r23896: hopefully fix the build on most systems
[amitay/samba.git] / source3 / include / ads.h
index 48b9bbffa02d44f41d23ab46c6c9ba6ec0c3be98..89f54a23f25a7480ce233d1a9cb4760253b117f1 100644 (file)
@@ -1,15 +1,21 @@
+#ifndef _INCLUDE_ADS_H_
+#define _INCLUDE_ADS_H_
 /*
   header for ads (active directory) library routines
 
   basically this is a wrapper around ldap
 */
 
-typedef struct {
-       void *ld; /* the active ldap structure */
-       struct in_addr ldap_ip; /* the ip of the active connection, if any */
-       time_t last_attempt; /* last attempt to reconnect */
-       int ldap_port;
-       
+enum wb_posix_mapping {
+       WB_POSIX_MAP_UNKNOWN    = -1,
+       WB_POSIX_MAP_TEMPLATE   = 0, 
+       WB_POSIX_MAP_SFU        = 1, 
+       WB_POSIX_MAP_SFU20      = 2, 
+       WB_POSIX_MAP_RFC2307    = 3,
+       WB_POSIX_MAP_UNIXINFO   = 4
+};
+
+typedef struct {       
        int is_mine;    /* do I own this structure's memory? */
        
        /* info needed to find the server */
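Review bot: The include guard `_INCLUDE_ADS_H_` added at the top of this hunk begins with an underscore followed by an uppercase letter, a name pattern C reserves for the implementation, so a system header could legitimately define it; a project-owned name such as `INCLUDE_ADS_H` (or `SAMBA_ADS_H`) avoids that. The matching `#endif` is in the last hunk of this diff and would need the same rename. The new `enum wb_posix_mapping` has no comment on what the mapping values select; a one-liner above it, `/* which AD schema (SFU, SFU 2.0, RFC2307, ...) supplies the posix attributes for winbind */`, would tell a reader why `WB_POSIX_MAP_UNKNOWN` is -1 and distinct from the real mappings. The `typedef struct {` that starts at the end of this hunk closes in the next hunk.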
@@ -28,29 +34,52 @@ typedef struct {
                char *kdc_server;
                unsigned flags;
                int time_offset;
-               time_t expire;
+               time_t tgt_expire;
+               time_t tgs_expire;
                time_t renewable;
        } auth;
 
        /* info derived from the servers config */
        struct {
+               uint32 flags; /* cldap flags identifying the services. */
                char *realm;
                char *bind_path;
                char *ldap_server_name;
+               char *server_site_name;
+               char *client_site_name;
                time_t current_time;
+               int tried_closest_dc;
+               char *schema_path;
+               char *config_path;
        } config;
 
-       /* info derived from the servers schema */
+       /* info about the current LDAP connection */
+#ifdef HAVE_LDAP
        struct {
-               char *sfu_homedir_attr;
-               char *sfu_shell_attr;
-               char *sfu_uidnumber_attr;
-               char *sfu_gidnumber_attr;
-               char *sfu_gecos_attr;
-       } schema;
-
+               LDAP *ld;
+               struct in_addr ip; /* the ip of the active connection, if any */
+               time_t last_attempt; /* last attempt to reconnect */
+               int port;
+
+#ifdef HAVE_ADS_SASL_WRAPPING
+               Sockbuf_IO_Desc *sbiod; /* lowlevel state for LDAP wrapping */
+#endif /* HAVE_ADS_SASL_WRAPPING */
+       } ldap;
+#endif /* HAVE_ADS */
 } ADS_STRUCT;
 
+/* used to remember the names of the posix attributes in AD */
+/* see the rfc2307 & sfu nss backends */
+
+struct posix_schema {
+       char *posix_homedir_attr;
+       char *posix_shell_attr;
+       char *posix_uidnumber_attr;
+       char *posix_gidnumber_attr;
+       char *posix_gecos_attr;
+};
+
+
 /* there are 5 possible types of errors the ads subsystem can produce */
 enum ads_error_type {ENUM_ADS_ERROR_KRB5, ENUM_ADS_ERROR_GSS, 
                     ENUM_ADS_ERROR_LDAP, ENUM_ADS_ERROR_SYSTEM, ENUM_ADS_ERROR_NT};
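Review bot: The `#endif` closing the new `ldap` member is commented `/* HAVE_ADS */` but the conditional it closes was opened with `#ifdef HAVE_LDAP`; change the line to `#endif /* HAVE_LDAP */` so the nesting stays readable next to the `HAVE_ADS_SASL_WRAPPING` block inside it. Because the `ldap` sub-struct only exists under HAVE_LDAP, `sizeof(ADS_STRUCT)` and member offsets now depend on that macro, so every translation unit that touches the struct must be compiled with the same configuration — worth a short comment above the `#ifdef`. The new `struct posix_schema` holds five `char *` attribute names but nothing states who allocates and frees them; a comment naming the allocator and owner would help the nss backends referenced in the comment avoid leaks or double frees (the owner is not visible in this diff). The enclosing `typedef struct` starts in the previous hunk.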
@@ -83,6 +112,13 @@ typedef void **ADS_MODLIST;
 #define ADS_ERR_OK(status) ((status.error_type == ENUM_ADS_ERROR_NT) ? NT_STATUS_IS_OK(status.err.nt_status):(status.err.rc == 0))
 #define ADS_SUCCESS ADS_ERROR(0)
 
+#define ADS_ERROR_HAVE_NO_MEMORY(x) do { \
+        if (!(x)) {\
+                return ADS_ERROR(LDAP_NO_MEMORY);\
+        }\
+} while (0)
+
+
 /* time between reconnect attempts */
 #define ADS_RECONNECT_TIME 5
 
@@ -92,14 +128,30 @@ typedef void **ADS_MODLIST;
 #define ADS_SERVER_SORT_OID    "1.2.840.113556.1.4.473"
 #define ADS_PERMIT_MODIFY_OID  "1.2.840.113556.1.4.1413"
 #define ADS_ASQ_OID            "1.2.840.113556.1.4.1504"
+#define ADS_EXTENDED_DN_OID    "1.2.840.113556.1.4.529"
+#define ADS_SD_FLAGS_OID       "1.2.840.113556.1.4.801"
 
-/* ldap attribute oids (Services for Unix) */
+/* ldap attribute oids (Services for Unix 3.0, 3.5) */
 #define ADS_ATTR_SFU_UIDNUMBER_OID     "1.2.840.113556.1.6.18.1.310"
 #define ADS_ATTR_SFU_GIDNUMBER_OID     "1.2.840.113556.1.6.18.1.311"
 #define ADS_ATTR_SFU_HOMEDIR_OID       "1.2.840.113556.1.6.18.1.344"
 #define ADS_ATTR_SFU_SHELL_OID                 "1.2.840.113556.1.6.18.1.312"
 #define ADS_ATTR_SFU_GECOS_OID                 "1.2.840.113556.1.6.18.1.337"
 
+/* ldap attribute oids (Services for Unix 2.0) */
+#define ADS_ATTR_SFU20_UIDNUMBER_OID   "1.2.840.113556.1.4.7000.187.70"
+#define ADS_ATTR_SFU20_GIDNUMBER_OID   "1.2.840.113556.1.4.7000.187.71"
+#define ADS_ATTR_SFU20_HOMEDIR_OID     "1.2.840.113556.1.4.7000.187.106"
+#define ADS_ATTR_SFU20_SHELL_OID       "1.2.840.113556.1.4.7000.187.72"
+#define ADS_ATTR_SFU20_GECOS_OID       "1.2.840.113556.1.4.7000.187.97"
+
+/* ldap attribute oids (RFC2307) */
+#define ADS_ATTR_RFC2307_UIDNUMBER_OID "1.3.6.1.1.1.1.0"
+#define ADS_ATTR_RFC2307_GIDNUMBER_OID "1.3.6.1.1.1.1.1"
+#define ADS_ATTR_RFC2307_HOMEDIR_OID   "1.3.6.1.1.1.1.3"
+#define ADS_ATTR_RFC2307_SHELL_OID     "1.3.6.1.1.1.1.4"
+#define ADS_ATTR_RFC2307_GECOS_OID     "1.3.6.1.1.1.1.2"
+
 /* ldap bitwise searches */
 #define ADS_LDAP_MATCHING_RULE_BIT_AND "1.2.840.113556.1.4.803"
 #define ADS_LDAP_MATCHING_RULE_BIT_OR  "1.2.840.113556.1.4.804"
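Review bot: The two new control OIDs `ADS_EXTENDED_DN_OID` and `ADS_SD_FLAGS_OID` are added without a comment saying which server control each names, unlike the attribute OID groups below that each get a heading. I would add `/* LDAP_SERVER_EXTENDED_DN_OID: return DNs prefixed with GUID/SID */` and `/* LDAP_SERVER_SD_FLAGS_OID: select which parts of a security descriptor a search reads or a modify writes */` so readers know the second one affects which owner/group/DACL/SACL parts are touched.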
@@ -213,6 +265,11 @@ typedef void **ADS_MODLIST;
                GROUP_TYPE_ACCOUNT_GROUP| \
                GROUP_TYPE_SECURITY_ENABLED \
                )
+#define GTYPE_SECURITY_UNIVERSAL_GROUP (       /* 0x80000008 -2147483656 */ \
+               GROUP_TYPE_UNIVERSAL_GROUP| \
+               GROUP_TYPE_SECURITY_ENABLED \
+               )
+
 #define GTYPE_DISTRIBUTION_GLOBAL_GROUP                0x00000002      /* 2 */
 #define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP  0x00000004      /* 4 */
 #define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP     0x00000008      /* 8 */
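Review bot: The decimal in the new comment `/* 0x80000008 -2147483656 */` is wrong: 0x80000008 is 2147483656 as an unsigned value, and as a signed 32-bit value it is -2147483640, which is presumably what the sibling comments in this file (hex paired with signed decimal) intend. Change it to `/* 0x80000008 -2147483640 */`. If `GROUP_TYPE_SECURITY_ENABLED` is defined as 0x80000000 the whole expression has unsigned type, so comparing it against a signed groupType value invites sign-conversion surprises; those definitions are outside this hunk, so this is hedged.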
@@ -222,7 +279,7 @@ typedef void **ADS_MODLIST;
 #define ADS_DNS_DOMAIN     0x40000000  /* DomainName is a DNS name */
 #define ADS_DNS_FOREST     0x80000000  /* DnsForestName is a DNS name */
 
-/* DomainCntrollerAddressType */
+/* DomainControllerAddressType */
 #define ADS_INET_ADDRESS      0x00000001
 #define ADS_NETBIOS_ADDRESS   0x00000002
 
@@ -256,7 +313,17 @@ typedef void **ADS_MODLIST;
 #define KRB5_ADDR_NETBIOS 0x14
 #endif
 
+#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
+#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
+#endif
+
 #ifdef HAVE_KRB5
+typedef struct {
+       NTSTATUS ntstatus;
+       uint32 unknown1;
+       uint32 unknown2; /* 0x00000001 */
+} KRB5_EDATA_NTSTATUS;
+
 typedef struct {
 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
        krb5_address **addrs;
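Review bot: `KRB5_EDATA_NTSTATUS` is a new typedef whose two trailing members are named `unknown1`/`unknown2` and whose purpose is not stated anywhere in the hunk. If it is meant to mirror the NTSTATUS-bearing e-data a KDC returns in a KRB-ERROR, say so and note that it must be filled by field-wise decoding rather than by casting the wire bytes, since the in-memory layout and byte order of `NTSTATUS`/`uint32` are not guaranteed to match the blob; a header comment such as `/* NTSTATUS extended error data from a KRB-ERROR e-data; decode field by field, never cast the raw buffer */` would do, and the `/* 0x00000001 */` on `unknown2` should say whether that is an observed or a required value. The consumer of this struct is not in this diff, so this is hedged. The fallback value for `KRB5KRB_ERR_RESPONSE_TOO_BIG` appears to match the MIT error-table numbering (base -1765328384, code 52).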
@@ -267,3 +334,21 @@ typedef struct {
 #endif
 } smb_krb5_addresses;
 #endif
+
+enum ads_extended_dn_flags {
+       ADS_EXTENDED_DN_HEX_STRING      = 0,
+       ADS_EXTENDED_DN_STRING          = 1 /* not supported on win2k */
+};
+
+/* this is probably not very well suited to pass other controls generically but
+ * is good enough for the extended dn control where it is only used for atm */
+
+typedef struct {
+       const char *control;
+       int val;
+       int critical;
+} ads_control;
+
+#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
+
+#endif /* _INCLUDE_ADS_H_ */
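Review bot: `ads_control` has no documentation of its fields; assuming `critical` is passed as the LDAP control's criticality flag, a non-zero value makes the server reject the whole operation when it does not support the control, and the comment on `ADS_EXTENDED_DN_STRING` two lines up says that value is unsupported on win2k, so callers need to know that combination fails hard rather than degrading. A comment like `/* control: control OID; val: integer control value; critical: non-zero makes the server fail the operation if it does not support the control */` sets that expectation. The typedef also has no struct tag, so other headers cannot forward-declare it; `typedef struct ads_control { ... } ads_control;` keeps the existing name working. The consumer that builds the control from this struct is outside this diff, so the criticality point is hedged.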