port latest changes from SAMBA_3_0 tree

[kai/samba.git] / source3 / passdb / pdb_ldap.c
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c

index ecca633d2f492dcdf8e1afa7ca30b9564d6c1f37..aee6495759308a362026277c5ef6794c9bd6b3e4 100644 (file)
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -1,12 +1,11 @@
  /* 
-   Unix SMB/CIFS implementation.
+   Unix SMB/CIFS mplementation.
     LDAP protocol helper functions for SAMBA
     Copyright (C) Jean François Micouleau       1998
-   Copyright (C) Gerald Carter                 2001
+   Copyright (C) Gerald Carter                 2001-2003
     Copyright (C) Shahms King                   2001
-   Copyright (C) Andrew Bartlett               2002
+   Copyright (C) Andrew Bartlett               2002-2003
     Copyright (C) Stefan (metze) Metzmacher     2002
-   Copyright (C) Jim McDonough                  2003
      
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -24,11 +23,6 @@
     
  */
  
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_PASSDB
-
  /* TODO:
  *  persistent connections: if using NSS LDAP, many connections are made
  *      however, using only one within Samba would be nice
@@ -49,61 +43,143 @@
  *  and/or winbind
  */
  
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
  #include <lber.h>
  #include <ldap.h>
  
-#include "smb_ldap.h"
+/*
+ * Work around versions of the LDAP client libs that don't have the OIDs
+ * defined, or have them defined under the old name.  
+ * This functionality is really a factor of the server, not the client 
+ *
+ */
+
+#if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
+#define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
+#elif !defined(LDAP_EXOP_MODIFY_PASSWD)
+#define "1.3.6.1.4.1.4203.1.11.1"
+#endif
+
+#if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
+#elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID        ((ber_tag_t) 0x80U)
+#endif
+
+#if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
+#elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
+#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW       ((ber_tag_t) 0x82U)
+#endif
+
  
  #ifndef SAM_ACCOUNT
  #define SAM_ACCOUNT struct sam_passwd
  #endif
  
-static uint32 ldapsam_get_next_available_nua_rid(struct smb_ldap_privates *ldap_state);
-
-static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
-                            "logoffTime", "kickoffTime", "cn",
-                            "pwdCanChange", "pwdMustChange",
-                            "displayName", "homeDrive",
-                            "smbHome", "scriptPath",
-                            "profilePath", "description",
-                            "userWorkstations", "rid",
-                            "primaryGroupID", "lmPassword",
-                            "ntPassword", "acctFlags",
-                            "domain", "objectClass", 
-                            "uidNumber", "gidNumber", 
-                            "homeDirectory", NULL };
+#include "smbldap.h"
  
-/*******************************************************************
- run the search by name.
-******************************************************************/
-static int ldapsam_search_one_user (struct smb_ldap_privates *ldap_state, const char *filter, LDAPMessage ** result)
+struct ldapsam_privates {
+       struct smbldap_state *smbldap_state;
+
+       /* Former statics */
+       LDAPMessage *result;
+       LDAPMessage *entry;
+       int index;
+       
+       const char *domain_name;
+       DOM_SID domain_sid;
+       
+       /* configuration items */
+       int schema_ver;
+};
+
+/**********************************************************************
+ Free a LDAPMessage (one is stored on the SAM_ACCOUNT)
+ **********************************************************************/
+ 
+static void private_data_free_fn(void **result) 
  {
-       int scope = LDAP_SCOPE_SUBTREE;
-       int rc;
+       ldap_msgfree(*result);
+       *result = NULL;
+}
  
-       DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
+/**********************************************************************
+ get the attribute name given a user schame version 
+ **********************************************************************/
+ 
+static const char* get_userattr_key2string( int schema_ver, int key )
+{
+       switch ( schema_ver )
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       return get_attr_key2string( attrib_map_v22, key );
+                       
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       return get_attr_key2string( attrib_map_v30, key );
+                       
+               default:
+                       DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
+                       break;
+       }
+       return NULL;
+}
  
-       rc = smb_ldap_search(ldap_state, lp_ldap_suffix (), scope, filter, attr, 0, result);
+/**********************************************************************
+ return the list of attribute names given a user schema version 
+ **********************************************************************/
  
-       if (rc != LDAP_SUCCESS) {
-               char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
-                               &ld_error);
-               DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s (%s)\n", 
-                       ld_error?ld_error:"(unknown)", ldap_err2string (rc)));
-               DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(), 
-                       filter));
-               SAFE_FREE(ld_error);
+static char** get_userattr_list( int schema_ver )
+{
+       switch ( schema_ver ) 
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       return get_attr_list( attrib_map_v22 );
+                       
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       return get_attr_list( attrib_map_v30 );
+               default:
+                       DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
+                       break;
         }
         
-       return rc;
+       return NULL;
+}
+/*******************************************************************
+ generate the LDAP search filter for the objectclass based on the 
+ version of the schema we are using 
+ ******************************************************************/
+
+static const char* get_objclass_filter( int schema_ver )
+{
+       static fstring objclass_filter;
+       
+       switch( schema_ver ) 
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
+                       break;
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
+                       break;
+               default:
+                       DEBUG(0,("pdb_ldapsam: get_objclass_filter(): Invalid schema version specified!\n"));
+                       break;
+       }
+       
+       return objclass_filter; 
  }
  
  /*******************************************************************
   run the search by name.
  ******************************************************************/
-static int ldapsam_search_one_user_by_name (struct smb_ldap_privates *ldap_state, const char *user,
-                            LDAPMessage ** result)
+static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, 
+                                         const char *user,
+                                         LDAPMessage ** result, char **attr)
  {
         pstring filter;
         char *escape_user = escape_ldap_string_alloc(user);
@@ -116,7 +192,8 @@ static int ldapsam_search_one_user_by_name (struct smb_ldap_privates *ldap_state
          * in the filter expression, replace %u with the real name
          * so in ldap filter, %u MUST exist :-)
          */
-       pstrcpy(filter, lp_ldap_filter());
+       pstr_sprintf(filter, "(&%s%s)", lp_ldap_filter(), 
+               get_objclass_filter(ldap_state->schema_ver));
  
         /* 
          * have to use this here because $ is filtered out
@@ -127,63 +204,45 @@ static int ldapsam_search_one_user_by_name (struct smb_ldap_privates *ldap_state
         all_string_sub(filter, "%u", escape_user, sizeof(pstring));
         SAFE_FREE(escape_user);
  
-       return ldapsam_search_one_user(ldap_state, filter, result);
+       return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
  }
  
  /*******************************************************************
- run the search by uid.
+ run the search by rid.
  ******************************************************************/
-static int ldapsam_search_one_user_by_uid(struct smb_ldap_privates *ldap_state, 
-                                         int uid,
-                                         LDAPMessage ** result)
+static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state, 
+                                        uint32 rid, LDAPMessage ** result, 
+                                        char **attr)
  {
-       struct passwd *user;
         pstring filter;
-       char *escape_user;
+       int rc;
  
-       /* Get the username from the system and look that up in the LDAP */
+       pstr_sprintf(filter, "(&(rid=%i)%s)", rid, 
+               get_objclass_filter(ldap_state->schema_ver));
         
-       if ((user = getpwuid_alloc(uid)) == NULL) {
-               DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
-               return LDAP_NO_SUCH_OBJECT;
-       }
-       
-       pstrcpy(filter, lp_ldap_filter());
+       rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
         
-       escape_user = escape_ldap_string_alloc(user->pw_name);
-       if (!escape_user) {
-               passwd_free(&user);
-               return LDAP_NO_MEMORY;
-       }
-
-       all_string_sub(filter, "%u", escape_user, sizeof(pstring));
-
-       passwd_free(&user);
-       SAFE_FREE(escape_user);
-
-       return ldapsam_search_one_user(ldap_state, filter, result);
+       return rc;
  }
  
  /*******************************************************************
- run the search by rid.
+ run the search by SID.
  ******************************************************************/
-static int ldapsam_search_one_user_by_rid (struct smb_ldap_privates *ldap_state, 
-                                          uint32 rid,
-                                          LDAPMessage ** result)
+static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state, 
+                                        const DOM_SID *sid, LDAPMessage ** result, 
+                                        char **attr)
  {
         pstring filter;
         int rc;
+       fstring sid_string;
  
-       /* check if the user rid exsists, if not, try searching on the uid */
-       
-       snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
-       rc = ldapsam_search_one_user(ldap_state, filter, result);
+       pstr_sprintf(filter, "(&(%s=%s)%s)", 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
+               sid_to_string(sid_string, sid), 
+               get_objclass_filter(ldap_state->schema_ver));
+               
+       rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
         
-       if (rc != LDAP_SUCCESS)
-               rc = ldapsam_search_one_user_by_uid(ldap_state,
-                                                   fallback_pdb_user_rid_to_uid(rid), 
-                                                   result);
-
         return rc;
  }
  
@@ -191,10 +250,10 @@ static int ldapsam_search_one_user_by_rid (struct smb_ldap_privates *ldap_state,
   Delete complete object or objectclass and attrs from
   object found in search_result depending on lp_ldap_delete_dn
  ******************************************************************/
-static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
+static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
                                      LDAPMessage *result,
                                      const char *objectclass,
-                                    const char **attrs)
+                                    char **attrs)
  {
         int rc;
         LDAPMessage *entry;
@@ -202,19 +261,19 @@ static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
         char *name, *dn;
         BerElement *ptr = NULL;
  
-       rc = ldap_count_entries(ldap_state->ldap_struct, result);
+       rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
  
         if (rc != 1) {
                 DEBUG(0, ("Entry must exist exactly once!\n"));
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       entry = ldap_first_entry(ldap_state->ldap_struct, result);
-       dn    = ldap_get_dn(ldap_state->ldap_struct, entry);
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+       dn    = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
  
         if (lp_ldap_delete_dn()) {
                 NTSTATUS ret = NT_STATUS_OK;
-               rc = smb_ldap_delete(ldap_state, dn);
+               rc = smbldap_delete(ldap_state->smbldap_state, dn);
  
                 if (rc != LDAP_SUCCESS) {
                         DEBUG(0, ("Could not delete object %s\n", dn));
@@ -225,38 +284,39 @@ static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
         }
  
         /* Ok, delete only the SAM attributes */
-
-       for (name = ldap_first_attribute(ldap_state->ldap_struct, entry, &ptr);
+       
+       for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
              name != NULL;
-            name = ldap_next_attribute(ldap_state->ldap_struct, entry, ptr)) {
-
-               const char **attrib;
+            name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr)) 
+       {
+               char **attrib;
  
                 /* We are only allowed to delete the attributes that
                    really exist. */
  
-               for (attrib = attrs; *attrib != NULL; attrib++) {
+               for (attrib = attrs; *attrib != NULL; attrib++) 
+               {
                         if (StrCaseCmp(*attrib, name) == 0) {
                                 DEBUG(10, ("deleting attribute %s\n", name));
-                               smb_ldap_make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL);
+                               smbldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL);
                         }
                 }
  
                 ldap_memfree(name);
         }
-
+       
         if (ptr != NULL) {
                 ber_free(ptr, 0);
         }
         
-       smb_ldap_make_a_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
+       smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
  
-       rc = smb_ldap_modify(ldap_state, dn, mods);
-       ldap_mods_free(mods, 1);
+       rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+       ldap_mods_free(mods, True);
  
         if (rc != LDAP_SUCCESS) {
                 char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+               ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
                                 &ld_error);
                 
                 DEBUG(0, ("could not delete attributes for %s, error: %s (%s)\n",
@@ -269,59 +329,59 @@ static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
         ldap_memfree(dn);
         return NT_STATUS_OK;
  }
-                                         
+                 
+
  /* New Interface is being implemented here */
  
  /**********************************************************************
  Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
  *********************************************************************/
-static BOOL get_unix_attributes (struct smb_ldap_privates *ldap_state, 
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, 
                                 SAM_ACCOUNT * sampass,
-                               LDAPMessage * entry)
+                               LDAPMessage * entry,
+                               gid_t *gid)
  {
         pstring  homedir;
         pstring  temp;
-       uid_t uid;
-       gid_t gid;
         char **ldap_values;
         char **values;
  
-       if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+       if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
                 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
                 return False;
         }
  
         for (values=ldap_values;*values;values++) {
-               if (strcasecmp(*values, "posixAccount") == 0) {
+               if (strcasecmp(*values, LDAP_OBJ_POSIXACCOUNT ) == 0) {
                         break;
                 }
         }
         
         if (!*values) { /*end of array, no posixAccount */
-               DEBUG(10, ("user does not have posixAcccount attributes\n"));
+               DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
                 ldap_value_free(ldap_values);
                 return False;
         }
         ldap_value_free(ldap_values);
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir)) 
-               return False;
-       
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+       if ( !smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) ) 
+       {
                 return False;
+       }
         
-       uid = (uid_t)atol(temp);
-       
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+       if ( !smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
+       {
                 return False;
+       }
         
-       gid = (gid_t)atol(temp);
+       *gid = (gid_t)atol(temp);
  
         pdb_set_unix_homedir(sampass, homedir, PDB_SET);
-       pdb_set_uid(sampass, uid, PDB_SET);
-       pdb_set_gid(sampass, gid, PDB_SET);
         
-       DEBUG(10, ("user has posixAcccount attributes\n"));
+       DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
+       
         return True;
  }
  
@@ -330,7 +390,7 @@ static BOOL get_unix_attributes (struct smb_ldap_privates *ldap_state,
  Initialize SAM_ACCOUNT from an LDAP query
  (Based on init_sam_from_buffer in pdb_tdb.c)
  *********************************************************************/
-static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state, 
+static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, 
                                 SAM_ACCOUNT * sampass,
                                 LDAPMessage * entry)
  {
@@ -351,9 +411,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                         acct_desc,
                         munged_dial,
                         workstations;
-       struct passwd   *pw;
-       uint32          user_rid, 
-                       group_rid;
+       uint32          user_rid; 
         uint8           smblmpwd[LM_HASH_LEN],
                         smbntpwd[NT_HASH_LEN];
         uint16          acct_ctrl = 0, 
@@ -362,8 +420,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
         uint8           hours[MAX_HOURS_LEN];
         pstring temp;
         uid_t           uid = -1;
-       gid_t           gid = getegid();
-
+       gid_t           gid = getegid();
  
         /*
          * do a little initialization
@@ -386,33 +443,83 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 return False;
         }
  
-       if (ldap_state->ldap_struct == NULL) {
-               DEBUG(0, ("init_sam_from_ldap: ldap_state->ldap_struct is NULL!\n"));
+       if (ldap_state->smbldap_state->ldap_struct == NULL) {
+               DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
                 return False;
         }
         
-       smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "uid", username);
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
+               DEBUG(1, ("No uid attribute found for this user!\n"));
+               return False;
+       }
+
         DEBUG(2, ("Entry found for user: %s\n", username));
  
         pstrcpy(nt_username, username);
  
-       pstrcpy(domain, lp_workgroup());
+       pstrcpy(domain, ldap_state->domain_name);
         
         pdb_set_username(sampass, username, PDB_SET);
  
         pdb_set_domain(sampass, domain, PDB_DEFAULT);
         pdb_set_nt_username(sampass, nt_username, PDB_SET);
  
-       smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp);
-       user_rid = (uint32)atol(temp);
+       /* deal with different attributes between the schema first */
+       
+       if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) 
+       {
+               if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) 
+               {
+                       pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
+               }
+               
+               if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) 
+               {
+                       pdb_set_group_sid_from_string(sampass, temp, PDB_SET);                  
+               }
+               else 
+               {
+                       pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+               }
  
-       pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
-               group_rid = 0;
-       } else {
-               group_rid = (uint32)atol(temp);
-               pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+       } 
+       else 
+       {
+               if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) 
+               {
+                       user_rid = (uint32)atol(temp);
+                       pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
+               }
+               
+               if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) 
+               {
+                       pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+               } else {
+                       uint32 group_rid;
+                       
+                       group_rid = (uint32)atol(temp);
+                       
+                       /* for some reason, we often have 0 as a primary group RID.
+                          Make sure that we treat this just as a 'default' value */
+                          
+                       if ( group_rid > 0 )
+                               pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+                       else
+                               pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+               }
+       }
+
+       if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
+               DEBUG(1, ("no %s or %s attribute found for this user %s\n", 
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
+                       username));
+               return False;
         }
  
  
@@ -420,78 +527,69 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
          * If so configured, try and get the values from LDAP 
          */
  
-       if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) {
-               
-               /* 
-                * Otherwise just ask the system getpw() calls.
-                */
-       
-               pw = getpwnam_alloc(username);
-               if (pw == NULL) {
-                       if (! ldap_state->permit_non_unix_accounts) {
-                               DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
-                               return False;
+       if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) 
+       {       
+               if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) 
+               {
+                       GROUP_MAP map;
+                       /* call the mapping code here */
+                       if(pdb_getgrgid(&map, gid)) {
+                               pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+                       } 
+                       else {
+                               pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
                         }
-               } else {
-                       uid = pw->pw_uid;
-                       pdb_set_uid(sampass, uid, PDB_SET);
-                       gid = pw->pw_gid;
-                       pdb_set_gid(sampass, gid, PDB_SET);
-                       
-                       pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
-                       passwd_free(&pw);
-               }
-       }
-
-       if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
-               GROUP_MAP map;
-               gid = pdb_get_gid(sampass);
-               /* call the mapping code here */
-               if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
-                       pdb_set_group_sid(sampass, &map.sid, PDB_SET);
-               } 
-               else {
-                       pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
                 }
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "pwdLastSet", temp)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) 
+       {
                 /* leave as default */
         } else {
                 pass_last_set_time = (time_t) atol(temp);
                 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "logonTime", temp)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) 
+       {
                 /* leave as default */
         } else {
                 logon_time = (time_t) atol(temp);
                 pdb_set_logon_time(sampass, logon_time, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "logoffTime", temp)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) 
+       {
                 /* leave as default */
         } else {
                 logoff_time = (time_t) atol(temp);
                 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "kickoffTime", temp)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) 
+       {
                 /* leave as default */
         } else {
                 kickoff_time = (time_t) atol(temp);
                 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "pwdCanChange", temp)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) 
+       {
                 /* leave as default */
         } else {
                 pass_can_change_time = (time_t) atol(temp);
                 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "pwdMustChange", temp)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) 
+       {       
                 /* leave as default */
         } else {
                 pass_must_change_time = (time_t) atol(temp);
@@ -504,10 +602,12 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
          * that fits your needs; using cn then displayName rather than 'userFullName'
          */
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry,
-                                 "displayName", fullname)) {
-               if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry,
-                                         "cn", fullname)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) 
+       {
+               if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) 
+               {
                         /* leave as default */
                 } else {
                         pdb_set_fullname(sampass, fullname, PDB_SET);
@@ -516,7 +616,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 pdb_set_fullname(sampass, fullname, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "homeDrive", dir_drive)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive)) 
+       {
                 pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                   lp_logon_drive(),
                                                                   username, domain, 
@@ -526,7 +628,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "smbHome", homedir)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir)) 
+       {
                 pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                   lp_logon_home(),
                                                                   username, domain, 
@@ -536,7 +640,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 pdb_set_homedir(sampass, homedir, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "scriptPath", logon_script)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script)) 
+       {
                 pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                      lp_logon_script(),
                                                                      username, domain, 
@@ -546,7 +652,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 pdb_set_logon_script(sampass, logon_script, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "profilePath", profile_path)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path)) 
+       {
                 pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx, 
                                                                      lp_logon_path(),
                                                                      username, domain, 
@@ -556,13 +664,17 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 pdb_set_profile_path(sampass, profile_path, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "description", acct_desc)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc)) 
+       {
                 /* leave as default */
         } else {
                 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "userWorkstations", workstations)) {
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) 
+       {
                 /* leave as default */;
         } else {
                 pdb_set_workstations(sampass, workstations, PDB_SET);
@@ -574,7 +686,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
         hours_len = 21;
         memset(hours, 0xff, hours_len);
  
-       if (!smb_ldap_get_single_attribute (ldap_state->ldap_struct, entry, "lmPassword", temp)) {
+       if (!smbldap_get_single_attribute (ldap_state->smbldap_state->ldap_struct, entry, 
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) 
+       {
                 /* leave as default */
         } else {
                 pdb_gethexpwd(temp, smblmpwd);
@@ -584,7 +698,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 ZERO_STRUCT(smblmpwd);
         }
  
-       if (!smb_ldap_get_single_attribute (ldap_state->ldap_struct, entry, "ntPassword", temp)) {
+       if (!smbldap_get_single_attribute (ldap_state->smbldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) 
+       {
                 /* leave as default */
         } else {
                 pdb_gethexpwd(temp, smbntpwd);
@@ -594,7 +710,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
                 ZERO_STRUCT(smbntpwd);
         }
  
-       if (!smb_ldap_get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
+       if (!smbldap_get_single_attribute (ldap_state->smbldap_state->ldap_struct, entry,
+               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) 
+       {
                 acct_ctrl |= ACB_NORMAL;
         } else {
                 acct_ctrl = pdb_decode_acct_ctrl(temp);
@@ -619,75 +737,13 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
         return True;
  }
  
-/**********************************************************************
-  An LDAP modification is needed in two cases:
-  * If we are updating the record AND the attribute is CHANGED.
-  * If we are adding   the record AND it is SET or CHANGED (ie not default)
-*********************************************************************/
-static BOOL need_ldap_mod(BOOL pdb_add, const SAM_ACCOUNT * sampass, enum pdb_elements element) {
-       if (pdb_add) {
-               return (!IS_SAM_DEFAULT(sampass, element));
-       } else {
-               return IS_SAM_CHANGED(sampass, element);
-       }
-}
-
-/**********************************************************************
-  Set attribute to newval in LDAP, regardless of what value the
-  attribute had in LDAP before.
-*********************************************************************/
-static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
-                         LDAPMod ***mods,
-                         const char *attribute, const char *newval)
-{
-       char **values = NULL;
-
-       if (existing != NULL) {
-               values = ldap_get_values(ldap_struct, existing, attribute);
-       }
-
-       if ((values != NULL) && (values[0] != NULL) &&
-           strcmp(values[0], newval) == 0) {
-               
-               /* Believe it or not, but LDAP will deny a delete and
-                  an add at the same time if the values are the
-                  same... */
-
-               ldap_value_free(values);
-               return;
-       }
-
-       /* Regardless of the real operation (add or modify)
-          we add the new value here. We rely on deleting
-          the old value, should it exist. */
-
-       if ((newval != NULL) && (strlen(newval) > 0)) {
-               smb_ldap_make_a_mod(mods, LDAP_MOD_ADD, attribute, newval);
-       }
-
-       if (values == NULL) {
-               /* There has been no value before, so don't delete it.
-                  Here's a possible race: We might end up with
-                  duplicate attributes */
-               return;
-       }
-
-       /* By deleting exactly the value we found in the entry this
-          should be race-free in the sense that the LDAP-Server will
-          deny the complete operation if somebody changed the
-          attribute behind our back. */
-
-       smb_ldap_make_a_mod(mods, LDAP_MOD_DELETE, attribute, values[0]);
-       ldap_value_free(values);
-}
-
  /**********************************************************************
  Initialize SAM_ACCOUNT from an LDAP query
  (Based on init_buffer_from_sam in pdb_tdb.c)
  *********************************************************************/
-static BOOL init_ldap_from_sam (struct smb_ldap_privates *ldap_state, 
+static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, 
                                 LDAPMessage *existing,
-                               LDAPMod *** mods, const SAM_ACCOUNT * sampass,
+                               LDAPMod *** mods, SAM_ACCOUNT * sampass,
                                 BOOL (*need_update)(const SAM_ACCOUNT *,
                                                     enum pdb_elements))
  {
@@ -706,62 +762,83 @@ static BOOL init_ldap_from_sam (struct smb_ldap_privates *ldap_state,
          * do this on a per-mod basis
          */
         if (need_update(sampass, PDB_USERNAME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods, 
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
                               "uid", pdb_get_username(sampass));
  
         DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
  
-       rid = pdb_get_user_rid(sampass);
-
-       if (rid == 0) {
-               if (!IS_SAM_DEFAULT(sampass, PDB_UID)) {
-                       rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(sampass));
-               } else if (ldap_state->permit_non_unix_accounts) {
-                       rid = ldapsam_get_next_available_nua_rid(ldap_state);
-                       if (rid == 0) {
-                               DEBUG(0, ("NO user RID specified on account %s, and "
-                                         "finding next available NUA RID failed, "
-                                         "cannot store!\n",
-                                         pdb_get_username(sampass)));
-                               ldap_mods_free(*mods, 1);
-                               return False;
-                       }
-               } else {
-                       DEBUG(0, ("NO user RID specified on account %s, "
-                                 "cannot store!\n", pdb_get_username(sampass)));
-                       ldap_mods_free(*mods, 1);
-                       return False;
-               }
+       /* only update the RID if we actually need to */
+       if (need_update(sampass, PDB_USERSID)) 
+       {
+               fstring sid_string;
+               fstring dom_sid_string;
+               const DOM_SID *user_sid = pdb_get_user_sid(sampass);
+               
+               switch ( ldap_state->schema_ver )
+               {
+                       case SCHEMAVER_SAMBAACCOUNT:
+                               if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
+                                       DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", 
+                                               sid_to_string(sid_string, user_sid), 
+                                               sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
+                                       return False;
+                               }
+                               slprintf(temp, sizeof(temp) - 1, "%i", rid);
+                               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), 
+                                       temp);
+                               break;
+                               
+                       case SCHEMAVER_SAMBASAMACCOUNT:
+                               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
+                                       sid_to_string(sid_string, user_sid));                                 
+                               break;
+                               
+                       default:
+                               DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
+                               break;
+               }               
         }
  
-       slprintf(temp, sizeof(temp) - 1, "%i", rid);
-
-       if (need_update(sampass, PDB_USERSID))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "rid", temp);
+       /* we don't need to store the primary group RID - so leaving it
+          'free' to hang off the unix primary group makes life easier */
  
-
-       rid = pdb_get_group_rid(sampass);
-
-       if (rid == 0) {
-               if (!IS_SAM_DEFAULT(sampass, PDB_GID)) {
-                       rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
-               } else if (ldap_state->permit_non_unix_accounts) {
-                       rid = DOMAIN_GROUP_RID_USERS;
-               } else {
-                       DEBUG(0, ("NO group RID specified on account %s, "
-                                 "cannot store!\n", pdb_get_username(sampass)));
-                       ldap_mods_free(*mods, 1);
-                       return False;
+       if (need_update(sampass, PDB_GROUPSID)) 
+       {
+               fstring sid_string;
+               fstring dom_sid_string;
+               const DOM_SID *group_sid = pdb_get_group_sid(sampass);
+               
+               switch ( ldap_state->schema_ver )
+               {
+                       case SCHEMAVER_SAMBAACCOUNT:
+                               if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
+                                       DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
+                                               sid_to_string(sid_string, group_sid),
+                                               sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
+                                       return False;
+                               }
+
+                               slprintf(temp, sizeof(temp) - 1, "%i", rid);
+                               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                                       get_userattr_key2string(ldap_state->schema_ver, 
+                                       LDAP_ATTR_PRIMARY_GROUP_RID), temp);
+                               break;
+                               
+                       case SCHEMAVER_SAMBASAMACCOUNT:
+                               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                                       get_userattr_key2string(ldap_state->schema_ver, 
+                                       LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
+                               break;
+                               
+                       default:
+                               DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
+                               break;
                 }
+               
         }
-
-       slprintf(temp, sizeof(temp) - 1, "%i", rid);
-
-       if (need_update(sampass, PDB_GROUPSID))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "primaryGroupID", temp);
-
+       
         /* displayName, cn, and gecos should all be the same
          *  most easily accomplished by giving them the same OID
          *  gecos isn't set here b/c it should be handled by the 
@@ -771,257 +848,122 @@ static BOOL init_ldap_from_sam (struct smb_ldap_privates *ldap_state,
          */
  
         if (need_update(sampass, PDB_FULLNAME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "displayName", pdb_get_fullname(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), 
+                       pdb_get_fullname(sampass));
  
         if (need_update(sampass, PDB_ACCTDESC))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "description", pdb_get_acct_desc(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), 
+                       pdb_get_acct_desc(sampass));
  
         if (need_update(sampass, PDB_WORKSTATIONS))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "userWorkstations", pdb_get_workstations(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), 
+                       pdb_get_workstations(sampass));
  
         if (need_update(sampass, PDB_SMBHOME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "smbHome", pdb_get_homedir(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), 
+                       pdb_get_homedir(sampass));
                         
         if (need_update(sampass, PDB_DRIVE))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "homeDrive", pdb_get_dir_drive(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), 
+                       pdb_get_dir_drive(sampass));
  
         if (need_update(sampass, PDB_LOGONSCRIPT))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "scriptPath", pdb_get_logon_script(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), 
+                       pdb_get_logon_script(sampass));
  
         if (need_update(sampass, PDB_PROFILE))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "profilePath", pdb_get_profile_path(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), 
+                       pdb_get_profile_path(sampass));
  
         slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
-
         if (need_update(sampass, PDB_LOGONTIME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "logonTime", temp);
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
  
         slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
-
         if (need_update(sampass, PDB_LOGOFFTIME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "logoffTime", temp);
-
-       slprintf (temp, sizeof (temp) - 1, "%li",
-                 pdb_get_kickoff_time(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
  
+       slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
         if (need_update(sampass, PDB_KICKOFFTIME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "kickoffTime", temp);
-
-       slprintf (temp, sizeof (temp) - 1, "%li",
-                 pdb_get_pass_can_change_time(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
  
+       slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
         if (need_update(sampass, PDB_CANCHANGETIME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "pwdCanChange", temp);
-
-       slprintf (temp, sizeof (temp) - 1, "%li",
-                 pdb_get_pass_must_change_time(sampass));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
  
+       slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
         if (need_update(sampass, PDB_MUSTCHANGETIME))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "pwdMustChange", temp);
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
  
-       if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))||
-           (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
+       if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
+               || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) 
+       {
  
-               pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass),
+               pdb_sethexpwd(temp, pdb_get_lanman_passwd(sampass),
                                pdb_get_acct_ctrl(sampass));
  
                 if (need_update(sampass, PDB_LMPASSWD))
-                       make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "lmPassword", temp);
+                       smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
+                               temp);
  
                 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass),
                                pdb_get_acct_ctrl(sampass));
  
                 if (need_update(sampass, PDB_NTPASSWD))
-                       make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "ntPassword", temp);
-
-               slprintf (temp, sizeof (temp) - 1, "%li",
-                         pdb_get_pass_last_set_time(sampass));
+                       smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
+                               temp);
  
+               slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
                 if (need_update(sampass, PDB_PASSLASTSET))
-                       make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                                     "pwdLastSet", temp);
+                       smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                               get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), 
+                               temp);
         }
  
         /* FIXME: Hours stuff goes in LDAP  */
  
         if (need_update(sampass, PDB_ACCTCTRL))
-               make_ldap_mod(ldap_state->ldap_struct, existing, mods,
-                             "acctFlags",
-                             pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
-                                                   NEW_PW_FORMAT_SPACE_PADDED_LEN));
+               smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
+                       get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), 
+                       pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
  
         return True;
  }
  
  
-/**********************************************************************
-Connect to LDAP server and find the next available RID.
-*********************************************************************/
-static uint32 check_nua_rid_is_avail(struct smb_ldap_privates *ldap_state, uint32 top_rid) 
-{
-       LDAPMessage *result;
-       uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
-       if (top_rid == 0) {
-               return 0;
-       }
-       
-       if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) {
-               return 0;
-       }
-
-       if (ldapsam_search_one_user_by_rid(ldap_state, final_rid, &result) != LDAP_SUCCESS) {
-               DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid));
-               return 0;
-       }
-
-       if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
-               DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid));
-               ldap_msgfree(result);
-               return 0;
-       }
-
-       DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid));
-       ldap_msgfree(result);
-       return final_rid;
-}
-
-/**********************************************************************
-Extract the RID from an LDAP entry
-*********************************************************************/
-static uint32 entry_to_user_rid(struct smb_ldap_privates *ldap_state, LDAPMessage *entry) {
-       uint32 rid;
-       SAM_ACCOUNT *user = NULL;
-       if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
-               return 0;
-       }
-
-       if (init_sam_from_ldap(ldap_state, user, entry)) {
-               rid = pdb_get_user_rid(user);
-       } else {
-               rid =0;
-       }
-       pdb_free_sam(&user);
-       if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) {
-               return rid;
-       }
-       return 0;
-}
-
-
-/**********************************************************************
-Connect to LDAP server and find the next available RID.
-*********************************************************************/
-static uint32 search_top_nua_rid(struct smb_ldap_privates *ldap_state)
-{
-       int rc;
-       pstring filter;
-       LDAPMessage *result;
-       LDAPMessage *entry;
-       char *final_filter = NULL;
-       uint32 top_rid = 0;
-       uint32 count;
-       uint32 rid;
-
-       pstrcpy(filter, lp_ldap_filter());
-       all_string_sub(filter, "%u", "*", sizeof(pstring));
-
-#if 0
-       asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid);
-#else 
-       final_filter = strdup(filter);
-#endif 
-       DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
-
-       rc = smb_ldap_search(ldap_state, lp_ldap_suffix(),
-                          LDAP_SCOPE_SUBTREE, final_filter, attr, 0,
-                          &result);
-
-       if (rc != LDAP_SUCCESS) {
-               DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
-               DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
-
-               free(final_filter);
-               result = NULL;
-               return 0;
-       }
-       
-       count = ldap_count_entries(ldap_state->ldap_struct, result);
-       DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count));
-       
-       if (count == 0) {
-               DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc)));
-               DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
-               free(final_filter);
-               ldap_msgfree(result);
-               result = NULL;
-               return ldap_state->low_nua_rid;
-       }
-       
-       free(final_filter);
-       entry = ldap_first_entry(ldap_state->ldap_struct,result);
-
-       top_rid = entry_to_user_rid(ldap_state, entry);
-
-       while ((entry = ldap_next_entry(ldap_state->ldap_struct, entry))) {
-
-               rid = entry_to_user_rid(ldap_state, entry);
-               if (rid > top_rid) {
-                       top_rid = rid;
-               }
-       }
-
-       ldap_msgfree(result);
-
-       if (top_rid < ldap_state->low_nua_rid) 
-               top_rid = ldap_state->low_nua_rid;
-
-       return top_rid;
-}
-
-/**********************************************************************
-Connect to LDAP server and find the next available RID.
-*********************************************************************/
-static uint32 ldapsam_get_next_available_nua_rid(struct smb_ldap_privates *ldap_state) {
-       uint32 next_nua_rid;
-       uint32 top_nua_rid;
-
-       top_nua_rid = search_top_nua_rid(ldap_state);
-
-       next_nua_rid = check_nua_rid_is_avail(ldap_state, 
-                                             top_nua_rid);
-       
-       return next_nua_rid;
-}
  
  /**********************************************************************
  Connect to LDAP server for password enumeration
  *********************************************************************/
  static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
  {
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         int rc;
         pstring filter;
+       char **attr_list;
  
-       pstrcpy(filter, lp_ldap_filter());
+       pstr_sprintf( filter, "(&%s%s)", lp_ldap_filter(), 
+               get_objclass_filter(ldap_state->schema_ver));
         all_string_sub(filter, "%u", "*", sizeof(pstring));
  
-       rc = smb_ldap_search(ldap_state, lp_ldap_suffix(),
-                          LDAP_SCOPE_SUBTREE, filter, attr, 0,
-                          &ldap_state->result);
+       attr_list = get_userattr_list(ldap_state->schema_ver);
+       rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, 
+                                  attr_list, &ldap_state->result);
+       free_attr_list( attr_list );
  
         if (rc != LDAP_SUCCESS) {
                 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
@@ -1032,10 +974,10 @@ static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
         }
  
         DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
-               ldap_count_entries(ldap_state->ldap_struct,
+               ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
                 ldap_state->result)));
  
-       ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
+       ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
                                  ldap_state->result);
         ldap_state->index = 0;
  
@@ -1047,7 +989,7 @@ End enumeration of the LDAP password list
  *********************************************************************/
  static void ldapsam_endsampwent(struct pdb_methods *my_methods)
  {
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         if (ldap_state->result) {
                 ldap_msgfree(ldap_state->result);
                 ldap_state->result = NULL;
@@ -1060,7 +1002,7 @@ Get the next entry in the LDAP password database
  static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
  {
         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         BOOL bret = False;
  
         while (!bret) {
@@ -1070,7 +1012,7 @@ static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT
                 ldap_state->index++;
                 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
                 
-               ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
+               ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
                                             ldap_state->entry); 
         }
  
@@ -1083,37 +1025,46 @@ Get SAM_ACCOUNT entry from LDAP by username
  static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
  {
         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         LDAPMessage *result;
         LDAPMessage *entry;
         int count;
+       char ** attr_list;
+       int rc;
         
-       if (ldapsam_search_one_user_by_name(ldap_state, sname, &result) != LDAP_SUCCESS) {
+       attr_list = get_userattr_list( ldap_state->schema_ver );
+       rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
+       free_attr_list( attr_list );
+
+       if ( rc != LDAP_SUCCESS ) 
                 return NT_STATUS_NO_SUCH_USER;
-       }
         
-       count = ldap_count_entries(ldap_state->ldap_struct, result);
+       count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
         
         if (count < 1) {
                 DEBUG(4,
-                     ("We don't find this user [%s] count=%d\n", sname,
+                     ("Unable to locate user [%s] count=%d\n", sname,
                        count));
+               ldap_msgfree(result);
                 return NT_STATUS_NO_SUCH_USER;
         } else if (count > 1) {
                 DEBUG(1,
                       ("Duplicate entries for this user [%s] Failing. count=%d\n", sname,
                        count));
+               ldap_msgfree(result);
                 return NT_STATUS_NO_SUCH_USER;
         }
  
-       entry = ldap_first_entry(ldap_state->ldap_struct, result);
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
         if (entry) {
                 if (!init_sam_from_ldap(ldap_state, user, entry)) {
                         DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
                         ldap_msgfree(result);
                         return NT_STATUS_NO_SUCH_USER;
                 }
-               ldap_msgfree(result);
+               pdb_set_backend_private_data(user, result, 
+                                            private_data_free_fn, 
+                                            my_methods, PDB_CHANGED);
                 ret = NT_STATUS_OK;
         } else {
                 ldap_msgfree(result);
@@ -1121,69 +1072,107 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT
         return ret;
  }
  
+static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state, 
+                                  const DOM_SID *sid, LDAPMessage **result) 
+{
+       int rc = -1;
+       char ** attr_list;
+       uint32 rid;
+
+       switch ( ldap_state->schema_ver )
+       {
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       attr_list = get_userattr_list(ldap_state->schema_ver);
+                       rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
+                       free_attr_list( attr_list );
+
+                       if ( rc != LDAP_SUCCESS ) 
+                               return rc;
+                       break;
+                       
+               case SCHEMAVER_SAMBAACCOUNT:
+                       if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
+                               return rc;
+                       }
+               
+                       attr_list = get_userattr_list(ldap_state->schema_ver);
+                       rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
+                       free_attr_list( attr_list );
+
+                       if ( rc != LDAP_SUCCESS ) 
+                               return rc;
+                       break;
+       }
+       return rc;
+}
+
  /**********************************************************************
-Get SAM_ACCOUNT entry from LDAP by rid 
+Get SAM_ACCOUNT entry from LDAP by SID
  *********************************************************************/
-static NTSTATUS ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *user, uint32 rid)
+static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
  {
-       NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-       struct smb_ldap_privates *ldap_state = 
-               (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         LDAPMessage *result;
         LDAPMessage *entry;
         int count;
+       int rc;
+       fstring sid_string;
  
-       if (ldapsam_search_one_user_by_rid(ldap_state, rid, &result) != LDAP_SUCCESS) {
+       rc = ldapsam_get_ldap_user_by_sid(ldap_state, 
+                                         sid, &result); 
+       if (rc != LDAP_SUCCESS)
                 return NT_STATUS_NO_SUCH_USER;
-       }
  
-       count = ldap_count_entries(ldap_state->ldap_struct, result);
-               
-       if (count < 1) {
+       count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+       
+       if (count < 1) 
+       {
                 DEBUG(4,
-                     ("We don't find this rid [%i] count=%d\n", rid,
+                     ("Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
                        count));
+               ldap_msgfree(result);
                 return NT_STATUS_NO_SUCH_USER;
-       } else if (count > 1) {
+       }  
+       else if (count > 1) 
+       {
                 DEBUG(1,
-                     ("More than one user with rid [%i]. Failing. count=%d\n", rid,
+                     ("More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
                        count));
+               ldap_msgfree(result);
                 return NT_STATUS_NO_SUCH_USER;
         }
  
-       entry = ldap_first_entry(ldap_state->ldap_struct, result);
-       if (entry) {
-               if (!init_sam_from_ldap(ldap_state, user, entry)) {
-                       DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
-                       ldap_msgfree(result);
-                       return NT_STATUS_NO_SUCH_USER;
-               }
-               ldap_msgfree(result);
-               ret = NT_STATUS_OK;
-       } else {
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+       if (!entry) 
+       {
                 ldap_msgfree(result);
+               return NT_STATUS_NO_SUCH_USER;
         }
-       return ret;
-}
  
-static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
-{
-       uint32 rid;
-       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+       if (!init_sam_from_ldap(ldap_state, user, entry)) {
+               DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
+               ldap_msgfree(result);
                 return NT_STATUS_NO_SUCH_USER;
-       return ldapsam_getsampwrid(my_methods, user, rid);
+       }
+
+       pdb_set_backend_private_data(user, result, 
+                                    private_data_free_fn, 
+                                    my_methods, PDB_CHANGED);
+       return NT_STATUS_OK;
  }      
  
  /********************************************************************
-Do the actual modification - also change a plaittext passord if 
+Do the actual modification - also change a plaintext passord if 
  it it set.
  **********************************************************************/
  
  static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, 
                                      SAM_ACCOUNT *newpwd, char *dn,
-                                    LDAPMod **mods, int ldap_op, BOOL pdb_add)
+                                    LDAPMod **mods, int ldap_op, 
+                                    BOOL (*need_update)(const SAM_ACCOUNT *,
+                                                        enum pdb_elements))
  {
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         int rc;
         
         if (!my_methods || !newpwd || !dn) {
@@ -1197,20 +1186,25 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
                 switch(ldap_op)
                 {
                         case LDAP_MOD_ADD: 
-                               smb_ldap_make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "account");
-                               rc = smb_ldap_add(ldap_state, dn, mods);
+                               smbldap_set_mod(&mods, LDAP_MOD_ADD, 
+                                               "objectclass", 
+                                               LDAP_OBJ_ACCOUNT);
+                               rc = smbldap_add(ldap_state->smbldap_state, 
+                                                dn, mods);
                                 break;
                         case LDAP_MOD_REPLACE: 
-                               rc = smb_ldap_modify(ldap_state, dn ,mods);
+                               rc = smbldap_modify(ldap_state->smbldap_state, 
+                                                   dn ,mods);
                                 break;
                         default:        
-                               DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
-                               return NT_STATUS_UNSUCCESSFUL;
+                               DEBUG(0,("Wrong LDAP operation type: %d!\n", 
+                                        ldap_op));
+                               return NT_STATUS_INVALID_PARAMETER;
                 }
                 
                 if (rc!=LDAP_SUCCESS) {
                         char *ld_error = NULL;
-                       ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+                       ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
                                         &ld_error);
                         DEBUG(1,
                               ("failed to %s user dn= %s with: %s\n\t%s\n",
@@ -1222,47 +1216,64 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
                 }  
         }
         
-#ifdef LDAP_EXOP_X_MODIFY_PASSWD
-       if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))&&
-               (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_OFF)&&
-               need_ldap_mod(pdb_add, newpwd, PDB_PLAINTEXT_PW)&&
+       if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
+               (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
+               need_update(newpwd, PDB_PLAINTEXT_PW) &&
                 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
                 BerElement *ber;
                 struct berval *bv;
                 char *retoid;
                 struct berval *retdata;
+               char *utf8_password;
+               char *utf8_dn;
+
+               if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+                       return NT_STATUS_NO_MEMORY;
+               }
  
                 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
                         DEBUG(0,("ber_alloc_t returns NULL\n"));
+                       SAFE_FREE(utf8_password);
                         return NT_STATUS_UNSUCCESSFUL;
                 }
+
                 ber_printf (ber, "{");
-               ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID,dn);
-               ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, pdb_get_plaintext_passwd(newpwd));
+               ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
+               ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
                 ber_printf (ber, "N}");
  
                 if ((rc = ber_flatten (ber, &bv))<0) {
                         DEBUG(0,("ber_flatten returns a value <0\n"));
+                       ber_free(ber,1);
+                       SAFE_FREE(utf8_dn);
+                       SAFE_FREE(utf8_password);
                         return NT_STATUS_UNSUCCESSFUL;
                 }
                 
-               ber_free(ber,1);
-
-               if ((rc = smb_ldap_extended_operation(ldap_state, LDAP_EXOP_X_MODIFY_PASSWD,
-                                                   bv, NULL, NULL, &retoid, &retdata))!=LDAP_SUCCESS) {
+               SAFE_FREE(utf8_dn);
+               SAFE_FREE(utf8_password);
+               ber_free(ber, 1);
+
+               if ((rc = smbldap_extended_operation(ldap_state->smbldap_state, 
+                                                    LDAP_EXOP_MODIFY_PASSWD,
+                                                    bv, NULL, NULL, &retoid, 
+                                                    &retdata)) != LDAP_SUCCESS) {
                         DEBUG(0,("LDAP Password could not be changed for user %s: %s\n",
                                 pdb_get_username(newpwd),ldap_err2string(rc)));
                 } else {
                         DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
-    
+#ifdef DEBUG_PASSWORD
+                       DEBUG(100,("LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
+#endif    
                         ber_bvfree(retdata);
                         ber_memfree(retoid);
                 }
                 ber_bvfree(bv);
         }
-#else
-       DEBUG(10,("LDAP PASSWORD SYNC is not supported!\n"));
-#endif /* LDAP_EXOP_X_MODIFY_PASSWD */
         return NT_STATUS_OK;
  }
  
@@ -1271,16 +1282,13 @@ Delete entry from LDAP for username
  *********************************************************************/
  static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
  {
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         const char *sname;
         int rc;
         LDAPMessage *result;
         NTSTATUS ret;
-       const char *sam_user_attrs[] =
-       { "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime",
-         "kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags",
-         "displayName", "smbHome", "homeDrive", "scriptPath", "profilePath",
-         "userWorkstations", "primaryGroupID", "domain", "rid", NULL };
+       char **attr_list;
+       fstring objclass;
  
         if (!sam_acct) {
                 DEBUG(0, ("sam_acct was NULL!\n"));
@@ -1291,14 +1299,33 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A
  
         DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
  
-       rc = ldapsam_search_one_user_by_name(ldap_state, sname, &result);
-       if (rc != LDAP_SUCCESS) {
+       attr_list= get_userattr_list( ldap_state->schema_ver );
+       rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
+
+       if (rc != LDAP_SUCCESS)  {
+               free_attr_list( attr_list );
                 return NT_STATUS_NO_SUCH_USER;
         }
+       
+       switch ( ldap_state->schema_ver )
+       {
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
+                       break;
+                       
+               case SCHEMAVER_SAMBAACCOUNT:
+                       fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
+                       break;
+               default:
+                       fstrcpy( objclass, "UNKNOWN" );
+                       DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
+                               break;
+       }
  
-       ret = ldapsam_delete_entry(ldap_state, result, "sambaAccount",
-                                  sam_user_attrs);
+       ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
         ldap_msgfree(result);
+       free_attr_list( attr_list );
+
         return ret;
  }
  
@@ -1318,49 +1345,57 @@ Update SAM_ACCOUNT
  static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
  {
         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         int rc;
         char *dn;
         LDAPMessage *result;
         LDAPMessage *entry;
         LDAPMod **mods;
+       char **attr_list;
  
-       rc = ldapsam_search_one_user_by_name(ldap_state, pdb_get_username(newpwd), &result);
-       if (rc != LDAP_SUCCESS) {
-               return NT_STATUS_UNSUCCESSFUL;
+       result = pdb_get_backend_private_data(newpwd, my_methods);
+       if (!result) {
+               attr_list = get_userattr_list(ldap_state->schema_ver);
+               rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
+               free_attr_list( attr_list );
+               if (rc != LDAP_SUCCESS) {
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+               pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
         }
  
-       if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
+       if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
                 DEBUG(0, ("No user to modify!\n"));
-               ldap_msgfree(result);
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       entry = ldap_first_entry(ldap_state->ldap_struct, result);
-       dn = ldap_get_dn(ldap_state->ldap_struct, entry);
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+       dn = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
+
+       DEBUG(4, ("user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
  
         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
                                 element_is_changed)) {
                 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
-               ldap_msgfree(result);
+               ldap_memfree(dn);
                 return NT_STATUS_UNSUCCESSFUL;
         }
         
-        ldap_msgfree(result);
-       
         if (mods == NULL) {
                 DEBUG(4,("mods is empty: nothing to update for user: %s\n",
                          pdb_get_username(newpwd)));
-               ldap_mods_free(mods, 1);
+               ldap_mods_free(mods, True);
+               ldap_memfree(dn);
                 return NT_STATUS_OK;
         }
         
-       ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, False);
-       ldap_mods_free(mods,1);
+       ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
+       ldap_mods_free(mods,True);
+       ldap_memfree(dn);
  
         if (!NT_STATUS_IS_OK(ret)) {
                 char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+               ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
                                 &ld_error);
                 DEBUG(0,("failed to modify user with uid = %s, error: %s (%s)\n",
                          pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
@@ -1376,7 +1411,7 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A
  /**********************************************************************
    Helper function to determine for update_sam_account whether
    we need LDAP modification.
-*********************************************************************/
+ *********************************************************************/
  static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
                                       enum pdb_elements element)
  {
@@ -1387,48 +1422,84 @@ static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
  /**********************************************************************
  Add SAM_ACCOUNT to LDAP 
  *********************************************************************/
+
  static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
  {
         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         int rc;
-       pstring filter;
-       LDAPMessage *result = NULL;
-       LDAPMessage *entry  = NULL;
-       pstring dn;
-       LDAPMod **mods = NULL;
+       LDAPMessage     *result = NULL;
+       LDAPMessage     *entry  = NULL;
+       pstring         dn;
+       LDAPMod         **mods = NULL;
         int             ldap_op;
         uint32          num_result;
-       
-       const char *username = pdb_get_username(newpwd);
+       char            **attr_list;
+       char            *escape_user;
+       const char      *username = pdb_get_username(newpwd);
+       const DOM_SID   *sid = pdb_get_user_sid(newpwd);
+       pstring         filter;
+       fstring         sid_string;
+
         if (!username || !*username) {
                 DEBUG(0, ("Cannot add user without a username!\n"));
                 return NT_STATUS_INVALID_PARAMETER;
         }
  
-       rc = ldapsam_search_one_user_by_name (ldap_state, username, &result);
+       /* free this list after the second search or in case we exit on failure */
+       attr_list = get_userattr_list(ldap_state->schema_ver);
+
+       rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
+
         if (rc != LDAP_SUCCESS) {
+               free_attr_list( attr_list );
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) {
-               DEBUG(0,("User '%s' already in the base, with samba properties\n", 
+       if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
+               DEBUG(0,("User '%s' already in the base, with samba attributes\n", 
                          username));
                 ldap_msgfree(result);
+               free_attr_list( attr_list );
                 return NT_STATUS_UNSUCCESSFUL;
         }
         ldap_msgfree(result);
+       result = NULL;
+
+       if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
+               rc = ldapsam_get_ldap_user_by_sid(ldap_state, 
+                                                 sid, &result); 
+               if (rc == LDAP_SUCCESS) {
+                       if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
+                               DEBUG(0,("SID '%s' already in the base, with samba attributes\n", 
+                                        sid_to_string(sid_string, sid)));
+                               free_attr_list( attr_list );
+                               return NT_STATUS_UNSUCCESSFUL;
+                       }
+                       ldap_msgfree(result);
+               }
+       }
  
-       slprintf (filter, sizeof (filter) - 1, "uid=%s", username);
-       rc = ldapsam_search_one_user(ldap_state, filter, &result);
-       if (rc != LDAP_SUCCESS) {
+       /* does the entry already exist but without a samba attributes?
+          we need to return the samba attributes here */
+          
+       escape_user = escape_ldap_string_alloc( username );
+       pstrcpy( filter, lp_ldap_filter() );
+       all_string_sub( filter, "%u", escape_user, sizeof(filter) );
+       SAFE_FREE( escape_user );
+
+       rc = smbldap_search_suffix(ldap_state->smbldap_state, 
+                                  filter, attr_list, &result);
+       if ( rc != LDAP_SUCCESS ) {
+               free_attr_list( attr_list );
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       num_result = ldap_count_entries(ldap_state->ldap_struct, result);
+       num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
         
         if (num_result > 1) {
                 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
+               free_attr_list( attr_list );
                 ldap_msgfree(result);
                 return NT_STATUS_UNSUCCESSFUL;
         }
@@ -1437,21 +1508,64 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
         if (num_result == 1) {
                 char *tmp;
                 
-               DEBUG(3,("User exists without samba properties: adding them\n"));
+               DEBUG(3,("User exists without samba attributes: adding them\n"));
                 ldap_op = LDAP_MOD_REPLACE;
-               entry = ldap_first_entry (ldap_state->ldap_struct, result);
-               tmp = ldap_get_dn (ldap_state->ldap_struct, entry);
+               entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
+               tmp = ldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
                 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
                 ldap_memfree (tmp);
-       } else {
+
+       } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
+
+               /* There might be a SID for this account already - say an idmap entry */
+
+               pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))", 
+                        get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
+                        sid_to_string(sid_string, sid),
+                        LDAP_OBJ_IDMAP_ENTRY,
+                        LDAP_OBJ_SID_ENTRY);
+               
+               rc = smbldap_search_suffix(ldap_state->smbldap_state, 
+                                          filter, attr_list, &result);
+                       
+               if ( rc != LDAP_SUCCESS ) {
+                       free_attr_list( attr_list );
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+               
+               num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+               
+               if (num_result > 1) {
+                       DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
+                       free_attr_list( attr_list );
+                       ldap_msgfree(result);
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+               
+               /* Check if we need to update an existing entry */
+               if (num_result == 1) {
+                       char *tmp;
+                       
+                       DEBUG(3,("User exists without samba attributes: adding them\n"));
+                       ldap_op = LDAP_MOD_REPLACE;
+                       entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
+                       tmp = ldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
+                       slprintf (dn, sizeof (dn) - 1, "%s", tmp);
+                       ldap_memfree (tmp);
+               }
+       }
+       
+       free_attr_list( attr_list );
+
+       if (num_result == 0) {
                 /* Check if we need to add an entry */
                 DEBUG(3,("Adding new user\n"));
                 ldap_op = LDAP_MOD_ADD;
                 if (username[strlen(username)-1] == '$') {
-                        slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
-                } else {
-                        slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
-                }
+                       slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
+               } else {
+                       slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
+               }
         }
  
         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
@@ -1467,104 +1581,108 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
                 DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
                 return NT_STATUS_UNSUCCESSFUL;
         }
-       
-       smb_ldap_make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
+       switch ( ldap_state->schema_ver )
+       {
+               case SCHEMAVER_SAMBAACCOUNT:
+                       smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
+                       break;
+               case SCHEMAVER_SAMBASAMACCOUNT:
+                       smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
+                       break;
+               default:
+                       DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
+                       break;
+       }
  
-       ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, True);
-       if (NT_STATUS_IS_ERR(ret)) {
+       ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
+       if (!NT_STATUS_IS_OK(ret)) {
                 DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
                          pdb_get_username(newpwd),dn));
-               ldap_mods_free(mods,1);
+               ldap_mods_free(mods, True);
                 return ret;
         }
  
-       DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
-       ldap_mods_free(mods, 1);
+       DEBUG(2,("added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
+       ldap_mods_free(mods, True);
+       
         return NT_STATUS_OK;
  }
  
-static void free_private_data(void **vp) 
-{
-       struct smb_ldap_privates **ldap_state = (struct smb_ldap_privates **)vp;
-
-       smb_ldap_close(*ldap_state);
-
-       if ((*ldap_state)->bind_secret) {
-               memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
-       }
-
-       smb_ldap_close(*ldap_state);
-               
-       SAFE_FREE((*ldap_state)->bind_dn);
-       SAFE_FREE((*ldap_state)->bind_secret);
-
-       *ldap_state = NULL;
-
-       /* No need to free any further, as it is talloc()ed */
-}
+/**********************************************************************
+ *********************************************************************/
  
-static const char *group_attr[] = {"cn", "ntSid", "ntGroupType",
-                                  "gidNumber",
-                                  "displayName", "description",
-                                  NULL };
-                                  
-static int ldapsam_search_one_group (struct smb_ldap_privates *ldap_state,
+static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
                                      const char *filter,
                                      LDAPMessage ** result)
  {
         int scope = LDAP_SCOPE_SUBTREE;
         int rc;
+       char **attr_list;
  
         DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter));
  
-       rc = smb_ldap_search(ldap_state, lp_ldap_suffix (), scope,
-                           filter, group_attr, 0, result);
+
+       attr_list = get_attr_list(groupmap_attr_list);
+       rc = smbldap_search(ldap_state->smbldap_state, 
+                           lp_ldap_group_suffix (), scope,
+                           filter, attr_list, 0, result);
+       free_attr_list( attr_list );
  
         if (rc != LDAP_SUCCESS) {
                 char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+               ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
                                 &ld_error);
                 DEBUG(0, ("ldapsam_search_one_group: "
                           "Problem during the LDAP search: LDAP error: %s (%s)",
                           ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
                 DEBUG(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
-                         lp_ldap_suffix(), filter));
+                         lp_ldap_group_suffix(), filter));
                 SAFE_FREE(ld_error);
         }
  
         return rc;
  }
  
-static BOOL init_group_from_ldap(struct smb_ldap_privates *ldap_state,
+/**********************************************************************
+ *********************************************************************/
+
+static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
                                  GROUP_MAP *map, LDAPMessage *entry)
  {
         pstring temp;
  
         if (ldap_state == NULL || map == NULL || entry == NULL ||
-           ldap_state->ldap_struct == NULL) {
+           ldap_state->smbldap_state->ldap_struct == NULL) 
+       {
                 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
                 return False;
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber",
-                                 temp)) {
-               DEBUG(0, ("Mandatory attribute gidNumber not found\n"));
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) 
+       {
+               DEBUG(0, ("Mandatory attribute %s not found\n", 
+                       get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
                 return False;
         }
         DEBUG(2, ("Entry found for group: %s\n", temp));
  
         map->gid = (gid_t)atol(temp);
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "ntSid",
-                                 temp)) {
-               DEBUG(0, ("Mandatory attribute ntSid not found\n"));
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) 
+       {
+               DEBUG(0, ("Mandatory attribute %s not found\n",
+                       get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
                 return False;
         }
         string_to_sid(&map->sid, temp);
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "ntGroupType",
-                                 temp)) {
-               DEBUG(0, ("Mandatory attribute ntGroupType not found\n"));
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) 
+       {
+               DEBUG(0, ("Mandatory attribute %s not found\n",
+                       get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
                 return False;
         }
         map->sid_name_use = (uint32)atol(temp);
@@ -1575,32 +1693,33 @@ static BOOL init_group_from_ldap(struct smb_ldap_privates *ldap_state,
                 return False;
         }
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "displayName",
-                                 temp)) {
-               DEBUG(3, ("Attribute displayName not found\n"));
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) 
+       {
                 temp[0] = '\0';
-               if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "cn",
-                                         temp)) {
+               if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+                       get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp)) 
+               {
                         DEBUG(0, ("Attributes cn not found either "
-                                 "for gidNumber(%i)\n",map->gid));
+                                 "for gidNumber(%lu)\n",(unsigned long)map->gid));
                         return False;
                 }
         }
         fstrcpy(map->nt_name, temp);
  
-       if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "description",
-                                 temp)) {
-               DEBUG(3, ("Attribute description not found\n"));
+       if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+               get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) 
+       {
                 temp[0] = '\0';
         }
         fstrcpy(map->comment, temp);
  
-       map->systemaccount = 0;
-       init_privilege(&map->priv_set);
-
         return True;
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static BOOL init_ldap_from_group(LDAP *ldap_struct,
                                  LDAPMessage *existing,
                                  LDAPMod ***mods,
@@ -1616,22 +1735,29 @@ static BOOL init_ldap_from_group(LDAP *ldap_struct,
         *mods = NULL;
  
         sid_to_string(tmp, &map->sid);
-       make_ldap_mod(ldap_struct, existing, mods, "ntSid", tmp);
-       snprintf(tmp, sizeof(tmp)-1, "%i", map->sid_name_use);
-       make_ldap_mod(ldap_struct, existing, mods, "ntGroupType", tmp);
+       smbldap_make_mod(ldap_struct, existing, mods, 
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
+       pstr_sprintf(tmp, "%i", map->sid_name_use);
+       smbldap_make_mod(ldap_struct, existing, mods, 
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
  
-       make_ldap_mod(ldap_struct, existing, mods, "displayName", map->nt_name);
-       make_ldap_mod(ldap_struct, existing, mods, "description", map->comment);
+       smbldap_make_mod(ldap_struct, existing, mods, 
+               get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
+       smbldap_make_mod(ldap_struct, existing, mods, 
+               get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
  
         return True;
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
                                  const char *filter,
                                  GROUP_MAP *map)
  {
-       struct smb_ldap_privates *ldap_state =
-               (struct smb_ldap_privates *)methods->private_data;
+       struct ldapsam_privates *ldap_state =
+               (struct ldapsam_privates *)methods->private_data;
         LDAPMessage *result;
         LDAPMessage *entry;
         int count;
@@ -1641,20 +1767,22 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
                 return NT_STATUS_NO_SUCH_GROUP;
         }
  
-       count = ldap_count_entries(ldap_state->ldap_struct, result);
+       count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
  
         if (count < 1) {
-               DEBUG(4, ("Did not find group for filter %s\n", filter));
+               DEBUG(4, ("Did not find group\n"));
+               ldap_msgfree(result);
                 return NT_STATUS_NO_SUCH_GROUP;
         }
  
         if (count > 1) {
                 DEBUG(1, ("Duplicate entries for filter %s: count=%d\n",
                           filter, count));
+               ldap_msgfree(result);
                 return NT_STATUS_NO_SUCH_GROUP;
         }
  
-       entry = ldap_first_entry(ldap_state->ldap_struct, result);
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
  
         if (!entry) {
                 ldap_msgfree(result);
@@ -1672,63 +1800,89 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
         return NT_STATUS_OK;
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
-                                DOM_SID sid, BOOL with_priv)
+                                DOM_SID sid)
  {
         pstring filter;
  
-       snprintf(filter, sizeof(filter)-1,
-                "(&(objectClass=sambaGroupMapping)(ntSid=%s))",
-                sid_string_static(&sid));
+       pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
+               LDAP_OBJ_GROUPMAP, 
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
+               sid_string_static(&sid));
  
         return ldapsam_getgroup(methods, filter, map);
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
-                                gid_t gid, BOOL with_priv)
+                                gid_t gid)
  {
         pstring filter;
  
-       snprintf(filter, sizeof(filter)-1,
-                "(&(objectClass=sambaGroupMapping)(gidNumber=%d))",
-                gid);
+       pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
+               LDAP_OBJ_GROUPMAP,
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
+               (unsigned long)gid);
  
         return ldapsam_getgroup(methods, filter, map);
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
-                                char *name, BOOL with_priv)
+                                const char *name)
  {
         pstring filter;
+       char *escape_name = escape_ldap_string_alloc(name);
  
-       /* TODO: Escaping of name? */
+       if (!escape_name) {
+               return NT_STATUS_NO_MEMORY;
+       }
  
-       snprintf(filter, sizeof(filter)-1,
-                "(&(objectClass=sambaGroupMapping)(|(displayName=%s)(cn=%s)))",
-                name, name);
+       pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
+               LDAP_OBJ_GROUPMAP,
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
+
+       SAFE_FREE(escape_name);
  
         return ldapsam_getgroup(methods, filter, map);
  }
  
-static int ldapsam_search_one_group_by_gid(struct smb_ldap_privates *ldap_state,
+/**********************************************************************
+ *********************************************************************/
+
+static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
                                            gid_t gid,
                                            LDAPMessage **result)
  {
         pstring filter;
  
-       snprintf(filter, sizeof(filter)-1,
-                "(&(objectClass=posixGroup)(gidNumber=%i))", gid);
+       pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))", 
+               LDAP_OBJ_POSIXGROUP,
+               get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
+               (unsigned long)gid);
  
         return ldapsam_search_one_group(ldap_state, filter, result);
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
                                                 GROUP_MAP *map)
  {
-       struct smb_ldap_privates *ldap_state =
-               (struct smb_ldap_privates *)methods->private_data;
+       struct ldapsam_privates *ldap_state =
+               (struct ldapsam_privates *)methods->private_data;
         LDAPMessage *result = NULL;
         LDAPMod **mods = NULL;
+       int count;
  
         char *tmp;
         pstring dn;
@@ -1739,32 +1893,40 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
         int rc;
  
         if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
-                                            map->gid, False))) {
-               DEBUG(0, ("Group %i already exists in LDAP\n", map->gid));
+                                            map->gid))) {
+               DEBUG(0, ("Group %ld already exists in LDAP\n", (unsigned long)map->gid));
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
         rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
         if (rc != LDAP_SUCCESS) {
+               ldap_msgfree(result);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+
+       if ( count == 0 ) {
+               ldap_msgfree(result);
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       if (ldap_count_entries(ldap_state->ldap_struct, result) != 1) {
-               DEBUG(2, ("Group %i must exist exactly once in LDAP\n",
-                         map->gid));
+       if (count > 1) {
+               DEBUG(2, ("Group %lu must exist exactly once in LDAP\n",
+                         (unsigned long)map->gid));
                 ldap_msgfree(result);
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       entry = ldap_first_entry(ldap_state->ldap_struct, result);
-       tmp = ldap_get_dn(ldap_state->ldap_struct, entry);
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+       tmp = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
         pstrcpy(dn, tmp);
         ldap_memfree(tmp);
  
-       if (!init_ldap_from_group(ldap_state->ldap_struct,
+       if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
                                   result, &mods, map)) {
                 DEBUG(0, ("init_ldap_from_group failed!\n"));
-               ldap_mods_free(mods, 1);
+               ldap_mods_free(mods, True);
                 ldap_msgfree(result);
                 return NT_STATUS_UNSUCCESSFUL;
         }
@@ -1776,31 +1938,33 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       smb_ldap_make_a_mod(&mods, LDAP_MOD_ADD, "objectClass",
-                  "sambaGroupMapping");
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
  
-       rc = smb_ldap_modify(ldap_state, dn, mods);
-       ldap_mods_free(mods, 1);
+       rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+       ldap_mods_free(mods, True);
  
         if (rc != LDAP_SUCCESS) {
                 char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+               ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
                                 &ld_error);
-               DEBUG(0, ("failed to add group %i error: %s (%s)\n", map->gid, 
+               DEBUG(0, ("failed to add group %lu error: %s (%s)\n", (unsigned long)map->gid, 
                           ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
                 SAFE_FREE(ld_error);
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       DEBUG(2, ("successfully modified group %i in LDAP\n", map->gid));
+       DEBUG(2, ("successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
         return NT_STATUS_OK;
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
                                                    GROUP_MAP *map)
  {
-       struct smb_ldap_privates *ldap_state =
-               (struct smb_ldap_privates *)methods->private_data;
+       struct ldapsam_privates *ldap_state =
+               (struct ldapsam_privates *)methods->private_data;
         int rc;
         char *dn;
         LDAPMessage *result;
@@ -1813,16 +1977,16 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) {
+       if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
                 DEBUG(0, ("No group to modify!\n"));
                 ldap_msgfree(result);
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       entry = ldap_first_entry(ldap_state->ldap_struct, result);
-       dn = ldap_get_dn(ldap_state->ldap_struct, entry);
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+       dn = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
  
-       if (!init_ldap_from_group(ldap_state->ldap_struct,
+       if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
                                   result, &mods, map)) {
                 DEBUG(0, ("init_ldap_from_group failed\n"));
                 ldap_msgfree(result);
@@ -1836,39 +2000,40 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
-       rc = smb_ldap_modify(ldap_state, dn, mods);
+       rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
  
-       ldap_mods_free(mods, 1);
+       ldap_mods_free(mods, True);
  
         if (rc != LDAP_SUCCESS) {
                 char *ld_error = NULL;
-               ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+               ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
                                 &ld_error);
-               DEBUG(0, ("failed to modify group %i error: %s (%s)\n", map->gid, 
+               DEBUG(0, ("failed to modify group %lu error: %s (%s)\n", (unsigned long)map->gid, 
                           ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
                 SAFE_FREE(ld_error);
         }
  
-       DEBUG(2, ("successfully modified group %i in LDAP\n", map->gid));
+       DEBUG(2, ("successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
         return NT_STATUS_OK;
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
                                                    DOM_SID sid)
  {
-       struct smb_ldap_privates *ldap_state =
-               (struct smb_ldap_privates *)methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
         pstring sidstring, filter;
         LDAPMessage *result;
         int rc;
         NTSTATUS ret;
+       char **attr_list;
  
-       const char *sam_group_attrs[] = { "ntSid", "ntGroupType",
-                                         "description", "displayName",
-                                         NULL };
         sid_to_string(sidstring, &sid);
-       snprintf(filter, sizeof(filter)-1,
-                "(&(objectClass=sambaGroupMapping)(ntSid=%s))", sidstring);
+       
+       pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))", 
+               LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
  
         rc = ldapsam_search_one_group(ldap_state, filter, &result);
  
@@ -1876,53 +2041,66 @@ static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
                 return NT_STATUS_NO_SUCH_GROUP;
         }
  
-       ret = ldapsam_delete_entry(ldap_state, result, "sambaGroupMapping",
-                                  sam_group_attrs);
+       attr_list = get_attr_list( groupmap_attr_list_to_delete );
+       ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
+       free_attr_list ( attr_list );
+
         ldap_msgfree(result);
+
         return ret;
  }
  
-static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
-                                   BOOL update)
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
  {
-       struct smb_ldap_privates *ldap_state =
-               (struct smb_ldap_privates *)my_methods->private_data;
-       const char *filter = "(objectClass=sambaGroupMapping)";
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+       fstring filter;
         int rc;
+       char **attr_list;
  
-       rc = smb_ldap_search(ldap_state, lp_ldap_suffix(),
+       pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
+       attr_list = get_attr_list( groupmap_attr_list );
+       rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
                             LDAP_SCOPE_SUBTREE, filter,
-                           group_attr, 0, &ldap_state->result);
+                           attr_list, 0, &ldap_state->result);
+       free_attr_list( attr_list );
  
         if (rc != LDAP_SUCCESS) {
                 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
-               DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
+               DEBUG(3, ("Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
                 ldap_msgfree(ldap_state->result);
                 ldap_state->result = NULL;
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
         DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
-                 ldap_count_entries(ldap_state->ldap_struct,
+                 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
                                      ldap_state->result)));
  
-       ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
-                                ldap_state->result);
+       ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
         ldap_state->index = 0;
  
         return NT_STATUS_OK;
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
  {
         ldapsam_endsampwent(my_methods);
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
                                     GROUP_MAP *map)
  {
         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-       struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
         BOOL bret = False;
  
         while (!bret) {
@@ -1932,17 +2110,20 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
                 ldap_state->index++;
                 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
                 
-               ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
+               ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
                                             ldap_state->entry); 
         }
  
         return NT_STATUS_OK;
  }
  
+/**********************************************************************
+ *********************************************************************/
+
  static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
                                            enum SID_NAME_USE sid_name_use,
                                            GROUP_MAP **rmap, int *num_entries,
-                                          BOOL unix_only, BOOL with_priv)
+                                          BOOL unix_only)
  {
         GROUP_MAP map;
         GROUP_MAP *mapt;
@@ -1989,11 +2170,30 @@ static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
         return NT_STATUS_OK;
  }
  
-NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+/**********************************************************************
+ Housekeeping
+ *********************************************************************/
+
+static void free_private_data(void **vp) 
+{
+       struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
+
+       smbldap_free_struct(&(*ldap_state)->smbldap_state);
+
+       *ldap_state = NULL;
+
+       /* No need to free any further, as it is talloc()ed */
+}
+
+/**********************************************************************
+ Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
+ *********************************************************************/
+
+static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, 
+                                       const char *location)
  {
         NTSTATUS nt_status;
-       struct smb_ldap_privates *ldap_state;
-       uint32 low_nua_uid, high_nua_uid;
+       struct ldapsam_privates *ldap_state;
  
         if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
                 return nt_status;
@@ -2020,17 +2220,39 @@ NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, co
  
         /* TODO: Setup private data and free */
  
-       ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct smb_ldap_privates));
-
+       ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(*ldap_state));
         if (!ldap_state) {
                 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
                 return NT_STATUS_NO_MEMORY;
         }
  
-       if (location) {
-               ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
+       if (!NT_STATUS_IS_OK(nt_status = 
+                            smbldap_init(pdb_context->mem_ctx, location, 
+                                         &ldap_state->smbldap_state)));
+
+       ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
+       if (!ldap_state->domain_name) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       (*pdb_method)->private_data = ldap_state;
+
+       (*pdb_method)->free_private_data = free_private_data;
+
+       return NT_STATUS_OK;
+}
+
+/**********************************************************************
+ Initialise the 'compat' mode for pdb_ldap
+ *********************************************************************/
+
+static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+       NTSTATUS nt_status;
+       struct ldapsam_privates *ldap_state;
+
  #ifdef WITH_LDAP_SAMCONFIG
-       } else {
+       if (!location) {
                 int ldap_port = lp_ldap_port();
                         
                 /* remap default port if not using SSL (ie clear or TLS) */
@@ -2038,34 +2260,115 @@ NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, co
                         ldap_port = 389;
                 }
  
-               ldap_state->uri = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
-               if (!ldap_state->uri) {
+               location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
+               if (!location) {
                         return NT_STATUS_NO_MEMORY;
                 }
-#else
-       } else {
-               ldap_state->uri = "ldap://localhost";
+       }
  #endif
+
+       if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
+               return nt_status;
         }
  
-       (*pdb_method)->private_data = ldap_state;
+       (*pdb_method)->name = "ldapsam_compat";
  
-       (*pdb_method)->free_private_data = free_private_data;
+       ldap_state = (*pdb_method)->private_data;
+       ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
  
-       if (lp_idmap_uid(&low_nua_uid, &high_nua_uid)) {
-               DEBUG(0, ("idmap uid range defined, non unix accounts enabled\n"));
+       sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
  
-               ldap_state->permit_non_unix_accounts = True;
-               
-               ldap_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
+       return NT_STATUS_OK;
+}
+
+/**********************************************************************
+ Initialise the normal mode for pdb_ldap
+ *********************************************************************/
+
+static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+       NTSTATUS nt_status;
+       struct ldapsam_privates *ldap_state;
+       uint32 alg_rid_base;
+       pstring alg_rid_base_string;
+       LDAPMessage *result = NULL;
+       LDAPMessage *entry = NULL;
+       DOM_SID ldap_domain_sid;
+       DOM_SID secrets_domain_sid;
+       pstring domain_sid_string;
  
-               ldap_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
+       if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
+               return nt_status;
         }
  
+       (*pdb_method)->name = "ldapsam";
+
+       ldap_state = (*pdb_method)->private_data;
+       ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
+
+       /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
+       
+       nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result, 
+               ldap_state->domain_name, True);
+       
+       if ( !NT_STATUS_IS_OK(nt_status) ) {
+               DEBUG(2, ("WARNING: Could not get domain info, nor add one to the domain\n"));
+               DEBUGADD(2, ("Continuing on regardless, will be unable to allocate new users/groups, "
+                       "and will risk BDCs having inconsistant SIDs\n"));
+               sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
+               return NT_STATUS_OK;
+       }
+
+       /* Given that the above might fail, everything below this must be optional */
+       
+       entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+       if (!entry) {
+               DEBUG(0, ("Could not get domain info entry\n"));
+               ldap_msgfree(result);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+                                get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
+                                domain_sid_string)) 
+       {
+               BOOL found_sid;
+               string_to_sid(&ldap_domain_sid, domain_sid_string);
+               found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid);
+               if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) {
+                       /* reset secrets.tdb sid */
+                       secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid);
+               }
+               sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
+       }
+
+       if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
+                                get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ALGORITHMIC_RID_BASE), 
+                                alg_rid_base_string)) 
+       {
+               alg_rid_base = (uint32)atol(alg_rid_base_string);
+               if (alg_rid_base != algorithmic_rid_base()) {
+                       DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
+                                 "database was initialised.  Aborting. \n"));
+                       ldap_msgfree(result);
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+       }
+       ldap_msgfree(result);
+
         return NT_STATUS_OK;
  }
  
  NTSTATUS pdb_ldap_init(void)
  {
-       return smb_register_passdb("ldapsam", pdb_init_ldapsam, PASSDB_INTERFACE_VERSION);
+       NTSTATUS nt_status;
+       if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
+               return nt_status;
+
+       if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
+               return nt_status;
+
+       return NT_STATUS_OK;
  }
+
+