2 Unix SMB/CIFS implementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002-2003
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
49 #define DBGC_CLASS DBGC_PASSDB
55 * Work around versions of the LDAP client libs that don't have the OIDs
56 * defined, or have them defined under the old name.
57 * This functionality is really a factor of the server, not the client
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
81 #define SAM_ACCOUNT struct sam_passwd
86 /**********************************************************************
87 Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
88 **********************************************************************/
90 void private_data_free_fn(void **result)
92 ldap_msgfree(*result);
96 /**********************************************************************
97 Get the attribute name given a user schame version.
98 **********************************************************************/
100 static const char* get_userattr_key2string( int schema_ver, int key )
102 switch ( schema_ver ) {
103 case SCHEMAVER_SAMBAACCOUNT:
104 return get_attr_key2string( attrib_map_v22, key );
106 case SCHEMAVER_SAMBASAMACCOUNT:
107 return get_attr_key2string( attrib_map_v30, key );
110 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
116 /**********************************************************************
117 Return the list of attribute names given a user schema version.
118 **********************************************************************/
120 const char** get_userattr_list( int schema_ver )
122 switch ( schema_ver ) {
123 case SCHEMAVER_SAMBAACCOUNT:
124 return get_attr_list( attrib_map_v22 );
126 case SCHEMAVER_SAMBASAMACCOUNT:
127 return get_attr_list( attrib_map_v30 );
129 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
136 /**************************************************************************
137 Return the list of attribute names to delete given a user schema version.
138 **************************************************************************/
140 static const char** get_userattr_delete_list( int schema_ver )
142 switch ( schema_ver ) {
143 case SCHEMAVER_SAMBAACCOUNT:
144 return get_attr_list( attrib_map_to_delete_v22 );
146 case SCHEMAVER_SAMBASAMACCOUNT:
147 return get_attr_list( attrib_map_to_delete_v30 );
149 DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
157 /*******************************************************************
158 Generate the LDAP search filter for the objectclass based on the
159 version of the schema we are using.
160 ******************************************************************/
162 static const char* get_objclass_filter( int schema_ver )
164 static fstring objclass_filter;
166 switch( schema_ver ) {
167 case SCHEMAVER_SAMBAACCOUNT:
168 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
170 case SCHEMAVER_SAMBASAMACCOUNT:
171 fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
174 DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
178 return objclass_filter;
181 /*****************************************************************
182 Scan a sequence number off OpenLDAP's syncrepl contextCSN
183 ******************************************************************/
185 static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
187 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
188 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
189 LDAPMessage *msg = NULL;
190 LDAPMessage *entry = NULL;
192 char **values = NULL;
193 int rc, num_result, num_values, rid;
199 /* Unfortunatly there is no proper way to detect syncrepl-support in
200 * smbldap_connect_system(). The syncrepl OIDs are submitted for publication
201 * but do not show up in the root-DSE yet. Neither we can query the
202 * subschema-context for the syncProviderSubentry or syncConsumerSubentry
203 * objectclass. Currently we require lp_ldap_suffix() to show up as
204 * namingContext. - Guenther
207 if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
212 DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
216 if (!smbldap_has_naming_context(ldap_state->smbldap_state, lp_ldap_suffix())) {
217 DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
218 "as top-level namingContext\n", lp_ldap_suffix()));
222 mem_ctx = talloc_init("ldapsam_get_seq_num");
225 return NT_STATUS_NO_MEMORY;
227 attrs = TALLOC_ARRAY(mem_ctx, const char *, 2);
229 /* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
230 rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
233 /* consumer syncreplCookie: */
234 /* csn=20050126161620Z#0000001#00#00000 */
235 attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
237 pstr_sprintf( suffix, "cn=syncrepl%d,%s", rid, lp_ldap_suffix());
241 /* provider contextCSN */
242 /* 20050126161620Z#000009#00#000000 */
243 attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
245 pstr_sprintf( suffix, "cn=ldapsync,%s", lp_ldap_suffix());
249 rc = smbldap_search(ldap_state->smbldap_state, suffix,
250 LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
252 if (rc != LDAP_SUCCESS) {
254 char *ld_error = NULL;
255 ldap_get_option(ldap_state->smbldap_state->ldap_struct,
256 LDAP_OPT_ERROR_STRING, &ld_error);
257 DEBUG(0,("ldapsam_get_seq_num: Failed search for suffix: %s, error: %s (%s)\n",
258 suffix,ldap_err2string(rc), ld_error?ld_error:"unknown"));
263 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg);
264 if (num_result != 1) {
265 DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
269 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg);
271 DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
275 values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]);
276 if (values == NULL) {
277 DEBUG(3,("ldapsam_get_seq_num: no values\n"));
281 num_values = ldap_count_values(values);
282 if (num_values == 0) {
283 DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
288 if (!next_token(&p, tok, "#", sizeof(tok))) {
289 DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
294 if (!strncmp(p, "csn=", strlen("csn=")))
297 DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
299 *seq_num = generalized_to_unix_time(p);
301 /* very basic sanity check */
303 DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
308 ntstatus = NT_STATUS_OK;
312 ldap_value_free(values);
316 talloc_destroy(mem_ctx);
321 /*******************************************************************
322 Run the search by name.
323 ******************************************************************/
325 int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
327 LDAPMessage ** result,
331 char *escape_user = escape_ldap_string_alloc(user);
334 return LDAP_NO_MEMORY;
338 * in the filter expression, replace %u with the real name
339 * so in ldap filter, %u MUST exist :-)
341 pstr_sprintf(filter, "(&%s%s)", "(uid=%u)",
342 get_objclass_filter(ldap_state->schema_ver));
345 * have to use this here because $ is filtered out
350 all_string_sub(filter, "%u", escape_user, sizeof(pstring));
351 SAFE_FREE(escape_user);
353 return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
356 /*******************************************************************
357 Run the search by rid.
358 ******************************************************************/
360 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
361 uint32 rid, LDAPMessage ** result,
367 pstr_sprintf(filter, "(&(rid=%i)%s)", rid,
368 get_objclass_filter(ldap_state->schema_ver));
370 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
375 /*******************************************************************
376 Run the search by SID.
377 ******************************************************************/
379 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
380 const DOM_SID *sid, LDAPMessage ** result,
387 pstr_sprintf(filter, "(&(%s=%s)%s)",
388 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
389 sid_to_string(sid_string, sid),
390 get_objclass_filter(ldap_state->schema_ver));
392 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
397 /*******************************************************************
398 Delete complete object or objectclass and attrs from
399 object found in search_result depending on lp_ldap_delete_dn
400 ******************************************************************/
402 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
404 const char *objectclass,
408 LDAPMessage *entry = NULL;
409 LDAPMod **mods = NULL;
411 BerElement *ptr = NULL;
413 rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
416 DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
417 return NT_STATUS_UNSUCCESSFUL;
420 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
421 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
423 return NT_STATUS_UNSUCCESSFUL;
426 if (lp_ldap_delete_dn()) {
427 NTSTATUS ret = NT_STATUS_OK;
428 rc = smbldap_delete(ldap_state->smbldap_state, dn);
430 if (rc != LDAP_SUCCESS) {
431 DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn));
432 ret = NT_STATUS_UNSUCCESSFUL;
438 /* Ok, delete only the SAM attributes */
440 for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
442 name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr)) {
445 /* We are only allowed to delete the attributes that
448 for (attrib = attrs; *attrib != NULL; attrib++) {
449 /* Don't delete LDAP_ATTR_MOD_TIMESTAMP attribute. */
450 if (strequal(*attrib, get_userattr_key2string(ldap_state->schema_ver,
451 LDAP_ATTR_MOD_TIMESTAMP))) {
454 if (strequal(*attrib, name)) {
455 DEBUG(10, ("ldapsam_delete_entry: deleting "
456 "attribute %s\n", name));
457 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
469 smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
471 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
472 ldap_mods_free(mods, True);
474 if (rc != LDAP_SUCCESS) {
475 char *ld_error = NULL;
476 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
479 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
480 dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
483 return NT_STATUS_UNSUCCESSFUL;
490 /* New Interface is being implemented here */
492 #if 0 /* JERRY - not uesed anymore */
494 /**********************************************************************
495 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
496 *********************************************************************/
497 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
498 SAM_ACCOUNT * sampass,
507 if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
508 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
512 for (values=ldap_values;*values;values++) {
513 if (strequal(*values, LDAP_OBJ_POSIXACCOUNT )) {
518 if (!*values) { /*end of array, no posixAccount */
519 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
520 ldap_value_free(ldap_values);
523 ldap_value_free(ldap_values);
525 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
526 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) )
531 if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
532 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
537 *gid = (gid_t)atol(temp);
539 pdb_set_unix_homedir(sampass, homedir, PDB_SET);
541 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
548 static time_t ldapsam_get_entry_timestamp(
549 struct ldapsam_privates *ldap_state,
555 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
556 get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
560 strptime(temp, "%Y%m%d%H%M%SZ", &tm);
565 /**********************************************************************
566 Initialize SAM_ACCOUNT from an LDAP query.
567 (Based on init_sam_from_buffer in pdb_tdb.c)
568 *********************************************************************/
570 static BOOL init_sam_from_ldap(struct ldapsam_privates *ldap_state,
571 SAM_ACCOUNT * sampass,
578 pass_can_change_time,
579 pass_must_change_time,
592 char munged_dial[2048];
594 uint8 smblmpwd[LM_HASH_LEN],
595 smbntpwd[NT_HASH_LEN];
596 BOOL use_samba_attrs = True;
597 uint16 acct_ctrl = 0,
599 uint16 bad_password_count = 0,
602 uint8 hours[MAX_HOURS_LEN];
604 LOGIN_CACHE *cache_entry = NULL;
607 BOOL expand_explicit = lp_passdb_expand_explicit();
610 * do a little initialization
614 nt_username[0] = '\0';
618 logon_script[0] = '\0';
619 profile_path[0] = '\0';
621 munged_dial[0] = '\0';
622 workstations[0] = '\0';
625 if (sampass == NULL || ldap_state == NULL || entry == NULL) {
626 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
630 if (ldap_state->smbldap_state->ldap_struct == NULL) {
631 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
635 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
636 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
640 DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
642 pstrcpy(nt_username, username);
644 pstrcpy(domain, ldap_state->domain_name);
646 pdb_set_username(sampass, username, PDB_SET);
648 pdb_set_domain(sampass, domain, PDB_DEFAULT);
649 pdb_set_nt_username(sampass, nt_username, PDB_SET);
651 /* deal with different attributes between the schema first */
653 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
654 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
655 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
656 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
659 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
660 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) {
661 pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
663 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
666 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
667 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
668 user_rid = (uint32)atol(temp);
669 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
672 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
673 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) {
674 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
678 group_rid = (uint32)atol(temp);
680 /* for some reason, we often have 0 as a primary group RID.
681 Make sure that we treat this just as a 'default' value */
684 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
686 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
690 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
691 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
692 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
693 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
698 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
699 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
700 /* leave as default */
702 pass_last_set_time = (time_t) atol(temp);
703 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
706 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
707 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
708 /* leave as default */
710 logon_time = (time_t) atol(temp);
711 pdb_set_logon_time(sampass, logon_time, PDB_SET);
714 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
715 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
716 /* leave as default */
718 logoff_time = (time_t) atol(temp);
719 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
722 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
723 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
724 /* leave as default */
726 kickoff_time = (time_t) atol(temp);
727 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
730 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
731 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
732 /* leave as default */
734 pass_can_change_time = (time_t) atol(temp);
735 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
738 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
739 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {
740 /* leave as default */
742 pass_must_change_time = (time_t) atol(temp);
743 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
746 /* recommend that 'gecos' and 'displayName' should refer to the same
747 * attribute OID. userFullName depreciated, only used by Samba
748 * primary rules of LDAP: don't make a new attribute when one is already defined
749 * that fits your needs; using cn then displayName rather than 'userFullName'
752 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
753 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
754 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
755 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
756 /* leave as default */
758 pdb_set_fullname(sampass, fullname, PDB_SET);
761 pdb_set_fullname(sampass, fullname, PDB_SET);
764 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
765 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
767 pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
769 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
772 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
773 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
775 pdb_set_homedir( sampass,
776 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
779 pstrcpy( tmpstring, homedir );
780 if (expand_explicit) {
781 standard_sub_basic( username, tmpstring,
784 pdb_set_homedir(sampass, tmpstring, PDB_SET);
787 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
788 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
790 pdb_set_logon_script( sampass,
791 talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
794 pstrcpy( tmpstring, logon_script );
795 if (expand_explicit) {
796 standard_sub_basic( username, tmpstring,
799 pdb_set_logon_script(sampass, tmpstring, PDB_SET);
802 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
803 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
805 pdb_set_profile_path( sampass,
806 talloc_sub_basic( sampass->mem_ctx, username, lp_logon_path()),
809 pstrcpy( tmpstring, profile_path );
810 if (expand_explicit) {
811 standard_sub_basic( username, tmpstring,
814 pdb_set_profile_path(sampass, tmpstring, PDB_SET);
817 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
818 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
820 /* leave as default */
822 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
825 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
826 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
827 /* leave as default */;
829 pdb_set_workstations(sampass, workstations, PDB_SET);
832 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
833 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
834 /* leave as default */;
836 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
839 /* FIXME: hours stuff should be cleaner */
843 memset(hours, 0xff, hours_len);
845 if (ldap_state->is_nds_ldap) {
848 char clear_text_pw[512];
850 /* Make call to Novell eDirectory ldap extension to get clear text password.
851 NOTE: This will only work if we have an SSL connection to eDirectory. */
852 user_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
853 if (user_dn != NULL) {
854 DEBUG(3, ("init_sam_from_ldap: smbldap_get_dn(%s) returned '%s'\n", username, user_dn));
856 pwd_len = sizeof(clear_text_pw);
857 if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
858 nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
859 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
861 ZERO_STRUCT(smblmpwd);
862 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
864 ZERO_STRUCT(smbntpwd);
865 use_samba_attrs = False;
868 DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
872 if (use_samba_attrs) {
873 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
874 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
875 /* leave as default */
877 pdb_gethexpwd(temp, smblmpwd);
878 memset((char *)temp, '\0', strlen(temp)+1);
879 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
881 ZERO_STRUCT(smblmpwd);
884 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
885 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
886 /* leave as default */
888 pdb_gethexpwd(temp, smbntpwd);
889 memset((char *)temp, '\0', strlen(temp)+1);
890 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
892 ZERO_STRUCT(smbntpwd);
898 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
900 uint8 *pwhist = NULL;
903 /* We can only store (sizeof(pstring)-1)/64 password history entries. */
904 pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/64));
906 if ((pwhist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN)) == NULL){
907 DEBUG(0, ("init_sam_from_ldap: malloc failed!\n"));
910 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
912 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
913 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), temp)) {
914 /* leave as default - zeros */
916 BOOL hex_failed = False;
917 for (i = 0; i < pwHistLen; i++){
918 /* Get the 16 byte salt. */
919 if (!pdb_gethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
923 /* Get the 16 byte MD5 hash of salt+passwd. */
924 if (!pdb_gethexpwd(&temp[(i*64)+32],
925 &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN])) {
931 DEBUG(0,("init_sam_from_ldap: Failed to get password history for user %s\n",
933 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
936 if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
943 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
944 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
945 acct_ctrl |= ACB_NORMAL;
947 acct_ctrl = pdb_decode_acct_ctrl(temp);
950 acct_ctrl |= ACB_NORMAL;
952 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
955 pdb_set_hours_len(sampass, hours_len, PDB_SET);
956 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
958 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
959 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
960 /* leave as default */
962 bad_password_count = (uint32) atol(temp);
963 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
966 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
967 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
968 /* leave as default */
970 bad_password_time = (time_t) atol(temp);
971 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
975 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
976 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
977 /* leave as default */
979 logon_count = (uint32) atol(temp);
980 pdb_set_logon_count(sampass, logon_count, PDB_SET);
983 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
985 if(!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
986 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_HOURS), temp)) {
987 /* leave as default */
989 pdb_gethexhours(temp, hours);
990 memset((char *)temp, '\0', strlen(temp) +1);
991 pdb_set_hours(sampass, hours, PDB_SET);
995 /* check the timestamp of the cache vs ldap entry */
996 if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
1000 /* see if we have newer updates */
1001 if (!(cache_entry = login_cache_read(sampass))) {
1002 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
1003 (unsigned int)pdb_get_bad_password_count(sampass),
1004 (unsigned int)pdb_get_bad_password_time(sampass)));
1008 DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
1009 (unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp,
1010 (unsigned int)cache_entry->bad_password_time));
1012 if (ldap_entry_time > cache_entry->entry_timestamp) {
1013 /* cache is older than directory , so
1014 we need to delete the entry but allow the
1015 fields to be written out */
1016 login_cache_delentry(sampass);
1019 pdb_set_acct_ctrl(sampass,
1020 pdb_get_acct_ctrl(sampass) |
1021 (cache_entry->acct_ctrl & ACB_AUTOLOCK),
1023 pdb_set_bad_password_count(sampass,
1024 cache_entry->bad_password_count,
1026 pdb_set_bad_password_time(sampass,
1027 cache_entry->bad_password_time,
1031 SAFE_FREE(cache_entry);
1035 /**********************************************************************
1036 Initialize the ldap db from a SAM_ACCOUNT. Called on update.
1037 (Based on init_buffer_from_sam in pdb_tdb.c)
1038 *********************************************************************/
1040 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
1041 LDAPMessage *existing,
1042 LDAPMod *** mods, SAM_ACCOUNT * sampass,
1043 BOOL (*need_update)(const SAM_ACCOUNT *,
1049 if (mods == NULL || sampass == NULL) {
1050 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
1057 * took out adding "objectclass: sambaAccount"
1058 * do this on a per-mod basis
1060 if (need_update(sampass, PDB_USERNAME))
1061 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1062 "uid", pdb_get_username(sampass));
1064 DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
1066 /* only update the RID if we actually need to */
1067 if (need_update(sampass, PDB_USERSID)) {
1069 fstring dom_sid_string;
1070 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
1072 switch ( ldap_state->schema_ver ) {
1073 case SCHEMAVER_SAMBAACCOUNT:
1074 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
1075 DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1076 sid_to_string(sid_string, user_sid),
1077 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
1080 slprintf(temp, sizeof(temp) - 1, "%i", rid);
1081 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1082 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
1086 case SCHEMAVER_SAMBASAMACCOUNT:
1087 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1088 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1089 sid_to_string(sid_string, user_sid));
1093 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1098 /* we don't need to store the primary group RID - so leaving it
1099 'free' to hang off the unix primary group makes life easier */
1101 if (need_update(sampass, PDB_GROUPSID)) {
1103 fstring dom_sid_string;
1104 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
1106 switch ( ldap_state->schema_ver ) {
1107 case SCHEMAVER_SAMBAACCOUNT:
1108 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
1109 DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1110 sid_to_string(sid_string, group_sid),
1111 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
1115 slprintf(temp, sizeof(temp) - 1, "%i", rid);
1116 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1117 get_userattr_key2string(ldap_state->schema_ver,
1118 LDAP_ATTR_PRIMARY_GROUP_RID), temp);
1121 case SCHEMAVER_SAMBASAMACCOUNT:
1122 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1123 get_userattr_key2string(ldap_state->schema_ver,
1124 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
1128 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1134 /* displayName, cn, and gecos should all be the same
1135 * most easily accomplished by giving them the same OID
1136 * gecos isn't set here b/c it should be handled by the
1138 * We change displayName only and fall back to cn if
1139 * it does not exist.
1142 if (need_update(sampass, PDB_FULLNAME))
1143 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1144 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
1145 pdb_get_fullname(sampass));
1147 if (need_update(sampass, PDB_ACCTDESC))
1148 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1149 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
1150 pdb_get_acct_desc(sampass));
1152 if (need_update(sampass, PDB_WORKSTATIONS))
1153 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1154 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
1155 pdb_get_workstations(sampass));
1157 if (need_update(sampass, PDB_MUNGEDDIAL))
1158 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1159 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
1160 pdb_get_munged_dial(sampass));
1162 if (need_update(sampass, PDB_SMBHOME))
1163 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1164 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
1165 pdb_get_homedir(sampass));
1167 if (need_update(sampass, PDB_DRIVE))
1168 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1169 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
1170 pdb_get_dir_drive(sampass));
1172 if (need_update(sampass, PDB_LOGONSCRIPT))
1173 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1174 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
1175 pdb_get_logon_script(sampass));
1177 if (need_update(sampass, PDB_PROFILE))
1178 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1179 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
1180 pdb_get_profile_path(sampass));
1182 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
1183 if (need_update(sampass, PDB_LOGONTIME))
1184 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1185 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1187 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
1188 if (need_update(sampass, PDB_LOGOFFTIME))
1189 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1190 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1192 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
1193 if (need_update(sampass, PDB_KICKOFFTIME))
1194 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1195 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1197 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
1198 if (need_update(sampass, PDB_CANCHANGETIME))
1199 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1200 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1202 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
1203 if (need_update(sampass, PDB_MUSTCHANGETIME))
1204 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1205 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
1208 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1209 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1211 if (need_update(sampass, PDB_LMPASSWD)) {
1212 const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
1214 pdb_sethexpwd(temp, lm_pw,
1215 pdb_get_acct_ctrl(sampass));
1216 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1217 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1220 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1221 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1225 if (need_update(sampass, PDB_NTPASSWD)) {
1226 const uchar *nt_pw = pdb_get_nt_passwd(sampass);
1228 pdb_sethexpwd(temp, nt_pw,
1229 pdb_get_acct_ctrl(sampass));
1230 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1231 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1234 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1235 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1240 if (need_update(sampass, PDB_PWHISTORY)) {
1241 uint32 pwHistLen = 0;
1242 pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1243 if (pwHistLen == 0) {
1244 /* Remove any password history from the LDAP store. */
1245 memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
1249 uint32 currHistLen = 0;
1250 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1251 if (pwhist != NULL) {
1252 /* We can only store (sizeof(pstring)-1)/64 password history entries. */
1253 pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/64));
1254 for (i=0; i< pwHistLen && i < currHistLen; i++) {
1255 /* Store the salt. */
1256 pdb_sethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
1257 /* Followed by the md5 hash of salt + md4 hash */
1258 pdb_sethexpwd(&temp[(i*64)+32],
1259 &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1260 DEBUG(100, ("temp=%s\n", temp));
1264 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1265 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
1269 if (need_update(sampass, PDB_PASSLASTSET)) {
1270 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
1271 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1272 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
1277 if (need_update(sampass, PDB_HOURS)) {
1278 const uint8 *hours = pdb_get_hours(sampass);
1280 pdb_sethexhours(temp, hours);
1281 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
1284 get_userattr_key2string(ldap_state->schema_ver,
1285 LDAP_ATTR_LOGON_HOURS),
1290 if (need_update(sampass, PDB_ACCTCTRL))
1291 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1292 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1293 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1295 /* password lockout cache:
1296 - If we are now autolocking or clearing, we write to ldap
1297 - If we are clearing, we delete the cache entry
1298 - If the count is > 0, we update the cache
1300 This even means when autolocking, we cache, just in case the
1301 update doesn't work, and we have to cache the autolock flag */
1303 if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
1304 need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1305 uint16 badcount = pdb_get_bad_password_count(sampass);
1306 time_t badtime = pdb_get_bad_password_time(sampass);
1308 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1310 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1311 (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1313 if ((badcount >= pol) || (badcount == 0)) {
1314 DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1315 (unsigned int)badcount, (unsigned int)badtime));
1316 slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
1318 ldap_state->smbldap_state->ldap_struct,
1320 get_userattr_key2string(
1321 ldap_state->schema_ver,
1322 LDAP_ATTR_BAD_PASSWORD_COUNT),
1325 slprintf (temp, sizeof (temp) - 1, "%li", badtime);
1327 ldap_state->smbldap_state->ldap_struct,
1329 get_userattr_key2string(
1330 ldap_state->schema_ver,
1331 LDAP_ATTR_BAD_PASSWORD_TIME),
1334 if (badcount == 0) {
1335 DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1336 login_cache_delentry(sampass);
1338 LOGIN_CACHE cache_entry;
1340 cache_entry.entry_timestamp = time(NULL);
1341 cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1342 cache_entry.bad_password_count = badcount;
1343 cache_entry.bad_password_time = badtime;
1345 DEBUG(7, ("Updating bad password count and time in login cache\n"));
1346 login_cache_write(sampass, cache_entry);
1353 /**********************************************************************
1354 Connect to LDAP server for password enumeration.
1355 *********************************************************************/
1357 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update, uint16 acb_mask)
1359 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1361 pstring filter, suffix;
1362 const char **attr_list;
1363 BOOL machine_mask = False, user_mask = False;
1365 pstr_sprintf( filter, "(&%s%s)", "(uid=%u)",
1366 get_objclass_filter(ldap_state->schema_ver));
1367 all_string_sub(filter, "%u", "*", sizeof(pstring));
1369 machine_mask = ((acb_mask != 0) && (acb_mask & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)));
1370 user_mask = ((acb_mask != 0) && (acb_mask & ACB_NORMAL));
1373 pstrcpy(suffix, lp_ldap_machine_suffix());
1374 } else if (user_mask) {
1375 pstrcpy(suffix, lp_ldap_user_suffix());
1377 pstrcpy(suffix, lp_ldap_suffix());
1380 DEBUG(10,("ldapsam_setsampwent: LDAP Query for acb_mask 0x%x will use suffix %s\n",
1383 attr_list = get_userattr_list(ldap_state->schema_ver);
1384 rc = smbldap_search(ldap_state->smbldap_state, suffix, LDAP_SCOPE_SUBTREE, filter,
1385 attr_list, 0, &ldap_state->result);
1386 free_attr_list( attr_list );
1388 if (rc != LDAP_SUCCESS) {
1389 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
1390 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", suffix, filter));
1391 ldap_msgfree(ldap_state->result);
1392 ldap_state->result = NULL;
1393 return NT_STATUS_UNSUCCESSFUL;
1396 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base %s\n",
1397 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
1398 ldap_state->result), suffix));
1400 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
1401 ldap_state->result);
1402 ldap_state->index = 0;
1404 return NT_STATUS_OK;
1407 /**********************************************************************
1408 End enumeration of the LDAP password list.
1409 *********************************************************************/
1411 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1413 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1414 if (ldap_state->result) {
1415 ldap_msgfree(ldap_state->result);
1416 ldap_state->result = NULL;
1420 /**********************************************************************
1421 Get the next entry in the LDAP password database.
1422 *********************************************************************/
1424 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
1426 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1427 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1431 if (!ldap_state->entry)
1434 ldap_state->index++;
1435 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
1437 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
1441 return NT_STATUS_OK;
1444 static void append_attr(const char ***attr_list, const char *new_attr)
1448 if (new_attr == NULL) {
1452 for (i=0; (*attr_list)[i] != NULL; i++) {
1456 (*attr_list) = SMB_REALLOC_ARRAY((*attr_list), const char *, i+2);
1457 SMB_ASSERT((*attr_list) != NULL);
1458 (*attr_list)[i] = SMB_STRDUP(new_attr);
1459 (*attr_list)[i+1] = NULL;
1462 /**********************************************************************
1463 Get SAM_ACCOUNT entry from LDAP by username.
1464 *********************************************************************/
1466 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
1468 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1469 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1470 LDAPMessage *result = NULL;
1471 LDAPMessage *entry = NULL;
1473 const char ** attr_list;
1476 attr_list = get_userattr_list( ldap_state->schema_ver );
1477 append_attr(&attr_list, get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP));
1478 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1479 free_attr_list( attr_list );
1481 if ( rc != LDAP_SUCCESS )
1482 return NT_STATUS_NO_SUCH_USER;
1484 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1487 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1488 ldap_msgfree(result);
1489 return NT_STATUS_NO_SUCH_USER;
1490 } else if (count > 1) {
1491 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1492 ldap_msgfree(result);
1493 return NT_STATUS_NO_SUCH_USER;
1496 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1498 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1499 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1500 ldap_msgfree(result);
1501 return NT_STATUS_NO_SUCH_USER;
1503 pdb_set_backend_private_data(user, result,
1504 private_data_free_fn,
1505 my_methods, PDB_CHANGED);
1508 ldap_msgfree(result);
1513 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1514 const DOM_SID *sid, LDAPMessage **result)
1517 const char ** attr_list;
1520 switch ( ldap_state->schema_ver ) {
1521 case SCHEMAVER_SAMBASAMACCOUNT:
1522 attr_list = get_userattr_list(ldap_state->schema_ver);
1523 append_attr(&attr_list, get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP));
1524 rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
1525 free_attr_list( attr_list );
1527 if ( rc != LDAP_SUCCESS )
1531 case SCHEMAVER_SAMBAACCOUNT:
1532 if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1536 attr_list = get_userattr_list(ldap_state->schema_ver);
1537 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1538 free_attr_list( attr_list );
1540 if ( rc != LDAP_SUCCESS )
1547 /**********************************************************************
1548 Get SAM_ACCOUNT entry from LDAP by SID.
1549 *********************************************************************/
1551 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
1553 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1554 LDAPMessage *result = NULL;
1555 LDAPMessage *entry = NULL;
1560 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1562 if (rc != LDAP_SUCCESS)
1563 return NT_STATUS_NO_SUCH_USER;
1565 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1568 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
1570 ldap_msgfree(result);
1571 return NT_STATUS_NO_SUCH_USER;
1572 } else if (count > 1) {
1573 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
1575 ldap_msgfree(result);
1576 return NT_STATUS_NO_SUCH_USER;
1579 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1581 ldap_msgfree(result);
1582 return NT_STATUS_NO_SUCH_USER;
1585 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1586 DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1587 ldap_msgfree(result);
1588 return NT_STATUS_NO_SUCH_USER;
1591 pdb_set_backend_private_data(user, result,
1592 private_data_free_fn,
1593 my_methods, PDB_CHANGED);
1594 return NT_STATUS_OK;
1597 static BOOL ldapsam_can_pwchange_exop(struct smbldap_state *ldap_state)
1599 return smbldap_has_extension(ldap_state, LDAP_EXOP_MODIFY_PASSWD);
1602 /********************************************************************
1603 Do the actual modification - also change a plaintext passord if
1605 **********************************************************************/
1607 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1608 SAM_ACCOUNT *newpwd, char *dn,
1609 LDAPMod **mods, int ldap_op,
1610 BOOL (*need_update)(const SAM_ACCOUNT *, enum pdb_elements))
1612 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1615 if (!my_methods || !newpwd || !dn) {
1616 return NT_STATUS_INVALID_PARAMETER;
1620 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1621 /* may be password change below however */
1625 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1628 rc = smbldap_add(ldap_state->smbldap_state,
1631 case LDAP_MOD_REPLACE:
1632 rc = smbldap_modify(ldap_state->smbldap_state,
1636 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1638 return NT_STATUS_INVALID_PARAMETER;
1641 if (rc!=LDAP_SUCCESS) {
1642 char *ld_error = NULL;
1643 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1645 DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
1646 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
1647 dn, ldap_err2string(rc),
1648 ld_error?ld_error:"unknown"));
1649 SAFE_FREE(ld_error);
1650 return NT_STATUS_UNSUCCESSFUL;
1654 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1655 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1656 need_update(newpwd, PDB_PLAINTEXT_PW) &&
1657 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1660 char *retoid = NULL;
1661 struct berval *retdata = NULL;
1662 char *utf8_password;
1665 if (!ldap_state->is_nds_ldap) {
1666 if (!ldapsam_can_pwchange_exop(ldap_state->smbldap_state)) {
1667 DEBUG(2, ("ldap password change requested, but LDAP "
1668 "server does not support it -- ignoring\n"));
1669 return NT_STATUS_OK;
1673 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1674 return NT_STATUS_NO_MEMORY;
1677 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1678 return NT_STATUS_NO_MEMORY;
1681 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1682 DEBUG(0,("ber_alloc_t returns NULL\n"));
1683 SAFE_FREE(utf8_password);
1684 return NT_STATUS_UNSUCCESSFUL;
1687 ber_printf (ber, "{");
1688 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1689 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1690 ber_printf (ber, "N}");
1692 if ((rc = ber_flatten (ber, &bv))<0) {
1693 DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1696 SAFE_FREE(utf8_password);
1697 return NT_STATUS_UNSUCCESSFUL;
1701 SAFE_FREE(utf8_password);
1704 if (!ldap_state->is_nds_ldap) {
1705 rc = smbldap_extended_operation(ldap_state->smbldap_state,
1706 LDAP_EXOP_MODIFY_PASSWD,
1707 bv, NULL, NULL, &retoid,
1710 rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
1711 pdb_get_plaintext_passwd(newpwd));
1713 if (rc != LDAP_SUCCESS) {
1714 char *ld_error = NULL;
1716 if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1717 DEBUG(3, ("Could not set userPassword "
1718 "attribute due to an objectClass "
1719 "violation -- ignoring\n"));
1721 return NT_STATUS_OK;
1724 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1726 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1727 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1728 SAFE_FREE(ld_error);
1730 return NT_STATUS_UNSUCCESSFUL;
1732 DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1733 #ifdef DEBUG_PASSWORD
1734 DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1737 ber_bvfree(retdata);
1739 ber_memfree(retoid);
1743 return NT_STATUS_OK;
1746 /**********************************************************************
1747 Delete entry from LDAP for username.
1748 *********************************************************************/
1750 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
1752 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1755 LDAPMessage *result = NULL;
1757 const char **attr_list;
1761 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1762 return NT_STATUS_INVALID_PARAMETER;
1765 sname = pdb_get_username(sam_acct);
1767 DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname));
1769 attr_list= get_userattr_delete_list( ldap_state->schema_ver );
1770 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1772 if (rc != LDAP_SUCCESS) {
1773 free_attr_list( attr_list );
1774 return NT_STATUS_NO_SUCH_USER;
1777 switch ( ldap_state->schema_ver ) {
1778 case SCHEMAVER_SAMBASAMACCOUNT:
1779 fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
1782 case SCHEMAVER_SAMBAACCOUNT:
1783 fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
1786 fstrcpy( objclass, "UNKNOWN" );
1787 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1791 ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
1792 ldap_msgfree(result);
1793 free_attr_list( attr_list );
1798 /**********************************************************************
1799 Helper function to determine for update_sam_account whether
1800 we need LDAP modification.
1801 *********************************************************************/
1803 static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
1804 enum pdb_elements element)
1806 return IS_SAM_CHANGED(sampass, element);
1809 /**********************************************************************
1811 *********************************************************************/
1813 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1815 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1816 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1819 LDAPMessage *result = NULL;
1820 LDAPMessage *entry = NULL;
1821 LDAPMod **mods = NULL;
1822 const char **attr_list;
1824 result = pdb_get_backend_private_data(newpwd, my_methods);
1826 attr_list = get_userattr_list(ldap_state->schema_ver);
1827 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1828 free_attr_list( attr_list );
1829 if (rc != LDAP_SUCCESS) {
1830 return NT_STATUS_UNSUCCESSFUL;
1832 pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
1835 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1836 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1837 return NT_STATUS_UNSUCCESSFUL;
1840 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1841 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1843 return NT_STATUS_UNSUCCESSFUL;
1846 DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1848 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1849 element_is_changed)) {
1850 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1853 ldap_mods_free(mods,True);
1854 return NT_STATUS_UNSUCCESSFUL;
1858 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1859 pdb_get_username(newpwd)));
1861 return NT_STATUS_OK;
1864 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1865 ldap_mods_free(mods,True);
1868 if (!NT_STATUS_IS_OK(ret)) {
1869 char *ld_error = NULL;
1870 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1872 DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
1873 pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
1874 SAFE_FREE(ld_error);
1878 DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1879 pdb_get_username(newpwd)));
1880 return NT_STATUS_OK;
1883 /***************************************************************************
1884 Renames a SAM_ACCOUNT
1885 - The "rename user script" has full responsibility for changing everything
1886 ***************************************************************************/
1888 static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
1889 SAM_ACCOUNT *old_acct,
1890 const char *newname)
1892 const char *oldname;
1894 pstring rename_script;
1897 DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
1898 return NT_STATUS_INVALID_PARAMETER;
1901 DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
1902 return NT_STATUS_INVALID_PARAMETER;
1905 oldname = pdb_get_username(old_acct);
1907 /* rename the posix user */
1908 pstrcpy(rename_script, lp_renameuser_script());
1910 if (!(*rename_script))
1911 return NT_STATUS_ACCESS_DENIED;
1913 DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
1916 pstring_sub(rename_script, "%unew", newname);
1917 pstring_sub(rename_script, "%uold", oldname);
1918 rc = smbrun(rename_script, NULL);
1920 DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
1921 rename_script, rc));
1924 return NT_STATUS_UNSUCCESSFUL;
1926 return NT_STATUS_OK;
1929 /**********************************************************************
1930 Helper function to determine for update_sam_account whether
1931 we need LDAP modification.
1932 *********************************************************************/
1934 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
1935 enum pdb_elements element)
1937 return (IS_SAM_SET(sampass, element) ||
1938 IS_SAM_CHANGED(sampass, element));
1941 /**********************************************************************
1942 Add SAM_ACCOUNT to LDAP.
1943 *********************************************************************/
1945 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1947 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1948 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1950 LDAPMessage *result = NULL;
1951 LDAPMessage *entry = NULL;
1953 LDAPMod **mods = NULL;
1954 int ldap_op = LDAP_MOD_REPLACE;
1956 const char **attr_list;
1958 const char *username = pdb_get_username(newpwd);
1959 const DOM_SID *sid = pdb_get_user_sid(newpwd);
1963 if (!username || !*username) {
1964 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1965 return NT_STATUS_INVALID_PARAMETER;
1968 /* free this list after the second search or in case we exit on failure */
1969 attr_list = get_userattr_list(ldap_state->schema_ver);
1971 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
1973 if (rc != LDAP_SUCCESS) {
1974 free_attr_list( attr_list );
1975 return NT_STATUS_UNSUCCESSFUL;
1978 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1979 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
1981 ldap_msgfree(result);
1982 free_attr_list( attr_list );
1983 return NT_STATUS_UNSUCCESSFUL;
1985 ldap_msgfree(result);
1988 if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
1989 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1991 if (rc == LDAP_SUCCESS) {
1992 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1993 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
1994 sid_to_string(sid_string, sid)));
1995 free_attr_list( attr_list );
1996 ldap_msgfree(result);
1997 return NT_STATUS_UNSUCCESSFUL;
1999 ldap_msgfree(result);
2003 /* does the entry already exist but without a samba attributes?
2004 we need to return the samba attributes here */
2006 escape_user = escape_ldap_string_alloc( username );
2007 pstrcpy( filter, "(uid=%u)" );
2008 all_string_sub( filter, "%u", escape_user, sizeof(filter) );
2009 SAFE_FREE( escape_user );
2011 rc = smbldap_search_suffix(ldap_state->smbldap_state,
2012 filter, attr_list, &result);
2013 if ( rc != LDAP_SUCCESS ) {
2014 free_attr_list( attr_list );
2015 return NT_STATUS_UNSUCCESSFUL;
2018 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2020 if (num_result > 1) {
2021 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
2022 free_attr_list( attr_list );
2023 ldap_msgfree(result);
2024 return NT_STATUS_UNSUCCESSFUL;
2027 /* Check if we need to update an existing entry */
2028 if (num_result == 1) {
2031 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2032 ldap_op = LDAP_MOD_REPLACE;
2033 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2034 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
2036 free_attr_list( attr_list );
2037 ldap_msgfree(result);
2038 return NT_STATUS_UNSUCCESSFUL;
2040 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
2043 } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
2045 /* There might be a SID for this account already - say an idmap entry */
2047 pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
2048 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2049 sid_to_string(sid_string, sid),
2050 LDAP_OBJ_IDMAP_ENTRY,
2051 LDAP_OBJ_SID_ENTRY);
2053 /* free old result before doing a new search */
2054 if (result != NULL) {
2055 ldap_msgfree(result);
2058 rc = smbldap_search_suffix(ldap_state->smbldap_state,
2059 filter, attr_list, &result);
2061 if ( rc != LDAP_SUCCESS ) {
2062 free_attr_list( attr_list );
2063 return NT_STATUS_UNSUCCESSFUL;
2066 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2068 if (num_result > 1) {
2069 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
2070 free_attr_list( attr_list );
2071 ldap_msgfree(result);
2072 return NT_STATUS_UNSUCCESSFUL;
2075 /* Check if we need to update an existing entry */
2076 if (num_result == 1) {
2079 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2080 ldap_op = LDAP_MOD_REPLACE;
2081 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2082 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
2084 free_attr_list( attr_list );
2085 ldap_msgfree(result);
2086 return NT_STATUS_UNSUCCESSFUL;
2088 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
2093 free_attr_list( attr_list );
2095 if (num_result == 0) {
2096 /* Check if we need to add an entry */
2097 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
2098 ldap_op = LDAP_MOD_ADD;
2099 if (username[strlen(username)-1] == '$') {
2100 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
2102 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
2106 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2107 element_is_set_or_changed)) {
2108 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2109 ldap_msgfree(result);
2111 ldap_mods_free(mods,True);
2112 return NT_STATUS_UNSUCCESSFUL;
2115 ldap_msgfree(result);
2118 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2119 return NT_STATUS_UNSUCCESSFUL;
2121 switch ( ldap_state->schema_ver ) {
2122 case SCHEMAVER_SAMBAACCOUNT:
2123 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
2125 case SCHEMAVER_SAMBASAMACCOUNT:
2126 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2129 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2133 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
2134 if (!NT_STATUS_IS_OK(ret)) {
2135 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
2136 pdb_get_username(newpwd),dn));
2137 ldap_mods_free(mods, True);
2141 DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2142 ldap_mods_free(mods, True);
2144 return NT_STATUS_OK;
2147 /**********************************************************************
2148 *********************************************************************/
2150 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2152 LDAPMessage ** result)
2154 int scope = LDAP_SCOPE_SUBTREE;
2156 const char **attr_list;
2158 attr_list = get_attr_list(groupmap_attr_list);
2159 rc = smbldap_search(ldap_state->smbldap_state,
2160 lp_ldap_group_suffix (), scope,
2161 filter, attr_list, 0, result);
2162 free_attr_list( attr_list );
2164 if (rc != LDAP_SUCCESS) {
2165 char *ld_error = NULL;
2166 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2168 DEBUG(0, ("ldapsam_search_one_group: "
2169 "Problem during the LDAP search: LDAP error: %s (%s)\n",
2170 ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
2171 DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
2172 lp_ldap_group_suffix(), filter));
2173 SAFE_FREE(ld_error);
2179 /**********************************************************************
2180 *********************************************************************/
2182 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
2183 GROUP_MAP *map, LDAPMessage *entry)
2187 if (ldap_state == NULL || map == NULL || entry == NULL ||
2188 ldap_state->smbldap_state->ldap_struct == NULL) {
2189 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2193 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2194 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
2195 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2196 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2199 DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2201 map->gid = (gid_t)atol(temp);
2203 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2204 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
2205 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2206 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2210 if (!string_to_sid(&map->sid, temp)) {
2211 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2215 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2216 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
2217 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2218 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2221 map->sid_name_use = (enum SID_NAME_USE)atol(temp);
2223 if ((map->sid_name_use < SID_NAME_USER) ||
2224 (map->sid_name_use > SID_NAME_UNKNOWN)) {
2225 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2229 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2230 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
2232 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2233 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
2235 DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2236 for gidNumber(%lu)\n",(unsigned long)map->gid));
2240 fstrcpy(map->nt_name, temp);
2242 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
2243 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
2246 fstrcpy(map->comment, temp);
2251 /**********************************************************************
2252 *********************************************************************/
2254 static BOOL init_ldap_from_group(LDAP *ldap_struct,
2255 LDAPMessage *existing,
2257 const GROUP_MAP *map)
2261 if (mods == NULL || map == NULL) {
2262 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
2268 sid_to_string(tmp, &map->sid);
2270 smbldap_make_mod(ldap_struct, existing, mods,
2271 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
2272 pstr_sprintf(tmp, "%i", map->sid_name_use);
2273 smbldap_make_mod(ldap_struct, existing, mods,
2274 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
2276 smbldap_make_mod(ldap_struct, existing, mods,
2277 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
2278 smbldap_make_mod(ldap_struct, existing, mods,
2279 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
2284 /**********************************************************************
2285 *********************************************************************/
2287 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2291 struct ldapsam_privates *ldap_state =
2292 (struct ldapsam_privates *)methods->private_data;
2293 LDAPMessage *result = NULL;
2294 LDAPMessage *entry = NULL;
2297 if (ldapsam_search_one_group(ldap_state, filter, &result)
2299 return NT_STATUS_NO_SUCH_GROUP;
2302 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2305 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
2306 ldap_msgfree(result);
2307 return NT_STATUS_NO_SUCH_GROUP;
2311 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
2313 ldap_msgfree(result);
2314 return NT_STATUS_NO_SUCH_GROUP;
2317 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2320 ldap_msgfree(result);
2321 return NT_STATUS_UNSUCCESSFUL;
2324 if (!init_group_from_ldap(ldap_state, map, entry)) {
2325 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
2327 ldap_msgfree(result);
2328 return NT_STATUS_NO_SUCH_GROUP;
2331 ldap_msgfree(result);
2332 return NT_STATUS_OK;
2335 /**********************************************************************
2336 *********************************************************************/
2338 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2343 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
2345 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2346 sid_string_static(&sid));
2348 return ldapsam_getgroup(methods, filter, map);
2351 /**********************************************************************
2352 *********************************************************************/
2354 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2359 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
2361 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2362 (unsigned long)gid);
2364 return ldapsam_getgroup(methods, filter, map);
2367 /**********************************************************************
2368 *********************************************************************/
2370 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2374 char *escape_name = escape_ldap_string_alloc(name);
2377 return NT_STATUS_NO_MEMORY;
2380 pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2382 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2383 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
2385 SAFE_FREE(escape_name);
2387 return ldapsam_getgroup(methods, filter, map);
2390 static void add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
2391 uint32 rid, uint32 **pp_rids, size_t *p_num)
2395 for (i=0; i<*p_num; i++) {
2396 if ((*pp_rids)[i] == rid)
2400 *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1);
2402 if (*pp_rids == NULL)
2405 (*pp_rids)[*p_num] = rid;
2409 static BOOL ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
2411 const DOM_SID *domain_sid,
2417 if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
2418 str, sizeof(str)-1)) {
2419 DEBUG(10, ("Could not find sambaSID attribute\n"));
2423 if (!string_to_sid(&sid, str)) {
2424 DEBUG(10, ("Could not convert string %s to sid\n", str));
2428 if (sid_compare_domain(&sid, domain_sid) != 0) {
2429 DEBUG(10, ("SID %s is not in expected domain %s\n",
2430 str, sid_string_static(domain_sid)));
2434 if (!sid_peek_rid(&sid, rid)) {
2435 DEBUG(10, ("Could not peek into RID\n"));
2442 static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
2443 TALLOC_CTX *mem_ctx,
2444 const DOM_SID *group,
2445 uint32 **pp_member_rids,
2446 size_t *p_num_members)
2448 struct ldapsam_privates *ldap_state =
2449 (struct ldapsam_privates *)methods->private_data;
2450 struct smbldap_state *conn = ldap_state->smbldap_state;
2453 LDAPMessage *msg = NULL;
2455 char **values = NULL;
2457 char *sid_filter = NULL;
2459 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2461 if (!lp_parm_bool(-1, "ldapsam", "trusted", False))
2462 return pdb_default_enum_group_members(methods, mem_ctx, group,
2466 *pp_member_rids = NULL;
2469 pstr_sprintf(filter,
2470 "(&(objectClass=sambaSamAccount)"
2471 "(sambaPrimaryGroupSid=%s))",
2472 sid_string_static(group));
2475 const char *attrs[] = { "sambaSID", NULL };
2476 rc = smbldap_search(conn, lp_ldap_user_suffix(),
2477 LDAP_SCOPE_SUBTREE, filter, attrs, 0,
2481 if (rc != LDAP_SUCCESS)
2484 for (entry = ldap_first_entry(conn->ldap_struct, msg);
2486 entry = ldap_next_entry(conn->ldap_struct, entry))
2490 if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
2492 get_global_sam_sid(),
2494 DEBUG(2, ("Could not find sid from ldap entry\n"));
2498 add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2505 pstr_sprintf(filter,
2506 "(&(objectClass=sambaGroupMapping)"
2507 "(objectClass=posixGroup)"
2509 sid_string_static(group));
2512 const char *attrs[] = { "memberUid", NULL };
2513 rc = smbldap_search(conn, lp_ldap_user_suffix(),
2514 LDAP_SCOPE_SUBTREE, filter, attrs, 0,
2518 if (rc != LDAP_SUCCESS)
2521 count = ldap_count_entries(conn->ldap_struct, msg);
2524 DEBUG(1, ("Found more than one groupmap entry for %s\n",
2525 sid_string_static(group)));
2530 result = NT_STATUS_OK;
2534 entry = ldap_first_entry(conn->ldap_struct, msg);
2538 values = ldap_get_values(conn->ldap_struct, msg, "memberUid");
2539 if (values == NULL) {
2540 result = NT_STATUS_OK;
2544 sid_filter = SMB_STRDUP("(&(objectClass=sambaSamAccount)(|");
2545 if (sid_filter == NULL) {
2546 result = NT_STATUS_NO_MEMORY;
2550 for (memberuid = values; *memberuid != NULL; memberuid += 1) {
2552 asprintf(&sid_filter, "%s(uid=%s)", tmp, *memberuid);
2554 if (sid_filter == NULL) {
2555 result = NT_STATUS_NO_MEMORY;
2561 asprintf(&sid_filter, "%s))", sid_filter);
2563 if (sid_filter == NULL) {
2564 result = NT_STATUS_NO_MEMORY;
2569 const char *attrs[] = { "sambaSID", NULL };
2570 rc = smbldap_search(conn, lp_ldap_user_suffix(),
2571 LDAP_SCOPE_SUBTREE, sid_filter, attrs, 0,
2575 if (rc != LDAP_SUCCESS)
2578 for (entry = ldap_first_entry(conn->ldap_struct, msg);
2580 entry = ldap_next_entry(conn->ldap_struct, entry))
2586 if (!smbldap_get_single_attribute(conn->ldap_struct,
2588 str, sizeof(str)-1))
2591 if (!string_to_sid(&sid, str))
2594 if (!sid_check_is_in_our_domain(&sid)) {
2595 DEBUG(1, ("Inconsistent SAM -- group member uid not "
2596 "in our domain\n"));
2600 sid_peek_rid(&sid, &rid);
2602 add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2606 result = NT_STATUS_OK;
2609 SAFE_FREE(sid_filter);
2612 ldap_value_free(values);
2620 static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2621 const char *username,
2623 DOM_SID **pp_sids, gid_t **pp_gids,
2624 size_t *p_num_groups)
2626 struct ldapsam_privates *ldap_state =
2627 (struct ldapsam_privates *)methods->private_data;
2628 struct smbldap_state *conn = ldap_state->smbldap_state;
2630 const char *attrs[] = { "gidNumber", "sambaSID", NULL };
2633 LDAPMessage *msg = NULL;
2635 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2636 size_t num_sids, num_gids;
2638 if (!lp_parm_bool(-1, "ldapsam", "trusted", False))
2639 return pdb_default_enum_group_memberships(methods, username,
2640 primary_gid, pp_sids,
2641 pp_gids, p_num_groups);
2646 escape_name = escape_ldap_string_alloc(username);
2648 if (escape_name == NULL)
2649 return NT_STATUS_NO_MEMORY;
2651 pstr_sprintf(filter, "(&(objectClass=posixGroup)"
2652 "(|(memberUid=%s)(gidNumber=%d)))",
2653 username, primary_gid);
2655 rc = smbldap_search(conn, lp_ldap_group_suffix(),
2656 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &msg);
2658 if (rc != LDAP_SUCCESS)
2667 /* We need to add the primary group as the first gid/sid */
2669 add_gid_to_array_unique(NULL, primary_gid, pp_gids, &num_gids);
2671 /* This sid will be replaced later */
2673 add_sid_to_array_unique(NULL, &global_sid_NULL, pp_sids, &num_sids);
2675 for (entry = ldap_first_entry(conn->ldap_struct, msg);
2677 entry = ldap_next_entry(conn->ldap_struct, entry))
2684 if (!smbldap_get_single_attribute(conn->ldap_struct,
2686 str, sizeof(str)-1))
2689 if (!string_to_sid(&sid, str))
2692 if (!smbldap_get_single_attribute(conn->ldap_struct,
2694 str, sizeof(str)-1))
2697 gid = strtoul(str, &end, 10);
2699 if (PTR_DIFF(end, str) != strlen(str))
2702 if (gid == primary_gid) {
2703 sid_copy(&(*pp_sids)[0], &sid);
2705 add_gid_to_array_unique(NULL, gid, pp_gids, &num_gids);
2706 add_sid_to_array_unique(NULL, &sid, pp_sids, &num_sids);
2710 if (sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
2711 DEBUG(3, ("primary group of [%s] not found\n", username));
2715 *p_num_groups = num_sids;
2717 result = NT_STATUS_OK;
2721 SAFE_FREE(escape_name);
2728 /**********************************************************************
2729 *********************************************************************/
2731 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
2733 LDAPMessage **result)
2737 pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%lu))",
2738 LDAP_OBJ_POSIXGROUP, LDAP_OBJ_IDMAP_ENTRY,
2739 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2740 (unsigned long)gid);
2742 return ldapsam_search_one_group(ldap_state, filter, result);
2745 /**********************************************************************
2746 *********************************************************************/
2748 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
2751 struct ldapsam_privates *ldap_state =
2752 (struct ldapsam_privates *)methods->private_data;
2753 LDAPMessage *result = NULL;
2754 LDAPMod **mods = NULL;
2765 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
2767 DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map->gid));
2768 return NT_STATUS_UNSUCCESSFUL;
2771 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2772 if (rc != LDAP_SUCCESS) {
2773 ldap_msgfree(result);
2774 return NT_STATUS_UNSUCCESSFUL;
2777 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2780 /* There's no posixGroup account, let's try to find an
2781 * appropriate idmap entry for aliases */
2785 const char **attr_list;
2787 ldap_msgfree(result);
2789 pstrcpy( suffix, lp_ldap_idmap_suffix() );
2790 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%u))",
2791 LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_GIDNUMBER,
2794 attr_list = get_attr_list( sidmap_attr_list );
2795 rc = smbldap_search(ldap_state->smbldap_state, suffix,
2796 LDAP_SCOPE_SUBTREE, filter, attr_list,
2799 free_attr_list(attr_list);
2801 if (rc != LDAP_SUCCESS) {
2802 DEBUG(3,("Failure looking up entry (%s)\n",
2803 ldap_err2string(rc) ));
2804 ldap_msgfree(result);
2805 return NT_STATUS_UNSUCCESSFUL;
2809 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2811 ldap_msgfree(result);
2812 return NT_STATUS_UNSUCCESSFUL;
2816 DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
2817 (unsigned long)map->gid));
2818 ldap_msgfree(result);
2819 return NT_STATUS_UNSUCCESSFUL;
2822 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2823 tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2825 ldap_msgfree(result);
2826 return NT_STATUS_UNSUCCESSFUL;
2831 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2832 result, &mods, map)) {
2833 DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
2834 ldap_mods_free(mods, True);
2835 ldap_msgfree(result);
2836 return NT_STATUS_UNSUCCESSFUL;
2839 ldap_msgfree(result);
2842 DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
2843 return NT_STATUS_UNSUCCESSFUL;
2846 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
2848 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2849 ldap_mods_free(mods, True);
2851 if (rc != LDAP_SUCCESS) {
2852 char *ld_error = NULL;
2853 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2855 DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map->gid,
2856 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2857 SAFE_FREE(ld_error);
2858 return NT_STATUS_UNSUCCESSFUL;
2861 DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2862 return NT_STATUS_OK;
2865 /**********************************************************************
2866 *********************************************************************/
2868 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
2871 struct ldapsam_privates *ldap_state =
2872 (struct ldapsam_privates *)methods->private_data;
2875 LDAPMessage *result = NULL;
2876 LDAPMessage *entry = NULL;
2877 LDAPMod **mods = NULL;
2879 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2881 if (rc != LDAP_SUCCESS) {
2882 return NT_STATUS_UNSUCCESSFUL;
2885 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
2886 DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
2887 ldap_msgfree(result);
2888 return NT_STATUS_UNSUCCESSFUL;
2891 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2893 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2894 result, &mods, map)) {
2895 DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
2896 ldap_msgfree(result);
2898 ldap_mods_free(mods,True);
2899 return NT_STATUS_UNSUCCESSFUL;
2903 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
2904 ldap_msgfree(result);
2905 return NT_STATUS_OK;
2908 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2910 ldap_msgfree(result);
2911 return NT_STATUS_UNSUCCESSFUL;
2913 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2916 ldap_mods_free(mods, True);
2917 ldap_msgfree(result);
2919 if (rc != LDAP_SUCCESS) {
2920 char *ld_error = NULL;
2921 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2923 DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map->gid,
2924 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2925 SAFE_FREE(ld_error);
2926 return NT_STATUS_UNSUCCESSFUL;
2929 DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2930 return NT_STATUS_OK;
2933 /**********************************************************************
2934 *********************************************************************/
2936 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
2939 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
2940 pstring sidstring, filter;
2941 LDAPMessage *result = NULL;
2944 const char **attr_list;
2946 sid_to_string(sidstring, &sid);
2948 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
2949 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
2951 rc = ldapsam_search_one_group(ldap_state, filter, &result);
2953 if (rc != LDAP_SUCCESS) {
2954 return NT_STATUS_NO_SUCH_GROUP;
2957 attr_list = get_attr_list( groupmap_attr_list_to_delete );
2958 ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
2959 free_attr_list ( attr_list );
2961 ldap_msgfree(result);
2966 /**********************************************************************
2967 *********************************************************************/
2969 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
2971 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2974 const char **attr_list;
2976 pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
2977 attr_list = get_attr_list( groupmap_attr_list );
2978 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2979 LDAP_SCOPE_SUBTREE, filter,
2980 attr_list, 0, &ldap_state->result);
2981 free_attr_list( attr_list );
2983 if (rc != LDAP_SUCCESS) {
2984 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc)));
2985 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
2986 ldap_msgfree(ldap_state->result);
2987 ldap_state->result = NULL;
2988 return NT_STATUS_UNSUCCESSFUL;
2991 DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
2992 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2993 ldap_state->result)));
2995 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2996 ldap_state->index = 0;
2998 return NT_STATUS_OK;
3001 /**********************************************************************
3002 *********************************************************************/
3004 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
3006 ldapsam_endsampwent(my_methods);
3009 /**********************************************************************
3010 *********************************************************************/
3012 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
3015 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
3016 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
3020 if (!ldap_state->entry)
3023 ldap_state->index++;
3024 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
3026 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
3030 return NT_STATUS_OK;
3033 /**********************************************************************
3034 *********************************************************************/
3036 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
3037 enum SID_NAME_USE sid_name_use,
3038 GROUP_MAP **pp_rmap, size_t *p_num_entries,
3048 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
3049 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
3050 return NT_STATUS_ACCESS_DENIED;
3053 while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
3054 if (sid_name_use != SID_NAME_UNKNOWN &&
3055 sid_name_use != map.sid_name_use) {
3056 DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
3059 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
3060 DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map.nt_name));
3064 mapt=SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
3066 DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
3067 SAFE_FREE(*pp_rmap);
3068 return NT_STATUS_UNSUCCESSFUL;
3073 mapt[entries] = map;
3078 ldapsam_endsamgrent(methods);
3080 *p_num_entries = entries;
3082 return NT_STATUS_OK;
3085 static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
3086 const DOM_SID *alias,
3087 const DOM_SID *member,
3090 struct ldapsam_privates *ldap_state =
3091 (struct ldapsam_privates *)methods->private_data;
3093 LDAPMessage *result = NULL;
3094 LDAPMessage *entry = NULL;
3096 LDAPMod **mods = NULL;
3101 pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
3102 LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY,
3103 get_attr_key2string(groupmap_attr_list,
3104 LDAP_ATTR_GROUP_SID),
3105 sid_string_static(alias));
3107 if (ldapsam_search_one_group(ldap_state, filter,
3108 &result) != LDAP_SUCCESS)
3109 return NT_STATUS_NO_SUCH_ALIAS;
3111 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3115 DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
3116 ldap_msgfree(result);
3117 return NT_STATUS_NO_SUCH_ALIAS;
3121 DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for filter %s: "
3122 "count=%d\n", filter, count));
3123 ldap_msgfree(result);
3124 return NT_STATUS_NO_SUCH_ALIAS;
3127 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3131 ldap_msgfree(result);
3132 return NT_STATUS_UNSUCCESSFUL;
3135 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
3137 ldap_msgfree(result);
3138 return NT_STATUS_UNSUCCESSFUL;
3141 smbldap_set_mod(&mods, modop,
3142 get_attr_key2string(groupmap_attr_list,
3143 LDAP_ATTR_SID_LIST),
3144 sid_string_static(member));
3146 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3148 ldap_mods_free(mods, True);
3149 ldap_msgfree(result);
3151 if (rc != LDAP_SUCCESS) {
3152 char *ld_error = NULL;
3153 ldap_get_option(ldap_state->smbldap_state->ldap_struct,
3154 LDAP_OPT_ERROR_STRING,&ld_error);
3156 DEBUG(0, ("ldapsam_modify_aliasmem: Could not modify alias "
3157 "for %s, error: %s (%s)\n", dn, ldap_err2string(rc),
3158 ld_error?ld_error:"unknown"));
3159 SAFE_FREE(ld_error);
3161 return NT_STATUS_UNSUCCESSFUL;
3166 return NT_STATUS_OK;
3169 static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
3170 const DOM_SID *alias,
3171 const DOM_SID *member)
3173 return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
3176 static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
3177 const DOM_SID *alias,
3178 const DOM_SID *member)
3180 return ldapsam_modify_aliasmem(methods, alias, member,
3184 static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
3185 const DOM_SID *alias, DOM_SID **pp_members,
3186 size_t *p_num_members)
3188 struct ldapsam_privates *ldap_state =
3189 (struct ldapsam_privates *)methods->private_data;
3190 LDAPMessage *result = NULL;
3191 LDAPMessage *entry = NULL;
3196 size_t num_members = 0;
3201 pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
3202 LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY,
3203 get_attr_key2string(groupmap_attr_list,
3204 LDAP_ATTR_GROUP_SID),
3205 sid_string_static(alias));
3207 if (ldapsam_search_one_group(ldap_state, filter,
3208 &result) != LDAP_SUCCESS)
3209 return NT_STATUS_NO_SUCH_ALIAS;
3211 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3215 DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
3216 ldap_msgfree(result);
3217 return NT_STATUS_NO_SUCH_ALIAS;
3221 DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for filter %s: "
3222 "count=%d\n", filter, count));
3223 ldap_msgfree(result);
3224 return NT_STATUS_NO_SUCH_ALIAS;
3227 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3231 ldap_msgfree(result);
3232 return NT_STATUS_UNSUCCESSFUL;
3235 values = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
3237 get_attr_key2string(groupmap_attr_list,
3238 LDAP_ATTR_SID_LIST));
3240 if (values == NULL) {
3241 ldap_msgfree(result);
3242 return NT_STATUS_OK;
3245 count = ldap_count_values(values);
3247 for (i=0; i<count; i++) {
3250 if (!string_to_sid(&member, values[i]))
3253 add_sid_to_array(NULL, &member, pp_members, &num_members);
3256 *p_num_members = num_members;
3257 ldap_value_free(values);
3258 ldap_msgfree(result);
3260 return NT_STATUS_OK;
3263 static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
3264 TALLOC_CTX *mem_ctx,
3265 const DOM_SID *domain_sid,
3266 const DOM_SID *members,
3268 uint32 **pp_alias_rids,
3269 size_t *p_num_alias_rids)
3271 struct ldapsam_privates *ldap_state =
3272 (struct ldapsam_privates *)methods->private_data;
3275 const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
3277 LDAPMessage *result = NULL;
3278 LDAPMessage *entry = NULL;
3283 /* This query could be further optimized by adding a
3284 (&(sambaSID=<domain-sid>*)) so that only those aliases that are
3285 asked for in the getuseraliases are returned. */
3287 filter = talloc_asprintf(mem_ctx,
3288 "(&(|(objectclass=%s)(objectclass=%s))(|",
3289 LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY);
3291 for (i=0; i<num_members; i++)
3292 filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)",
3294 sid_string_static(&members[i]));
3296 filter = talloc_asprintf(mem_ctx, "%s))", filter);
3298 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
3299 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
3301 if (rc != LDAP_SUCCESS)
3302 return NT_STATUS_UNSUCCESSFUL;
3304 ldap_struct = ldap_state->smbldap_state->ldap_struct;
3306 for (entry = ldap_first_entry(ldap_struct, result);
3308 entry = ldap_next_entry(ldap_struct, entry))
3314 if (!smbldap_get_single_attribute(ldap_struct, entry,
3320 if (!string_to_sid(&sid, sid_str))
3323 if (!sid_peek_check_rid(domain_sid, &sid, &rid))
3326 add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids,
3330 ldap_msgfree(result);
3331 return NT_STATUS_OK;
3334 static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods, int policy_index, uint32 value)
3336 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3338 LDAPMod **mods = NULL;
3339 fstring value_string;
3340 const char *policy_attr = NULL;
3342 struct ldapsam_privates *ldap_state =
3343 (struct ldapsam_privates *)methods->private_data;
3345 const char *attrs[2];
3347 DEBUG(10,("ldapsam_set_account_policy\n"));
3349 if (!ldap_state->domain_dn) {
3350 return NT_STATUS_INVALID_PARAMETER;
3353 policy_attr = get_account_policy_attr(policy_index);
3354 if (policy_attr == NULL) {
3355 DEBUG(0,("ldapsam_set_account_policy: invalid policy\n"));
3359 attrs[0] = policy_attr;
3362 slprintf(value_string, sizeof(value_string) - 1, "%i", value);
3364 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, policy_attr, value_string);
3366 rc = smbldap_modify(ldap_state->smbldap_state, ldap_state->domain_dn, mods);
3368 ldap_mods_free(mods, True);
3370 if (rc != LDAP_SUCCESS) {
3371 char *ld_error = NULL;
3372 ldap_get_option(ldap_state->smbldap_state->ldap_struct,
3373 LDAP_OPT_ERROR_STRING,&ld_error);
3375 DEBUG(0, ("ldapsam_set_account_policy: Could not set account policy "
3376 "for %s, error: %s (%s)\n", ldap_state->domain_dn, ldap_err2string(rc),
3377 ld_error?ld_error:"unknown"));
3378 SAFE_FREE(ld_error);
3382 if (!cache_account_policy_set(policy_index, value)) {
3383 DEBUG(0,("ldapsam_set_account_policy: failed to update local tdb cache\n"));
3387 return NT_STATUS_OK;
3390 static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods, int policy_index, uint32 *value)
3392 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3393 LDAPMessage *result = NULL;
3394 LDAPMessage *entry = NULL;
3398 const char *policy_attr = NULL;
3400 struct ldapsam_privates *ldap_state =
3401 (struct ldapsam_privates *)methods->private_data;
3403 const char *attrs[2];
3405 DEBUG(10,("ldapsam_get_account_policy_from_ldap\n"));
3407 if (!ldap_state->domain_dn) {
3408 return NT_STATUS_INVALID_PARAMETER;
3411 policy_attr = get_account_policy_attr(policy_index);
3413 DEBUG(0,("ldapsam_get_account_policy_from_ldap: invalid policy index: %d\n", policy_index));
3417 attrs[0] = policy_attr;
3420 rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
3421 LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &result);
3423 if (rc != LDAP_SUCCESS) {
3424 char *ld_error = NULL;
3425 ldap_get_option(ldap_state->smbldap_state->ldap_struct,
3426 LDAP_OPT_ERROR_STRING,&ld_error);
3428 DEBUG(0, ("ldapsam_get_account_policy_from_ldap: Could not get account policy "
3429 "for %s, error: %s (%s)\n", ldap_state->domain_dn, ldap_err2string(rc),
3430 ld_error?ld_error:"unknown"));
3431 SAFE_FREE(ld_error);
3435 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
3440 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
3441 if (entry == NULL) {
3445 vals = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, policy_attr);
3450 *value = (uint32)atol(vals[0]);
3452 ntstatus = NT_STATUS_OK;
3456 ldap_value_free(vals);
3457 ldap_msgfree(result);
3462 /* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
3464 - if there is a valid cache entry, return that
3465 - if there is an LDAP entry, update cache and return
3466 - otherwise set to default, update cache and return
3470 static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods, int policy_index, uint32 *value)
3472 NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3474 if (cache_account_policy_get(policy_index, value)) {
3475 DEBUG(11,("ldapsam_get_account_policy: got valid value from cache\n"));
3476 return NT_STATUS_OK;
3479 ntstatus = ldapsam_get_account_policy_from_ldap(methods, policy_index, value);
3480 if (NT_STATUS_IS_OK(ntstatus)) {
3484 DEBUG(10,("ldapsam_get_account_policy: failed to retrieve from ldap, returning default.\n"));
3487 /* should we automagically migrate old tdb value here ? */
3488 if (account_policy_get(policy_index, value))
3491 DEBUG(10,("ldapsam_get_account_policy: no tdb for %d, trying default\n", policy_index));
3494 if (!account_policy_get_default(policy_index, value)) {
3500 ntstatus = ldapsam_set_account_policy(methods, policy_index, *value);
3501 if (!NT_STATUS_IS_OK(ntstatus)) {
3507 if (!cache_account_policy_set(policy_index, *value)) {
3508 DEBUG(0,("ldapsam_get_account_policy: failed to update local tdb as a cache\n"));
3509 return NT_STATUS_UNSUCCESSFUL;
3512 return NT_STATUS_OK;
3515 static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
3516 const DOM_SID *domain_sid,
3522 struct ldapsam_privates *ldap_state =
3523 (struct ldapsam_privates *)methods->private_data;
3524 LDAP *ldap_struct = ldap_state->smbldap_state->ldap_struct;
3525 LDAPMessage *msg = NULL;
3527 char *allsids = NULL;
3529 int i, rc, num_mapped;
3530 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
3532 if (!lp_parm_bool(-1, "ldapsam", "trusted", False))
3533 return pdb_default_lookup_rids(methods, domain_sid,
3534 num_rids, rids, names, attrs);
3536 if (!sid_equal(domain_sid, get_global_sam_sid())) {
3537 /* TODO: Sooner or later we need to look up BUILTIN rids as
3542 for (i=0; i<num_rids; i++)
3543 attrs[i] = SID_NAME_UNKNOWN;
3545 allsids = SMB_STRDUP("");
3546 if (allsids == NULL) return NT_STATUS_NO_MEMORY;
3548 for (i=0; i<num_rids; i++) {
3550 sid_copy(&sid, domain_sid);
3551 sid_append_rid(&sid, rids[i]);
3553 asprintf(&allsids, "%s(sambaSid=%s)", allsids,
3554 sid_string_static(&sid));
3555 if (allsids == NULL) return NT_STATUS_NO_MEMORY;
3559 /* First look for users */
3563 const char *ldap_attrs[] = { "uid", "sambaSid", NULL };
3565 asprintf(&filter, ("(&(objectClass=sambaSamAccount)(|%s))"),
3567 if (filter == NULL) return NT_STATUS_NO_MEMORY;
3569 rc = smbldap_search(ldap_state->smbldap_state,
3570 lp_ldap_user_suffix(),
3571 LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
3577 if (rc != LDAP_SUCCESS)
3582 for (entry = ldap_first_entry(ldap_struct, msg);
3584 entry = ldap_next_entry(ldap_struct, entry))
3590 if (!ldapsam_extract_rid_from_entry(ldap_struct, entry,
3591 get_global_sam_sid(),
3593 DEBUG(2, ("Could not find sid from ldap entry\n"));
3597 if (!smbldap_get_single_attribute(ldap_struct, entry,
3598 "uid", str, sizeof(str)-1)) {
3599 DEBUG(2, ("Could not retrieve uid attribute\n"));
3603 for (rid_index = 0; rid_index < num_rids; rid_index++) {
3604 if (rid == rids[rid_index])
3608 if (rid_index == num_rids) {
3609 DEBUG(2, ("Got a RID not asked for: %d\n", rid));
3613 attrs[rid_index] = SID_NAME_USER;
3614 names[rid_index] = talloc_strdup(names, str);
3615 if (names[rid_index] == NULL) return NT_STATUS_NO_MEMORY;
3620 if (num_mapped == num_rids) {
3621 /* No need to look for groups anymore -- we're done */
3622 result = NT_STATUS_OK;
3626 /* Same game for groups */
3630 const char *ldap_attrs[] = { "cn", "sambaSid", NULL };
3632 asprintf(&filter, ("(&(objectClass=sambaGroupMapping)(|%s))"),
3634 if (filter == NULL) return NT_STATUS_NO_MEMORY;
3636 rc = smbldap_search(ldap_state->smbldap_state,
3637 lp_ldap_group_suffix(),
3638 LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
3644 if (rc != LDAP_SUCCESS)
3647 for (entry = ldap_first_entry(ldap_struct, msg);
3649 entry = ldap_next_entry(ldap_struct, entry))
3655 if (!ldapsam_extract_rid_from_entry(ldap_struct, entry,
3656 get_global_sam_sid(),
3658 DEBUG(2, ("Could not find sid from ldap entry\n"));
3662 if (!smbldap_get_single_attribute(ldap_struct, entry,
3663 "cn", str, sizeof(str)-1)) {
3664 DEBUG(2, ("Could not retrieve cn attribute\n"));
3668 for (rid_index = 0; rid_index < num_rids; rid_index++) {
3669 if (rid == rids[rid_index])
3673 if (rid_index == num_rids) {
3674 DEBUG(2, ("Got a RID not asked for: %d\n", rid));
3678 attrs[rid_index] = SID_NAME_DOM_GRP;
3679 names[rid_index] = talloc_strdup(names, str);
3680 if (names[rid_index] == NULL) return NT_STATUS_NO_MEMORY;
3684 result = NT_STATUS_NONE_MAPPED;
3687 result = (num_mapped == num_rids) ?
3688 NT_STATUS_OK : STATUS_SOME_UNMAPPED;
3698 char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
3700 char *filter = NULL;
3701 char *escaped = NULL;
3702 char *result = NULL;
3704 asprintf(&filter, "(&%s(objectclass=sambaSamAccount))",
3706 if (filter == NULL) goto done;
3708 escaped = escape_ldap_string_alloc(username);
3709 if (escaped == NULL) goto done;
3711 result = talloc_string_sub(mem_ctx, filter, "%u", username);
3720 const char **talloc_attrs(TALLOC_CTX *mem_ctx, ...)
3724 const char **result;
3726 va_start(ap, mem_ctx);
3727 while (va_arg(ap, const char *) != NULL)
3731 result = TALLOC_ARRAY(mem_ctx, const char *, num+1);
3733 va_start(ap, mem_ctx);
3734 for (i=0; i<num; i++)
3735 result[i] = talloc_strdup(mem_ctx, va_arg(ap, const char*));
3742 struct ldap_search_state {
3743 struct smbldap_state *connection;
3753 void *pagedresults_cookie;
3755 LDAPMessage *entries, *current_entry;
3756 BOOL (*ldap2displayentry)(struct ldap_search_state *state,
3757 TALLOC_CTX *mem_ctx,
3758 LDAP *ld, LDAPMessage *entry,
3759 struct samr_displayentry *result);
3762 static BOOL ldapsam_search_firstpage(struct pdb_search *search)
3764 struct ldap_search_state *state = search->private_data;
3766 int rc = LDAP_OPERATIONS_ERROR;
3768 state->entries = NULL;
3770 if (state->connection->paged_results) {
3771 rc = smbldap_search_paged(state->connection, state->base,
3772 state->scope, state->filter,
3773 state->attrs, state->attrsonly,
3774 lp_ldap_page_size(), &state->entries,
3775 &state->pagedresults_cookie);
3778 if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) {
3780 if (state->entries != NULL) {
3781 /* Left over from unsuccessful paged attempt */
3782 ldap_msgfree(state->entries);
3783 state->entries = NULL;
3786 rc = smbldap_search(state->connection, state->base,
3787 state->scope, state->filter, state->attrs,
3788 state->attrsonly, &state->entries);
3790 if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
3793 /* Ok, the server was lying. It told us it could do paged
3794 * searches when it could not. */
3795 state->connection->paged_results = False;
3798 ld = state->connection->ldap_struct;
3800 DEBUG(5, ("Don't have an LDAP connection right after a "
3804 state->current_entry = ldap_first_entry(ld, state->entries);
3806 if (state->current_entry == NULL) {
3807 ldap_msgfree(state->entries);
3808 state->entries = NULL;
3814 static BOOL ldapsam_search_nextpage(struct pdb_search *search)
3816 struct ldap_search_state *state = search->private_data;
3817 LDAP *ld = state->connection->ldap_struct;
3820 if (!state->connection->paged_results) {
3821 /* There is no next page when there are no paged results */
3825 rc = smbldap_search_paged(state->connection, state->base,
3826 state->scope, state->filter, state->attrs,
3827 state->attrsonly, lp_ldap_page_size(),
3829 &state->pagedresults_cookie);
3831 if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
3834 state->current_entry = ldap_first_entry(ld, state->entries);
3836 if (state->current_entry == NULL) {
3837 ldap_msgfree(state->entries);
3838 state->entries = NULL;
3844 static BOOL ldapsam_search_next_entry(struct pdb_search *search,
3845 struct samr_displayentry *entry)
3847 struct ldap_search_state *state = search->private_data;
3848 LDAP *ld = state->connection->ldap_struct;
3852 if ((state->entries == NULL) && (state->pagedresults_cookie == NULL))
3855 if ((state->entries == NULL) &&
3856 !ldapsam_search_nextpage(search))
3859 result = state->ldap2displayentry(state, search->mem_ctx, ld,
3860 state->current_entry, entry);
3864 dn = ldap_get_dn(ld, state->current_entry);
3865 DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>"));
3866 if (dn != NULL) ldap_memfree(dn);
3869 state->current_entry = ldap_next_entry(ld, state->current_entry);
3871 if (state->current_entry == NULL) {
3872 ldap_msgfree(state->entries);
3873 state->entries = NULL;
3876 if (!result) goto retry;
3881 static void ldapsam_search_end(struct pdb_search *search)
3883 struct ldap_search_state *state = search->private_data;
3886 if (state->pagedresults_cookie == NULL)
3889 if (state->entries != NULL)
3890 ldap_msgfree(state->entries);
3892 state->entries = NULL;
3893 state->current_entry = NULL;
3895 if (!state->connection->paged_results)
3898 /* Tell the LDAP server we're not interested in the rest anymore. */
3900 rc = smbldap_search_paged(state->connection, state->base, state->scope,
3901 state->filter, state->attrs,
3902 state->attrsonly, 0, &state->entries,
3903 &state->pagedresults_cookie);
3905 if (rc != LDAP_SUCCESS)
3906 DEBUG(5, ("Could not end search properly\n"));
3911 static BOOL ldapuser2displayentry(struct ldap_search_state *state,
3912 TALLOC_CTX *mem_ctx,
3913 LDAP *ld, LDAPMessage *entry,
3914 struct samr_displayentry *result)
3920 vals = ldap_get_values(ld, entry, "sambaAcctFlags");
3921 if ((vals == NULL) || (vals[0] == NULL)) {
3922 DEBUG(5, ("\"sambaAcctFlags\" not found\n"));
3925 acct_flags = pdb_decode_acct_ctrl(vals[0]);
3926 ldap_value_free(vals);
3928 if ((state->acct_flags != 0) &&
3929 ((state->acct_flags & acct_flags) == 0))
3932 result->acct_flags = acct_flags;
3933 result->account_name = "";
3934 result->fullname = "";
3935 result->description = "";
3937 vals = ldap_get_values(ld, entry, "uid");
3938 if ((vals == NULL) || (vals[0] == NULL)) {
3939 DEBUG(5, ("\"uid\" not found\n"));
3942 pull_utf8_talloc(mem_ctx,
3943 CONST_DISCARD(char **, &result->account_name),
3945 ldap_value_free(vals);
3947 vals = ldap_get_values(ld, entry, "displayName");
3948 if ((vals == NULL) || (vals[0] == NULL))
3949 DEBUG(8, ("\"displayName\" not found\n"));
3951 pull_utf8_talloc(mem_ctx,
3952 CONST_DISCARD(char **, &result->fullname),
3954 ldap_value_free(vals);
3956 vals = ldap_get_values(ld, entry, "description");
3957 if ((vals == NULL) || (vals[0] == NULL))
3958 DEBUG(8, ("\"description\" not found\n"));
3960 pull_utf8_talloc(mem_ctx,
3961 CONST_DISCARD(char **, &result->description),
3963 ldap_value_free(vals);
3965 if ((result->account_name == NULL) ||
3966 (result->fullname == NULL) ||
3967 (result->description == NULL)) {
3968 DEBUG(0, ("talloc failed\n"));
3972 vals = ldap_get_values(ld, entry, "sambaSid");
3973 if ((vals == NULL) || (vals[0] == NULL)) {
3974 DEBUG(0, ("\"objectSid\" not found\n"));
3978 if (!string_to_sid(&sid, vals[0])) {
3979 DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
3980 ldap_value_free(vals);
3983 ldap_value_free(vals);
3985 if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
3986 DEBUG(0, ("sid %s does not belong to our domain\n", sid_string_static(&sid)));
3994 static BOOL ldapsam_search_users(struct pdb_methods *methods,
3995 struct pdb_search *search,
3998 struct ldapsam_privates *ldap_state = methods->private_data;
3999 struct ldap_search_state *state;
4001 state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
4002 if (state == NULL) {
4003 DEBUG(0, ("talloc failed\n"));
4007 state->connection = ldap_state->smbldap_state;
4009 if ((acct_flags != 0) && ((acct_flags & ACB_NORMAL) != 0))
4010 state->base = lp_ldap_user_suffix();
4011 else if ((acct_flags != 0) &&
4012 ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))
4013 state->base = lp_ldap_machine_suffix();
4015 state->base = lp_ldap_suffix();
4017 state->acct_flags = acct_flags;
4018 state->base = talloc_strdup(search->mem_ctx, state->base);
4019 state->scope = LDAP_SCOPE_SUBTREE;
4020 state->filter = get_ldap_filter(search->mem_ctx, "*");
4021 state->attrs = talloc_attrs(search->mem_ctx, "uid", "sambaSid",
4022 "displayName", "description",
4023 "sambaAcctFlags", NULL);
4024 state->attrsonly = 0;
4025 state->pagedresults_cookie = NULL;
4026 state->entries = NULL;
4027 state->ldap2displayentry = ldapuser2displayentry;
4029 if ((state->filter == NULL) || (state->attrs == NULL)) {
4030 DEBUG(0, ("talloc failed\n"));
4034 search->private_data = state;
4035 search->next_entry = ldapsam_search_next_entry;
4036 search->search_end = ldapsam_search_end;
4038 return ldapsam_search_firstpage(search);
4041 static BOOL ldapgroup2displayentry(struct ldap_search_state *state,
4042 TALLOC_CTX *mem_ctx,
4043 LDAP *ld, LDAPMessage *entry,
4044 struct samr_displayentry *result)
4050 result->account_name = "";
4051 result->fullname = "";
4052 result->description = "";
4055 vals = ldap_get_values(ld, entry, "sambaGroupType");
4056 if ((vals == NULL) || (vals[0] == NULL)) {
4057 DEBUG(5, ("\"sambaGroupType\" not found\n"));
4061 group_type = atoi(vals[0]);
4063 if ((state->group_type != 0) &&
4064 ((state->group_type != group_type))) {
4068 /* display name is the NT group name */
4070 vals = ldap_get_values(ld, entry, "displayName");
4071 if ((vals == NULL) || (vals[0] == NULL)) {
4072 DEBUG(8, ("\"displayName\" not found\n"));
4074 /* fallback to the 'cn' attribute */
4075 vals = ldap_get_values(ld, entry, "cn");
4076 if ((vals == NULL) || (vals[0] == NULL)) {
4077 DEBUG(5, ("\"cn\" not found\n"));
4080 pull_utf8_talloc(mem_ctx, CONST_DISCARD(char **, &result->account_name), vals[0]);
4083 pull_utf8_talloc(mem_ctx, CONST_DISCARD(char **, &result->account_name), vals[0]);
4086 ldap_value_free(vals);
4088 vals = ldap_get_values(ld, entry, "description");
4089 if ((vals == NULL) || (vals[0] == NULL))
4090 DEBUG(8, ("\"description\" not found\n"));
4092 pull_utf8_talloc(mem_ctx,
4093 CONST_DISCARD(char **, &result->description),
4095 ldap_value_free(vals);
4097 if ((result->account_name == NULL) ||
4098 (result->fullname == NULL) ||
4099 (result->description == NULL)) {
4100 DEBUG(0, ("talloc failed\n"));
4104 vals = ldap_get_values(ld, entry, "sambaSid");
4105 if ((vals == NULL) || (vals[0] == NULL)) {
4106 DEBUG(0, ("\"objectSid\" not found\n"));
4110 if (!string_to_sid(&sid, vals[0])) {
4111 DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
4115 ldap_value_free(vals);
4117 switch (group_type) {
4118 case SID_NAME_DOM_GRP:
4119 case SID_NAME_ALIAS:
4121 if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
4122 DEBUG(0, ("%s is not in our domain\n", sid_string_static(&sid)));
4127 case SID_NAME_WKN_GRP:
4129 if (!sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid)) {
4131 DEBUG(0, ("%s is not in builtin sid\n", sid_string_static(&sid)));
4137 DEBUG(0,("unkown group type: %d\n", group_type));
4144 static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
4145 struct pdb_search *search,
4146 enum SID_NAME_USE type)
4148 struct ldapsam_privates *ldap_state = methods->private_data;
4149 struct ldap_search_state *state;
4151 state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
4152 if (state == NULL) {
4153 DEBUG(0, ("talloc failed\n"));
4157 state->connection = ldap_state->smbldap_state;
4159 state->base = talloc_strdup(search->mem_ctx, lp_ldap_group_suffix());
4160 state->connection = ldap_state->smbldap_state;
4161 state->scope = LDAP_SCOPE_SUBTREE;
4162 state->filter = talloc_asprintf(search->mem_ctx,
4163 "(&(objectclass=sambaGroupMapping)"
4164 "(sambaGroupType=%d))", type);
4165 state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid",
4166 "displayName", "description", "sambaGroupType", NULL);
4167 state->attrsonly = 0;
4168 state->pagedresults_cookie = NULL;
4169 state->entries = NULL;
4170 state->group_type = type;
4171 state->ldap2displayentry = ldapgroup2displayentry;
4173 if ((state->filter == NULL) || (state->attrs == NULL)) {
4174 DEBUG(0, ("talloc failed\n"));
4178 search->private_data = state;
4179 search->next_entry = ldapsam_search_next_entry;
4180 search->search_end = ldapsam_search_end;
4182 return ldapsam_search_firstpage(search);
4185 static BOOL ldapsam_search_groups(struct pdb_methods *methods,
4186 struct pdb_search *search)
4188 return ldapsam_search_grouptype(methods, search, SID_NAME_DOM_GRP);
4191 static BOOL ldapsam_search_aliases(struct pdb_methods *methods,
4192 struct pdb_search *search,
4195 if (sid_check_is_domain(sid))
4196 return ldapsam_search_grouptype(methods, search,
4199 if (sid_check_is_builtin(sid))
4200 return ldapsam_search_grouptype(methods, search,
4203 DEBUG(5, ("Don't know SID %s\n", sid_string_static(sid)));
4207 /**********************************************************************
4209 *********************************************************************/
4211 static void free_private_data(void **vp)
4213 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
4215 smbldap_free_struct(&(*ldap_state)->smbldap_state);
4217 if ((*ldap_state)->result != NULL) {
4218 ldap_msgfree((*ldap_state)->result);
4219 (*ldap_state)->result = NULL;
4221 if ((*ldap_state)->domain_dn != NULL) {
4222 SAFE_FREE((*ldap_state)->domain_dn);
4227 /* No need to free any further, as it is talloc()ed */
4230 /**********************************************************************
4231 Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
4232 *********************************************************************/
4234 static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
4235 const char *location)
4238 struct ldapsam_privates *ldap_state;
4240 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
4244 (*pdb_method)->name = "ldapsam";
4246 (*pdb_method)->setsampwent = ldapsam_setsampwent;
4247 (*pdb_method)->endsampwent = ldapsam_endsampwent;
4248 (*pdb_method)->getsampwent = ldapsam_getsampwent;
4249 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
4250 (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
4251 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
4252 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
4253 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
4254 (*pdb_method)->rename_sam_account = ldapsam_rename_sam_account;
4256 (*pdb_method)->getgrsid = ldapsam_getgrsid;
4257 (*pdb_method)->getgrgid = ldapsam_getgrgid;
4258 (*pdb_method)->getgrnam = ldapsam_getgrnam;
4259 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
4260 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
4261 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
4262 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
4263 (*pdb_method)->enum_group_members = ldapsam_enum_group_members;
4264 (*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships;
4265 (*pdb_method)->lookup_rids = ldapsam_lookup_rids;
4267 (*pdb_method)->get_account_policy = ldapsam_get_account_policy;
4268 (*pdb_method)->set_account_policy = ldapsam_set_account_policy;
4270 (*pdb_method)->get_seq_num = ldapsam_get_seq_num;
4272 /* TODO: Setup private data and free */
4274 ldap_state = TALLOC_ZERO_P(pdb_context->mem_ctx, struct ldapsam_privates);
4276 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
4277 return NT_STATUS_NO_MEMORY;
4280 if (!NT_STATUS_IS_OK(nt_status =
4281 smbldap_init(pdb_context->mem_ctx, location,
4282 &ldap_state->smbldap_state)));
4284 ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
4285 if (!ldap_state->domain_name) {
4286 return NT_STATUS_NO_MEMORY;
4289 (*pdb_method)->private_data = ldap_state;
4291 (*pdb_method)->free_private_data = free_private_data;
4293 return NT_STATUS_OK;
4296 /**********************************************************************
4297 Initialise the 'compat' mode for pdb_ldap
4298 *********************************************************************/
4300 NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
4303 struct ldapsam_privates *ldap_state;
4305 #ifdef WITH_LDAP_SAMCONFIG
4307 int ldap_port = lp_ldap_port();
4309 /* remap default port if not using SSL (ie clear or TLS) */
4310 if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
4314 location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
4316 return NT_STATUS_NO_MEMORY;
4321 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
4325 (*pdb_method)->name = "ldapsam_compat";
4327 ldap_state = (*pdb_method)->private_data;
4328 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
4330 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
4332 return NT_STATUS_OK;
4335 /**********************************************************************
4336 Initialise the normal mode for pdb_ldap
4337 *********************************************************************/
4339 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
4342 struct ldapsam_privates *ldap_state;
4343 uint32 alg_rid_base;
4344 pstring alg_rid_base_string;
4345 LDAPMessage *result = NULL;
4346 LDAPMessage *entry = NULL;
4347 DOM_SID ldap_domain_sid;
4348 DOM_SID secrets_domain_sid;
4349 pstring domain_sid_string;
4352 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
4356 (*pdb_method)->name = "ldapsam";
4358 (*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
4359 (*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
4360 (*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
4361 (*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
4362 (*pdb_method)->search_users = ldapsam_search_users;
4363 (*pdb_method)->search_groups = ldapsam_search_groups;
4364 (*pdb_method)->search_aliases = ldapsam_search_aliases;
4366 ldap_state = (*pdb_method)->private_data;
4367 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
4369 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
4371 nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result,
4372 ldap_state->domain_name, True);
4374 if ( !NT_STATUS_IS_OK(nt_status) ) {
4375 DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n"));
4376 DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, \
4377 and will risk BDCs having inconsistant SIDs\n"));
4378 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
4379 return NT_STATUS_OK;
4382 /* Given that the above might fail, everything below this must be optional */
4384 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
4386 DEBUG(0, ("pdb_init_ldapsam: Could not get domain info entry\n"));
4387 ldap_msgfree(result);
4388 return NT_STATUS_UNSUCCESSFUL;
4391 dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
4393 return NT_STATUS_UNSUCCESSFUL;
4396 ldap_state->domain_dn = smb_xstrdup(dn);
4399 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
4400 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
4401 domain_sid_string)) {
4403 if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
4404 DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be read as a valid SID\n", domain_sid_string));
4405 return NT_STATUS_INVALID_PARAMETER;
4407 found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid);
4408 if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) {
4409 fstring new_sid_str, old_sid_str;
4410 DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n",
4411 ldap_state->domain_name,
4412 sid_to_string(old_sid_str, &secrets_domain_sid),
4413 sid_to_string(new_sid_str, &ldap_domain_sid)));
4415 /* reset secrets.tdb sid */
4416 secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid);
4417 DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str, get_global_sam_sid())));
4419 sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
4422 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
4423 get_attr_key2string( dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE ),
4424 alg_rid_base_string)) {
4425 alg_rid_base = (uint32)atol(alg_rid_base_string);
4426 if (alg_rid_base != algorithmic_rid_base()) {
4427 DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
4428 "database was initialised. Aborting. \n"));
4429 ldap_msgfree(result);
4430 return NT_STATUS_UNSUCCESSFUL;
4433 ldap_msgfree(result);
4435 return NT_STATUS_OK;
4438 NTSTATUS pdb_ldap_init(void)
4441 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
4444 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
4447 /* Let pdb_nds register backends */
4450 return NT_STATUS_OK;