2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libcli/security/dom_sid.h"
24 #include "../librpc/ndr/libndr.h"
28 #define LDAP_TRUST_CONTAINER "ou=system"
29 #define LDAP_ATTRIBUTE_CN "cn"
30 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
31 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
32 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
33 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
34 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
35 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
36 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
37 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
38 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
40 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
41 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
42 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
44 struct ipasam_privates {
45 NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
46 struct samu *sampass);
47 NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
48 struct samu *sampass);
51 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
55 time_t *pass_last_set_time)
60 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
63 const struct dom_sid *sid)
68 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
74 static char *get_account_dn(const char *name)
79 escape_name = escape_rdn_val_string_alloc(name);
84 if (name[strlen(name)-1] == '$') {
85 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
86 lp_ldap_machine_suffix());
88 dn = talloc_asprintf(talloc_tos(), "uid=%s,%s", escape_name,
89 lp_ldap_user_suffix());
92 SAFE_FREE(escape_name);
97 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
100 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
101 LDAP_ATTRIBUTE_CN, domain,
102 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
105 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
107 return talloc_asprintf(talloc_tos(), "%s,%s",
108 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
111 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
113 const char *filter, LDAPMessage **entry)
116 char *base_dn = NULL;
117 LDAPMessage *result = NULL;
120 base_dn = trusted_domain_base_dn(ldap_state);
121 if (base_dn == NULL) {
125 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
126 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
127 TALLOC_FREE(base_dn);
129 if (result != NULL) {
130 talloc_autofree_ldapmsg(mem_ctx, result);
133 if (rc == LDAP_NO_SUCH_OBJECT) {
138 if (rc != LDAP_SUCCESS) {
142 num_result = ldap_count_entries(priv2ld(ldap_state), result);
144 if (num_result > 1) {
145 DEBUG(1, ("get_trusted_domain_int: more than one "
146 "%s object with filter '%s'?!\n",
147 LDAP_OBJ_TRUSTED_DOMAIN, filter));
151 if (num_result == 0) {
152 DEBUG(1, ("get_trusted_domain_int: no "
153 "%s object with filter '%s'.\n",
154 LDAP_OBJ_TRUSTED_DOMAIN, filter));
157 *entry = ldap_first_entry(priv2ld(ldap_state), result);
163 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
170 filter = talloc_asprintf(talloc_tos(),
171 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
172 LDAP_OBJ_TRUSTED_DOMAIN,
173 LDAP_ATTRIBUTE_FLAT_NAME, domain,
174 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
175 if (filter == NULL) {
179 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
182 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
184 const char *sid, LDAPMessage **entry)
188 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
189 LDAP_OBJ_TRUSTED_DOMAIN,
190 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
191 if (filter == NULL) {
195 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
198 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
207 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
210 DEBUG(9, ("Attribute %s not present.\n", attr));
215 l = strtoul(dummy, &endptr, 10);
218 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
227 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
228 struct ldapsam_privates *ldap_state,
229 LDAPMessage *entry, const char *attr,
235 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
238 DEBUG(9, ("Attribute %s not present.\n", attr));
241 blob = base64_decode_data_blob(dummy);
242 if (blob.length == 0) {
245 _blob->length = blob.length;
246 _blob->data = talloc_steal(mem_ctx, blob.data);
252 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
253 struct ldapsam_privates *ldap_state,
255 struct pdb_trusted_domain **_td)
259 struct pdb_trusted_domain *td;
265 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
270 /* All attributes are MAY */
272 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
273 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
276 DEBUG(9, ("Attribute %s not present.\n",
277 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
278 ZERO_STRUCT(td->security_identifier);
280 res = string_to_sid(&td->security_identifier, dummy);
287 get_data_blob_from_ldap_msg(td, ldap_state, entry,
288 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
289 &td->trust_auth_incoming);
291 get_data_blob_from_ldap_msg(td, ldap_state, entry,
292 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
293 &td->trust_auth_outgoing);
295 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
297 LDAP_ATTRIBUTE_FLAT_NAME,
299 if (td->netbios_name == NULL) {
300 DEBUG(9, ("Attribute %s not present.\n",
301 LDAP_ATTRIBUTE_FLAT_NAME));
304 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
306 LDAP_ATTRIBUTE_TRUST_PARTNER,
308 if (td->domain_name == NULL) {
309 DEBUG(9, ("Attribute %s not present.\n",
310 LDAP_ATTRIBUTE_TRUST_PARTNER));
313 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
314 LDAP_ATTRIBUTE_TRUST_DIRECTION,
315 &td->trust_direction);
320 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
321 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
322 &td->trust_attributes);
327 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
328 LDAP_ATTRIBUTE_TRUST_TYPE,
334 get_data_blob_from_ldap_msg(td, ldap_state, entry,
335 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
336 &td->trust_forest_trust_info);
343 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
346 struct pdb_trusted_domain **td)
348 struct ldapsam_privates *ldap_state =
349 (struct ldapsam_privates *)methods->private_data;
350 LDAPMessage *entry = NULL;
352 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
354 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
356 return NT_STATUS_UNSUCCESSFUL;
359 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
361 return NT_STATUS_NO_SUCH_DOMAIN;
364 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
365 return NT_STATUS_UNSUCCESSFUL;
371 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
374 struct pdb_trusted_domain **td)
376 struct ldapsam_privates *ldap_state =
377 (struct ldapsam_privates *)methods->private_data;
378 LDAPMessage *entry = NULL;
381 sid_str = sid_string_tos(sid);
383 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
386 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
388 return NT_STATUS_UNSUCCESSFUL;
391 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
392 "with sid: %s\n", sid_str));
393 return NT_STATUS_NO_SUCH_DOMAIN;
396 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
397 return NT_STATUS_UNSUCCESSFUL;
403 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
404 LDAPMod ***mods, const char *attribute,
409 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
413 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
419 static bool _smbldap_make_mod_blob(LDAP *ldap_struct, LDAPMessage *entry,
420 LDAPMod ***mods, const char *attribute,
425 dummy = base64_encode_data_blob(talloc_tos(), blob);
430 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
436 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
438 const struct pdb_trusted_domain *td)
440 struct ldapsam_privates *ldap_state =
441 (struct ldapsam_privates *)methods->private_data;
442 LDAPMessage *entry = NULL;
445 char *trusted_dn = NULL;
448 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
450 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
453 return NT_STATUS_UNSUCCESSFUL;
457 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
458 LDAP_OBJ_TRUSTED_DOMAIN);
460 if (td->netbios_name != NULL) {
461 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
462 LDAP_ATTRIBUTE_FLAT_NAME,
466 if (td->domain_name != NULL) {
467 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
468 LDAP_ATTRIBUTE_TRUST_PARTNER,
472 if (!is_null_sid(&td->security_identifier)) {
473 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
474 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
475 sid_string_tos(&td->security_identifier));
478 if (td->trust_type != 0) {
479 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
480 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
483 return NT_STATUS_UNSUCCESSFUL;
487 if (td->trust_attributes != 0) {
488 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
490 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
491 td->trust_attributes);
493 return NT_STATUS_UNSUCCESSFUL;
497 if (td->trust_direction != 0) {
498 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
500 LDAP_ATTRIBUTE_TRUST_DIRECTION,
501 td->trust_direction);
503 return NT_STATUS_UNSUCCESSFUL;
507 if (td->trust_auth_outgoing.data != NULL) {
508 res = _smbldap_make_mod_blob(priv2ld(ldap_state), entry,
510 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
511 td->trust_auth_outgoing);
513 return NT_STATUS_UNSUCCESSFUL;
517 if (td->trust_auth_incoming.data != NULL) {
518 res = _smbldap_make_mod_blob(priv2ld(ldap_state), entry,
520 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
521 td->trust_auth_incoming);
523 return NT_STATUS_UNSUCCESSFUL;
527 if (td->trust_forest_trust_info.data != NULL) {
528 res = _smbldap_make_mod_blob(priv2ld(ldap_state), entry,
530 LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
531 td->trust_forest_trust_info);
533 return NT_STATUS_UNSUCCESSFUL;
537 talloc_autofree_ldapmod(talloc_tos(), mods);
539 trusted_dn = trusted_domain_dn(ldap_state, domain);
540 if (trusted_dn == NULL) {
541 return NT_STATUS_NO_MEMORY;
544 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
546 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
549 if (ret != LDAP_SUCCESS) {
550 DEBUG(1, ("error writing trusted domain data!\n"));
551 return NT_STATUS_UNSUCCESSFUL;
556 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
560 struct ldapsam_privates *ldap_state =
561 (struct ldapsam_privates *)methods->private_data;
562 LDAPMessage *entry = NULL;
565 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
567 return NT_STATUS_UNSUCCESSFUL;
571 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
573 return NT_STATUS_NO_SUCH_DOMAIN;
576 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
578 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
579 return NT_STATUS_NO_MEMORY;
582 ret = smbldap_delete(ldap_state->smbldap_state, dn);
583 if (ret != LDAP_SUCCESS) {
584 return NT_STATUS_UNSUCCESSFUL;
590 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
592 uint32_t *num_domains,
593 struct pdb_trusted_domain ***domains)
596 struct ldapsam_privates *ldap_state =
597 (struct ldapsam_privates *)methods->private_data;
598 char *base_dn = NULL;
600 int scope = LDAP_SCOPE_SUBTREE;
601 LDAPMessage *result = NULL;
602 LDAPMessage *entry = NULL;
604 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
605 LDAP_OBJ_TRUSTED_DOMAIN);
606 if (filter == NULL) {
607 return NT_STATUS_NO_MEMORY;
610 base_dn = trusted_domain_base_dn(ldap_state);
611 if (base_dn == NULL) {
613 return NT_STATUS_NO_MEMORY;
616 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
619 TALLOC_FREE(base_dn);
621 if (result != NULL) {
622 talloc_autofree_ldapmsg(mem_ctx, result);
625 if (rc == LDAP_NO_SUCH_OBJECT) {
631 if (rc != LDAP_SUCCESS) {
632 return NT_STATUS_UNSUCCESSFUL;
636 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct pdb_trusted_domain *, 1))) {
637 DEBUG(1, ("talloc failed\n"));
638 return NT_STATUS_NO_MEMORY;
641 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
643 entry = ldap_next_entry(priv2ld(ldap_state), entry))
645 struct pdb_trusted_domain *dom_info;
647 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
649 return NT_STATUS_UNSUCCESSFUL;
652 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
653 domains, num_domains);
655 if (*domains == NULL) {
656 DEBUG(1, ("talloc failed\n"));
657 return NT_STATUS_NO_MEMORY;
661 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
665 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
667 uint32_t *num_domains,
668 struct trustdom_info ***domains)
671 struct pdb_trusted_domain **td;
674 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
676 if (!NT_STATUS_IS_OK(status)) {
680 if (*num_domains == 0) {
684 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *,
686 DEBUG(1, ("talloc failed\n"));
687 return NT_STATUS_NO_MEMORY;
690 for (i = 0; i < *num_domains; i++) {
691 struct trustdom_info *dom_info;
693 dom_info = TALLOC_P(*domains, struct trustdom_info);
694 if (dom_info == NULL) {
695 DEBUG(1, ("talloc failed\n"));
696 return NT_STATUS_NO_MEMORY;
699 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
700 sid_copy(&dom_info->sid, &td[i]->security_identifier);
702 (*domains)[i] = dom_info;
708 static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods)
710 return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
713 static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pdb_methods,
716 struct pdb_domain_info *info;
718 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)pdb_methods->private_data;
720 info = talloc(mem_ctx, struct pdb_domain_info);
725 info->name = talloc_strdup(info, ldap_state->domain_name);
726 if (info->name == NULL) {
730 /* TODO: read dns_domain, dns_forest and guid from LDAP */
731 info->dns_domain = talloc_strdup(info, lp_realm());
732 if (info->dns_domain == NULL) {
735 strlower_m(info->dns_domain);
736 info->dns_forest = talloc_strdup(info, info->dns_domain);
737 sid_copy(&info->sid, &ldap_state->domain_sid);
739 status = GUID_from_string("testguid", &info->guid);
748 static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
749 struct samu *sampass)
752 BerElement *ber = NULL;
753 struct berval *bv = NULL;
755 struct berval *retdata = NULL;
756 const char *password;
759 password = pdb_get_plaintext_passwd(sampass);
760 if (password == NULL || *password == '\0') {
761 return NT_STATUS_INVALID_PARAMETER;
764 dn = get_account_dn(pdb_get_username(sampass));
766 return NT_STATUS_INVALID_PARAMETER;
769 ber = ber_alloc_t( LBER_USE_DER );
771 DEBUG(7, ("ber_alloc_t failed.\n"));
772 return NT_STATUS_NO_MEMORY;
775 ret = ber_printf(ber, "{tsts}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, dn,
776 LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, password);
778 DEBUG(7, ("ber_printf failed.\n"));
780 return NT_STATUS_UNSUCCESSFUL;
783 ret = ber_flatten(ber, &bv);
786 DEBUG(1, ("ber_flatten failed.\n"));
787 return NT_STATUS_UNSUCCESSFUL;
790 ret = smbldap_extended_operation(ldap_state->smbldap_state,
791 LDAP_EXOP_MODIFY_PASSWD, bv, NULL,
792 NULL, &retoid, &retdata);
798 ldap_memfree(retoid);
800 if (ret != LDAP_SUCCESS) {
801 DEBUG(1, ("smbldap_extended_operation LDAP_EXOP_MODIFY_PASSWD failed.\n"));
802 return NT_STATUS_UNSUCCESSFUL;
808 static NTSTATUS ipasam_add_objectclasses(struct ldapsam_privates *ldap_state,
809 struct samu *sampass)
812 LDAPMod **mods = NULL;
816 char *domain_with_dot;
818 dn = get_account_dn(pdb_get_username(sampass));
820 return NT_STATUS_INVALID_PARAMETER;
823 princ = talloc_asprintf(talloc_tos(), "%s@%s", pdb_get_username(sampass), lp_realm());
825 return NT_STATUS_NO_MEMORY;
828 domain = pdb_get_domain(sampass);
829 if (domain == NULL) {
830 return NT_STATUS_INVALID_PARAMETER;
833 domain_with_dot = talloc_asprintf(talloc_tos(), "%s.", domain);
834 if (domain_with_dot == NULL) {
835 return NT_STATUS_NO_MEMORY;
838 smbldap_set_mod(&mods, LDAP_MOD_ADD,
839 "objectclass", LDAP_OBJ_KRB_PRINCIPAL);
840 smbldap_set_mod(&mods, LDAP_MOD_ADD,
841 LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
842 smbldap_set_mod(&mods, LDAP_MOD_ADD,
843 "objectclass", LDAP_OBJ_KRB_PRINCIPAL_AUX);
844 smbldap_set_mod(&mods, LDAP_MOD_ADD,
845 "objectclass", "ipaHost");
846 smbldap_set_mod(&mods, LDAP_MOD_ADD,
848 smbldap_set_mod(&mods, LDAP_MOD_ADD,
849 "objectclass", "posixAccount");
850 smbldap_set_mod(&mods, LDAP_MOD_ADD,
851 "cn", pdb_get_username(sampass));
852 smbldap_set_mod(&mods, LDAP_MOD_ADD,
853 "gidNumber", "12345");
854 smbldap_set_mod(&mods, LDAP_MOD_ADD,
855 "homeDirectory", "/dev/null");
856 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain);
857 smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain_with_dot);
859 ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
860 ldap_mods_free(mods, true);
861 if (ret != LDAP_SUCCESS) {
862 DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
863 pdb_get_username(sampass),dn));
864 return NT_STATUS_LDAP(ret);
870 static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
871 struct samu *sampass)
874 struct ldapsam_privates *ldap_state;
876 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
878 status =ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
880 if (!NT_STATUS_IS_OK(status)) {
884 status = ipasam_add_objectclasses(ldap_state, sampass);
885 if (!NT_STATUS_IS_OK(status)) {
889 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
890 status = modify_ipa_password_exop(ldap_state, sampass);
891 if (!NT_STATUS_IS_OK(status)) {
899 static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
900 struct samu *sampass)
903 struct ldapsam_privates *ldap_state;
904 ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
906 status = ldap_state->ipasam_privates->ldapsam_update_sam_account(pdb_methods,
908 if (!NT_STATUS_IS_OK(status)) {
912 if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
913 status = modify_ipa_password_exop(ldap_state, sampass);
914 if (!NT_STATUS_IS_OK(status)) {
922 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
924 struct ldapsam_privates *ldap_state;
927 status = pdb_init_ldapsam(pdb_method, location);
928 if (!NT_STATUS_IS_OK(status)) {
932 (*pdb_method)->name = "IPA_ldapsam";
934 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
935 ldap_state->ipasam_privates = talloc_zero(ldap_state,
936 struct ipasam_privates);
937 if (ldap_state->ipasam_privates == NULL) {
938 return NT_STATUS_NO_MEMORY;
940 ldap_state->is_ipa_ldap = true;
941 ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
942 ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
944 (*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
945 (*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
947 (*pdb_method)->capabilities = pdb_ipasam_capabilities;
948 (*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
950 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
951 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
952 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
953 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
955 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
956 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
957 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
958 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
959 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
964 NTSTATUS pdb_ipa_init(void)
968 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))