2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
49 #define DBGC_CLASS DBGC_PASSDB
55 * Work around versions of the LDAP client libs that don't have the OIDs
56 * defined, or have them defined under the old name.
57 * This functionality is really a factor of the server, not the client
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
81 #define SAM_ACCOUNT struct sam_passwd
84 #define MODIFY_TIMESTAMP_STRING "modifyTimestamp"
88 struct ldapsam_privates {
89 struct smbldap_state *smbldap_state;
96 const char *domain_name;
99 /* configuration items */
103 /**********************************************************************
104 Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
105 **********************************************************************/
107 static void private_data_free_fn(void **result)
109 ldap_msgfree(*result);
113 /**********************************************************************
114 Get the attribute name given a user schame version.
115 **********************************************************************/
117 static const char* get_userattr_key2string( int schema_ver, int key )
119 switch ( schema_ver ) {
120 case SCHEMAVER_SAMBAACCOUNT:
121 return get_attr_key2string( attrib_map_v22, key );
123 case SCHEMAVER_SAMBASAMACCOUNT:
124 return get_attr_key2string( attrib_map_v30, key );
127 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
133 /**********************************************************************
134 Return the list of attribute names given a user schema version.
135 **********************************************************************/
137 static char** get_userattr_list( int schema_ver )
139 switch ( schema_ver ) {
140 case SCHEMAVER_SAMBAACCOUNT:
141 return get_attr_list( attrib_map_v22 );
143 case SCHEMAVER_SAMBASAMACCOUNT:
144 return get_attr_list( attrib_map_v30 );
146 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
153 /*******************************************************************
154 Generate the LDAP search filter for the objectclass based on the
155 version of the schema we are using.
156 ******************************************************************/
158 static const char* get_objclass_filter( int schema_ver )
160 static fstring objclass_filter;
162 switch( schema_ver ) {
163 case SCHEMAVER_SAMBAACCOUNT:
164 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
166 case SCHEMAVER_SAMBASAMACCOUNT:
167 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
170 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
174 return objclass_filter;
177 /*******************************************************************
178 Run the search by name.
179 ******************************************************************/
181 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state,
183 LDAPMessage ** result, char **attr)
186 char *escape_user = escape_ldap_string_alloc(user);
189 return LDAP_NO_MEMORY;
193 * in the filter expression, replace %u with the real name
194 * so in ldap filter, %u MUST exist :-)
196 pstr_sprintf(filter, "(&%s%s)", lp_ldap_filter(),
197 get_objclass_filter(ldap_state->schema_ver));
200 * have to use this here because $ is filtered out
205 all_string_sub(filter, "%u", escape_user, sizeof(pstring));
206 SAFE_FREE(escape_user);
208 return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
211 /*******************************************************************
212 Run the search by rid.
213 ******************************************************************/
215 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
216 uint32 rid, LDAPMessage ** result,
222 pstr_sprintf(filter, "(&(rid=%i)%s)", rid,
223 get_objclass_filter(ldap_state->schema_ver));
225 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
230 /*******************************************************************
231 Run the search by SID.
232 ******************************************************************/
234 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
235 const DOM_SID *sid, LDAPMessage ** result,
242 pstr_sprintf(filter, "(&(%s=%s)%s)",
243 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
244 sid_to_string(sid_string, sid),
245 get_objclass_filter(ldap_state->schema_ver));
247 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
252 /*******************************************************************
253 Delete complete object or objectclass and attrs from
254 object found in search_result depending on lp_ldap_delete_dn
255 ******************************************************************/
257 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
259 const char *objectclass,
263 LDAPMessage *entry = NULL;
264 LDAPMod **mods = NULL;
266 BerElement *ptr = NULL;
268 rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
271 DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
272 return NT_STATUS_UNSUCCESSFUL;
275 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
276 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
278 return NT_STATUS_UNSUCCESSFUL;
281 if (lp_ldap_delete_dn()) {
282 NTSTATUS ret = NT_STATUS_OK;
283 rc = smbldap_delete(ldap_state->smbldap_state, dn);
285 if (rc != LDAP_SUCCESS) {
286 DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn));
287 ret = NT_STATUS_UNSUCCESSFUL;
293 /* Ok, delete only the SAM attributes */
295 for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
297 name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr)) {
300 /* We are only allowed to delete the attributes that
303 for (attrib = attrs; *attrib != NULL; attrib++) {
304 if (StrCaseCmp(*attrib, name) == 0) {
305 DEBUG(10, ("ldapsam_delete_entry: deleting attribute %s\n", name));
306 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL);
317 smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
319 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
320 ldap_mods_free(mods, True);
322 if (rc != LDAP_SUCCESS) {
323 char *ld_error = NULL;
324 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
327 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
328 dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
331 return NT_STATUS_UNSUCCESSFUL;
338 /* New Interface is being implemented here */
340 #if 0 /* JERRY - not uesed anymore */
342 /**********************************************************************
343 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
344 *********************************************************************/
345 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
346 SAM_ACCOUNT * sampass,
355 if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
356 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
360 for (values=ldap_values;*values;values++) {
361 if (strequal(*values, LDAP_OBJ_POSIXACCOUNT )) {
366 if (!*values) { /*end of array, no posixAccount */
367 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
368 ldap_value_free(ldap_values);
371 ldap_value_free(ldap_values);
373 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
374 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) )
379 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
380 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
385 *gid = (gid_t)atol(temp);
387 pdb_set_unix_homedir(sampass, homedir, PDB_SET);
389 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
396 static time_t ldapsam_get_entry_timestamp(
397 struct ldapsam_privates *ldap_state,
403 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct,
404 entry, MODIFY_TIMESTAMP_STRING, temp))
407 strptime(temp, "%Y%m%d%H%M%SZ", &tm);
412 /**********************************************************************
413 Initialize SAM_ACCOUNT from an LDAP query.
414 (Based on init_sam_from_buffer in pdb_tdb.c)
415 *********************************************************************/
417 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
418 SAM_ACCOUNT * sampass,
425 pass_can_change_time,
426 pass_must_change_time,
439 char munged_dial[2048];
441 uint8 smblmpwd[LM_HASH_LEN],
442 smbntpwd[NT_HASH_LEN];
443 uint16 acct_ctrl = 0,
445 uint16 bad_password_count = 0,
448 uint8 hours[MAX_HOURS_LEN];
450 LOGIN_CACHE *cache_entry = NULL;
453 * do a little initialization
457 nt_username[0] = '\0';
461 logon_script[0] = '\0';
462 profile_path[0] = '\0';
464 munged_dial[0] = '\0';
465 workstations[0] = '\0';
468 if (sampass == NULL || ldap_state == NULL || entry == NULL) {
469 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
473 if (ldap_state->smbldap_state->ldap_struct == NULL) {
474 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
478 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
479 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
483 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
485 pstrcpy(nt_username, username);
487 pstrcpy(domain, ldap_state->domain_name);
489 pdb_set_username(sampass, username, PDB_SET);
491 pdb_set_domain(sampass, domain, PDB_DEFAULT);
492 pdb_set_nt_username(sampass, nt_username, PDB_SET);
494 /* deal with different attributes between the schema first */
496 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
497 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
498 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
499 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
502 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
503 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) {
504 pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
506 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
509 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
510 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
511 user_rid = (uint32)atol(temp);
512 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
515 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
516 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) {
517 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
521 group_rid = (uint32)atol(temp);
523 /* for some reason, we often have 0 as a primary group RID.
524 Make sure that we treat this just as a 'default' value */
527 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
529 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
533 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
534 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
535 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
536 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
541 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
542 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
543 /* leave as default */
545 pass_last_set_time = (time_t) atol(temp);
546 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
549 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
550 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
551 /* leave as default */
553 logon_time = (time_t) atol(temp);
554 pdb_set_logon_time(sampass, logon_time, PDB_SET);
557 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
558 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
559 /* leave as default */
561 logoff_time = (time_t) atol(temp);
562 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
565 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
566 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
567 /* leave as default */
569 kickoff_time = (time_t) atol(temp);
570 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
573 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
574 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
575 /* leave as default */
577 pass_can_change_time = (time_t) atol(temp);
578 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
581 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
582 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {
583 /* leave as default */
585 pass_must_change_time = (time_t) atol(temp);
586 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
589 /* recommend that 'gecos' and 'displayName' should refer to the same
590 * attribute OID. userFullName depreciated, only used by Samba
591 * primary rules of LDAP: don't make a new attribute when one is already defined
592 * that fits your needs; using cn then displayName rather than 'userFullName'
595 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
596 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
597 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
598 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
599 /* leave as default */
601 pdb_set_fullname(sampass, fullname, PDB_SET);
604 pdb_set_fullname(sampass, fullname, PDB_SET);
607 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
608 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
610 pdb_set_dir_drive( sampass,
611 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
614 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
617 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
618 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
620 pdb_set_homedir( sampass,
621 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
624 pdb_set_homedir(sampass, homedir, PDB_SET);
627 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
628 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
630 pdb_set_logon_script( sampass,
631 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
634 pdb_set_logon_script(sampass, logon_script, PDB_SET);
637 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
638 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
640 pdb_set_profile_path( sampass,
641 talloc_sub_basic( sampass->mem_ctx, username, lp_logon_path()),
644 pdb_set_profile_path(sampass, profile_path, PDB_SET);
647 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
648 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
650 /* leave as default */
652 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
655 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
656 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
657 /* leave as default */;
659 pdb_set_workstations(sampass, workstations, PDB_SET);
662 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
663 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
664 /* leave as default */;
666 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
669 /* FIXME: hours stuff should be cleaner */
673 memset(hours, 0xff, hours_len);
675 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
676 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
677 /* leave as default */
679 pdb_gethexpwd(temp, smblmpwd);
680 memset((char *)temp, '\0', strlen(temp)+1);
681 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
683 ZERO_STRUCT(smblmpwd);
686 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
687 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
688 /* leave as default */
690 pdb_gethexpwd(temp, smbntpwd);
691 memset((char *)temp, '\0', strlen(temp)+1);
692 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
694 ZERO_STRUCT(smbntpwd);
697 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
698 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
699 acct_ctrl |= ACB_NORMAL;
701 acct_ctrl = pdb_decode_acct_ctrl(temp);
704 acct_ctrl |= ACB_NORMAL;
706 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
709 pdb_set_hours_len(sampass, hours_len, PDB_SET);
710 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
712 /* pdb_set_munged_dial(sampass, munged_dial, PDB_SET); */
714 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
715 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
716 /* leave as default */
718 bad_password_count = (uint32) atol(temp);
719 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
722 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
723 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
724 /* leave as default */
726 bad_password_time = (time_t) atol(temp);
727 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
731 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
732 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
733 /* leave as default */
735 logon_count = (uint32) atol(temp);
736 pdb_set_logon_count(sampass, logon_count, PDB_SET);
739 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
741 pdb_set_hours(sampass, hours, PDB_SET);
743 /* check the timestamp of the cache vs ldap entry */
744 if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
748 /* see if we have newer updates */
749 if (!(cache_entry = login_cache_read(sampass))) {
750 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
751 (unsigned int)pdb_get_bad_password_count(sampass),
752 (unsigned int)pdb_get_bad_password_time(sampass)));
756 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
757 (unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp,
758 (unsigned int)cache_entry->bad_password_time));
760 if (ldap_entry_time > cache_entry->entry_timestamp) {
761 /* cache is older than directory , so
762 we need to delete the entry but allow the
763 fields to be written out */
764 login_cache_delentry(sampass);
767 pdb_set_acct_ctrl(sampass,
768 pdb_get_acct_ctrl(sampass) |
769 (cache_entry->acct_ctrl & ACB_AUTOLOCK),
771 pdb_set_bad_password_count(sampass,
772 cache_entry->bad_password_count,
774 pdb_set_bad_password_time(sampass,
775 cache_entry->bad_password_time,
779 SAFE_FREE(cache_entry);
783 /**********************************************************************
784 Initialize SAM_ACCOUNT from an LDAP query.
785 (Based on init_buffer_from_sam in pdb_tdb.c)
786 *********************************************************************/
788 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
789 LDAPMessage *existing,
790 LDAPMod *** mods, SAM_ACCOUNT * sampass,
791 BOOL (*need_update)(const SAM_ACCOUNT *,
797 if (mods == NULL || sampass == NULL) {
798 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
805 * took out adding "objectclass: sambaAccount"
806 * do this on a per-mod basis
808 if (need_update(sampass, PDB_USERNAME))
809 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
810 "uid", pdb_get_username(sampass));
812 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
814 /* only update the RID if we actually need to */
815 if (need_update(sampass, PDB_USERSID)) {
817 fstring dom_sid_string;
818 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
820 switch ( ldap_state->schema_ver ) {
821 case SCHEMAVER_SAMBAACCOUNT:
822 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
823 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
824 sid_to_string(sid_string, user_sid),
825 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
828 slprintf(temp, sizeof(temp) - 1, "%i", rid);
829 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
830 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
834 case SCHEMAVER_SAMBASAMACCOUNT:
835 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
836 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
837 sid_to_string(sid_string, user_sid));
841 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
846 /* we don't need to store the primary group RID - so leaving it
847 'free' to hang off the unix primary group makes life easier */
849 if (need_update(sampass, PDB_GROUPSID)) {
851 fstring dom_sid_string;
852 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
854 switch ( ldap_state->schema_ver ) {
855 case SCHEMAVER_SAMBAACCOUNT:
856 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
857 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
858 sid_to_string(sid_string, group_sid),
859 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
863 slprintf(temp, sizeof(temp) - 1, "%i", rid);
864 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
865 get_userattr_key2string(ldap_state->schema_ver,
866 LDAP_ATTR_PRIMARY_GROUP_RID), temp);
869 case SCHEMAVER_SAMBASAMACCOUNT:
870 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
871 get_userattr_key2string(ldap_state->schema_ver,
872 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
876 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
882 /* displayName, cn, and gecos should all be the same
883 * most easily accomplished by giving them the same OID
884 * gecos isn't set here b/c it should be handled by the
886 * We change displayName only and fall back to cn if
890 if (need_update(sampass, PDB_FULLNAME))
891 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
892 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
893 pdb_get_fullname(sampass));
895 if (need_update(sampass, PDB_ACCTDESC))
896 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
897 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
898 pdb_get_acct_desc(sampass));
900 if (need_update(sampass, PDB_WORKSTATIONS))
901 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
902 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
903 pdb_get_workstations(sampass));
905 if (need_update(sampass, PDB_MUNGEDDIAL))
906 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
907 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
908 pdb_get_munged_dial(sampass));
910 if (need_update(sampass, PDB_SMBHOME))
911 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
912 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
913 pdb_get_homedir(sampass));
915 if (need_update(sampass, PDB_DRIVE))
916 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
917 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
918 pdb_get_dir_drive(sampass));
920 if (need_update(sampass, PDB_LOGONSCRIPT))
921 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
922 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
923 pdb_get_logon_script(sampass));
925 if (need_update(sampass, PDB_PROFILE))
926 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
927 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
928 pdb_get_profile_path(sampass));
930 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
931 if (need_update(sampass, PDB_LOGONTIME))
932 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
933 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
935 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
936 if (need_update(sampass, PDB_LOGOFFTIME))
937 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
938 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
940 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
941 if (need_update(sampass, PDB_KICKOFFTIME))
942 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
943 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
945 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
946 if (need_update(sampass, PDB_CANCHANGETIME))
947 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
948 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
950 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
951 if (need_update(sampass, PDB_MUSTCHANGETIME))
952 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
953 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
956 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
957 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
959 if (need_update(sampass, PDB_LMPASSWD)) {
960 const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
962 pdb_sethexpwd(temp, lm_pw,
963 pdb_get_acct_ctrl(sampass));
964 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
965 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
968 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
969 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
973 if (need_update(sampass, PDB_NTPASSWD)) {
974 const uchar *nt_pw = pdb_get_nt_passwd(sampass);
976 pdb_sethexpwd(temp, nt_pw,
977 pdb_get_acct_ctrl(sampass));
978 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
979 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
982 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
983 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
988 if (need_update(sampass, PDB_PASSLASTSET)) {
989 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
990 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
991 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
996 /* FIXME: Hours stuff goes in LDAP */
998 if (need_update(sampass, PDB_ACCTCTRL))
999 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1000 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1001 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1003 /* password lockout cache:
1004 - If we are now autolocking or clearing, we write to ldap
1005 - If we are clearing, we delete the cache entry
1006 - If the count is > 0, we update the cache
1008 This even means when autolocking, we cache, just in case the
1009 update doesn't work, and we have to cache the autolock flag */
1011 if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
1012 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1013 uint16 badcount = pdb_get_bad_password_count(sampass);
1014 time_t badtime = pdb_get_bad_password_time(sampass);
1016 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1018 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1019 (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1021 if ((badcount >= pol) || (badcount == 0)) {
1022 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1023 (unsigned int)badcount, (unsigned int)badtime));
1024 slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
1026 ldap_state->smbldap_state->ldap_struct,
1028 get_userattr_key2string(
1029 ldap_state->schema_ver,
1030 LDAP_ATTR_BAD_PASSWORD_COUNT),
1033 slprintf (temp, sizeof (temp) - 1, "%li", badtime);
1035 ldap_state->smbldap_state->ldap_struct,
1037 get_userattr_key2string(
1038 ldap_state->schema_ver,
1039 LDAP_ATTR_BAD_PASSWORD_TIME),
1042 if (badcount == 0) {
1043 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1044 login_cache_delentry(sampass);
1046 LOGIN_CACHE cache_entry ={time(NULL),
1047 pdb_get_acct_ctrl(sampass),
1049 DEBUG(7, ("Updating bad password count and time in login cache\n"));
1050 login_cache_write(sampass, cache_entry);
1057 /**********************************************************************
1058 Connect to LDAP server for password enumeration.
1059 *********************************************************************/
1061 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
1063 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1068 pstr_sprintf( filter, "(&%s%s)", lp_ldap_filter(),
1069 get_objclass_filter(ldap_state->schema_ver));
1070 all_string_sub(filter, "%u", "*", sizeof(pstring));
1072 attr_list = get_userattr_list(ldap_state->schema_ver);
1073 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
1074 attr_list, &ldap_state->result);
1075 free_attr_list( attr_list );
1077 if (rc != LDAP_SUCCESS) {
1078 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
1079 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", lp_ldap_suffix(), filter));
1080 ldap_msgfree(ldap_state->result);
1081 ldap_state->result = NULL;
1082 return NT_STATUS_UNSUCCESSFUL;
1085 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1086 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
1087 ldap_state->result)));
1089 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
1090 ldap_state->result);
1091 ldap_state->index = 0;
1093 return NT_STATUS_OK;
1096 /**********************************************************************
1097 End enumeration of the LDAP password list.
1098 *********************************************************************/
1100 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1102 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1103 if (ldap_state->result) {
1104 ldap_msgfree(ldap_state->result);
1105 ldap_state->result = NULL;
1109 /**********************************************************************
1110 Get the next entry in the LDAP password database.
1111 *********************************************************************/
1113 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
1115 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1116 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1120 if (!ldap_state->entry)
1123 ldap_state->index++;
1124 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
1126 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
1130 return NT_STATUS_OK;
1133 /**********************************************************************
1134 Get SAM_ACCOUNT entry from LDAP by username.
1135 *********************************************************************/
1137 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
1139 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1140 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1141 LDAPMessage *result = NULL;
1142 LDAPMessage *entry = NULL;
1147 attr_list = get_userattr_list( ldap_state->schema_ver );
1148 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1149 free_attr_list( attr_list );
1151 if ( rc != LDAP_SUCCESS )
1152 return NT_STATUS_NO_SUCH_USER;
1154 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1157 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1158 ldap_msgfree(result);
1159 return NT_STATUS_NO_SUCH_USER;
1160 } else if (count > 1) {
1161 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1162 ldap_msgfree(result);
1163 return NT_STATUS_NO_SUCH_USER;
1166 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1168 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1169 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1170 ldap_msgfree(result);
1171 return NT_STATUS_NO_SUCH_USER;
1173 pdb_set_backend_private_data(user, result,
1174 private_data_free_fn,
1175 my_methods, PDB_CHANGED);
1178 ldap_msgfree(result);
1183 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1184 const DOM_SID *sid, LDAPMessage **result)
1190 switch ( ldap_state->schema_ver ) {
1191 case SCHEMAVER_SAMBASAMACCOUNT:
1192 attr_list = get_userattr_list(ldap_state->schema_ver);
1193 rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
1194 free_attr_list( attr_list );
1196 if ( rc != LDAP_SUCCESS )
1200 case SCHEMAVER_SAMBAACCOUNT:
1201 if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1205 attr_list = get_userattr_list(ldap_state->schema_ver);
1206 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1207 free_attr_list( attr_list );
1209 if ( rc != LDAP_SUCCESS )
1216 /**********************************************************************
1217 Get SAM_ACCOUNT entry from LDAP by SID.
1218 *********************************************************************/
1220 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
1222 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1223 LDAPMessage *result = NULL;
1224 LDAPMessage *entry = NULL;
1229 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1231 if (rc != LDAP_SUCCESS)
1232 return NT_STATUS_NO_SUCH_USER;
1234 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1237 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
1239 ldap_msgfree(result);
1240 return NT_STATUS_NO_SUCH_USER;
1241 } else if (count > 1) {
1242 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
1244 ldap_msgfree(result);
1245 return NT_STATUS_NO_SUCH_USER;
1248 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1250 ldap_msgfree(result);
1251 return NT_STATUS_NO_SUCH_USER;
1254 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1255 DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1256 ldap_msgfree(result);
1257 return NT_STATUS_NO_SUCH_USER;
1260 pdb_set_backend_private_data(user, result,
1261 private_data_free_fn,
1262 my_methods, PDB_CHANGED);
1263 return NT_STATUS_OK;
1266 /********************************************************************
1267 Do the actual modification - also change a plaintext passord if
1269 **********************************************************************/
1271 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1272 SAM_ACCOUNT *newpwd, char *dn,
1273 LDAPMod **mods, int ldap_op,
1274 BOOL (*need_update)(const SAM_ACCOUNT *, enum pdb_elements))
1276 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1279 if (!my_methods || !newpwd || !dn) {
1280 return NT_STATUS_INVALID_PARAMETER;
1284 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1285 /* may be password change below however */
1289 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1292 rc = smbldap_add(ldap_state->smbldap_state,
1295 case LDAP_MOD_REPLACE:
1296 rc = smbldap_modify(ldap_state->smbldap_state,
1300 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1302 return NT_STATUS_INVALID_PARAMETER;
1305 if (rc!=LDAP_SUCCESS) {
1306 char *ld_error = NULL;
1307 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1309 DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
1310 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
1311 dn, ldap_err2string(rc),
1312 ld_error?ld_error:"unknown"));
1313 SAFE_FREE(ld_error);
1314 return NT_STATUS_UNSUCCESSFUL;
1318 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1319 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1320 need_update(newpwd, PDB_PLAINTEXT_PW) &&
1321 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1325 struct berval *retdata;
1326 char *utf8_password;
1329 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1330 return NT_STATUS_NO_MEMORY;
1333 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1334 return NT_STATUS_NO_MEMORY;
1337 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1338 DEBUG(0,("ber_alloc_t returns NULL\n"));
1339 SAFE_FREE(utf8_password);
1340 return NT_STATUS_UNSUCCESSFUL;
1343 ber_printf (ber, "{");
1344 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1345 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1346 ber_printf (ber, "N}");
1348 if ((rc = ber_flatten (ber, &bv))<0) {
1349 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1352 SAFE_FREE(utf8_password);
1353 return NT_STATUS_UNSUCCESSFUL;
1357 SAFE_FREE(utf8_password);
1360 if ((rc = smbldap_extended_operation(ldap_state->smbldap_state,
1361 LDAP_EXOP_MODIFY_PASSWD,
1362 bv, NULL, NULL, &retoid,
1363 &retdata)) != LDAP_SUCCESS) {
1364 char *ld_error = NULL;
1365 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1367 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1368 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1369 SAFE_FREE(ld_error);
1371 return NT_STATUS_UNSUCCESSFUL;
1373 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1374 #ifdef DEBUG_PASSWORD
1375 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1377 ber_bvfree(retdata);
1378 ber_memfree(retoid);
1382 return NT_STATUS_OK;
1385 /**********************************************************************
1386 Delete entry from LDAP for username.
1387 *********************************************************************/
1389 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
1391 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1394 LDAPMessage *result = NULL;
1400 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1401 return NT_STATUS_INVALID_PARAMETER;
1404 sname = pdb_get_username(sam_acct);
1406 DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname));
1408 attr_list= get_userattr_list( ldap_state->schema_ver );
1409 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1411 if (rc != LDAP_SUCCESS) {
1412 free_attr_list( attr_list );
1413 return NT_STATUS_NO_SUCH_USER;
1416 switch ( ldap_state->schema_ver ) {
1417 case SCHEMAVER_SAMBASAMACCOUNT:
1418 fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
1421 case SCHEMAVER_SAMBAACCOUNT:
1422 fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
1425 fstrcpy( objclass, "UNKNOWN" );
1426 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1430 ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
1431 ldap_msgfree(result);
1432 free_attr_list( attr_list );
1437 /**********************************************************************
1438 Helper function to determine for update_sam_account whether
1439 we need LDAP modification.
1440 *********************************************************************/
1442 static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
1443 enum pdb_elements element)
1445 return IS_SAM_CHANGED(sampass, element);
1448 /**********************************************************************
1450 *********************************************************************/
1452 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1454 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1455 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1458 LDAPMessage *result = NULL;
1459 LDAPMessage *entry = NULL;
1460 LDAPMod **mods = NULL;
1463 result = pdb_get_backend_private_data(newpwd, my_methods);
1465 attr_list = get_userattr_list(ldap_state->schema_ver);
1466 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1467 free_attr_list( attr_list );
1468 if (rc != LDAP_SUCCESS) {
1469 return NT_STATUS_UNSUCCESSFUL;
1471 pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
1474 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1475 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1476 return NT_STATUS_UNSUCCESSFUL;
1479 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1480 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1482 return NT_STATUS_UNSUCCESSFUL;
1485 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1487 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1488 element_is_changed)) {
1489 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1492 ldap_mods_free(mods,True);
1493 return NT_STATUS_UNSUCCESSFUL;
1497 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1498 pdb_get_username(newpwd)));
1500 return NT_STATUS_OK;
1503 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1504 ldap_mods_free(mods,True);
1507 if (!NT_STATUS_IS_OK(ret)) {
1508 char *ld_error = NULL;
1509 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1511 DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
1512 pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
1513 SAFE_FREE(ld_error);
1517 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1518 pdb_get_username(newpwd)));
1519 return NT_STATUS_OK;
1522 /**********************************************************************
1523 Helper function to determine for update_sam_account whether
1524 we need LDAP modification.
1525 *********************************************************************/
1527 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
1528 enum pdb_elements element)
1530 return (IS_SAM_SET(sampass, element) ||
1531 IS_SAM_CHANGED(sampass, element));
1534 /**********************************************************************
1535 Add SAM_ACCOUNT to LDAP.
1536 *********************************************************************/
1538 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1540 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1541 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1543 LDAPMessage *result = NULL;
1544 LDAPMessage *entry = NULL;
1546 LDAPMod **mods = NULL;
1547 int ldap_op = LDAP_MOD_REPLACE;
1551 const char *username = pdb_get_username(newpwd);
1552 const DOM_SID *sid = pdb_get_user_sid(newpwd);
1556 if (!username || !*username) {
1557 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1558 return NT_STATUS_INVALID_PARAMETER;
1561 /* free this list after the second search or in case we exit on failure */
1562 attr_list = get_userattr_list(ldap_state->schema_ver);
1564 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
1566 if (rc != LDAP_SUCCESS) {
1567 free_attr_list( attr_list );
1568 return NT_STATUS_UNSUCCESSFUL;
1571 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1572 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
1574 ldap_msgfree(result);
1575 free_attr_list( attr_list );
1576 return NT_STATUS_UNSUCCESSFUL;
1578 ldap_msgfree(result);
1581 if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
1582 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1584 if (rc == LDAP_SUCCESS) {
1585 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1586 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
1587 sid_to_string(sid_string, sid)));
1588 free_attr_list( attr_list );
1589 ldap_msgfree(result);
1590 return NT_STATUS_UNSUCCESSFUL;
1592 ldap_msgfree(result);
1596 /* does the entry already exist but without a samba attributes?
1597 we need to return the samba attributes here */
1599 escape_user = escape_ldap_string_alloc( username );
1600 pstrcpy( filter, lp_ldap_filter() );
1601 all_string_sub( filter, "%u", escape_user, sizeof(filter) );
1602 SAFE_FREE( escape_user );
1604 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1605 filter, attr_list, &result);
1606 if ( rc != LDAP_SUCCESS ) {
1607 free_attr_list( attr_list );
1608 return NT_STATUS_UNSUCCESSFUL;
1611 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1613 if (num_result > 1) {
1614 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1615 free_attr_list( attr_list );
1616 ldap_msgfree(result);
1617 return NT_STATUS_UNSUCCESSFUL;
1620 /* Check if we need to update an existing entry */
1621 if (num_result == 1) {
1624 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1625 ldap_op = LDAP_MOD_REPLACE;
1626 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1627 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1629 free_attr_list( attr_list );
1630 ldap_msgfree(result);
1631 return NT_STATUS_UNSUCCESSFUL;
1633 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1636 } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
1638 /* There might be a SID for this account already - say an idmap entry */
1640 pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
1641 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1642 sid_to_string(sid_string, sid),
1643 LDAP_OBJ_IDMAP_ENTRY,
1644 LDAP_OBJ_SID_ENTRY);
1646 /* free old result before doing a new search */
1647 if (result != NULL) {
1648 ldap_msgfree(result);
1651 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1652 filter, attr_list, &result);
1654 if ( rc != LDAP_SUCCESS ) {
1655 free_attr_list( attr_list );
1656 return NT_STATUS_UNSUCCESSFUL;
1659 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1661 if (num_result > 1) {
1662 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1663 free_attr_list( attr_list );
1664 ldap_msgfree(result);
1665 return NT_STATUS_UNSUCCESSFUL;
1668 /* Check if we need to update an existing entry */
1669 if (num_result == 1) {
1672 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1673 ldap_op = LDAP_MOD_REPLACE;
1674 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1675 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1677 free_attr_list( attr_list );
1678 ldap_msgfree(result);
1679 return NT_STATUS_UNSUCCESSFUL;
1681 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1686 free_attr_list( attr_list );
1688 if (num_result == 0) {
1689 /* Check if we need to add an entry */
1690 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
1691 ldap_op = LDAP_MOD_ADD;
1692 if (username[strlen(username)-1] == '$') {
1693 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
1695 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
1699 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1700 element_is_set_or_changed)) {
1701 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1702 ldap_msgfree(result);
1704 ldap_mods_free(mods,True);
1705 return NT_STATUS_UNSUCCESSFUL;
1708 ldap_msgfree(result);
1711 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
1712 return NT_STATUS_UNSUCCESSFUL;
1714 switch ( ldap_state->schema_ver ) {
1715 case SCHEMAVER_SAMBAACCOUNT:
1716 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
1718 case SCHEMAVER_SAMBASAMACCOUNT:
1719 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
1722 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
1726 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
1727 if (!NT_STATUS_IS_OK(ret)) {
1728 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
1729 pdb_get_username(newpwd),dn));
1730 ldap_mods_free(mods, True);
1734 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
1735 ldap_mods_free(mods, True);
1737 return NT_STATUS_OK;
1740 /**********************************************************************
1741 *********************************************************************/
1743 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
1745 LDAPMessage ** result)
1747 int scope = LDAP_SCOPE_SUBTREE;
1751 attr_list = get_attr_list(groupmap_attr_list);
1752 rc = smbldap_search(ldap_state->smbldap_state,
1753 lp_ldap_group_suffix (), scope,
1754 filter, attr_list, 0, result);
1755 free_attr_list( attr_list );
1757 if (rc != LDAP_SUCCESS) {
1758 char *ld_error = NULL;
1759 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1761 DEBUG(0, ("ldapsam_search_one_group: "
1762 "Problem during the LDAP search: LDAP error: %s (%s)\n",
1763 ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
1764 DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
1765 lp_ldap_group_suffix(), filter));
1766 SAFE_FREE(ld_error);
1772 /**********************************************************************
1773 *********************************************************************/
1775 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
1776 GROUP_MAP *map, LDAPMessage *entry)
1780 if (ldap_state == NULL || map == NULL || entry == NULL ||
1781 ldap_state->smbldap_state->ldap_struct == NULL) {
1782 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
1786 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1787 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
1788 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1789 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
1792 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
1794 map->gid = (gid_t)atol(temp);
1796 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1797 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
1798 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1799 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
1803 if (!string_to_sid(&map->sid, temp)) {
1804 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
1808 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1809 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
1810 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
1811 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
1814 map->sid_name_use = (enum SID_NAME_USE)atol(temp);
1816 if ((map->sid_name_use < SID_NAME_USER) ||
1817 (map->sid_name_use > SID_NAME_UNKNOWN)) {
1818 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
1822 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1823 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
1825 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1826 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
1828 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
1829 for gidNumber(%lu)\n",(unsigned long)map->gid));
1833 fstrcpy(map->nt_name, temp);
1835 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
1836 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
1839 fstrcpy(map->comment, temp);
1844 /**********************************************************************
1845 *********************************************************************/
1847 static BOOL init_ldap_from_group(LDAP *ldap_struct,
1848 LDAPMessage *existing,
1850 const GROUP_MAP *map)
1854 if (mods == NULL || map == NULL) {
1855 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
1861 sid_to_string(tmp, &map->sid);
1863 smbldap_make_mod(ldap_struct, existing, mods,
1864 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
1865 pstr_sprintf(tmp, "%i", map->sid_name_use);
1866 smbldap_make_mod(ldap_struct, existing, mods,
1867 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
1869 smbldap_make_mod(ldap_struct, existing, mods,
1870 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
1871 smbldap_make_mod(ldap_struct, existing, mods,
1872 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
1877 /**********************************************************************
1878 *********************************************************************/
1880 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
1884 struct ldapsam_privates *ldap_state =
1885 (struct ldapsam_privates *)methods->private_data;
1886 LDAPMessage *result = NULL;
1887 LDAPMessage *entry = NULL;
1890 if (ldapsam_search_one_group(ldap_state, filter, &result)
1892 return NT_STATUS_NO_SUCH_GROUP;
1895 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1898 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
1899 ldap_msgfree(result);
1900 return NT_STATUS_NO_SUCH_GROUP;
1904 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
1906 ldap_msgfree(result);
1907 return NT_STATUS_NO_SUCH_GROUP;
1910 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1913 ldap_msgfree(result);
1914 return NT_STATUS_UNSUCCESSFUL;
1917 if (!init_group_from_ldap(ldap_state, map, entry)) {
1918 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
1920 ldap_msgfree(result);
1921 return NT_STATUS_NO_SUCH_GROUP;
1924 ldap_msgfree(result);
1925 return NT_STATUS_OK;
1928 /**********************************************************************
1929 *********************************************************************/
1931 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
1936 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
1938 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
1939 sid_string_static(&sid));
1941 return ldapsam_getgroup(methods, filter, map);
1944 /**********************************************************************
1945 *********************************************************************/
1947 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
1952 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
1954 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
1955 (unsigned long)gid);
1957 return ldapsam_getgroup(methods, filter, map);
1960 /**********************************************************************
1961 *********************************************************************/
1963 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
1967 char *escape_name = escape_ldap_string_alloc(name);
1970 return NT_STATUS_NO_MEMORY;
1973 pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
1975 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
1976 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
1978 SAFE_FREE(escape_name);
1980 return ldapsam_getgroup(methods, filter, map);
1983 /**********************************************************************
1984 *********************************************************************/
1986 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
1988 LDAPMessage **result)
1992 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
1993 LDAP_OBJ_POSIXGROUP,
1994 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
1995 (unsigned long)gid);
1997 return ldapsam_search_one_group(ldap_state, filter, result);
2000 /**********************************************************************
2001 *********************************************************************/
2003 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
2006 struct ldapsam_privates *ldap_state =
2007 (struct ldapsam_privates *)methods->private_data;
2008 LDAPMessage *result = NULL;
2009 LDAPMod **mods = NULL;
2020 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
2022 DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map->gid));
2023 return NT_STATUS_UNSUCCESSFUL;
2026 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2027 if (rc != LDAP_SUCCESS) {
2028 ldap_msgfree(result);
2029 return NT_STATUS_UNSUCCESSFUL;
2032 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2035 ldap_msgfree(result);
2036 return NT_STATUS_UNSUCCESSFUL;
2040 DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
2041 (unsigned long)map->gid));
2042 ldap_msgfree(result);
2043 return NT_STATUS_UNSUCCESSFUL;
2046 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2047 tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2049 ldap_msgfree(result);
2050 return NT_STATUS_UNSUCCESSFUL;
2055 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2056 result, &mods, map)) {
2057 DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
2058 ldap_mods_free(mods, True);
2059 ldap_msgfree(result);
2060 return NT_STATUS_UNSUCCESSFUL;
2063 ldap_msgfree(result);
2066 DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
2067 return NT_STATUS_UNSUCCESSFUL;
2070 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
2072 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2073 ldap_mods_free(mods, True);
2075 if (rc != LDAP_SUCCESS) {
2076 char *ld_error = NULL;
2077 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2079 DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map->gid,
2080 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2081 SAFE_FREE(ld_error);
2082 return NT_STATUS_UNSUCCESSFUL;
2085 DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2086 return NT_STATUS_OK;
2089 /**********************************************************************
2090 *********************************************************************/
2092 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
2095 struct ldapsam_privates *ldap_state =
2096 (struct ldapsam_privates *)methods->private_data;
2099 LDAPMessage *result = NULL;
2100 LDAPMessage *entry = NULL;
2101 LDAPMod **mods = NULL;
2103 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2105 if (rc != LDAP_SUCCESS) {
2106 return NT_STATUS_UNSUCCESSFUL;
2109 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
2110 DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
2111 ldap_msgfree(result);
2112 return NT_STATUS_UNSUCCESSFUL;
2115 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2117 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2118 result, &mods, map)) {
2119 DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
2120 ldap_msgfree(result);
2122 ldap_mods_free(mods,True);
2123 return NT_STATUS_UNSUCCESSFUL;
2127 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
2128 ldap_msgfree(result);
2129 return NT_STATUS_OK;
2132 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2134 ldap_msgfree(result);
2135 return NT_STATUS_UNSUCCESSFUL;
2137 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2140 ldap_mods_free(mods, True);
2141 ldap_msgfree(result);
2143 if (rc != LDAP_SUCCESS) {
2144 char *ld_error = NULL;
2145 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2147 DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map->gid,
2148 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2149 SAFE_FREE(ld_error);
2150 return NT_STATUS_UNSUCCESSFUL;
2153 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2154 return NT_STATUS_OK;
2157 /**********************************************************************
2158 *********************************************************************/
2160 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
2163 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
2164 pstring sidstring, filter;
2165 LDAPMessage *result = NULL;
2170 sid_to_string(sidstring, &sid);
2172 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
2173 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
2175 rc = ldapsam_search_one_group(ldap_state, filter, &result);
2177 if (rc != LDAP_SUCCESS) {
2178 return NT_STATUS_NO_SUCH_GROUP;
2181 attr_list = get_attr_list( groupmap_attr_list_to_delete );
2182 ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
2183 free_attr_list ( attr_list );
2185 ldap_msgfree(result);
2190 /**********************************************************************
2191 *********************************************************************/
2193 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
2195 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2200 pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
2201 attr_list = get_attr_list( groupmap_attr_list );
2202 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2203 LDAP_SCOPE_SUBTREE, filter,
2204 attr_list, 0, &ldap_state->result);
2205 free_attr_list( attr_list );
2207 if (rc != LDAP_SUCCESS) {
2208 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc)));
2209 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
2210 ldap_msgfree(ldap_state->result);
2211 ldap_state->result = NULL;
2212 return NT_STATUS_UNSUCCESSFUL;
2215 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
2216 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2217 ldap_state->result)));
2219 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2220 ldap_state->index = 0;
2222 return NT_STATUS_OK;
2225 /**********************************************************************
2226 *********************************************************************/
2228 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
2230 ldapsam_endsampwent(my_methods);
2233 /**********************************************************************
2234 *********************************************************************/
2236 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
2239 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2240 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2244 if (!ldap_state->entry)
2247 ldap_state->index++;
2248 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
2250 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
2254 return NT_STATUS_OK;
2257 /**********************************************************************
2258 *********************************************************************/
2260 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
2261 enum SID_NAME_USE sid_name_use,
2262 GROUP_MAP **rmap, int *num_entries,
2272 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
2273 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
2274 return NT_STATUS_ACCESS_DENIED;
2277 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
2278 if (sid_name_use != SID_NAME_UNKNOWN &&
2279 sid_name_use != map.sid_name_use) {
2280 DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
2283 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
2284 DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map.nt_name));
2288 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
2290 DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
2292 return NT_STATUS_UNSUCCESSFUL;
2297 mapt[entries] = map;
2302 ldapsam_endsamgrent(methods);
2304 *num_entries = entries;
2306 return NT_STATUS_OK;
2309 /**********************************************************************
2311 *********************************************************************/
2313 static void free_private_data(void **vp)
2315 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
2317 smbldap_free_struct(&(*ldap_state)->smbldap_state);
2319 if ((*ldap_state)->result != NULL) {
2320 ldap_msgfree((*ldap_state)->result);
2321 (*ldap_state)->result = NULL;
2326 /* No need to free any further, as it is talloc()ed */
2329 /**********************************************************************
2330 Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
2331 *********************************************************************/
2333 static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
2334 const char *location)
2337 struct ldapsam_privates *ldap_state;
2339 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
2343 (*pdb_method)->name = "ldapsam";
2345 (*pdb_method)->setsampwent = ldapsam_setsampwent;
2346 (*pdb_method)->endsampwent = ldapsam_endsampwent;
2347 (*pdb_method)->getsampwent = ldapsam_getsampwent;
2348 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
2349 (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
2350 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
2351 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
2352 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
2354 (*pdb_method)->getgrsid = ldapsam_getgrsid;
2355 (*pdb_method)->getgrgid = ldapsam_getgrgid;
2356 (*pdb_method)->getgrnam = ldapsam_getgrnam;
2357 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
2358 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
2359 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
2360 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
2362 /* TODO: Setup private data and free */
2364 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(*ldap_state));
2366 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
2367 return NT_STATUS_NO_MEMORY;
2370 if (!NT_STATUS_IS_OK(nt_status =
2371 smbldap_init(pdb_context->mem_ctx, location,
2372 &ldap_state->smbldap_state)));
2374 ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
2375 if (!ldap_state->domain_name) {
2376 return NT_STATUS_NO_MEMORY;
2379 (*pdb_method)->private_data = ldap_state;
2381 (*pdb_method)->free_private_data = free_private_data;
2383 return NT_STATUS_OK;
2386 /**********************************************************************
2387 Initialise the 'compat' mode for pdb_ldap
2388 *********************************************************************/
2390 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2393 struct ldapsam_privates *ldap_state;
2395 #ifdef WITH_LDAP_SAMCONFIG
2397 int ldap_port = lp_ldap_port();
2399 /* remap default port if not using SSL (ie clear or TLS) */
2400 if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
2404 location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
2406 return NT_STATUS_NO_MEMORY;
2411 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2415 (*pdb_method)->name = "ldapsam_compat";
2417 ldap_state = (*pdb_method)->private_data;
2418 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
2420 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2422 return NT_STATUS_OK;
2425 /**********************************************************************
2426 Initialise the normal mode for pdb_ldap
2427 *********************************************************************/
2429 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2432 struct ldapsam_privates *ldap_state;
2433 uint32 alg_rid_base;
2434 pstring alg_rid_base_string;
2435 LDAPMessage *result = NULL;
2436 LDAPMessage *entry = NULL;
2437 DOM_SID ldap_domain_sid;
2438 DOM_SID secrets_domain_sid;
2439 pstring domain_sid_string;
2441 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2445 (*pdb_method)->name = "ldapsam";
2447 ldap_state = (*pdb_method)->private_data;
2448 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
2450 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
2452 nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result,
2453 ldap_state->domain_name, True);
2455 if ( !NT_STATUS_IS_OK(nt_status) ) {
2456 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n"));
2457 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, \
2458 and will risk BDCs having inconsistant SIDs\n"));
2459 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2460 return NT_STATUS_OK;
2463 /* Given that the above might fail, everything below this must be optional */
2465 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2467 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info entry\n"));
2468 ldap_msgfree(result);
2469 return NT_STATUS_UNSUCCESSFUL;
2472 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2473 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2474 domain_sid_string)) {
2476 if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
2477 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be read as a valid SID\n", domain_sid_string));
2478 return NT_STATUS_INVALID_PARAMETER;
2480 found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid);
2481 if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) {
2482 fstring new_sid_str, old_sid_str;
2483 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n",
2484 ldap_state->domain_name,
2485 sid_to_string(old_sid_str, &secrets_domain_sid),
2486 sid_to_string(new_sid_str, &ldap_domain_sid)));
2488 /* reset secrets.tdb sid */
2489 secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid);
2490 DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str, get_global_sam_sid())));
2492 sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
2495 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2496 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ALGORITHMIC_RID_BASE),
2497 alg_rid_base_string)) {
2498 alg_rid_base = (uint32)atol(alg_rid_base_string);
2499 if (alg_rid_base != algorithmic_rid_base()) {
2500 DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
2501 "database was initialised. Aborting. \n"));
2502 ldap_msgfree(result);
2503 return NT_STATUS_UNSUCCESSFUL;
2506 ldap_msgfree(result);
2508 return NT_STATUS_OK;
2511 NTSTATUS pdb_ldap_init(void)
2514 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
2517 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
2520 return NT_STATUS_OK;
git.samba.org / vlendec / samba-autobuild / .git / blob