3 # adssearch.pl - query an Active Directory server and
4 # display objects in a human readable format
6 # Copyright (C) Guenther Deschner <gd@samba.org> 2003-2005
8 # TODO: add range retrieval
9 # write sddl-converter, decode userParameters
11 # apparently only win2k3 allows simple-binds with machine-accounts.
12 # make sasl support independent from Authen::SASL::Cyrus v >0.11
16 use Net
::LDAP
::Control
;
17 use Net
::LDAP
::Constant
qw(LDAP_REFERRAL);
20 use POSIX
qw(strftime);
27 my $class = 'Authen::SASL';
28 $pref_version = "0.32";
29 if ( eval "require $class;" ) {
32 if ( eval "Net::LDAP->VERSION($pref_version);" ) {
37 # users may set defaults here
45 my $tdbdump = "/usr/bin/tdbdump";
46 my $testparm = "/usr/bin/testparm";
47 my $net = "/usr/bin/net";
48 my $dig = "/usr/bin/dig";
49 my $nmblookup = "/usr/bin/nmblookup";
50 my $secrets_tdb = "/etc/samba/secrets.tdb";
51 my $klist = "/usr/bin/klist";
52 my $kinit = "/usr/bin/kinit";
53 my $ads_h = "/home/gd/ads.h";
64 $opt_display_extendeddn,
65 $opt_display_metadata,
92 'base|b=s' => \
$opt_base,
93 'D|DN=s' => \
$opt_binddn,
94 'debug=i' => \
$opt_debug,
95 'domain_scope' => \
$opt_domain_scope,
96 'extendeddn|e:i' => \
$opt_display_extendeddn,
97 'fastbind' => \
$opt_fastbind,
99 'host|h=s' => \
$opt_host,
100 'machine|P' => \
$opt_machine,
101 'metadata|m' => \
$opt_display_metadata,
102 'nodiffs' => \
$opt_notify_nodiffs,
103 'notify|n' => \
$opt_notify,
104 'paging:i' => \
$opt_paging,
105 'password|w=s' => \
$opt_password,
106 'port=i' => \
$opt_port,
107 'rawdisplay' => \
$opt_display_raw,
108 'realm|R=s' => \
$opt_realm,
109 'rootDSE' => \
$opt_dump_rootdse,
110 'saslmech|Y=s' => \
$opt_saslmech,
111 'schema|c' => \
$opt_dump_schema,
112 'scope|s=s' => \
$opt_scope,
113 'simpleauth|x' => \
$opt_simpleauth,
114 'tls|Z' => \
$opt_starttls,
115 'user|U=s' => \
$opt_user,
116 'verbose|v' => \
$opt_verbose,
117 'wknguid' => \
$opt_dump_wknguid,
118 'workgroup|k=s' => \
$opt_workgroup,
122 if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
127 if ($opt_fastbind && !$opt_simpleauth) {
128 printf("LDAP fast bind can only be performed with simple binds\n");
144 my (@ctrls, @ctrls_s);
145 my ($ctl_paged, $cookie);
146 my ($page_count, $total_entry_count);
147 my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
151 my (%ads_atype, %ads_gtype, %ads_grouptype, %ads_uf);
153 # fixed values and vars
156 my $tabsize = "\t\t\t";
159 my $scope = $opt_scope || "sub";
160 my $port = $opt_port;
163 "LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528",
164 "LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529",
165 "LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319",
166 "LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801",
167 "LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473",
168 "LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474",
169 "LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9",
170 "LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10",
171 "LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure
172 "LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417",
173 "LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521",
174 "LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619",
175 "LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805",
176 "LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841",
177 "LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338",
178 "LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339",
179 "LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340",
180 "LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413",
181 "LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504",
182 "NONE (Get stats control)" => "1.2.840.113556.1.4.970",
183 "LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852",
186 my %ads_capabilities = (
187 "LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800",
188 "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670",
189 "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
192 my %ads_extensions = (
193 "LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037",
194 "LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1",
195 "LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781",
196 "NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1",
199 my %ads_matching_rules = (
200 "LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803",
201 "LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804",
205 "WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD",
206 "WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A",
207 "WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD",
208 "WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD",
211 my %ads_systemflags = (
212 "FLAG_DONT_REPLICATE" => 0x00000001, # 1
213 "FLAG_REPLICATE_TO_GC" => 0x00000002, # 2
214 "FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4
215 "FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16
216 "FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432
217 "FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864
218 "FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728
219 #"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation
220 #"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation
221 #"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation
222 "FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648
225 my %ads_mixed_domain = (
226 "NATIVE_LEVEL_DOMAIN" => 0,
227 "MIXED_LEVEL_DOMAIN" => 1,
231 "DS_BEHAVIOR_WIN2000" => 0, # untested
232 "DS_BEHAVIOR_WIN2003" => 2,
235 my %ads_instance_type = (
236 "DS_INSTANCETYPE_IS_NC_HEAD" => 0x1,
238 "IT_NC_ABOVE" => 0x8,
242 "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
243 "ACCOUNT_OK" => 0x800000, # 8388608
244 "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
247 my %ads_gpoptions = (
248 "GPOPTIONS_INHERIT" => 0,
249 "GPOPTIONS_BLOCK_INHERITANCE" => 1,
252 my %ads_gplink_opts = (
253 "GPLINK_OPT_NONE" => 0,
254 "GPLINK_OPT_DISABLED" => 1,
255 "GPLINK_OPT_ENFORCED" => 2,
259 "GPFLAGS_ALL_ENABLED" => 0,
260 "GPFLAGS_USER_SETTINGS_DISABLED" => 1,
261 "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2,
262 "GPFLAGS_ALL_DISABLED" => 3,
265 my %ads_serverstate = (
266 "SERVER_ENABLED" => 1,
267 "SERVER_DISABLED" => 2,
270 my %ads_sdeffective = (
271 "OWNER_SECURITY_INFORMATION" => 0x01,
272 "DACL_SECURITY_INFORMATION" => 0x04,
273 "SACL_SECURITY_INFORMATION" => 0x10,
276 my %ads_trustattrs = (
277 "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1,
278 "TRUST_ATTRIBUTE_TREE_PARENT" => 2,
279 "TRUST_ATTRIBUTE_TREE_ROOT" => 3,
280 "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4,
283 my %ads_trustdirection = (
284 "TRUST_DIRECTION_INBOUND" => 1,
285 "TRUST_DIRECTION_OUTBOUND" => 2,
286 "TRUST_DIRECTION_BIDIRECTIONAL" => 3,
289 my %ads_trusttype = (
290 "TRUST_TYPE_DOWNLEVEL" => 1,
291 "TRUST_TYPE_UPLEVEL" => 2,
292 "TRUST_TYPE_KERBEROS" => 3,
293 "TRUST_TYPE_DCE" => 4,
296 my %ads_pwdproperties = (
297 "DOMAIN_PASSWORD_COMPLEX" => 1,
298 "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2,
299 "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4,
300 "DOMAIN_LOCKOUT_ADMINS" => 8,
301 "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16,
302 "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32,
305 my %ads_uascompat = (
306 "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0,
307 "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1,
311 "REPLICA_SET_SYSVOL" => 2, # unsure
312 "REPLICA_SET_DFS" => 1, # unsure
313 "REPLICA_SET_OTHER" => 0, # unsure
316 my %ads_gp_cse_extensions = (
317 "Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
318 "Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
319 "EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
320 "Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
321 "IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
322 "Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
323 "QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
324 "Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
325 "Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
326 "Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
330 my %ads_gpcextensions = (
331 "Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
332 "Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
333 "EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
334 "Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
335 "Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
336 "Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
337 "Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4",
338 "Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
339 "Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
340 "unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4",
341 "unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
344 my %ads_gpo_default_guids = (
345 "Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9",
346 "Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
347 "mist" => "61718096-3D3F-4398-8318-203A48976F9E",
351 "CtxCfgPresent" => \
&dump_int
,
352 "CtxCfgFlags1" => \
&dump_int
,
353 "CtxCallback" => \
&dump_string
,
354 "CtxShadow" => \
&dump_string
,
355 "CtxMaxConnectionTime" => \
&dump_int
,
356 "CtxMaxDisconnectionTime"=> \
&dump_int
,
357 "CtxMaxIdleTime" => \
&dump_int
,
358 "CtxKeyboardLayout" => \
&dump_int
,
359 "CtxMinEncryptionLevel" => \
&dump_int
,
360 "CtxWorkDirectory" => \
&dump_string
,
361 "CtxNWLogonServer" => \
&dump_string
,
362 "CtxWFHomeDir" => \
&dump_string
,
363 "CtxWFHomeDirDrive" => \
&dump_string
,
364 "CtxWFProfilePath" => \
&dump_string
,
365 "CtxInitialProgram" => \
&dump_string
,
366 "CtxCallbackNumber" => \
&dump_string
,
369 $SIG{__WARN__
} = sub {
377 # if there is data missing, we try to autodetect with samba-tools (if installed)
378 # this might fill up workgroup, machine, realm
382 $workgroup = $workgroup || $opt_workgroup || "";
385 $server = process_servername
($opt_host) ||
386 detect_server
($workgroup,$opt_realm) ||
387 die "please define server to query with -h host\n";
392 get_base_from_rootdse
($server,$dse);
395 $realm = $opt_realm ||
396 get_realm_from_rootdse
($server,$dse);
399 my @sasl_mechs = get_sasl_mechs_from_rootdse
($server,$dse);
400 my $sasl_mech = "GSSAPI";
402 $sasl_mech = sprintf("%s", (check_sasl_mech
($opt_saslmech) == 0)?
uc($opt_saslmech):"");
406 my $sasl_bind = 1 if (!$opt_simpleauth);
409 my $user = check_user
($opt_user) || $ENV{'USER'} || "";
412 my $upn = sprintf("%s", gen_upn
($opt_machine ?
"$machine\$" : $user, $realm));
415 $binddn = $opt_binddn || $upn;
418 $password = $password || $opt_password;
420 $password = $opt_machine ? get_machine_password
($workgroup) : get_password
();
424 "Token-Groups-No-GC-Acceptable" => \
&dump_sid
, #wrong name
425 "accountExpires" => \
&dump_nttime
,
426 "badPasswordTime" => \
&dump_nttime
,
427 "creationTime" => \
&dump_nttime
,
428 "currentTime" => \
&dump_timestr
,
429 "domainControllerFunctionality" => \
&dump_ds_func
,
430 "domainFunctionality" => \
&dump_ds_func
,
431 "fRSReplicaSetGUID" => \
&dump_guid
,
432 "fRSReplicaSetType" => \
&dump_frstype
,
433 "fRSVersionGUID" => \
&dump_guid
,
434 "flags" => \
&dump_gpflags
, # fixme: possibly only on gpos!
435 "forceLogoff" => \
&dump_nttime_abs
,
436 "forestFunctionality" => \
&dump_ds_func
,
437 # "gPCMachineExtensionNames" => \&dump_gpcextensions,
438 # "gPCUserExtensionNames" => \&dump_gpcextensions,
439 "gPLink" => \
&dump_gplink
,
440 "gPOptions" => \
&dump_gpoptions
,
441 "groupType" => \
&dump_gtype
,
442 "instanceType" => \
&dump_instance_type
,
443 "lastLogon" => \
&dump_nttime
,
444 "lastLogonTimestamp" => \
&dump_nttime
,
445 "lockOutObservationWindow" => \
&dump_nttime_abs
,
446 "lockoutDuration" => \
&dump_nttime_abs
,
447 "lockoutTime" => \
&dump_nttime
,
448 # "logonHours" => \&dump_logonhours,
449 "maxPwdAge" => \
&dump_nttime_abs
,
450 "minPwdAge" => \
&dump_nttime_abs
,
451 "modifyTimeStamp" => \
&dump_timestr
,
452 "msDS-Behavior-Version" => \
&dump_ds_func
, #unsure
453 "msDS-User-Account-Control-Computed" => \
&dump_uacc
,
454 "mS-DS-CreatorSID" => \
&dump_sid
,
455 # "msRADIUSFramedIPAddress" => \&dump_ipaddr,
456 # "msRASSavedFramedIPAddress" => \&dump_ipaddr,
457 "netbootGUID" => \
&dump_guid
,
458 "nTMixedDomain" => \
&dump_mixed_domain
,
459 "nTSecurityDescriptor" => \
&dump_secdesc
,
460 "objectGUID" => \
&dump_guid
,
461 "objectSid" => \
&dump_sid
,
463 "pKTGuid" => \
&dump_guid
,
464 "pwdLastSet" => \
&dump_nttime
,
465 "pwdProperties" => \
&dump_pwdproperties
,
466 "sAMAccountType" => \
&dump_atype
,
467 "sDRightsEffective" => \
&dump_sdeffective
,
468 "securityIdentifier" => \
&dump_sid
,
469 "serverState" => \
&dump_serverstate
,
470 "supportedCapabilities", => \
&dump_capabilities
,
471 "supportedControl", => \
&dump_controls
,
472 "supportedExtension", => \
&dump_extension
,
473 "systemFlags" => \
&dump_systemflags
,
474 "tokenGroups", => \
&dump_sid
,
475 "tokenGroupsGlobalAndUniversal" => \
&dump_sid
,
476 "tokenGroupsNoGCAcceptable" => \
&dump_sid
,
477 "trustAttributes" => \
&dump_trustattr
,
478 "trustDirection" => \
&dump_trustdirection
,
479 "trustType" => \
&dump_trusttype
,
480 "uASCompat" => \
&dump_uascompat
,
481 "userAccountControl" => \
&dump_uac
,
482 "userCertificate" => \
&dump_cert
,
483 "userFlags" => \
&dump_uf
,
484 "userParameters" => \
&dump_munged_dial
,
485 "whenChanged" => \
&dump_timestr
,
486 "whenCreated" => \
&dump_timestr
,
487 # "dSCorePropagationData" => \&dump_timestr,
497 print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
498 print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
499 print "\t--base|-b [base]\n\t\tUse base [base]\n";
500 print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
501 print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n";
502 print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
503 print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
504 print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n";
505 print "\t--help\n\t\tDisplay help page\n";
506 print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
507 print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
508 print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
509 print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
510 print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
511 print "\t--paging [pagesize]\n\t\tUse paged results when searching\n";
512 print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
513 print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
514 print "\t--rawdisplay\n\t\tDo not interpret values\n";
515 print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
516 print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
517 print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
518 print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
519 print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
520 print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
521 print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
522 print "\t--user|-U [user]\n\t\tUse [user]\n";
523 print "\t--wknguid\n\t\tDisplay well known guids\n";
524 print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
528 my ($mod,$attr,$value) = @_;
529 my $ofh = select(STDOUT
);
535 @
<<<< @
>>>>>>>>>>>>>>>>>>>>>>>: @
*
541 my ($mod,$attr,$value) = @_;
542 my $ofh = select(STDOUT
);
548 @
<<<< @
>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
550 ~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
557 my $workgroup = shift;
562 # try net cache (nbt records)
563 if ( -x
$net && $workgroup ) {
564 my $key = sprintf("NBT/%s#1C", uc($workgroup));
565 chomp($result = `$net cache search $key 2>&1 /dev/null`);
566 $result =~ s/^.*Value: //;
568 return $result if $result;
569 printf("%10s query failed for [%s]\n", "net cache", $key);
572 # try dns SRV entries
573 if ( -x
$dig && $realm ) {
574 my $key = sprintf("_ldap._tcp.%s", lc($realm));
575 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
578 return $result if $result;
579 printf("%10s query failed for [%s]\n", "dns", $key);
582 # try netbios broadcast query
583 if ( -x
$nmblookup && $workgroup ) {
584 my $key = sprintf("%s#1C", uc($workgroup));
585 my $pattern = sprintf("%s<1c>", uc($workgroup));
586 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
588 return $result if $result;
589 printf("%10s query failed for [%s]\n", "nmblookup", $key);
597 if (! -x
$testparm) { return -1; }
600 open(TESTPARM
, "$testparm -s -v 2> /dev/null |");
601 while (my $line = <TESTPARM
>) {
603 if ($line =~ /netbios name/) {
604 ($tmp, $machine) = split(/=/, $line);
605 $machine =~ s/\s+|\t+//g;
607 if ($line =~ /realm/) {
608 ($tmp, $realm) = split(/=/, $line);
609 $realm =~ s/\s+|\t+//g;
611 if ($line =~ /workgroup/) {
612 ($tmp, $workgroup) = split(/=/, $line);
613 $workgroup =~ s/\s+|\t+//g;
623 if ($machine && $realm) {
624 return sprintf("%s\@%s", lc($machine), uc($realm));
630 if (!$password && $opt_simpleauth && check_ticket
($user)) {
631 return prompt_password
($user);
637 my $user = shift || prompt_user
();
641 sub get_machine_password
{
643 my $workgroup = shift || "";
644 $workgroup = uc($workgroup);
647 -x
$tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
648 -r
$secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
650 # get machine-password
651 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
652 open(SECRETS
,"$tdbdump $secrets_tdb |");
653 while(my $line = <SECRETS
>) {
657 ($line,$password) = split(/"/, $line);
660 if ($line =~ /$key/) {
667 print "Successfully autodetected machine password for workgroup: $workgroup\n";
670 warn "No machine password available for $workgroup\n";
675 sub prompt_password
{
677 my $acct = shift || "";
679 ($acct, $password) = split(/\%/, $acct);
683 print "Enter password for $acct:";
684 my $password = <STDIN
>;
693 print "Enter Username:";
702 # works only for heimdal
703 return system("$klist -t");
708 my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
710 open(KRB5CONF
, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
711 printf KRB5CONF
"# autogenerated by $0\n";
712 printf KRB5CONF
"[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
713 printf KRB5CONF
"[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
716 if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
724 my $acct = shift || "";
726 ($acct, $password) = split(/\%/, $acct);
731 sub check_root_dse
($$$@
) {
734 my $server = shift || "";
735 $dse = shift || get_dse
($server) || return -1;
736 my $attr = shift || die "unknown query";
739 my $dse_list = $dse->get_value($attr, asref
=> '1');
740 my @dse_array = @
$dse_list;
742 foreach my $i (@array) {
743 # we could use -> supported_control but this
744 # is only available in newer versions of perl-ldap
745 # if ( ! $dse->supported_control( $i ) ) {
746 if ( grep(/$i->type()/, @dse_array) ) {
747 printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type());
754 sub check_ctrls
($$@
) {
758 return check_root_dse
($server, $dse, "supportedControl", @array);
761 sub check_exts
($$@
) {
765 return check_root_dse
($server, $dse, "supportedExtension", @array);
768 sub get_base_from_rootdse
{
770 my $server = shift || "";
771 $dse = shift || get_dse
($server,$async_ldap_hd) || return -1;
772 return $dse->get_value('defaultNamingContext');
775 sub get_realm_from_rootdse
{
777 my $server = shift || "";
778 $dse = shift || get_dse
($server,$async_ldap_hd) || return -1;
779 my $service = $dse->get_value('ldapServiceName') || "";
781 my ($t,$realm) = split(/\@/, $service);
784 die "very odd: could not get realm";
788 sub get_sasl_mechs_from_rootdse
{
790 my $server = shift || "";
791 $dse = shift || get_dse
($server,$async_ldap_hd) || return -1;
792 my $mechs = $dse->get_value('supportedSASLMechanisms', asref
=> 1);
798 my $server = shift || return undef;
799 $async_ldap_hd = shift || get_ldap_hd
($server,1);
800 if (!$async_ldap_hd) {
801 print "oh, no connection\n";
804 my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
805 if ($mesg->code) { die "failed to bind\n"; };
806 my $dse = $async_ldap_hd->root_dse( attrs
=> ['*', "supportedExtension", "supportedFeatures" ] );
811 sub process_servername
{
813 my $name = shift || return "";
814 if ($name =~ /^ldaps:\/\
//i ) {
815 $name =~ s
#^ldaps://##i;
816 $uri = sprintf("%s://%s", "ldaps", $name);
818 $name =~ s
#^ldap://##i;
819 $uri = sprintf("%s://%s", "ldap", $name);
826 my $server = shift || return undef;
827 my $async = shift || "0";
829 die "uri unavailable" if (!$uri);
830 if ($uri =~ /^ldaps:\/\
//i ) {
831 $port = $port || 636;
833 $hd = Net
::LDAPS
->new( $server, async
=> $async, port
=> $port ) ||
834 die "host $server not available: $!";
836 $port = $port || 389;
837 $hd = Net
::LDAP
->new( $server, async
=> $async, port
=> $port ) ||
838 die "host $server not available: $!";
840 $hd->debug($opt_debug);
842 $hd->start_tls( verify
=> 'none' );
851 print "no sasl support\n";
856 if ($sasl_mech && $sasl_mech eq "GSSAPI") {
857 my $user = sprintf("%s\@%s", $user, uc($realm));
858 if (check_ticket
($user) != 0 && get_ticket
($user) != 0) {
859 print "Could not get Kerberos ticket for user [$user]\n";
863 $hd = Authen
::SASL
->new( mechanism
=> 'GSSAPI' ) || die "nope";
864 my $conn = $hd->client_new("ldap", $server);
866 if ($conn->code == -1) {
867 printf "%s\n", $conn->error();
871 } elsif ($sasl_mech) {
873 # here comes generic sasl code
874 $hd = Authen
::SASL
->new( mechanism
=> $sasl_mech,
877 pass
=> \
&get_password
882 print "no supported SASL mechanism found (@sasl_mechs).\n";
883 print "falling back to simple bind.\n";
890 sub check_sasl_mech
{
891 my $mech_check = shift;
893 foreach my $mech (@sasl_mechs) {
894 $have_mech = 1 if ($mech eq uc($mech_check));
905 -e
"$ads_h" || die "cannot open samba3 ads.h ($ads_h): $!";
907 while (my $line = <ADSH
>) {
909 if ($line =~ /#define.UF.*0x/) {
910 my ($tmp, $name, $val) = split(/\s+/,$line);
911 next if ($name =~ /UNUSED/);
912 # $ads_uf{$name} = sprintf("%d", hex $val);
913 $ads_uf{$name} = hex $val;
915 if ($line =~ /#define.GROUP_TYPE.*0x/) {
916 my ($tmp, $name, $val) = split(/\s+/,$line);
917 $ads_grouptype{$name} = hex $val;
919 if ($line =~ /#define.ATYPE.*0x/) {
920 my ($tmp, $name, $val) = split(/\s+/,$line);
922 (exists $ads_atype{$val}) ?
$ads_atype{$val} : hex $val;
924 if ($line =~ /#define.GTYPE.*0x/) {
926 my ($tmp, $name, @val) = split(/\s+/,$line);
927 foreach my $tempval (@val) {
928 if ($tempval =~ /^0x/) {
934 $ads_gtype{$name} = sprintf("%d", hex $val);
941 sub store_result
($) {
945 $entry_store{$entry->dn} = $entry;
948 sub display_result_diff
($) {
950 my $entry_new = shift;
951 return if ( !$entry_new);
953 if ( !exists $entry_store{$entry_new->dn}) {
954 print "can't display any differences yet. full dump...\n";
955 display_entry_generic
($entry_new);
959 my $entry_old = $entry_store{$entry_new->dn};
961 foreach my $attr (sort $entry_new->attributes) {
962 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
963 display_attr_generic
("add:\t", $entry_new, $attr);
968 foreach my $attr (sort $entry_old->attributes) {
969 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
970 display_attr_generic
("del:\t", $entry_old, $attr);
974 # now check for all values if they have changed, display changes
975 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
977 $old_vals = $entry_old->get_value($attr, asref
=> 1);
978 @old_vals = @
$old_vals;
979 $new_vals = $entry_new->get_value($attr, asref
=> 1);
980 @new_vals = @
$new_vals;
982 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
983 if ($old_vals[0] ne $new_vals[0]) {
984 display_attr_generic
("old:\t", $entry_old, $attr);
985 display_attr_generic
("new:\t", $entry_new, $attr);
990 # handle multivalued diffs
991 foreach my $val (@old_vals) { $old{$val} = "dummy"; };
992 foreach my $val (@new_vals) { $new{$val} = "dummy"; };
993 foreach my $val (sort keys %new) {
994 if (!exists $old{$val}) {
995 display_value_generic
("add:\t", $attr, $val);
998 foreach my $val (sort keys %old) {
999 if (!exists $new{$val}) {
1000 display_value_generic
("del:\t", $attr, $val);
1008 sub sid2string
($) {
1010 # Fix from Michael James <michael@james.st>
1011 my $binary_sid = shift;
1012 my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
1013 my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
1018 sub string_to_guid
{
1020 return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
1022 return pack("I", hex $1) .
1031 pack("C", hex $10) .
1034 # print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
1037 sub bindstring_to_guid
{
1039 return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2",
1058 sub guid_to_string
{
1060 my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
1062 unpack("S", substr($guid, 4, 2)),
1063 unpack("S", substr($guid, 6, 2)),
1064 unpack("C", substr($guid, 8, 1)),
1065 unpack("C", substr($guid, 9, 1)),
1066 unpack("C", substr($guid, 10, 1)),
1067 unpack("C", substr($guid, 11, 1)),
1068 unpack("C", substr($guid, 12, 1)),
1069 unpack("C", substr($guid, 13, 1)),
1070 unpack("C", substr($guid, 14, 1)),
1071 unpack("C", substr($guid, 15, 1));
1075 sub guid_to_bindstring
{
1077 return unpack("H" . 2 * length($guid), $guid),
1081 print "Dumping Well known GUIDs:\n";
1082 foreach my $wknguid (keys %wknguids) {
1084 my $guid = bindstring_to_guid
($wknguids{$wknguid});
1085 my $str = guid_to_string
($guid);
1086 my $back = guid_to_bindstring
($guid);
1088 printf "wkguid: %s\n", $wknguid;
1089 printf "bind_string format: %s\n", $wknguids{$wknguid};
1090 printf "string format: %s\n", guid_to_string
($guid);
1091 printf "back to bind_string:%s\n", guid_to_bindstring
($guid);
1093 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring
($guid), $base;
1097 sub gen_bitmask_string_format
($%) {
1101 foreach my $key (sort keys %tmp) {
1102 push(@list, sprintf("%s %s", $tmp{$key}, $key));
1104 return join("\n$mod$tabsize",@list);
1108 sub nt_to_unixtime
($) {
1109 # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
1111 $t64 =~ s/(.+).{7,7}/$1/;
1112 $t64 -= 11644473600;
1118 my $mod = shift || die "no mod";
1122 foreach my $key (keys %header) {
1123 if ($header{$key} eq $val) {
1124 $tmp{"($val)"} = $key;
1129 if (!$found) { $tmp{$val} = ""; };
1130 return gen_bitmask_string_format
($mod,%tmp);
1134 my $op = shift || die "no op";
1136 my $mod = shift || die "no mod";
1140 foreach my $key (sort keys %header) { # sort by val !
1142 $tmp{$key} = ( $val & $header{$key} ) ?
$set:$unset;
1143 } elsif ($op eq "==") {
1144 $tmp{$key} = ( $val == $header{$key} ) ?
$set:$unset;
1146 print "unknown operator: $op\n";
1150 return gen_bitmask_string_format
($mod,%tmp);
1153 sub dump_bitmask_and
{
1154 return dump_bitmask
("&",@_);
1157 sub dump_bitmask_equal
{
1158 return dump_bitmask
("==",@_);
1162 return dump_bitmask_and
(@_,%ads_uf); # ads_uf ?
1165 sub dump_uascompat
{
1166 return dump_bitmask_equal
(@_,%ads_uascompat);
1169 sub dump_gpoptions
{
1170 return dump_bitmask_equal
(@_,%ads_gpoptions);
1174 return dump_bitmask_equal
(@_,%ads_gpflags);
1178 return dump_bitmask_equal
(@_,%ads_uacc);
1182 return dump_bitmask_and
(@_,%ads_uf);
1186 my $ret = dump_bitmask_and
(@_,%ads_grouptype);
1187 $ret .= "\n$tabsize\t";
1188 $ret .= dump_bitmask_equal
(@_,%ads_gtype);
1193 return dump_bitmask_equal
(@_,%ads_atype);
1197 return dump_equal
(@_,%ads_controls);
1200 sub dump_capabilities
{
1201 return dump_equal
(@_,%ads_capabilities);
1204 sub dump_extension
{
1205 return dump_equal
(@_,%ads_extensions);
1208 sub dump_systemflags
{
1209 return dump_bitmask_and
(@_,%ads_systemflags);
1212 sub dump_instance_type
{
1213 return dump_bitmask_and
(@_,%ads_instance_type);
1217 return dump_bitmask_equal
(@_,%ads_ds_func);
1220 sub dump_serverstate
{
1221 return dump_bitmask_equal
(@_,%ads_serverstate);
1224 sub dump_sdeffective
{
1225 return dump_bitmask_and
(@_,%ads_sdeffective);
1228 sub dump_trustattr
{
1229 return dump_bitmask_equal
(@_,%ads_trustattrs);
1232 sub dump_trusttype
{
1233 return dump_bitmask_equal
(@_,%ads_trusttype);
1236 sub dump_trustdirection
{
1237 return dump_bitmask_equal
(@_,%ads_trustdirection);
1240 sub dump_pwdproperties
{
1241 return dump_bitmask_and
(@_,%ads_pwdproperties);
1245 return dump_bitmask_equal
(@_,%ads_frstypes)
1248 sub dump_mixed_domain
{
1249 return dump_bitmask_equal
(@_,%ads_mixed_domain);
1253 my $bin_sid = shift;
1254 return sid2string
($bin_sid);
1259 return guid_to_string
($guid);
1264 return "FIXME: write sddl-converter!";
1270 return sprintf("%s (%s)", "never", $nttime);
1272 my $localtime = localtime(nt_to_unixtime
($nttime));
1273 return sprintf("%s (%s)", $localtime, $nttime);
1276 sub dump_nttime_abs
{
1277 if ($_[0] == 9223372036854775807) {
1278 return sprintf("%s (%s)", "now", $_[0]);
1280 if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1281 return sprintf("%s (%s)", "never", $_[0]);
1283 # FIXME: actually *do* abs time !
1284 return dump_nttime
($_[0]);
1289 if ($time eq "16010101000010.0Z") {
1290 return sprintf("%s (%s)", "never", $time);
1292 my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
1293 unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1295 my $localtime = localtime(timegm
($sec,$min,$hour,$mday,$mon,$year));
1296 return sprintf("%s (%s)", $localtime, $time);
1304 return sprintf("%d", $_[0]);
1307 sub dump_munged_dial
{
1309 return "FIXME! decode this";
1315 open(OPENSSL
, "| /usr/bin/openssl x509 -text -inform der");
1316 print OPENSSL
$cert;
1324 printf("%s: ", $pkt);
1325 printf("%02X", $pkt);
1332 my $gplink_mod = $gplink;
1333 my @links = split("\\]\\[", $gplink_mod);
1334 foreach my $link (@links) {
1335 $link =~ s/^\[|\]$//g;
1336 my ($ldap_link, $opt) = split(";", $link);
1337 my @array = ( "$opt", "\t" );
1338 printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and
(@array, %ads_gplink_opts));
1343 sub construct_filter
{
1347 if (!$tmp || $opt_notify) {
1348 return "(objectclass=*)";
1351 if ($tmp && $tmp !~ /^.*\=/) {
1352 return "(ANR=$tmp)";
1356 # (&(objectCategory=person)
1357 # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1360 sub construct_attrs
{
1369 push(@attrs,"uSNChanged");
1372 if ($opt_display_metadata) {
1373 push(@attrs,"msDS-ReplAttributeMetaData");
1374 push(@attrs,"replPropertyMetaData");
1378 push(@attrs,"nTSecurityDescriptor");
1379 push(@attrs,"msDS-KeyVersionNumber");
1380 push(@attrs,"msDS-User-Account-Control-Computed");
1381 push(@attrs,"modifyTimeStamp");
1390 printf "%10s: %s\n", "uri", $uri;
1391 printf "%10s: %s\n", "port", $port;
1392 printf "%10s: %s\n", "base", $base;
1393 printf "%10s: %s\n", $sasl_bind ?
"principal" : "binddn", $sasl_bind ?
$upn : $binddn;
1394 printf "%10s: %s\n", "password", $password;
1395 printf "%10s: %s\n", "bind-type", $sasl_bind ?
"SASL" : "simple";
1396 printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1397 printf "%10s: %s\n", "filter", $filter;
1398 printf "%10s: %s\n", "scope", $scope;
1399 printf "%10s: %s\n", "attrs", join(", ", @attrs);
1400 printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1401 printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging);
1402 printf "%10s: %s\n", "start_tls", $opt_starttls ?
"yes" : "no";
1408 # setup attribute-scoped query control
1409 my $asq_asn = Convert
::ASN1
->new;
1411 q
< asq
::= SEQUENCE
{
1412 sourceAttribute OCTET_STRING
1416 my $ctl_asq_val = $asq_asn->encode( sourceAttribute
=> $opt_asq);
1417 my $ctl_asq = Net
::LDAP
::Control
->new(
1418 type
=> $ads_controls{'LDAP_SERVER_ASQ_OID'},
1420 value
=> $ctl_asq_val);
1423 # setup extended dn control
1424 my $asn_extended_dn = Convert
::ASN1
->new;
1425 $asn_extended_dn->prepare(
1426 q
< ExtendedDn
::= SEQUENCE
{
1432 # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val
1433 my $ctl_extended_dn_val = $asn_extended_dn->encode( mode
=> $opt_display_extendeddn);
1434 my $ctl_extended_dn = Net
::LDAP
::Control
->new(
1435 type
=> $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1437 value
=> $opt_display_extendeddn ?
$ctl_extended_dn_val : "");
1439 # setup notify control
1440 my $ctl_notification = Net
::LDAP
::Control
->new(
1441 type
=> $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1442 critical
=> 'true');
1445 # setup paging control
1446 $ctl_paged = Net
::LDAP
::Control
->new(
1447 type
=> $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1449 size
=> $opt_paging ?
$opt_paging : 1000);
1451 # setup domscope control
1452 my $ctl_domscope = Net
::LDAP
::Control
->new(
1453 type
=> $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'},
1457 if (defined($opt_paging)) {
1458 push(@ctrls, $ctl_paged);
1459 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1462 if (defined($opt_display_extendeddn)) {
1463 push(@ctrls, $ctl_extended_dn);
1464 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1467 push(@ctrls, $ctl_notification);
1468 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1472 push(@ctrls, $ctl_asq);
1473 push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
1476 if ($opt_domain_scope) {
1477 push(@ctrls, $ctl_domscope);
1478 push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID");
1484 sub display_value_generic
($$$) {
1486 my ($mod,$attr,$value) = @_;
1487 return unless (defined($value) and defined($attr));
1489 if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1490 $value = $attr_handler{$attr}($value,$mod);
1491 write_ads_list
($mod,$attr,$value);
1494 write_ads
($mod,$attr,$value);
1497 sub display_attr_generic
($$$) {
1499 my ($mod,$entry,$attr) = @_;
1500 return if (!$attr || !$entry);
1502 my $ref = $entry->get_value($attr, asref
=> 1);
1505 foreach my $value ( sort @values) {
1506 display_value_generic
($mod,$attr,$value);
1510 sub display_entry_generic
($) {
1513 return if (!$entry);
1515 foreach my $attr ( sort $entry->attributes) {
1516 display_attr_generic
("\t",$entry,$attr);
1520 sub display_ldap_err
($) {
1524 my ($package, $filename, $line, $subroutine) = caller(0);
1526 print "got error from ADS:\n";
1527 printf("%s(%d): ERROR (%s): %s\n",
1528 $subroutine, $line, $msg->code, $msg->error);
1532 sub process_result
{
1534 my ($msg,$entry) = @_;
1536 if (!defined($msg)) {
1541 display_ldap_err
($msg);
1545 if (!defined($entry)) {
1549 if ($entry->isa('Net::LDAP::Reference')) {
1550 foreach my $ref ($entry->references) {
1551 print "\ngot Reference: [$ref]\n";
1556 print "\nfound entry: ".$entry->dn."\n".("-" x
80)."\n";
1558 display_entry_generic
($entry);
1561 sub default_callback
{
1563 my ($res,$obj) = @_;
1565 if (!$opt_notify && $res->code == LDAP_REFERRAL
) {
1570 return process_result
($res,$obj);
1574 sub error_callback
{
1576 my ($msg,$entry) = @_;
1583 display_ldap_err
($msg);
1589 sub notify_callback
{
1591 my ($msg, $obj) = @_;
1593 if (! defined($obj)) {
1597 if ($obj->isa('Net::LDAP::Reference')) {
1598 foreach my $ref ($obj->references) {
1599 print "\ngot Reference: [$ref]\n";
1606 my $async_entry = $async_search->pop_entry;
1608 if (!$async_entry->dn) {
1609 print "very weird. entry has no dn\n";
1613 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x
80));
1615 my $new_usn = $async_entry->get_value('uSNChanged');
1617 die "odd, no usnChanged attribute???";
1619 if (!$usn || $new_usn > $usn) {
1621 if ($opt_notify_nodiffs) {
1622 display_entry_generic
($async_entry);
1624 display_result_diff
($async_entry);
1627 store_result
($async_entry);
1633 my $async_ldap_hd = shift || return undef;
1634 my $sasl_bind = shift;
1638 print "this version of Net::LDAP does not have proper SASL support.\n";
1639 print "Need at least perl-ldap V. $pref_version\n";
1641 $sasl_hd = get_sasl_hd
();
1643 print "failed to create SASL handle\n";
1646 $mesg = $async_ldap_hd->bind(
1648 callback
=> \
&error_callback
1649 ) || die "doesnt work";
1652 $mesg = $async_ldap_hd->bind(
1654 password
=> $password,
1655 callback
=> $opt_fastbind ?
undef : \
&error_callback
1656 ) || die "doesnt work";
1659 display_ldap_err
($mesg) if (!$opt_fastbind);
1665 sub do_fast_bind
() {
1669 my $hd = get_ldap_hd
($server,1);
1671 my $mesg = $hd->extension(
1672 name
=> $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'});
1675 display_ldap_err
($mesg);
1679 my $ret = do_bind
($hd, undef);
1682 printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n",
1683 $ret == 0 ?
"succeeded" : "failed");
1689 if ($async_ldap_hd) {
1690 $async_ldap_hd->unbind;
1692 if ($sync_ldap_hd) {
1693 $sync_ldap_hd->unbind;
1697 ###############################################################################
1701 if ($opt_fastbind) {
1703 if (check_exts
($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) {
1704 print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n";
1708 # fast bind can only bind, not search
1709 exit do_fast_bind
();
1712 $filter = construct_filter
($query);
1713 @attrs = construct_attrs
(@attrs);
1714 @ctrls = gen_controls
();
1716 if (check_ctrls
($server,$dse,@ctrls) == -1) {
1717 print "not all required LDAP Controls are supported by this server\n";
1721 if ($opt_dump_rootdse) {
1722 print "Dumping Root-DSE:\n";
1723 display_entry_generic
($dse);
1727 if ($opt_dump_wknguid) {
1732 if (do_bind
($async_ldap_hd, $sasl_bind) == -1) {
1738 if ($opt_dump_schema) {
1739 print "Dumping Schema:\n";
1740 my $ads_schema = $async_ldap_hd->schema;
1747 $async_search = $async_ldap_hd->search(
1750 attrs
=> [ @attrs ],
1751 control
=> [ @ctrls ],
1752 callback
=> \
&default_callback
,
1754 ) || die "cannot search";
1756 if (!$opt_notify && ($async_search->code == LDAP_REFERRAL
)) {
1757 foreach my $ref ($async_search->referrals) {
1758 print "\ngot Referral: [$ref]\n";
1759 $async_ldap_hd->unbind();
1760 $async_ldap_hd = get_ldap_hd
($ref, 1);
1761 if (do_bind
($async_ldap_hd, $sasl_bind) == -1) {
1762 $async_ldap_hd->unbind();
1765 print "\nsuccessful rebind to: [$ref]\n";
1768 next; # repeat the query
1773 print "Base [$base] is registered now for change-notify\n";
1774 print "\nWaiting for change-notify...\n";
1776 my $sync_ldap_hd = get_ldap_hd
($server,0);
1777 if (do_bind
($sync_ldap_hd, $sasl_bind) == -1) {
1781 my $sync_search = $sync_ldap_hd->search(
1784 attrs
=> [ @attrs ],
1785 callback
=> \
¬ify_callback
,
1787 ) || die "cannot search";
1791 $total_entry_count += $async_search->count;
1793 print "-" x
80 . "\n";
1794 printf("Got %d Entries in Page %d \n\n",
1795 $async_search->count, $page_count);
1796 my ($resp) = $async_search->control(
1797 $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1798 last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1801 if ($async_search->entries == 0) {
1802 print "No entries found with filter $filter\n";
1804 print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging);