r2619: Only issue the ldap extended password change operation if the ldap server
authorVolker Lendecke <vlendec@samba.org>
Sat, 25 Sep 2004 10:12:34 +0000 (10:12 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:52:48 +0000 (10:52 -0500)
supports it. This might be a fix for bugs 1823 and 1545, notifying both.

Also ignore object class violation errors from the extended operation. We
don't have the userPassword field in sambaSamAccount, and if we have such a
broken setup with the user in /etc/passwd and only the samba attributes in ldap,
we fail on this :-)

Volker
(This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)

source3/passdb/pdb_ldap.c

index 454aa8d8702f1472f3546795639c0ee5c5db51d8..60312d265f3805edb1e3596754d22a1bc95acd30 100644 (file)
@@ -1404,6 +1404,66 @@ static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT
        return NT_STATUS_OK;
 }      
 
+static BOOL ldapsam_can_pwchange_exop(struct smbldap_state *ldap_state)
+{
+       LDAPMessage *msg = NULL;
+       LDAPMessage *entry = NULL;
+       char **values = NULL;
+       char *attrs[] = { "supportedExtension", NULL };
+       int rc, num_result, num_values, i;
+       BOOL result = False;
+
+       rc = smbldap_search(ldap_state, "", LDAP_SCOPE_BASE, "(objectclass=*)",
+                           attrs, 0, &msg);
+
+       if (rc != LDAP_SUCCESS) {
+               DEBUG(3, ("Could not search rootDSE\n"));
+               return False;
+       }
+
+       num_result = ldap_count_entries(ldap_state->ldap_struct, msg);
+
+       if (num_result != 1) {
+               DEBUG(3, ("Expected one rootDSE, got %d\n", num_result));
+               goto done;
+       }
+
+       entry = ldap_first_entry(ldap_state->ldap_struct, msg);
+
+       if (entry == NULL) {
+               DEBUG(3, ("Could not retrieve rootDSE\n"));
+               goto done;
+       }
+
+       values = ldap_get_values(ldap_state->ldap_struct, entry,
+                                "supportedExtension");
+
+       if (values == NULL) {
+               DEBUG(9, ("LDAP Server does not support any extensions\n"));
+               goto done;
+       }
+
+       num_values = ldap_count_values(values);
+
+       if (num_values == 0) {
+               DEBUG(9, ("LDAP Server does not support any extensions\n"));
+               goto done;
+       }
+
+       for (i=0; i<num_values; i++) {
+               if (strcmp(values[i], LDAP_EXOP_MODIFY_PASSWD) == 0)
+                       result = True;
+       }
+
+ done:
+       if (values != NULL)
+               ldap_value_free(values);
+       if (msg != NULL)
+               ldap_msgfree(msg);
+
+       return result;
+}
+
 /********************************************************************
  Do the actual modification - also change a plaintext passord if 
  it it set.
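Review bot: The early `return False;` after the failed smbldap_search skips the cleanup under `done:`, so if the library hands back a non-NULL `msg` together with a non-success rc (partial results can do this), that message is never freed; `goto done;` there keeps every exit on the one cleanup path the function already has. The rootDSE search is otherwise repeated on every call, and the only caller in this commit is the password-change path, so each password change now costs an extra round trip; caching the answer in `smbldap_state` after the first successful query would avoid that, though the state struct is not visible here. The match loop can also `break` once `result = True` is set. A one-line header comment, `/* Ask the rootDSE whether the server advertises LDAP_EXOP_MODIFY_PASSWD (RFC 3062). */`, would make the purpose clear to readers of the caller.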
@@ -1467,6 +1527,12 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
                char *utf8_password;
                char *utf8_dn;
 
+               if (!ldapsam_can_pwchange_exop(ldap_state->smbldap_state)) {
+                       DEBUG(2, ("ldap password change requested, but LDAP "
+                                 "server does not support it -- ignoring\n"));
+                       return NT_STATUS_OK;
+               }
+
                if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
                        return NT_STATUS_NO_MEMORY;
                }
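Review bot: The new guard returns NT_STATUS_OK, so the caller is told the password change succeeded even though userPassword in the directory was never touched, and the only trace is a level-2 debug line that most deployments will not log. If the attributes modified earlier in ldapsam_modify_entry (its body starts outside this hunk) have already been written by this point, the samba hashes and userPassword can silently drift apart on servers without the exop, which is the situation the commit title describes. Consider raising the message to level 0 or 1 so an administrator actually sees it, and document the deliberate choice above the return: `/* Deliberate: the directory keeps the samba hashes, but userPassword cannot be updated here. */`.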
@@ -1503,6 +1569,15 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
                                                     bv, NULL, NULL, &retoid, 
                                                     &retdata)) != LDAP_SUCCESS) {
                        char *ld_error = NULL;
+
+                       if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
+                               DEBUG(3, ("Could not set userPassword "
+                                         "attribute due to an objectClass "
+                                         "violation -- ignoring\n"));
+                               ber_bvfree(bv);
+                               return NT_STATUS_OK;
+                       }
+
                        ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
                                        &ld_error);
                        DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",