3 # adssearch.pl - query an Active Directory server and
4 # display objects in a human readable format
6 # Copyright (C) Guenther Deschner <gd@samba.org> 2003-2005
8 # TODO: add range retrieval
9 # write sddl-converter, decode userParameters
11 # apparently only win2k3 allows simple-binds with machine-accounts.
12 # make sasl support independent from Authen::SASL::Cyrus v >0.11
16 use Net::LDAP::Control;
19 use POSIX qw(strftime);
26 my $class = 'Authen::SASL';
27 $pref_version = "0.32";
28 if ( eval "require $class;" ) {
31 if ( eval "Net::LDAP->VERSION($pref_version);" ) {
36 # users may set defaults here
42 my $tdbdump = "/usr/bin/tdbdump";
43 my $testparm = "/usr/bin/testparm";
44 my $net = "/usr/bin/net";
45 my $dig = "/usr/bin/dig";
46 my $nmblookup = "/usr/bin/nmblookup";
47 my $secrets_tdb = "/etc/samba/secrets.tdb";
48 my $klist = "/usr/bin/klist";
49 my $kinit = "/usr/bin/kinit";
50 my $ads_h = "/home/gd/ads.h";
51 my $page_size = "1000";
61 $opt_display_extendeddn,
62 $opt_display_metadata,
84 'base|b=s' => \$opt_base,
85 'D|DN=s' => \$opt_binddn,
86 'debug=i' => \$opt_debug,
87 'extendeddn|e' => \$opt_display_extendeddn,
89 'host|h=s' => \$opt_host,
90 'machine|P' => \$opt_machine,
91 'metadata|m' => \$opt_display_metadata,
92 'nodiffs' => \$opt_notify_nodiffs,
93 'notify|n' => \$opt_notify,
94 'password|w=s' => \$opt_password,
95 'port=i' => \$opt_port,
96 'rawdisplay' => \$opt_display_raw,
97 'realm|R=s' => \$opt_realm,
98 'rootDSE' => \$opt_dump_rootdse,
99 'saslmech|Y=s' => \$opt_saslmech,
100 'schema|c' => \$opt_dump_schema,
101 'scope|s=s' => \$opt_scope,
102 'simpleauth|x' => \$opt_simpleauth,
103 'tls|Z' => \$opt_starttls,
104 'user|U=s' => \$opt_user,
105 'wknguid' => \$opt_dump_wknguid,
106 'workgroup|k=s' => \$opt_workgroup,
111 my $paging = 1 if !$opt_notify;
113 if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
123 my ($filter, $dse, $uri);
125 my (@ctrls, @ctrls_s);
126 my ($ctl_paged, $cookie);
127 my ($page_count, $total_entry_count);
128 my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
132 my (%ads_atype, %ads_gtype, %ads_uf);
134 # fixed values and vars
139 my $scope = $opt_scope || "sub";
140 my $port = $opt_port;
143 "LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528",
144 "LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529",
145 "LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319",
146 "LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801",
147 "LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473",
148 "LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474",
149 "LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9",
150 "LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10",
151 "LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure
152 "LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417",
153 "LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521",
154 "LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619",
155 "LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805",
156 "LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841",
157 "LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338",
158 "LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339",
159 "LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340",
160 "LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413",
161 "LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504",
162 "NONE (Get stats control)" => "1.2.840.113556.1.4.970",
163 "LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852",
166 my %ads_capabilities = (
167 "LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800",
168 "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670",
169 "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
172 my %ads_extensions = (
173 "LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037",
174 "LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1",
175 "LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781",
176 "NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1",
179 my %ads_matching_rules = (
180 "LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803",
181 "LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804",
185 "WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD",
186 "WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A",
187 "WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD",
188 "WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD",
191 my %ads_systemflags = (
192 "FLAG_DONT_REPLICATE" => 0x00000001, # 1
193 "FLAG_REPLICATE_TO_GC" => 0x00000002, # 2
194 "FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4
195 "FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16
196 "FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432
197 "FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864
198 "FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728
199 #"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation
200 #"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation
201 #"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation
202 "FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648
205 my %ads_mixed_domain = (
206 "NATIVE_LEVEL_DOMAIN" => 0,
207 "MIXED_LEVEL_DOMAIN" => 1,
211 "DS_BEHAVIOR_WIN2000" => 0, # untested
212 "DS_BEHAVIOR_WIN2003" => 2,
215 my %ads_instance_type = (
216 "DS_INSTANCETYPE_IS_NC_HEAD" => 0x1,
218 "IT_NC_ABOVE" => 0x8,
222 "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
223 "ACCOUNT_OK" => 0x800000, # 8388608
224 "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
228 "CtxCfgPresent" => \&dump_int,
229 "CtxCfgFlags1" => \&dump_int,
230 "CtxCallback" => \&dump_string,
231 "CtxShadow" => \&dump_string,
232 "CtxMaxConnectionTime" => \&dump_int,
233 "CtxMaxDisconnectionTime"=> \&dump_int,
234 "CtxMaxIdleTime" => \&dump_int,
235 "CtxKeyboardLayout" => \&dump_int,
236 "CtxMinEncryptionLevel" => \&dump_int,
237 "CtxWorkDirectory" => \&dump_string,
238 "CtxNWLogonServer" => \&dump_string,
239 "CtxWFHomeDir" => \&dump_string,
240 "CtxWFHomeDirDrive" => \&dump_string,
241 "CtxWFProfilePath" => \&dump_string,
242 "CtxInitialProgram" => \&dump_string,
243 "CtxCallbackNumber" => \&dump_string,
247 $SIG{__WARN__} = sub {
255 # if there is data missing, we try to autodetect with samba-tools (if installed)
256 # this might fill up workgroup, machine, realm
260 $workgroup = $workgroup || $opt_workgroup || "";
263 $server = process_servername($opt_host) ||
264 detect_server($workgroup,$opt_realm) ||
265 die "please define server to query with -h host\n";
270 get_base_from_rootdse($server,$dse);
273 $realm = $opt_realm ||
274 get_realm_from_rootdse($server,$dse);
277 my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse);
278 my $sasl_mech = "GSSAPI";
280 $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
284 my $sasl_bind = 1 if (!$opt_simpleauth);
287 my $user = check_user($opt_user) || $ENV{'USER'} || "";
290 my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
293 $binddn = $opt_binddn || $upn;
296 $password = $password || $opt_password;
298 $password = $opt_machine ? get_machine_password($workgroup) : get_password();
302 "accountExpires" => \&dump_nttime,
303 "badPasswordTime" => \&dump_nttime,
304 "creationTime" => \&dump_nttime,
305 "currentTime" => \&dump_timestr,
306 "domainControllerFunctionality" => \&dump_ds_func,
307 "domainFunctionality" => \&dump_ds_func,
308 "dSCorePropagationData" => \&dump_timestr,
309 "forceLogoff" => \&dump_nttime_abs,
310 "forestFunctionality" => \&dump_ds_func,
311 "groupType" => \&dump_gtype,
312 "instanceType" => \&dump_instance_type,
313 "lastLogon" => \&dump_nttime,
314 "lastLogonTimestamp" => \&dump_nttime,
315 "lockoutTime" => \&dump_nttime,
316 "lockoutDuration" => \&dump_nttime_abs,
317 "lockOutObservationWindow" => \&dump_nttime_abs,
318 # "logonHours" => \&dump_not_yet,
319 "maxPwdAge" => \&dump_nttime_abs,
320 "minPwdAge" => \&dump_nttime_abs,
321 "modifyTimeStamp" => \&dump_timestr,
322 # "msRADIUSFramedIPAddress" => \&dump_ipaddr,
323 # "msRASSavedFramedIPAddress" => \&dump_ipaddr,
324 "ntMixedDomain" => \&dump_mixed_domain,
325 "nTSecurityDescriptor" => \&dump_secdesc,
326 "objectGUID" => \&dump_guid,
327 "objectSid" => \&dump_sid,
328 "pwdLastSet" => \&dump_nttime,
329 "sAMAccountType" => \&dump_atype,
330 "systemFlags" => \&dump_systemflags,
331 "supportedControl", => \&dump_controls,
332 "supportedCapabilities", => \&dump_capabilities,
333 "supportedExtension", => \&dump_extension,
334 "tokenGroups", => \&dump_sid,
335 "userAccountControl" => \&dump_uac,
336 "msDS-User-Account-Control-Computed" => \&dump_uacc,
337 "userFlags" => \&dump_uf,
338 "userParameters" => \&dump_munged_dial,
339 "whenChanged" => \&dump_timestr,
340 "whenCreated" => \&dump_timestr,
350 print "usage: $0 [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
351 print "\t--base|-b [base]\n\t\tUse base [base]\n";
352 print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
353 print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
354 print "\t--extendeddn|-e\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
355 print "\t--help\n\t\tDisplay help page\n";
356 print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
357 print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
358 print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
359 print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
360 print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
361 print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
362 print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
363 print "\t--rawdisplay\n\t\tDo not interpret values\n";
364 print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
365 print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
366 print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
367 print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
368 print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
369 print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
370 print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
371 print "\t--user|-U [user]\n\t\tUse [user]\n";
372 print "\t--wknguid\n\t\tDisplay well known guids\n";
373 print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
377 my ($mod,$attr,$value) = @_;
378 my $ofh = select(STDOUT);
384 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
390 my ($mod,$attr,$value) = @_;
391 my $ofh = select(STDOUT);
397 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
399 ~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
406 my $workgroup = shift;
411 # try net cache (nbt records)
412 if ( -x $net && $workgroup ) {
413 my $key = sprintf("NBT/%s#1C", uc($workgroup));
414 chomp($result = `$net cache search $key 2>&1 /dev/null`);
415 $result =~ s/^.*Value: //;
417 return $result if $result;
418 printf("%10s query failed for [%s]\n", "net cache", $key);
421 # try dns SRV entries
422 if ( -x $dig && $realm ) {
423 my $key = sprintf("_ldap._tcp.%s", lc($realm));
424 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
427 return $result if $result;
428 printf("%10s query failed for [%s]\n", "dns", $key);
431 # try netbios broadcast query
432 if ( -x $nmblookup && $workgroup ) {
433 my $key = sprintf("%s#1C", uc($workgroup));
434 my $pattern = sprintf("%s<1c>", uc($workgroup));
435 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
437 return $result if $result;
438 printf("%10s query failed for [%s]\n", "nmblookup", $key);
446 if (! -x $testparm) { return -1; }
449 open(TESTPARM, "$testparm -s -v 2> /dev/null |");
450 while (my $line = <TESTPARM>) {
452 if ($line =~ /netbios name/) {
453 ($tmp, $machine) = split(/=/, $line);
454 $machine =~ s/\s+|\t+//g;
456 if ($line =~ /realm/) {
457 ($tmp, $realm) = split(/=/, $line);
458 $realm =~ s/\s+|\t+//g;
460 if ($line =~ /workgroup/) {
461 ($tmp, $workgroup) = split(/=/, $line);
462 $workgroup =~ s/\s+|\t+//g;
472 if ($machine && $realm) {
473 return sprintf("%s\@%s", lc($machine), uc($realm));
479 if (!$password && $opt_simpleauth && check_ticket($user)) {
480 return prompt_password($user);
486 my $user = shift || prompt_user();
490 sub get_machine_password {
492 my $workgroup = shift || "";
493 $workgroup = uc($workgroup);
496 -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
497 -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
499 # get machine-password
500 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
501 open(SECRETS,"$tdbdump $secrets_tdb |");
502 while(my $line = <SECRETS>) {
506 ($line,$password) = split(/"/, $line);
509 if ($line =~ /$key/) {
516 print "Successfully autodetected machine password for workgroup: $workgroup\n";
519 warn "No machine password available for $workgroup\n";
524 sub prompt_password {
526 my $acct = shift || "";
528 ($acct, $password) = split(/\%/, $acct);
532 print "Enter password for $acct:";
533 my $password = <STDIN>;
542 print "Enter Username:";
550 return system("$klist -t");
555 my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
557 open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
558 printf KRB5CONF "# autogenerated by $0\n";
559 printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
560 printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
563 if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
571 my $acct = shift || "";
573 ($acct, $password) = split(/\%/, $acct);
578 sub check_ctrls ($$@) {
581 my $server = shift || "";
582 $dse = shift || get_dse($server) || return -1;
585 my $dse_controls = $dse->get_value('supportedControl', asref => '1');
586 my @dse_controls = @$dse_controls;
588 foreach my $i (@ctrls) {
589 # we could use -> supported_control but this
590 # is only available in newer versions of perl-ldap
591 # if ( ! $dse->supported_control( $i ) ) {
592 if ( grep(/$i->type()/, @dse_controls) ) {
593 printf("required control: %s is not supported by ADS-server.\n", $i->type());
600 sub get_base_from_rootdse {
602 my $server = shift || "";
603 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
604 return $dse->get_value('defaultNamingContext');
607 sub get_realm_from_rootdse {
609 my $server = shift || "";
610 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
611 my $service = $dse->get_value('ldapServiceName') || "";
613 my ($t,$realm) = split(/\@/, $service);
616 die "very odd: could not get realm";
620 sub get_sasl_mechs_from_rootdse {
622 my $server = shift || "";
623 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
624 my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
630 my $server = shift || return undef;
631 $async_ldap_hd = shift || get_ldap_hd($server,1);
632 if (!$async_ldap_hd) {
633 print "oh, no connection\n";
636 my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
637 if ($mesg->code) { die "failed to bind\n"; };
638 my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
643 sub process_servername {
645 my $name = shift || return "";
646 if ($name =~ /^ldaps:\/\//i ) {
647 $name =~ s#^ldaps://##i;
648 $uri = sprintf("%s://%s", "ldaps", $name);
650 $name =~ s#^ldap://##i;
651 $uri = sprintf("%s://%s", "ldap", $name);
658 my $server = shift || return undef;
659 my $async = shift || "0";
661 die "uri unavailable" if (!$uri);
662 if ($uri =~ /^ldaps:\/\//i ) {
663 $port = $port || 636;
665 $hd = Net::LDAPS->new( $server, async => $async, port => $port ) ||
666 die "host $server not available: $!";
668 $port = $port || 389;
669 $hd = Net::LDAP->new( $server, async => $async, port => $port ) ||
670 die "host $server not available: $!";
672 $hd->debug($opt_debug);
674 $hd->start_tls( verify => 'none' );
683 print "no sasl support\n";
688 if ($sasl_mech && $sasl_mech eq "GSSAPI") {
689 my $user = sprintf("%s\@%s", $user, uc($realm));
690 if (check_ticket($user) != 0 && get_ticket($user) != 0) {
691 print "Could not get Kerberos ticket for user [$user]\n";
695 $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
696 my $conn = $hd->client_new("ldap", $server);
698 if ($conn->code == -1) {
699 printf "%s\n", $conn->error();
703 } elsif ($sasl_mech) {
705 # here comes generic sasl code
706 $hd = Authen::SASL->new( mechanism => $sasl_mech,
709 pass => \&get_password
714 print "no supported SASL mechanism found (@sasl_mechs).\n";
715 print "falling back to simple bind.\n";
722 sub check_sasl_mech {
723 my $mech_check = shift;
725 foreach my $mech (@sasl_mechs) {
726 $have_mech = 1 if ($mech eq uc($mech_check));
737 -e "$ads_h" || die "cannot open samba3 ads.h ($ads_h): $!";
739 while (my $line = <ADSH>) {
741 if ($line =~ /#define.UF.*0x/) {
742 my ($tmp, $name, $val) = split(/\s+/,$line);
743 next if ($name =~ /UNUSED/);
744 $ads_uf{$name} = hex $val;
746 if ($line =~ /#define.GTYPE.*0x/) {
747 my ($tmp, $name, $val) = split(/\s+/,$line);
748 $ads_gtype{$name} = hex $val;
750 if ($line =~ /#define.ATYPE.*0x/) {
751 my ($tmp, $name, $val) = split(/\s+/,$line);
753 (exists $ads_atype{$val}) ? $ads_atype{$val} : hex $val;
759 sub store_result ($) {
763 $entry_store{$entry->dn} = $entry;
766 sub display_result_diff ($) {
768 my $entry_new = shift;
769 return if ( !$entry_new);
771 if ( !exists $entry_store{$entry_new->dn}) {
772 print "can't display any differences yet. full dump...\n";
773 display_entry_generic($entry_new);
777 my $entry_old = $entry_store{$entry_new->dn};
779 foreach my $attr (sort $entry_new->attributes) {
780 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
781 display_attr_generic("add:\t", $entry_new, $attr);
786 foreach my $attr (sort $entry_old->attributes) {
787 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
788 display_attr_generic("del:\t", $entry_old, $attr);
792 # now check for all values if they have changed, display changes
793 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
795 $old_vals = $entry_old->get_value($attr, asref => 1);
796 @old_vals = @$old_vals;
797 $new_vals = $entry_new->get_value($attr, asref => 1);
798 @new_vals = @$new_vals;
800 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
801 if ($old_vals[0] ne $new_vals[0]) {
802 display_attr_generic("old:\t", $entry_old, $attr);
803 display_attr_generic("new:\t", $entry_new, $attr);
808 # handle multivalued diffs
809 foreach my $val (@old_vals) { $old{$val} = "dummy"; };
810 foreach my $val (@new_vals) { $new{$val} = "dummy"; };
811 foreach my $val (sort keys %new) {
812 if (!exists $old{$val}) {
813 display_value_generic("add:\t", $attr, $val);
816 foreach my $val (sort keys %old) {
817 if (!exists $new{$val}) {
818 display_value_generic("del:\t", $attr, $val);
828 my $binary_sid = shift;
838 my $tmp_sid = unpack 'H*', $binary_sid;
840 # split the binary string
841 ($sid_rev, $num_auths,
842 $id_auth[0], $id_auth[1], $id_auth[2], $id_auth[3], $id_auth[4], $id_auth[5],
843 $sub_auths[0], $sub_auths[1], $sub_auths[2], $sub_auths[3], $sub_auths[4], $inbuf2)
844 = unpack 'H2 H2 H2 H2 H2 H2 H2 H2 h8 h8 h8 h8 h8 h*',"$binary_sid";
847 for ( my $i = 0; $i < $num_auths; $i++ ) {
848 $sub_auths[$i] = reverse $sub_auths[$i];
851 # build the identifier authority
852 if ( ($id_auth[0] != 0) || ($id_auth[1] != 0) ) {
860 $ia = ($id_auth[5]) +
862 ($id_auth[3] << 16) +
867 $sid_strout = sprintf("S-%lu-%lu",hex($sid_rev),hex($ia));
869 for (my $i = 0; $i < $num_auths; $i++ ) {
870 $sid_strout .= sprintf( "-%lu", hex($sub_auths[$i]) );
878 return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
880 return pack("I", hex $1) .
892 # print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
895 sub bindstring_to_guid {
897 return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2",
918 my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
920 unpack("S", substr($guid, 4, 2)),
921 unpack("S", substr($guid, 6, 2)),
922 unpack("C", substr($guid, 8, 1)),
923 unpack("C", substr($guid, 9, 1)),
924 unpack("C", substr($guid, 10, 1)),
925 unpack("C", substr($guid, 11, 1)),
926 unpack("C", substr($guid, 12, 1)),
927 unpack("C", substr($guid, 13, 1)),
928 unpack("C", substr($guid, 14, 1)),
929 unpack("C", substr($guid, 15, 1));
933 sub guid_to_bindstring {
935 return unpack("H" . 2 * length($guid), $guid),
939 print "Dumping Well known GUIDs:\n";
940 foreach my $wknguid (keys %wknguids) {
942 my $guid = bindstring_to_guid($wknguids{$wknguid});
943 my $str = guid_to_string($guid);
944 my $back = guid_to_bindstring($guid);
946 printf "wkguid: %s\n", $wknguid;
947 printf "bind_string format: %s\n", $wknguids{$wknguid};
948 printf "string format: %s\n", guid_to_string($guid);
949 printf "back to bind_string:%s\n", guid_to_bindstring($guid);
951 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
955 sub gen_bitmask_string_format($%) {
959 foreach my $key (sort keys %tmp) {
960 push(@list, sprintf("%s %s", $tmp{$key}, $key));
962 return join("\n$mod\t\t\t",@list);
965 sub nt_to_unixtime ($) {
966 # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
968 $t64 =~ s/(.+).{7,7}/$1/;
975 my $mod = shift || die "no mod";
979 foreach my $key (keys %header) {
980 if ($header{$key} eq $val) {
981 $tmp{"($val)"} = $key;
986 if (!$found) { $tmp{$val} = ""; };
987 return gen_bitmask_string_format($mod,%tmp);
991 my $op = shift || die "no op";
993 my $mod = shift || die "no mod";
997 foreach my $key (sort keys %header) {
999 $tmp{$key} = ( $val & $header{$key} ) ? $set:$unset;
1000 } elsif ($op eq "==") {
1001 $tmp{$key} = ( $val == $header{$key} ) ? $set:$unset;
1003 print "unknown operator: $op\n";
1007 return gen_bitmask_string_format($mod,%tmp);
1010 sub dump_bitmask_and {
1011 return dump_bitmask("&",@_);
1014 sub dump_bitmask_equal {
1015 return dump_bitmask("==",@_);
1019 return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
1023 return dump_bitmask_equal(@_,%ads_uacc);
1027 return dump_bitmask_and(@_,%ads_uf);
1031 return dump_bitmask_and(@_,%ads_gtype);
1035 return dump_bitmask_equal(@_,%ads_atype);
1039 return dump_equal(@_,%ads_controls);
1042 sub dump_capabilities {
1043 return dump_equal(@_,%ads_capabilities);
1046 sub dump_extension {
1047 return dump_equal(@_,%ads_extensions);
1050 sub dump_systemflags {
1051 return dump_bitmask_and(@_,%ads_systemflags);
1054 sub dump_instance_type {
1055 return dump_bitmask_and(@_,%ads_instance_type);
1059 return dump_bitmask_equal(@_,%ads_ds_func);
1062 sub dump_mixed_domain {
1063 return dump_bitmask_equal(@_,%ads_mixed_domain);
1067 my $bin_sid = shift;
1068 return sid2string($bin_sid);
1073 return guid_to_string($guid);
1078 return "FIXME: write sddl-converter!";
1084 return sprintf("%s (%s)", "never", $nttime);
1086 my $localtime = localtime(nt_to_unixtime($nttime));
1087 return sprintf("%s (%s)", $localtime, $nttime);
1090 sub dump_nttime_abs {
1091 if ($_[0] == 9223372036854775807) {
1092 return sprintf("%s (%s)", "now", $_[0]);
1094 if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1095 return sprintf("%s (%s)", "never", $_[0]);
1097 # FIXME: actually *do* abs time !
1098 return dump_nttime($_[0]);
1103 my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
1104 unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1106 my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
1107 return sprintf("%s (%s)", $localtime, $time);
1115 return sprintf("%d", $_[0]);
1118 sub dump_munged_dial {
1120 return "FIXME! decode this";
1123 sub construct_filter {
1127 if (!$tmp || $opt_notify) {
1128 return "(objectclass=*)";
1131 if ($tmp && $tmp !~ /^.*\=/) {
1132 return "(ANR=$tmp)";
1136 # (&(objectCategory=person)
1137 # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1140 sub construct_attrs {
1149 push(@attrs,"uSNChanged");
1152 if ($opt_display_metadata) {
1153 push(@attrs,"msDS-ReplAttributeMetaData");
1154 push(@attrs,"replPropertyMetaData");
1157 push(@attrs,"nTSecurityDescriptor");
1158 push(@attrs,"msDS-KeyVersionNumber");
1159 push(@attrs,"msDS-User-Account-Control-Computed");
1160 push(@attrs,"modifyTimeStamp");
1168 printf "%10s: %s\n", "uri", $uri;
1169 printf "%10s: %s\n", "port", $port;
1170 printf "%10s: %s\n", "base", $base;
1171 printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
1172 printf "%10s: %s\n", "password", $password;
1173 printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
1174 printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1175 printf "%10s: %s\n", "filter", $filter;
1176 printf "%10s: %s\n", "scope", $scope;
1177 printf "%10s: %s\n", "attrs", join(", ", @attrs);
1178 printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1179 printf "%10s: %s\n", "page_size", $page_size if ($paging);
1180 printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
1186 my $asn = Convert::ASN1->new;
1188 q< ExtendedDn ::= SEQUENCE {
1194 my $ctl_extended_dn_val = $asn->encode( mode => '1');
1195 my $ctl_extended_dn =Net::LDAP::Control->new(
1196 type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1198 value => $ctl_extended_dn_val);
1200 my $ctl_notification = Net::LDAP::Control->new(
1201 type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1202 critical => 'true');
1204 $ctl_paged = Net::LDAP::Control->new(
1205 type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1207 size => $page_size);
1210 push(@ctrls, $ctl_paged);
1211 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1214 if ($opt_display_extendeddn) {
1215 push(@ctrls, $ctl_extended_dn);
1216 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1219 push(@ctrls, $ctl_notification);
1220 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1226 sub display_value_generic ($$$) {
1228 my ($mod,$attr,$value) = @_;
1229 return unless (defined($value) and defined($attr));
1231 if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1232 $value = $attr_handler{$attr}($value,$mod);
1233 write_ads_list($mod,$attr,$value);
1236 write_ads($mod,$attr,$value);
1239 sub display_attr_generic ($$$) {
1241 my ($mod,$entry,$attr) = @_;
1242 return if (!$attr || !$entry);
1244 my $ref = $entry->get_value($attr, asref => 1);
1247 foreach my $value (@values) {
1248 display_value_generic($mod,$attr,$value);
1252 sub display_entry_generic ($) {
1255 return if (!$entry);
1257 foreach my $attr ( $entry->attributes) {
1258 display_attr_generic("\t",$entry,$attr);
1262 sub display_ldap_err ($) {
1266 my ($package, $filename, $line, $subroutine) = caller(0);
1268 print "got error from ADS:\n";
1269 printf("%s(%d): ERROR (%s): %s\n",
1270 $subroutine, $line, $msg->code, $msg->error);
1274 sub process_result {
1276 my ($msg,$entry) = @_;
1278 if (!defined($msg)) {
1283 display_ldap_err($msg);
1287 if (!defined($entry)) {
1291 if ($entry->isa('Net::LDAP::Reference')) {
1292 foreach my $ref ($entry->references) {
1293 print "\ngot Reference: [$ref]\n";
1298 print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
1300 display_entry_generic($entry);
1303 sub default_callback {
1305 my ($res,$obj) = @_;
1308 return process_result($res,$obj);
1312 sub error_callback {
1314 my ($msg,$entry) = @_;
1321 display_ldap_err($msg);
1327 sub notify_callback {
1329 my ($msg, $obj) = @_;
1331 if (! defined($obj)) {
1335 if ($obj->isa('Net::LDAP::Reference')) {
1336 foreach my $ref ($obj->references) {
1337 print "\ngot Reference: [$ref]\n";
1344 my $async_entry = $async_search->pop_entry;
1346 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
1348 my $new_usn = $async_entry->get_value('uSNChanged');
1349 if (!$usn || $new_usn > $usn) {
1351 if ($opt_notify_nodiffs) {
1352 display_entry_generic($async_entry);
1354 display_result_diff($async_entry);
1357 store_result($async_entry);
1363 my $async_ldap_hd = shift || return undef;
1364 my $sasl_bind = shift;
1368 print "this version of Net::LDAP does not have proper SASL support.\n";
1369 print "Need at least perl-ldap V. $pref_version\n";
1371 $sasl_hd = get_sasl_hd();
1373 print "failed to create SASL handle\n";
1376 $mesg = $async_ldap_hd->bind(
1378 callback => \&error_callback
1379 ) || die "doesnt work";
1382 $mesg = $async_ldap_hd->bind(
1384 password => $password,
1385 callback => \&error_callback
1386 ) || die "doesnt work";
1389 display_ldap_err($mesg);
1396 if ($async_ldap_hd) {
1397 $async_ldap_hd->unbind;
1399 if ($sync_ldap_hd) {
1400 $sync_ldap_hd->unbind;
1404 ###############################################################################
1408 $filter = construct_filter($query);
1409 @attrs = construct_attrs(@attrs);
1410 @ctrls = gen_controls();
1411 if (check_ctrls($server,$dse,@ctrls) == -1) {
1412 print "not all required LDAP Controls are supported by this server\n";
1416 if ($opt_dump_rootdse) {
1417 print "Dumping Root-DSE:\n";
1418 display_entry_generic($dse);
1422 if ($opt_dump_wknguid) {
1427 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1433 if ($opt_dump_schema) {
1434 print "Dumping Schema:\n";
1435 my $ads_schema = $async_ldap_hd->schema;
1442 $async_search = $async_ldap_hd->search(
1445 attrs => [ @attrs ],
1446 control => [ @ctrls ],
1447 callback => \&default_callback,
1449 ) || die "cannot search";
1453 print "[$base] is registered now for change-notify\n";
1454 print "\nWaiting for change-notify...\n";
1456 my $sync_ldap_hd = get_ldap_hd($server,0);
1457 if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
1461 my $sync_search = $sync_ldap_hd->search(
1464 attrs => [ @attrs ],
1465 callback => \¬ify_callback,
1467 ) || die "cannot search";
1471 $total_entry_count += $async_search->count;
1473 print "-" x 80 . "\n";
1474 printf("Got %d Entries in Page %d \n\n",
1475 $async_search->count, $page_count);
1476 my ($resp) = $async_search->control(
1477 $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1478 last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1481 if ($async_search->entries == 0) {
1482 print "No entries found with filter $filter\n";
1484 print "Got $total_entry_count Entries in $page_count Pages\n" if ($paging);
git.samba.org / samba.git / blob