search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-ipasam: add IPA specific attributes
[Samba/id10ts.git] / source3 / passdb / pdb_ipa.c
blob9e166fbfe08e27dbec9176b034f4224e338846f8
1 /*
2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18
19 */
20
21 #include "includes.h"
22 #include "libcli/security/dom_sid.h"
23
24 #include "smbldap.h"
25
26 #define LDAP_TRUST_CONTAINER "ou=system"
27 #define LDAP_ATTRIBUTE_CN "cn"
28 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
29 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
30 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
31 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
32 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
33 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
34 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
35 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
36
37 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
38 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
39 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
40
41 struct ipasam_privates {
42 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
43 struct samu *sampass);
44 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
45 struct samu *sampass);
46 };
47
48 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
49 const char *domain,
50 char** pwd,
51 struct dom_sid *sid,
52 time_t *pass_last_set_time)
53 {
54 return false;
55 }
56
57 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
58 const char* domain,
59 const char* pwd,
60 const struct dom_sid *sid)
61 {
62 return false;
63 }
64
65 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
66 const char *domain)
67 {
68 return false;
69 }
70
71 static char *get_account_dn(const char *name)
72 {
73 char *escape_name;
74 char *dn;
75
76 escape_name = escape_rdn_val_string_alloc(name);
77 if (!escape_name) {
78 return NULL;
79 }
80
81 if (name[strlen(name)-1] == '$') {
82 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
83 lp_ldap_machine_suffix());
84 } else {
85 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
86 lp_ldap_user_suffix());
87 }
88
89 SAFE_FREE(escape_name);
90
91 return dn;
92 }
93
94 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
95 const char *domain)
96 {
97 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
98 LDAP_ATTRIBUTE_CN, domain,
99 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
100 }
101
102 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
103 {
104 return talloc_asprintf(talloc_tos(), "%s,%s",
105 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
106 }
107
108 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
109 TALLOC_CTX *mem_ctx,
110 const char *filter, LDAPMessage **entry)
111 {
112 int rc;
113 char *base_dn = NULL;
114 LDAPMessage *result = NULL;
115 uint32_t num_result;
116
117 base_dn = trusted_domain_base_dn(ldap_state);
118 if (base_dn == NULL) {
119 return false;
120 }
121
122 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
123 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
124 TALLOC_FREE(base_dn);
125
126 if (result != NULL) {
127 talloc_autofree_ldapmsg(mem_ctx, result);
128 }
129
130 if (rc == LDAP_NO_SUCH_OBJECT) {
131 *entry = NULL;
132 return true;
133 }
134
135 if (rc != LDAP_SUCCESS) {
136 return false;
137 }
138
139 num_result = ldap_count_entries(priv2ld(ldap_state), result);
140
141 if (num_result > 1) {
142 DEBUG(1, ("get_trusted_domain_int: more than one "
143 "%s object with filter '%s'?!\n",
144 LDAP_OBJ_TRUSTED_DOMAIN, filter));
145 return false;
146 }
147
148 if (num_result == 0) {
149 DEBUG(1, ("get_trusted_domain_int: no "
150 "%s object with filter '%s'.\n",
151 LDAP_OBJ_TRUSTED_DOMAIN, filter));
152 *entry = NULL;
153 } else {
154 *entry = ldap_first_entry(priv2ld(ldap_state), result);
155 }
156
157 return true;
158 }
159
160 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
161 TALLOC_CTX *mem_ctx,
162 const char *domain,
163 LDAPMessage **entry)
164 {
165 char *filter = NULL;
166
167 filter = talloc_asprintf(talloc_tos(),
168 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
169 LDAP_OBJ_TRUSTED_DOMAIN,
170 LDAP_ATTRIBUTE_FLAT_NAME, domain,
171 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
172 if (filter == NULL) {
173 return false;
174 }
175
176 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
177 }
178
179 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
180 TALLOC_CTX *mem_ctx,
181 const char *sid, LDAPMessage **entry)
182 {
183 char *filter = NULL;
184
185 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
186 LDAP_OBJ_TRUSTED_DOMAIN,
187 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
188 if (filter == NULL) {
189 return false;
190 }
191
192 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
193 }
194
195 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
196 LDAPMessage *entry,
197 const char *attr,
198 uint32_t *val)
199 {
200 char *dummy;
201 long int l;
202 char *endptr;
203
204 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
205 attr, talloc_tos());
206 if (dummy == NULL) {
207 DEBUG(9, ("Attribute %s not present.\n", attr));
208 *val = 0;
209 return true;
210 }
211
212 l = strtoul(dummy, &endptr, 10);
213 TALLOC_FREE(dummy);
214
215 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
216 return false;
217 }
218
219 *val = l;
220
221 return true;
222 }
223
224 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
225 struct ldapsam_privates *ldap_state,
226 LDAPMessage *entry, const char *attr,
227 DATA_BLOB *_blob)
228 {
229 char *dummy;
230 DATA_BLOB blob;
231
232 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
233 talloc_tos());
234 if (dummy == NULL) {
235 DEBUG(9, ("Attribute %s not present.\n", attr));
236 ZERO_STRUCTP(_blob);
237 } else {
238 blob = base64_decode_data_blob(dummy);
239 if (blob.length == 0) {
240 ZERO_STRUCTP(_blob);
241 } else {
242 _blob->length = blob.length;
243 _blob->data = talloc_steal(mem_ctx, blob.data);
244 }
245 }
246 TALLOC_FREE(dummy);
247 }
248
249 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
250 struct ldapsam_privates *ldap_state,
251 LDAPMessage *entry,
252 struct pdb_trusted_domain **_td)
253 {
254 char *dummy;
255 bool res;
256 struct pdb_trusted_domain *td;
257
258 if (entry == NULL) {
259 return false;
260 }
261
262 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
263 if (td == NULL) {
264 return false;
265 }
266
267 /* All attributes are MAY */
268
269 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
270 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
271 talloc_tos());
272 if (dummy == NULL) {
273 DEBUG(9, ("Attribute %s not present.\n",
274 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
275 ZERO_STRUCT(td->security_identifier);
276 } else {
277 res = string_to_sid(&td->security_identifier, dummy);
278 TALLOC_FREE(dummy);
279 if (!res) {
280 return false;
281 }
282 }
283
284 get_data_blob_from_ldap_msg(td, ldap_state, entry,
285 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
286 &td->trust_auth_incoming);
287
288 get_data_blob_from_ldap_msg(td, ldap_state, entry,
289 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
290 &td->trust_auth_outgoing);
291
292 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
293 entry,
294 LDAP_ATTRIBUTE_FLAT_NAME,
295 td);
296 if (td->netbios_name == NULL) {
297 DEBUG(9, ("Attribute %s not present.\n",
298 LDAP_ATTRIBUTE_FLAT_NAME));
299 }
300
301 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
302 entry,
303 LDAP_ATTRIBUTE_TRUST_PARTNER,
304 td);
305 if (td->domain_name == NULL) {
306 DEBUG(9, ("Attribute %s not present.\n",
307 LDAP_ATTRIBUTE_TRUST_PARTNER));
308 }
309
310 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
311 LDAP_ATTRIBUTE_TRUST_DIRECTION,
312 &td->trust_direction);
313 if (!res) {
314 return false;
315 }
316
317 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
318 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
319 &td->trust_attributes);
320 if (!res) {
321 return false;
322 }
323
324 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
325 LDAP_ATTRIBUTE_TRUST_TYPE,
326 &td->trust_type);
327 if (!res) {
328 return false;
329 }
330
331 *_td = td;
332
333 return true;
334 }
335
336 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
337 TALLOC_CTX *mem_ctx,
338 const char *domain,
339 struct pdb_trusted_domain **td)
340 {
341 struct ldapsam_privates *ldap_state =
342 (struct ldapsam_privates *)methods->private_data;
343 LDAPMessage *entry = NULL;
344
345 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
346
347 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
348 &entry)) {
349 return NT_STATUS_UNSUCCESSFUL;
350 }
351 if (entry == NULL) {
352 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
353 "%s\n", domain));
354 return NT_STATUS_NO_SUCH_DOMAIN;
355 }
356
357 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
358 return NT_STATUS_UNSUCCESSFUL;
359 }
360
361 return NT_STATUS_OK;
362 }
363
364 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
365 TALLOC_CTX *mem_ctx,
366 struct dom_sid *sid,
367 struct pdb_trusted_domain **td)
368 {
369 struct ldapsam_privates *ldap_state =
370 (struct ldapsam_privates *)methods->private_data;
371 LDAPMessage *entry = NULL;
372 char *sid_str;
373
374 sid_str = sid_string_tos(sid);
375
376 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
377 sid_str));
378
379 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
380 &entry)) {
381 return NT_STATUS_UNSUCCESSFUL;
382 }
383 if (entry == NULL) {
384 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
385 "with sid: %s\n", sid_str));
386 return NT_STATUS_NO_SUCH_DOMAIN;
387 }
388
389 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
390 return NT_STATUS_UNSUCCESSFUL;
391 }
392
393 return NT_STATUS_OK;
394 }
395
396 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
397 LDAPMod ***mods, const char *attribute,
398 const uint32_t val)
399 {
400 char *dummy;
401
402 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
403 if (dummy == NULL) {
404 return false;
405 }
406 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
407 TALLOC_FREE(dummy);
408
409 return true;
410 }
411
412 static bool smbldap_make_mod_blob(LDAP *ldap_struct, LDAPMessage *entry,
413 LDAPMod ***mods, const char *attribute,
414 DATA_BLOB blob)
415 {
416 char *dummy;
417
418 dummy = base64_encode_data_blob(talloc_tos(), blob);
419 if (dummy == NULL) {
420 return false;
421 }
422
423 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
424 TALLOC_FREE(dummy);
425
426 return true;
427 }
428
429 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
430 const char* domain,
431 const struct pdb_trusted_domain *td)
432 {
433 struct ldapsam_privates *ldap_state =
434 (struct ldapsam_privates *)methods->private_data;
435 LDAPMessage *entry = NULL;
436 LDAPMod **mods;
437 bool res;
438 char *trusted_dn = NULL;
439 int ret;
440
441 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
442
443 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
444 &entry);
445 if (!res) {
446 return NT_STATUS_UNSUCCESSFUL;
447 }
448
449 mods = NULL;
450 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
451 LDAP_OBJ_TRUSTED_DOMAIN);
452
453 if (td->netbios_name != NULL) {
454 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
455 LDAP_ATTRIBUTE_FLAT_NAME,
456 td->netbios_name);
457 }
458
459 if (td->domain_name != NULL) {
460 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
461 LDAP_ATTRIBUTE_TRUST_PARTNER,
462 td->domain_name);
463 }
464
465 if (!is_null_sid(&td->security_identifier)) {
466 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
467 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
468 sid_string_tos(&td->security_identifier));
469 }
470
471 if (td->trust_type != 0) {
472 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
473 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
474 td->trust_type);
475 if (!res) {
476 return NT_STATUS_UNSUCCESSFUL;
477 }
478 }
479
480 if (td->trust_attributes != 0) {
481 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
482 &mods,
483 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
484 td->trust_attributes);
485 if (!res) {
486 return NT_STATUS_UNSUCCESSFUL;
487 }
488 }
489
490 if (td->trust_direction != 0) {
491 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
492 &mods,
493 LDAP_ATTRIBUTE_TRUST_DIRECTION,
494 td->trust_direction);
495 if (!res) {
496 return NT_STATUS_UNSUCCESSFUL;
497 }
498 }
499
500 if (td->trust_auth_outgoing.data != NULL) {
501 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
502 &mods,
503 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
504 td->trust_auth_outgoing);
505 if (!res) {
506 return NT_STATUS_UNSUCCESSFUL;
507 }
508 }
509
510 if (td->trust_auth_incoming.data != NULL) {
511 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
512 &mods,
513 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
514 td->trust_auth_incoming);
515 if (!res) {
516 return NT_STATUS_UNSUCCESSFUL;
517 }
518 }
519
520 talloc_autofree_ldapmod(talloc_tos(), mods);
521
522 trusted_dn = trusted_domain_dn(ldap_state, domain);
523 if (trusted_dn == NULL) {
524 return NT_STATUS_NO_MEMORY;
525 }
526 if (entry == NULL) {
527 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
528 } else {
529 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
530 }
531
532 if (ret != LDAP_SUCCESS) {
533 DEBUG(1, ("error writing trusted domain data!\n"));
534 return NT_STATUS_UNSUCCESSFUL;
535 }
536 return NT_STATUS_OK;
537 }
538
539 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
540 const char *domain)
541 {
542 int ret;
543 struct ldapsam_privates *ldap_state =
544 (struct ldapsam_privates *)methods->private_data;
545 LDAPMessage *entry = NULL;
546 const char *dn;
547
548 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
549 &entry)) {
550 return NT_STATUS_UNSUCCESSFUL;
551 }
552
553 if (entry == NULL) {
554 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
555 "%s\n", domain));
556 return NT_STATUS_NO_SUCH_DOMAIN;
557 }
558
559 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
560 if (dn == NULL) {
561 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
562 return NT_STATUS_NO_MEMORY;
563 }
564
565 ret = smbldap_delete(ldap_state->smbldap_state, dn);
566 if (ret != LDAP_SUCCESS) {
567 return NT_STATUS_UNSUCCESSFUL;
568 }
569
570 return NT_STATUS_OK;
571 }
572
573 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
574 TALLOC_CTX *mem_ctx,
575 uint32_t *num_domains,
576 struct pdb_trusted_domain ***domains)
577 {
578 int rc;
579 struct ldapsam_privates *ldap_state =
580 (struct ldapsam_privates *)methods->private_data;
581 char *base_dn = NULL;
582 char *filter = NULL;
583 int scope = LDAP_SCOPE_SUBTREE;
584 LDAPMessage *result = NULL;
585 LDAPMessage *entry = NULL;
586
587 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
588 LDAP_OBJ_TRUSTED_DOMAIN);
589 if (filter == NULL) {
590 return NT_STATUS_NO_MEMORY;
591 }
592
593 base_dn = trusted_domain_base_dn(ldap_state);
594 if (base_dn == NULL) {
595 TALLOC_FREE(filter);
596 return NT_STATUS_NO_MEMORY;
597 }
598
599 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
600 NULL, 0, &result);
601 TALLOC_FREE(filter);
602 TALLOC_FREE(base_dn);
603
604 if (result != NULL) {
605 talloc_autofree_ldapmsg(mem_ctx, result);
606 }
607
608 if (rc == LDAP_NO_SUCH_OBJECT) {
609 *num_domains = 0;
610 *domains = NULL;
611 return NT_STATUS_OK;
612 }
613
614 if (rc != LDAP_SUCCESS) {
615 return NT_STATUS_UNSUCCESSFUL;
616 }
617
618 *num_domains = 0;
619 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct pdb_trusted_domain *, 1))) {
620 DEBUG(1, ("talloc failed\n"));
621 return NT_STATUS_NO_MEMORY;
622 }
623
624 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
625 entry != NULL;
626 entry = ldap_next_entry(priv2ld(ldap_state), entry))
627 {
628 struct pdb_trusted_domain *dom_info;
629
630 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
631 &dom_info)) {
632 return NT_STATUS_UNSUCCESSFUL;
633 }
634
635 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
636 domains, num_domains);
637
638 if (*domains == NULL) {
639 DEBUG(1, ("talloc failed\n"));
640 return NT_STATUS_NO_MEMORY;
641 }
642 }
643
644 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
645 return NT_STATUS_OK;
646 }
647
648 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
649 TALLOC_CTX *mem_ctx,
650 uint32_t *num_domains,
651 struct trustdom_info ***domains)
652 {
653 NTSTATUS status;
654 struct pdb_trusted_domain **td;
655 int i;
656
657 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
658 num_domains, &td);
659 if (!NT_STATUS_IS_OK(status)) {
660 return status;
661 }
662
663 if (*num_domains == 0) {
664 return NT_STATUS_OK;
665 }
666
667 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *,
668 *num_domains))) {
669 DEBUG(1, ("talloc failed\n"));
670 return NT_STATUS_NO_MEMORY;
671 }
672
673 for (i = 0; i < *num_domains; i++) {
674 struct trustdom_info *dom_info;
675
676 dom_info = TALLOC_P(*domains, struct trustdom_info);
677 if (dom_info == NULL) {
678 DEBUG(1, ("talloc failed\n"));
679 return NT_STATUS_NO_MEMORY;
680 }
681
682 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
683 sid_copy(&dom_info->sid, &td[i]->security_identifier);
684
685 (*domains)[i] = dom_info;
686 }
687
688 return NT_STATUS_OK;
689 }
690
691 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
692 {
693 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
694 }
695
696 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
697 TALLOC_CTX *mem_ctx)
698 {
699 struct pdb_domain_info *info;
700 NTSTATUS status;
701 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)pdb_methods->private_data;
702
703 info = talloc(mem_ctx, struct pdb_domain_info);
704 if (info == NULL) {
705 return NULL;
706 }
707
708 info->name = talloc_strdup(info, ldap_state->domain_name);
709 if (info->name == NULL) {
710 goto fail;
711 }
712
713 /* TODO: read dns_domain, dns_forest and guid from LDAP */
714 info->dns_domain = talloc_strdup(info, lp_realm());
715 if (info->dns_domain == NULL) {
716 goto fail;
717 }
718 strlower_m(info->dns_domain);
719 info->dns_forest = talloc_strdup(info, info->dns_domain);
720
721 sid_copy(&info->sid, &ldap_state->domain_sid);
722
723 status = GUID_from_string("testguid", &info->guid);
724
725 return info;
726
727 fail:
728 TALLOC_FREE(info);
729 return NULL;
730 }
731
732 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
733 struct samu *sampass)
734 {
735 int ret;
736 BerElement *ber = NULL;
737 struct berval *bv = NULL;
738 char *retoid = NULL;
739 struct berval *retdata = NULL;
740 const char *password;
741 char *dn;
742
743 password = pdb_get_plaintext_passwd(sampass);
744 if (password == NULL || *password == '\0') {
745 return NT_STATUS_INVALID_PARAMETER;
746 }
747
748 dn = get_account_dn(pdb_get_username(sampass));
749 if (dn == NULL) {
750 return NT_STATUS_INVALID_PARAMETER;
751 }
752
753 ber = ber_alloc_t( LBER_USE_DER );
754 if (ber == NULL) {
755 DEBUG(7, ("ber_alloc_t failed.\n"));
756 return NT_STATUS_NO_MEMORY;
757 }
758
759 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
760 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
761 if (ret == -1) {
762 DEBUG(7, ("ber_printf failed.\n"));
763 ber_free(ber, 1);
764 return NT_STATUS_UNSUCCESSFUL;
765 }
766
767 ret = ber_flatten(ber, &bv);
768 ber_free(ber, 1);
769 if (ret == -1) {
770 DEBUG(1, ("ber_flatten failed.\n"));
771 return NT_STATUS_UNSUCCESSFUL;
772 }
773
774 ret = smbldap_extended_operation(ldap_state->smbldap_state,
775 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
776 NULL, &retoid, &retdata);
777 ber_bvfree(bv);
778 if (retdata) {
779 ber_bvfree(retdata);
780 }
781 if (retoid) {
782 ldap_memfree(retoid);
783 }
784 if (ret != LDAP_SUCCESS) {
785 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
786 return NT_STATUS_UNSUCCESSFUL;
787 }
788
789 return NT_STATUS_OK;
790 }
791
792 static NTSTATUS ipasam_add_objectclasses(struct ldapsam_privates *ldap_state,
793 struct samu *sampass)
794 {
795 char *dn;
796 LDAPMod **mods = NULL;
797 NTSTATUS status;
798 int ret;
799 char *princ;
800
801 dn = get_account_dn(pdb_get_username(sampass));
802 if (dn == NULL) {
803 return NT_STATUS_INVALID_PARAMETER;
804 }
805
806 princ = talloc_asprintf(talloc_tos(), "%s@%s", pdb_get_username(sampass), lp_realm());
807 if (princ == NULL) {
808 return NT_STATUS_NO_MEMORY;
809 }
810
811 smbldap_set_mod(&mods, LDAP_MOD_ADD,
812 "objectclass", LDAP_OBJ_KRB_PRINCIPAL);
813 smbldap_set_mod(&mods, LDAP_MOD_ADD,
814 LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
815 smbldap_set_mod(&mods, LDAP_MOD_ADD,
816 "objectclass", LDAP_OBJ_KRB_PRINCIPAL_AUX);
817 smbldap_set_mod(&mods, LDAP_MOD_ADD,
818 "objectclass", "ipaHost");
819 smbldap_set_mod(&mods, LDAP_MOD_ADD,
820 "fqdn", "dummy.dummy.dummy");
821 smbldap_set_mod(&mods, LDAP_MOD_ADD,
822 "objectclass", "posixAccount");
823 smbldap_set_mod(&mods, LDAP_MOD_ADD,
824 "cn", pdb_get_username(sampass));
825 smbldap_set_mod(&mods, LDAP_MOD_ADD,
826 "gidNumber", "12345");
827 smbldap_set_mod(&mods, LDAP_MOD_ADD,
828 "homeDirectory", "/dev/null");
829
830 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
831 ldap_mods_free(mods, true);
832 if (ret != LDAP_SUCCESS) {
833 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
834 pdb_get_username(sampass),dn));
835 return status;
836 }
837
838 return NT_STATUS_OK;
839 }
840
841 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
842 struct samu *sampass)
843 {
844 NTSTATUS status;
845 struct ldapsam_privates *ldap_state;
846
847 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
848
849 status =ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
850 sampass);
851 if (!NT_STATUS_IS_OK(status)) {
852 return status;
853 }
854
855 status = ipasam_add_objectclasses(ldap_state, sampass);
856 if (!NT_STATUS_IS_OK(status)) {
857 return status;
858 }
859
860 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
861 status = modify_ipa_password_exop(ldap_state, sampass);
862 if (!NT_STATUS_IS_OK(status)) {
863 return status;
864 }
865 }
866
867 return NT_STATUS_OK;
868 }
869
870 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
871 struct samu *sampass)
872 {
873 NTSTATUS status;
874 struct ldapsam_privates *ldap_state;
875 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
876
877 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
878 sampass);
879 if (!NT_STATUS_IS_OK(status)) {
880 return status;
881 }
882
883 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
884 status = modify_ipa_password_exop(ldap_state, sampass);
885 if (!NT_STATUS_IS_OK(status)) {
886 return status;
887 }
888 }
889
890 return NT_STATUS_OK;
891 }
892
893 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
894 {
895 struct ldapsam_privates *ldap_state;
896 NTSTATUS status;
897
898 status = pdb_init_ldapsam(pdb_method, location);
899 if (!NT_STATUS_IS_OK(status)) {
900 return status;
901 }
902
903 (*pdb_method)->name = "IPA_ldapsam";
904
905 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
906 ldap_state->ipasam_privates = talloc_zero(ldap_state,
907 struct ipasam_privates);
908 if (ldap_state->ipasam_privates == NULL) {
909 return NT_STATUS_NO_MEMORY;
910 }
911 ldap_state->is_ipa_ldap = true;
912 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
913 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
914
915 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
916 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
917
918 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
919 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
920
921 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
922 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
923 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
924 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
925
926 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
927 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
928 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
929 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
930 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
931
932 return NT_STATUS_OK;
933 }
934
935 NTSTATUS pdb_ipa_init(void)
936 {
937 NTSTATUS nt_status;
938
939 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))
940 return nt_status;
941
942 return NT_STATUS_OK;
943 }
Working branch of Samba for id10ts