1159 return NT_STATUS_NO_SUCH_USER
;
1160 } else if (count
> 1) {
1161 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname
, count
));
1162 ldap_msgfree(result
);
1163 return NT_STATUS_NO_SUCH_USER
;
1166 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1168 if (!init_sam_from_ldap(ldap_state
, user
, entry
)) {
1169 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname
));
1170 ldap_msgfree(result
);
1171 return NT_STATUS_NO_SUCH_USER
;
1173 pdb_set_backend_private_data(user
, result
,
1174 private_data_free_fn
,
1175 my_methods
, PDB_CHANGED
);
1178 ldap_msgfree(result
);
1183 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates
*ldap_state
,
1184 const DOM_SID
*sid
, LDAPMessage
**result
)
1190 switch ( ldap_state
->schema_ver
) {
1191 case SCHEMAVER_SAMBASAMACCOUNT
:
1192 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1193 rc
= ldapsam_search_suffix_by_sid(ldap_state
, sid
, result
, attr_list
);
1194 free_attr_list( attr_list
);
1196 if ( rc
!= LDAP_SUCCESS
)
1200 case SCHEMAVER_SAMBAACCOUNT
:
1201 if (!sid_peek_check_rid(&ldap_state
->domain_sid
, sid
, &rid
)) {
1205 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1206 rc
= ldapsam_search_suffix_by_rid(ldap_state
, rid
, result
, attr_list
);
1207 free_attr_list( attr_list
);
1209 if ( rc
!= LDAP_SUCCESS
)
1216 /**********************************************************************
1217 Get SAM_ACCOUNT entry from LDAP by SID.
1218 *********************************************************************/
1220 static NTSTATUS
ldapsam_getsampwsid(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* user
, const DOM_SID
*sid
)
1222 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1223 LDAPMessage
*result
= NULL
;
1224 LDAPMessage
*entry
= NULL
;
1229 rc
= ldapsam_get_ldap_user_by_sid(ldap_state
,
1231 if (rc
!= LDAP_SUCCESS
)
1232 return NT_STATUS_NO_SUCH_USER
;
1234 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1237 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string
, sid
),
1239 ldap_msgfree(result
);
1240 return NT_STATUS_NO_SUCH_USER
;
1241 } else if (count
> 1) {
1242 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string
, sid
),
1244 ldap_msgfree(result
);
1245 return NT_STATUS_NO_SUCH_USER
;
1248 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1250 ldap_msgfree(result
);
1251 return NT_STATUS_NO_SUCH_USER
;
1254 if (!init_sam_from_ldap(ldap_state
, user
, entry
)) {
1255 DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1256 ldap_msgfree(result
);
1257 return NT_STATUS_NO_SUCH_USER
;
1260 pdb_set_backend_private_data(user
, result
,
1261 private_data_free_fn
,
1262 my_methods
, PDB_CHANGED
);
1263 return NT_STATUS_OK
;
1266 /********************************************************************
1267 Do the actual modification - also change a plaintext passord if
1269 **********************************************************************/
1271 static NTSTATUS
ldapsam_modify_entry(struct pdb_methods
*my_methods
,
1272 SAM_ACCOUNT
*newpwd
, char *dn
,
1273 LDAPMod
**mods
, int ldap_op
,
1274 BOOL (*need_update
)(const SAM_ACCOUNT
*, enum pdb_elements
))
1276 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1279 if (!my_methods
|| !newpwd
|| !dn
) {
1280 return NT_STATUS_INVALID_PARAMETER
;
1284 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1285 /* may be password change below however */
1289 smbldap_set_mod(&mods
, LDAP_MOD_ADD
,
1292 rc
= smbldap_add(ldap_state
->smbldap_state
,
1295 case LDAP_MOD_REPLACE
:
1296 rc
= smbldap_modify(ldap_state
->smbldap_state
,
1300 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1302 return NT_STATUS_INVALID_PARAMETER
;
1305 if (rc
!=LDAP_SUCCESS
) {
1306 char *ld_error
= NULL
;
1307 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1309 DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
1310 ldap_op
== LDAP_MOD_ADD
? "add" : "modify",
1311 dn
, ldap_err2string(rc
),
1312 ld_error
?ld_error
:"unknown"));
1313 SAFE_FREE(ld_error
);
1314 return NT_STATUS_UNSUCCESSFUL
;
1318 if (!(pdb_get_acct_ctrl(newpwd
)&(ACB_WSTRUST
|ACB_SVRTRUST
|ACB_DOMTRUST
)) &&
1319 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF
) &&
1320 need_update(newpwd
, PDB_PLAINTEXT_PW
) &&
1321 (pdb_get_plaintext_passwd(newpwd
)!=NULL
)) {
1325 struct berval
*retdata
;
1326 char *utf8_password
;
1329 if (push_utf8_allocate(&utf8_password
, pdb_get_plaintext_passwd(newpwd
)) == (size_t)-1) {
1330 return NT_STATUS_NO_MEMORY
;
1333 if (push_utf8_allocate(&utf8_dn
, dn
) == (size_t)-1) {
1334 return NT_STATUS_NO_MEMORY
;
1337 if ((ber
= ber_alloc_t(LBER_USE_DER
))==NULL
) {
1338 DEBUG(0,("ber_alloc_t returns NULL\n"));
1339 SAFE_FREE(utf8_password
);
1340 return NT_STATUS_UNSUCCESSFUL
;
1343 ber_printf (ber
, "{");
1344 ber_printf (ber
, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID
, utf8_dn
);
1345 ber_printf (ber
, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW
, utf8_password
);
1346 ber_printf (ber
, "N}");
1348 if ((rc
= ber_flatten (ber
, &bv
))<0) {
1349 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1352 SAFE_FREE(utf8_password
);
1353 return NT_STATUS_UNSUCCESSFUL
;
1357 SAFE_FREE(utf8_password
);
1360 if ((rc
= smbldap_extended_operation(ldap_state
->smbldap_state
,
1361 LDAP_EXOP_MODIFY_PASSWD
,
1362 bv
, NULL
, NULL
, &retoid
,
1363 &retdata
)) != LDAP_SUCCESS
) {
1364 char *ld_error
= NULL
;
1365 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1367 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1368 pdb_get_username(newpwd
), ldap_err2string(rc
), ld_error
?ld_error
:"unknown"));
1369 SAFE_FREE(ld_error
);
1371 return NT_STATUS_UNSUCCESSFUL
;
1373 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd
)));
1374 #ifdef DEBUG_PASSWORD
1375 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd
)));
1377 ber_bvfree(retdata
);
1378 ber_memfree(retoid
);
1382 return NT_STATUS_OK
;
1385 /**********************************************************************
1386 Delete entry from LDAP for username.
1387 *********************************************************************/
1389 static NTSTATUS
ldapsam_delete_sam_account(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* sam_acct
)
1391 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1394 LDAPMessage
*result
= NULL
;
1400 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1401 return NT_STATUS_INVALID_PARAMETER
;
1404 sname
= pdb_get_username(sam_acct
);
1406 DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname
));
1408 attr_list
= get_userattr_list( ldap_state
->schema_ver
);
1409 rc
= ldapsam_search_suffix_by_name(ldap_state
, sname
, &result
, attr_list
);
1411 if (rc
!= LDAP_SUCCESS
) {
1412 free_attr_list( attr_list
);
1413 return NT_STATUS_NO_SUCH_USER
;
1416 switch ( ldap_state
->schema_ver
) {
1417 case SCHEMAVER_SAMBASAMACCOUNT
:
1418 fstrcpy( objclass
, LDAP_OBJ_SAMBASAMACCOUNT
);
1421 case SCHEMAVER_SAMBAACCOUNT
:
1422 fstrcpy( objclass
, LDAP_OBJ_SAMBAACCOUNT
);
1425 fstrcpy( objclass
, "UNKNOWN" );
1426 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1430 ret
= ldapsam_delete_entry(ldap_state
, result
, objclass
, attr_list
);
1431 ldap_msgfree(result
);
1432 free_attr_list( attr_list
);
1437 /**********************************************************************
1438 Helper function to determine for update_sam_account whether
1439 we need LDAP modification.
1440 *********************************************************************/
1442 static BOOL
element_is_changed(const SAM_ACCOUNT
*sampass
,
1443 enum pdb_elements element
)
1445 return IS_SAM_CHANGED(sampass
, element
);
1448 /**********************************************************************
1450 *********************************************************************/
1452 static NTSTATUS
ldapsam_update_sam_account(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* newpwd
)
1454 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1455 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1458 LDAPMessage
*result
= NULL
;
1459 LDAPMessage
*entry
= NULL
;
1460 LDAPMod
**mods
= NULL
;
1463 result
= pdb_get_backend_private_data(newpwd
, my_methods
);
1465 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1466 rc
= ldapsam_search_suffix_by_name(ldap_state
, pdb_get_username(newpwd
), &result
, attr_list
);
1467 free_attr_list( attr_list
);
1468 if (rc
!= LDAP_SUCCESS
) {
1469 return NT_STATUS_UNSUCCESSFUL
;
1471 pdb_set_backend_private_data(newpwd
, result
, private_data_free_fn
, my_methods
, PDB_CHANGED
);
1474 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) == 0) {
1475 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1476 return NT_STATUS_UNSUCCESSFUL
;
1479 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1480 dn
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
1482 return NT_STATUS_UNSUCCESSFUL
;
1485 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd
), dn
));
1487 if (!init_ldap_from_sam(ldap_state
, entry
, &mods
, newpwd
,
1488 element_is_changed
)) {
1489 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1492 ldap_mods_free(mods
,True
);
1493 return NT_STATUS_UNSUCCESSFUL
;
1497 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1498 pdb_get_username(newpwd
)));
1500 return NT_STATUS_OK
;
1503 ret
= ldapsam_modify_entry(my_methods
,newpwd
,dn
,mods
,LDAP_MOD_REPLACE
, element_is_changed
);
1504 ldap_mods_free(mods
,True
);
1507 if (!NT_STATUS_IS_OK(ret
)) {
1508 char *ld_error
= NULL
;
1509 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1511 DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
1512 pdb_get_username(newpwd
), ld_error
?ld_error
:"(unknwon)", ldap_err2string(rc
)));
1513 SAFE_FREE(ld_error
);
1517 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1518 pdb_get_username(newpwd
)));
1519 return NT_STATUS_OK
;
1522 /**********************************************************************
1523 Helper function to determine for update_sam_account whether
1524 we need LDAP modification.
1525 *********************************************************************/
1527 static BOOL
element_is_set_or_changed(const SAM_ACCOUNT
*sampass
,
1528 enum pdb_elements element
)
1530 return (IS_SAM_SET(sampass
, element
) ||
1531 IS_SAM_CHANGED(sampass
, element
));
1534 /**********************************************************************
1535 Add SAM_ACCOUNT to LDAP.
1536 *********************************************************************/
1538 static NTSTATUS
ldapsam_add_sam_account(struct pdb_methods
*my_methods
, SAM_ACCOUNT
* newpwd
)
1540 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
1541 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
1543 LDAPMessage
*result
= NULL
;
1544 LDAPMessage
*entry
= NULL
;
1546 LDAPMod
**mods
= NULL
;
1547 int ldap_op
= LDAP_MOD_REPLACE
;
1551 const char *username
= pdb_get_username(newpwd
);
1552 const DOM_SID
*sid
= pdb_get_user_sid(newpwd
);
1556 if (!username
|| !*username
) {
1557 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1558 return NT_STATUS_INVALID_PARAMETER
;
1561 /* free this list after the second search or in case we exit on failure */
1562 attr_list
= get_userattr_list(ldap_state
->schema_ver
);
1564 rc
= ldapsam_search_suffix_by_name (ldap_state
, username
, &result
, attr_list
);
1566 if (rc
!= LDAP_SUCCESS
) {
1567 free_attr_list( attr_list
);
1568 return NT_STATUS_UNSUCCESSFUL
;
1571 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) != 0) {
1572 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
1574 ldap_msgfree(result
);
1575 free_attr_list( attr_list
);
1576 return NT_STATUS_UNSUCCESSFUL
;
1578 ldap_msgfree(result
);
1581 if (element_is_set_or_changed(newpwd
, PDB_USERSID
)) {
1582 rc
= ldapsam_get_ldap_user_by_sid(ldap_state
,
1584 if (rc
== LDAP_SUCCESS
) {
1585 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) != 0) {
1586 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
1587 sid_to_string(sid_string
, sid
)));
1588 free_attr_list( attr_list
);
1589 ldap_msgfree(result
);
1590 return NT_STATUS_UNSUCCESSFUL
;
1592 ldap_msgfree(result
);
1596 /* does the entry already exist but without a samba attributes?
1597 we need to return the samba attributes here */
1599 escape_user
= escape_ldap_string_alloc( username
);
1600 pstrcpy( filter
, lp_ldap_filter() );
1601 all_string_sub( filter
, "%u", escape_user
, sizeof(filter
) );
1602 SAFE_FREE( escape_user
);
1604 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
,
1605 filter
, attr_list
, &result
);
1606 if ( rc
!= LDAP_SUCCESS
) {
1607 free_attr_list( attr_list
);
1608 return NT_STATUS_UNSUCCESSFUL
;
1611 num_result
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1613 if (num_result
> 1) {
1614 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1615 free_attr_list( attr_list
);
1616 ldap_msgfree(result
);
1617 return NT_STATUS_UNSUCCESSFUL
;
1620 /* Check if we need to update an existing entry */
1621 if (num_result
== 1) {
1624 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1625 ldap_op
= LDAP_MOD_REPLACE
;
1626 entry
= ldap_first_entry (ldap_state
->smbldap_state
->ldap_struct
, result
);
1627 tmp
= smbldap_get_dn (ldap_state
->smbldap_state
->ldap_struct
, entry
);
1629 free_attr_list( attr_list
);
1630 ldap_msgfree(result
);
1631 return NT_STATUS_UNSUCCESSFUL
;
1633 slprintf (dn
, sizeof (dn
) - 1, "%s", tmp
);
1636 } else if (ldap_state
->schema_ver
== SCHEMAVER_SAMBASAMACCOUNT
) {
1638 /* There might be a SID for this account already - say an idmap entry */
1640 pstr_sprintf(filter
, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
1641 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
1642 sid_to_string(sid_string
, sid
),
1643 LDAP_OBJ_IDMAP_ENTRY
,
1644 LDAP_OBJ_SID_ENTRY
);
1646 /* free old result before doing a new search */
1647 if (result
!= NULL
) {
1648 ldap_msgfree(result
);
1651 rc
= smbldap_search_suffix(ldap_state
->smbldap_state
,
1652 filter
, attr_list
, &result
);
1654 if ( rc
!= LDAP_SUCCESS
) {
1655 free_attr_list( attr_list
);
1656 return NT_STATUS_UNSUCCESSFUL
;
1659 num_result
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1661 if (num_result
> 1) {
1662 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1663 free_attr_list( attr_list
);
1664 ldap_msgfree(result
);
1665 return NT_STATUS_UNSUCCESSFUL
;
1668 /* Check if we need to update an existing entry */
1669 if (num_result
== 1) {
1672 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1673 ldap_op
= LDAP_MOD_REPLACE
;
1674 entry
= ldap_first_entry (ldap_state
->smbldap_state
->ldap_struct
, result
);
1675 tmp
= smbldap_get_dn (ldap_state
->smbldap_state
->ldap_struct
, entry
);
1677 free_attr_list( attr_list
);
1678 ldap_msgfree(result
);
1679 return NT_STATUS_UNSUCCESSFUL
;
1681 slprintf (dn
, sizeof (dn
) - 1, "%s", tmp
);
1686 free_attr_list( attr_list
);
1688 if (num_result
== 0) {
1689 /* Check if we need to add an entry */
1690 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
1691 ldap_op
= LDAP_MOD_ADD
;
1692 if (username
[strlen(username
)-1] == '$') {
1693 slprintf (dn
, sizeof (dn
) - 1, "uid=%s,%s", username
, lp_ldap_machine_suffix ());
1695 slprintf (dn
, sizeof (dn
) - 1, "uid=%s,%s", username
, lp_ldap_user_suffix ());
1699 if (!init_ldap_from_sam(ldap_state
, entry
, &mods
, newpwd
,
1700 element_is_set_or_changed
)) {
1701 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1702 ldap_msgfree(result
);
1704 ldap_mods_free(mods
,True
);
1705 return NT_STATUS_UNSUCCESSFUL
;
1708 ldap_msgfree(result
);
1711 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd
)));
1712 return NT_STATUS_UNSUCCESSFUL
;
1714 switch ( ldap_state
->schema_ver
) {
1715 case SCHEMAVER_SAMBAACCOUNT
:
1716 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "objectclass", LDAP_OBJ_SAMBAACCOUNT
);
1718 case SCHEMAVER_SAMBASAMACCOUNT
:
1719 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT
);
1722 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
1726 ret
= ldapsam_modify_entry(my_methods
,newpwd
,dn
,mods
,ldap_op
, element_is_set_or_changed
);
1727 if (!NT_STATUS_IS_OK(ret
)) {
1728 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
1729 pdb_get_username(newpwd
),dn
));
1730 ldap_mods_free(mods
, True
);
1734 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd
)));
1735 ldap_mods_free(mods
, True
);
1737 return NT_STATUS_OK
;
1740 /**********************************************************************
1741 *********************************************************************/
1743 static int ldapsam_search_one_group (struct ldapsam_privates
*ldap_state
,
1745 LDAPMessage
** result
)
1747 int scope
= LDAP_SCOPE_SUBTREE
;
1751 attr_list
= get_attr_list(groupmap_attr_list
);
1752 rc
= smbldap_search(ldap_state
->smbldap_state
,
1753 lp_ldap_group_suffix (), scope
,
1754 filter
, attr_list
, 0, result
);
1755 free_attr_list( attr_list
);
1757 if (rc
!= LDAP_SUCCESS
) {
1758 char *ld_error
= NULL
;
1759 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
1761 DEBUG(0, ("ldapsam_search_one_group: "
1762 "Problem during the LDAP search: LDAP error: %s (%s)\n",
1763 ld_error
?ld_error
:"(unknown)", ldap_err2string(rc
)));
1764 DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
1765 lp_ldap_group_suffix(), filter
));
1766 SAFE_FREE(ld_error
);
1772 /**********************************************************************
1773 *********************************************************************/
1775 static BOOL
init_group_from_ldap(struct ldapsam_privates
*ldap_state
,
1776 GROUP_MAP
*map
, LDAPMessage
*entry
)
1780 if (ldap_state
== NULL
|| map
== NULL
|| entry
== NULL
||
1781 ldap_state
->smbldap_state
->ldap_struct
== NULL
) {
1782 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
1786 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1787 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
), temp
)) {
1788 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1789 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
)));
1792 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp
));
1794 map
->gid
= (gid_t
)atol(temp
);
1796 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1797 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_SID
), temp
)) {
1798 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1799 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_SID
)));
1803 if (!string_to_sid(&map
->sid
, temp
)) {
1804 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp
));
1808 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1809 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_TYPE
), temp
)) {
1810 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1811 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_GROUP_TYPE
)));
1814 map
->sid_name_use
= (enum SID_NAME_USE
)atol(temp
);
1816 if ((map
->sid_name_use
< SID_NAME_USER
) ||
1817 (map
->sid_name_use
> SID_NAME_UNKNOWN
)) {
1818 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map
->sid_name_use
));
1822 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1823 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DISPLAY_NAME
), temp
)) {
1825 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1826 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_CN
), temp
))
1828 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
1829 for gidNumber(%lu)\n",(unsigned long)map
->gid
));
1833 fstrcpy(map
->nt_name
, temp
);
1835 if (!smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
1836 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DESC
), temp
)) {
1839 fstrcpy(map
->comment
, temp
);
1844 /**********************************************************************
1845 *********************************************************************/
1847 static BOOL
init_ldap_from_group(LDAP
*ldap_struct
,
1848 LDAPMessage
*existing
,
1850 const GROUP_MAP
*map
)
1854 if (mods
== NULL
|| map
== NULL
) {
1855 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
1861 sid_to_string(tmp
, &map
->sid
);
1863 smbldap_make_mod(ldap_struct
, existing
, mods
,
1864 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GROUP_SID
), tmp
);
1865 pstr_sprintf(tmp
, "%i", map
->sid_name_use
);
1866 smbldap_make_mod(ldap_struct
, existing
, mods
,
1867 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GROUP_TYPE
), tmp
);
1869 smbldap_make_mod(ldap_struct
, existing
, mods
,
1870 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DISPLAY_NAME
), map
->nt_name
);
1871 smbldap_make_mod(ldap_struct
, existing
, mods
,
1872 get_attr_key2string( groupmap_attr_list
, LDAP_ATTR_DESC
), map
->comment
);
1877 /**********************************************************************
1878 *********************************************************************/
1880 static NTSTATUS
ldapsam_getgroup(struct pdb_methods
*methods
,
1884 struct ldapsam_privates
*ldap_state
=
1885 (struct ldapsam_privates
*)methods
->private_data
;
1886 LDAPMessage
*result
= NULL
;
1887 LDAPMessage
*entry
= NULL
;
1890 if (ldapsam_search_one_group(ldap_state
, filter
, &result
)
1892 return NT_STATUS_NO_SUCH_GROUP
;
1895 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
1898 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
1899 ldap_msgfree(result
);
1900 return NT_STATUS_NO_SUCH_GROUP
;
1904 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
1906 ldap_msgfree(result
);
1907 return NT_STATUS_NO_SUCH_GROUP
;
1910 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
1913 ldap_msgfree(result
);
1914 return NT_STATUS_UNSUCCESSFUL
;
1917 if (!init_group_from_ldap(ldap_state
, map
, entry
)) {
1918 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
1920 ldap_msgfree(result
);
1921 return NT_STATUS_NO_SUCH_GROUP
;
1924 ldap_msgfree(result
);
1925 return NT_STATUS_OK
;
1928 /**********************************************************************
1929 *********************************************************************/
1931 static NTSTATUS
ldapsam_getgrsid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1936 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%s))",
1938 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GROUP_SID
),
1939 sid_string_static(&sid
));
1941 return ldapsam_getgroup(methods
, filter
, map
);
1944 /**********************************************************************
1945 *********************************************************************/
1947 static NTSTATUS
ldapsam_getgrgid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1952 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%lu))",
1954 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
),
1955 (unsigned long)gid
);
1957 return ldapsam_getgroup(methods
, filter
, map
);
1960 /**********************************************************************
1961 *********************************************************************/
1963 static NTSTATUS
ldapsam_getgrnam(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1967 char *escape_name
= escape_ldap_string_alloc(name
);
1970 return NT_STATUS_NO_MEMORY
;
1973 pstr_sprintf(filter
, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
1975 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_DISPLAY_NAME
), escape_name
,
1976 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_CN
), escape_name
);
1978 SAFE_FREE(escape_name
);
1980 return ldapsam_getgroup(methods
, filter
, map
);
1983 /**********************************************************************
1984 *********************************************************************/
1986 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates
*ldap_state
,
1988 LDAPMessage
**result
)
1992 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%lu))",
1993 LDAP_OBJ_POSIXGROUP
,
1994 get_attr_key2string(groupmap_attr_list
, LDAP_ATTR_GIDNUMBER
),
1995 (unsigned long)gid
);
1997 return ldapsam_search_one_group(ldap_state
, filter
, result
);
2000 /**********************************************************************
2001 *********************************************************************/
2003 static NTSTATUS
ldapsam_add_group_mapping_entry(struct pdb_methods
*methods
,
2006 struct ldapsam_privates
*ldap_state
=
2007 (struct ldapsam_privates
*)methods
->private_data
;
2008 LDAPMessage
*result
= NULL
;
2009 LDAPMod
**mods
= NULL
;
2020 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods
, &dummy
,
2022 DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map
->gid
));
2023 return NT_STATUS_UNSUCCESSFUL
;
2026 rc
= ldapsam_search_one_group_by_gid(ldap_state
, map
->gid
, &result
);
2027 if (rc
!= LDAP_SUCCESS
) {
2028 ldap_msgfree(result
);
2029 return NT_STATUS_UNSUCCESSFUL
;
2032 count
= ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
);
2035 ldap_msgfree(result
);
2036 return NT_STATUS_UNSUCCESSFUL
;
2040 DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
2041 (unsigned long)map
->gid
));
2042 ldap_msgfree(result
);
2043 return NT_STATUS_UNSUCCESSFUL
;
2046 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
2047 tmp
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
2049 ldap_msgfree(result
);
2050 return NT_STATUS_UNSUCCESSFUL
;
2055 if (!init_ldap_from_group(ldap_state
->smbldap_state
->ldap_struct
,
2056 result
, &mods
, map
)) {
2057 DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
2058 ldap_mods_free(mods
, True
);
2059 ldap_msgfree(result
);
2060 return NT_STATUS_UNSUCCESSFUL
;
2063 ldap_msgfree(result
);
2066 DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
2067 return NT_STATUS_UNSUCCESSFUL
;
2070 smbldap_set_mod(&mods
, LDAP_MOD_ADD
, "objectClass", LDAP_OBJ_GROUPMAP
);
2072 rc
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
2073 ldap_mods_free(mods
, True
);
2075 if (rc
!= LDAP_SUCCESS
) {
2076 char *ld_error
= NULL
;
2077 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
2079 DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map
->gid
,
2080 ld_error
? ld_error
: "(unknown)", ldap_err2string(rc
)));
2081 SAFE_FREE(ld_error
);
2082 return NT_STATUS_UNSUCCESSFUL
;
2085 DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map
->gid
));
2086 return NT_STATUS_OK
;
2089 /**********************************************************************
2090 *********************************************************************/
2092 static NTSTATUS
ldapsam_update_group_mapping_entry(struct pdb_methods
*methods
,
2095 struct ldapsam_privates
*ldap_state
=
2096 (struct ldapsam_privates
*)methods
->private_data
;
2099 LDAPMessage
*result
= NULL
;
2100 LDAPMessage
*entry
= NULL
;
2101 LDAPMod
**mods
= NULL
;
2103 rc
= ldapsam_search_one_group_by_gid(ldap_state
, map
->gid
, &result
);
2105 if (rc
!= LDAP_SUCCESS
) {
2106 return NT_STATUS_UNSUCCESSFUL
;
2109 if (ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
, result
) == 0) {
2110 DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
2111 ldap_msgfree(result
);
2112 return NT_STATUS_UNSUCCESSFUL
;
2115 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
2117 if (!init_ldap_from_group(ldap_state
->smbldap_state
->ldap_struct
,
2118 result
, &mods
, map
)) {
2119 DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
2120 ldap_msgfree(result
);
2122 ldap_mods_free(mods
,True
);
2123 return NT_STATUS_UNSUCCESSFUL
;
2127 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
2128 ldap_msgfree(result
);
2129 return NT_STATUS_OK
;
2132 dn
= smbldap_get_dn(ldap_state
->smbldap_state
->ldap_struct
, entry
);
2134 ldap_msgfree(result
);
2135 return NT_STATUS_UNSUCCESSFUL
;
2137 rc
= smbldap_modify(ldap_state
->smbldap_state
, dn
, mods
);
2140 ldap_mods_free(mods
, True
);
2141 ldap_msgfree(result
);
2143 if (rc
!= LDAP_SUCCESS
) {
2144 char *ld_error
= NULL
;
2145 ldap_get_option(ldap_state
->smbldap_state
->ldap_struct
, LDAP_OPT_ERROR_STRING
,
2147 DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map
->gid
,
2148 ld_error
? ld_error
: "(unknown)", ldap_err2string(rc
)));
2149 SAFE_FREE(ld_error
);
2150 return NT_STATUS_UNSUCCESSFUL
;
2153 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map
->gid
));
2154 return NT_STATUS_OK
;
2157 /**********************************************************************
2158 *********************************************************************/
2160 static NTSTATUS
ldapsam_delete_group_mapping_entry(struct pdb_methods
*methods
,
2163 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)methods
->private_data
;
2164 pstring sidstring
, filter
;
2165 LDAPMessage
*result
= NULL
;
2170 sid_to_string(sidstring
, &sid
);
2172 pstr_sprintf(filter
, "(&(objectClass=%s)(%s=%s))",
2173 LDAP_OBJ_GROUPMAP
, LDAP_ATTRIBUTE_SID
, sidstring
);
2175 rc
= ldapsam_search_one_group(ldap_state
, filter
, &result
);
2177 if (rc
!= LDAP_SUCCESS
) {
2178 return NT_STATUS_NO_SUCH_GROUP
;
2181 attr_list
= get_attr_list( groupmap_attr_list_to_delete
);
2182 ret
= ldapsam_delete_entry(ldap_state
, result
, LDAP_OBJ_GROUPMAP
, attr_list
);
2183 free_attr_list ( attr_list
);
2185 ldap_msgfree(result
);
2190 /**********************************************************************
2191 *********************************************************************/
2193 static NTSTATUS
ldapsam_setsamgrent(struct pdb_methods
*my_methods
, BOOL update
)
2195 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
2200 pstr_sprintf( filter
, "(objectclass=%s)", LDAP_OBJ_GROUPMAP
);
2201 attr_list
= get_attr_list( groupmap_attr_list
);
2202 rc
= smbldap_search(ldap_state
->smbldap_state
, lp_ldap_group_suffix(),
2203 LDAP_SCOPE_SUBTREE
, filter
,
2204 attr_list
, 0, &ldap_state
->result
);
2205 free_attr_list( attr_list
);
2207 if (rc
!= LDAP_SUCCESS
) {
2208 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc
)));
2209 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter
));
2210 ldap_msgfree(ldap_state
->result
);
2211 ldap_state
->result
= NULL
;
2212 return NT_STATUS_UNSUCCESSFUL
;
2215 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
2216 ldap_count_entries(ldap_state
->smbldap_state
->ldap_struct
,
2217 ldap_state
->result
)));
2219 ldap_state
->entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, ldap_state
->result
);
2220 ldap_state
->index
= 0;
2222 return NT_STATUS_OK
;
2225 /**********************************************************************
2226 *********************************************************************/
2228 static void ldapsam_endsamgrent(struct pdb_methods
*my_methods
)
2230 ldapsam_endsampwent(my_methods
);
2233 /**********************************************************************
2234 *********************************************************************/
2236 static NTSTATUS
ldapsam_getsamgrent(struct pdb_methods
*my_methods
,
2239 NTSTATUS ret
= NT_STATUS_UNSUCCESSFUL
;
2240 struct ldapsam_privates
*ldap_state
= (struct ldapsam_privates
*)my_methods
->private_data
;
2244 if (!ldap_state
->entry
)
2247 ldap_state
->index
++;
2248 bret
= init_group_from_ldap(ldap_state
, map
, ldap_state
->entry
);
2250 ldap_state
->entry
= ldap_next_entry(ldap_state
->smbldap_state
->ldap_struct
,
2254 return NT_STATUS_OK
;
2257 /**********************************************************************
2258 *********************************************************************/
2260 static NTSTATUS
ldapsam_enum_group_mapping(struct pdb_methods
*methods
,
2261 enum SID_NAME_USE sid_name_use
,
2262 GROUP_MAP
**rmap
, int *num_entries
,
2272 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods
, False
))) {
2273 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
2274 return NT_STATUS_ACCESS_DENIED
;
2277 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods
, &map
))) {
2278 if (sid_name_use
!= SID_NAME_UNKNOWN
&&
2279 sid_name_use
!= map
.sid_name_use
) {
2280 DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map
.nt_name
));
2283 if (unix_only
==ENUM_ONLY_MAPPED
&& map
.gid
==-1) {
2284 DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map
.nt_name
));
2288 mapt
=(GROUP_MAP
*)Realloc((*rmap
), (entries
+1)*sizeof(GROUP_MAP
));
2290 DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
2292 return NT_STATUS_UNSUCCESSFUL
;
2297 mapt
[entries
] = map
;
2302 ldapsam_endsamgrent(methods
);
2304 *num_entries
= entries
;
2306 return NT_STATUS_OK
;
2309 /**********************************************************************
2311 *********************************************************************/
2313 static void free_private_data(void **vp
)
2315 struct ldapsam_privates
**ldap_state
= (struct ldapsam_privates
**)vp
;
2317 smbldap_free_struct(&(*ldap_state
)->smbldap_state
);
2319 if ((*ldap_state
)->result
!= NULL
) {
2320 ldap_msgfree((*ldap_state
)->result
);
2321 (*ldap_state
)->result
= NULL
;
2326 /* No need to free any further, as it is talloc()ed */
2329 /**********************************************************************
2330 Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
2331 *********************************************************************/
2333 static NTSTATUS
pdb_init_ldapsam_common(PDB_CONTEXT
*pdb_context
, PDB_METHODS
**pdb_method
,
2334 const char *location
)
2337 struct ldapsam_privates
*ldap_state
;
2339 if (!NT_STATUS_IS_OK(nt_status
= make_pdb_methods(pdb_context
->mem_ctx
, pdb_method
))) {
2343 (*pdb_method
)->name
= "ldapsam";
2345 (*pdb_method
)->setsampwent
= ldapsam_setsampwent
;
2346 (*pdb_method
)->endsampwent
= ldapsam_endsampwent
;
2347 (*pdb_method
)->getsampwent
= ldapsam_getsampwent
;
2348 (*pdb_method
)->getsampwnam
= ldapsam_getsampwnam
;
2349 (*pdb_method
)->getsampwsid
= ldapsam_getsampwsid
;
2350 (*pdb_method
)->add_sam_account
= ldapsam_add_sam_account
;
2351 (*pdb_method
)->update_sam_account
= ldapsam_update_sam_account
;
2352 (*pdb_method
)->delete_sam_account
= ldapsam_delete_sam_account
;
2354 (*pdb_method
)->getgrsid
= ldapsam_getgrsid
;
2355 (*pdb_method
)->getgrgid
= ldapsam_getgrgid
;
2356 (*pdb_method
)->getgrnam
= ldapsam_getgrnam
;
2357 (*pdb_method
)->add_group_mapping_entry
= ldapsam_add_group_mapping_entry
;
2358 (*pdb_method
)->update_group_mapping_entry
= ldapsam_update_group_mapping_entry
;
2359 (*pdb_method
)->delete_group_mapping_entry
= ldapsam_delete_group_mapping_entry
;
2360 (*pdb_method
)->enum_group_mapping
= ldapsam_enum_group_mapping
;
2362 /* TODO: Setup private data and free */
2364 ldap_state
= talloc_zero(pdb_context
->mem_ctx
, sizeof(*ldap_state
));
2366 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
2367 return NT_STATUS_NO_MEMORY
;
2370 if (!NT_STATUS_IS_OK(nt_status
=
2371 smbldap_init(pdb_context
->mem_ctx
, location
,
2372 &ldap_state
->smbldap_state
)));
2374 ldap_state
->domain_name
= talloc_strdup(pdb_context
->mem_ctx
, get_global_sam_name());
2375 if (!ldap_state
->domain_name
) {
2376 return NT_STATUS_NO_MEMORY
;
2379 (*pdb_method
)->private_data
= ldap_state
;
2381 (*pdb_method
)->free_private_data
= free_private_data
;
2383 return NT_STATUS_OK
;
2386 /**********************************************************************
2387 Initialise the 'compat' mode for pdb_ldap
2388 *********************************************************************/
2390 static NTSTATUS
pdb_init_ldapsam_compat(PDB_CONTEXT
*pdb_context
, PDB_METHODS
**pdb_method
, const char *location
)
2393 struct ldapsam_privates
*ldap_state
;
2395 #ifdef WITH_LDAP_SAMCONFIG
2397 int ldap_port
= lp_ldap_port();
2399 /* remap default port if not using SSL (ie clear or TLS) */
2400 if ( (lp_ldap_ssl() != LDAP_SSL_ON
) && (ldap_port
== 636) ) {
2404 location
= talloc_asprintf(pdb_context
->mem_ctx
, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON
? "ldaps" : "ldap", lp_ldap_server(), ldap_port
);
2406 return NT_STATUS_NO_MEMORY
;
2411 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_ldapsam_common(pdb_context
, pdb_method
, location
))) {
2415 (*pdb_method
)->name
= "ldapsam_compat";
2417 ldap_state
= (*pdb_method
)->private_data
;
2418 ldap_state
->schema_ver
= SCHEMAVER_SAMBAACCOUNT
;
2420 sid_copy(&ldap_state
->domain_sid
, get_global_sam_sid());
2422 return NT_STATUS_OK
;
2425 /**********************************************************************
2426 Initialise the normal mode for pdb_ldap
2427 *********************************************************************/
2429 static NTSTATUS
pdb_init_ldapsam(PDB_CONTEXT
*pdb_context
, PDB_METHODS
**pdb_method
, const char *location
)
2432 struct ldapsam_privates
*ldap_state
;
2433 uint32 alg_rid_base
;
2434 pstring alg_rid_base_string
;
2435 LDAPMessage
*result
= NULL
;
2436 LDAPMessage
*entry
= NULL
;
2437 DOM_SID ldap_domain_sid
;
2438 DOM_SID secrets_domain_sid
;
2439 pstring domain_sid_string
;
2441 if (!NT_STATUS_IS_OK(nt_status
= pdb_init_ldapsam_common(pdb_context
, pdb_method
, location
))) {
2445 (*pdb_method
)->name
= "ldapsam";
2447 ldap_state
= (*pdb_method
)->private_data
;
2448 ldap_state
->schema_ver
= SCHEMAVER_SAMBASAMACCOUNT
;
2450 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
2452 nt_status
= smbldap_search_domain_info(ldap_state
->smbldap_state
, &result
,
2453 ldap_state
->domain_name
, True
);
2455 if ( !NT_STATUS_IS_OK(nt_status
) ) {
2456 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n"));
2457 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, \
2458 and will risk BDCs having inconsistant SIDs\n"));
2459 sid_copy(&ldap_state
->domain_sid
, get_global_sam_sid());
2460 return NT_STATUS_OK
;
2463 /* Given that the above might fail, everything below this must be optional */
2465 entry
= ldap_first_entry(ldap_state
->smbldap_state
->ldap_struct
, result
);
2467 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info entry\n"));
2468 ldap_msgfree(result
);
2469 return NT_STATUS_UNSUCCESSFUL
;
2472 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
2473 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_USER_SID
),
2474 domain_sid_string
)) {
2476 if (!string_to_sid(&ldap_domain_sid
, domain_sid_string
)) {
2477 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be read as a valid SID\n", domain_sid_string
));
2478 return NT_STATUS_INVALID_PARAMETER
;
2480 found_sid
= secrets_fetch_domain_sid(ldap_state
->domain_name
, &secrets_domain_sid
);
2481 if (!found_sid
|| !sid_equal(&secrets_domain_sid
, &ldap_domain_sid
)) {
2482 fstring new_sid_str
, old_sid_str
;
2483 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n",
2484 ldap_state
->domain_name
,
2485 sid_to_string(old_sid_str
, &secrets_domain_sid
),
2486 sid_to_string(new_sid_str
, &ldap_domain_sid
)));
2488 /* reset secrets.tdb sid */
2489 secrets_store_domain_sid(ldap_state
->domain_name
, &ldap_domain_sid
);
2490 DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str
, get_global_sam_sid())));
2492 sid_copy(&ldap_state
->domain_sid
, &ldap_domain_sid
);
2495 if (smbldap_get_single_pstring(ldap_state
->smbldap_state
->ldap_struct
, entry
,
2496 get_userattr_key2string(ldap_state
->schema_ver
, LDAP_ATTR_ALGORITHMIC_RID_BASE
),
2497 alg_rid_base_string
)) {
2498 alg_rid_base
= (uint32
)atol(alg_rid_base_string
);
2499 if (alg_rid_base
!= algorithmic_rid_base()) {
2500 DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
2501 "database was initialised. Aborting. \n"));
2502 ldap_msgfree(result
);
2503 return NT_STATUS_UNSUCCESSFUL
;
2506 ldap_msgfree(result
);
2508 return NT_STATUS_OK
;
2511 NTSTATUS
pdb_ldap_init(void)
2514 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "ldapsam", pdb_init_ldapsam
)))
2517 if (!NT_STATUS_IS_OK(nt_status
= smb_register_passdb(PASSDB_INTERFACE_VERSION
, "ldapsam_compat", pdb_init_ldapsam_compat
)))
2520 return NT_STATUS_OK
;