2 Unix SMB/CIFS implementation.
3 ads (active directory) utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Jim McDonough 2002
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 connect to the LDAP server
30 ADS_STATUS ads_connect(ADS_STRUCT *ads)
32 int version = LDAP_VERSION3;
36 ads->last_attempt = time(NULL);
38 ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
40 return ADS_ERROR_SYSTEM(errno)
42 status = ads_server_info(ads);
43 if (!ADS_ERR_OK(status)) {
44 DEBUG(1,("Failed to get ldap server info\n"));
48 ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
51 if ((code = ads_kinit_password(ads)))
52 return ADS_ERROR_KRB5(code);
55 return ads_sasl_bind(ads);
59 do a search with a timeout
61 ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
63 const char **attrs, void **res)
65 struct timeval timeout;
68 timeout.tv_sec = ADS_SEARCH_TIMEOUT;
72 rc = ldap_search_ext_s(ads->ld,
74 exp, attrs, 0, NULL, NULL,
75 &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
79 do a general ADS search
81 ADS_STATUS ads_search(ADS_STRUCT *ads, void **res,
85 return ads_do_search(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
90 do a search on a specific DistinguishedName
92 ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res,
96 return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res);
100 free up memory from a ads_search
102 void ads_msgfree(ADS_STRUCT *ads, void *msg)
109 find a machine account given a hostname
111 ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
115 const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
117 /* the easiest way to find a machine account anywhere in the tree
118 is to look for hostname$ */
119 asprintf(&exp, "(samAccountName=%s$)", host);
120 status = ads_search(ads, res, exp, attrs);
126 initialize a list of mods - returns (void **) instead of (LDAPMod **)
127 so proto.h works on non-ldap systems
130 void **ads_mod_list_start(int num_mods)
137 mods = malloc(sizeof(LDAPMod *) * (num_mods + 1));
138 memset(mods, 0, sizeof(LDAPMod *) * num_mods);
139 mods[num_mods] = (LDAPMod *) -1;
141 return (void **) mods;
145 add an attribute to the list, with values list already constructed
147 static BOOL ads_mod_list_add(void **mods, int mod_op, char *name, char **values)
150 LDAPMod **modlist = (LDAPMod **) mods;
152 /* find the first empty slot */
153 for (curmod=0; modlist[curmod] > 0; curmod++);
154 if (modlist[curmod] == (LDAPMod *) -1)
157 modlist[curmod] = malloc(sizeof(LDAPMod));
158 modlist[curmod]->mod_type = name;
159 modlist[curmod]->mod_values = values;
160 modlist[curmod]->mod_op = mod_op;
164 BOOL ads_mod_add_list(void **mods, char *name, char **values)
166 return ads_mod_list_add(mods, LDAP_MOD_ADD, name, values);
169 BOOL ads_mod_repl_list(void **mods, char *name, char **values)
171 if (values && *values)
172 return ads_mod_list_add(mods, LDAP_MOD_REPLACE, name, values);
174 return ads_mod_list_add(mods, LDAP_MOD_DELETE, name, NULL);
178 add an attribute to the list, with values list to be built from args
180 BOOL ads_mod_list_add_var(void **mods, int mod_op, char *name, ...)
184 char *value, **values;
186 /* count the number of values */
188 for (num_vals=0; va_arg(ap, char *); num_vals++);
193 values = malloc(sizeof(char *) * (num_vals + 1));
195 for (i=0; (value = (char *) va_arg(ap, char *)) &&
202 return ads_mod_list_add(mods, mod_op, name, values);
205 BOOL ads_mod_repl(void **mods, char *name, char *val)
208 return ads_mod_list_add_var(mods, LDAP_MOD_REPLACE, name, val);
210 return ads_mod_list_add_var(mods, LDAP_MOD_DELETE, name, NULL);
213 BOOL ads_mod_add(void **mods, char *name, char *val)
215 return ads_mod_list_add_var(mods, LDAP_MOD_ADD, name, val);
218 void ads_mod_list_end(void **mods)
221 LDAPMod **modlist = (LDAPMod **) mods;
224 for (i = 0; modlist[i]; i++) {
225 if (modlist[i]->mod_values) {
226 free(modlist[i]->mod_values);
234 ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, void **mods)
238 /* find the end of the list, marked by NULL or -1 */
239 for(i=0;mods[i]>0;i++);
240 /* make sure the end of the list is NULL */
242 ret = ldap_add_s(ads->ld, mod_dn, (LDAPMod **) mods);
243 return ADS_ERROR(ret);
247 a convenient routine for adding a generic LDAP record
249 ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ...)
256 #define MAX_MOD_VALUES 10
258 /* count the number of attributes */
259 va_start(ap, new_dn);
260 for (i=0; va_arg(ap, char *); i++) {
261 /* skip the values */
262 while (va_arg(ap, char *)) ;
266 mods = malloc(sizeof(LDAPMod *) * (i+1));
268 va_start(ap, new_dn);
269 for (i=0; (name=va_arg(ap, char *)); i++) {
272 values = (char **)malloc(sizeof(char *) * (MAX_MOD_VALUES+1));
273 for (j=0; (value=va_arg(ap, char *)) && j < MAX_MOD_VALUES; j++) {
277 mods[i] = malloc(sizeof(LDAPMod));
278 mods[i]->mod_type = name;
279 mods[i]->mod_op = LDAP_MOD_ADD;
280 mods[i]->mod_values = values;
285 ret = ldap_add_s(ads->ld, new_dn, mods);
287 for (i=0; mods[i]; i++) {
288 free(mods[i]->mod_values);
293 return ADS_ERROR(ret);
297 build an org unit string
298 if org unit is Computers or blank then assume a container, otherwise
299 assume a \ separated list of organisational units
302 char *ads_ou_string(const char *org_unit)
304 if (!org_unit || !*org_unit || strcasecmp(org_unit, "Computers") == 0) {
305 return strdup("cn=Computers");
308 return ads_build_path(org_unit, "\\/", "ou=", 1);
314 add a machine account to the ADS server
316 static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
317 const char *org_unit)
320 char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
323 asprintf(&host_spn, "HOST/%s", hostname);
324 asprintf(&host_upn, "%s@%s", host_spn, ads->realm);
325 ou_str = ads_ou_string(org_unit);
326 asprintf(&new_dn, "cn=%s,%s,%s", hostname, ou_str, ads->bind_path);
328 asprintf(&samAccountName, "%s$", hostname);
329 asprintf(&controlstr, "%u",
330 UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
331 UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY);
333 ret = ads_gen_add(ads, new_dn,
334 "cn", hostname, NULL,
335 "sAMAccountName", samAccountName, NULL,
337 "top", "person", "organizationalPerson",
338 "user", "computer", NULL,
339 "userPrincipalName", host_upn, NULL,
340 "servicePrincipalName", host_spn, NULL,
341 "dNSHostName", hostname, NULL,
342 "userAccountControl", controlstr, NULL,
343 "operatingSystem", "Samba", NULL,
344 "operatingSystemVersion", VERSION, NULL,
350 free(samAccountName);
357 dump a binary result from ldap
359 static void dump_binary(const char *field, struct berval **values)
362 for (i=0; values[i]; i++) {
363 printf("%s: ", field);
364 for (j=0; j<values[i]->bv_len; j++) {
365 printf("%02X", (unsigned char)values[i]->bv_val[j]);
372 dump a sid result from ldap
374 static void dump_sid(const char *field, struct berval **values)
377 for (i=0; values[i]; i++) {
379 sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
380 printf("%s: %s\n", field, sid_string_static(&sid));
385 dump a string result from ldap
387 static void dump_string(const char *field, struct berval **values)
390 for (i=0; values[i]; i++) {
391 printf("%s: %s\n", field, values[i]->bv_val);
396 dump a record from LDAP on stdout
399 void ads_dump(ADS_STRUCT *ads, void *res)
406 void (*handler)(const char *, struct berval **);
408 {"objectGUID", dump_binary},
409 {"nTSecurityDescriptor", dump_binary},
410 {"objectSid", dump_sid},
414 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
415 for (field = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &b);
417 field = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, b)) {
418 struct berval **values;
421 values = ldap_get_values_len(ads->ld, (LDAPMessage *)msg, field);
423 for (i=0; handlers[i].name; i++) {
424 if (StrCaseCmp(handlers[i].name, field) == 0) {
425 handlers[i].handler(field, values);
429 if (!handlers[i].name) {
430 dump_string(field, values);
432 ldap_value_free_len(values);
442 count how many replies are in a LDAPMessage
444 int ads_count_replies(ADS_STRUCT *ads, void *res)
446 return ldap_count_entries(ads->ld, (LDAPMessage *)res);
450 join a machine to a realm, creating the machine account
451 and setting the machine password
453 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, const char *org_unit)
459 /* hostname must be lowercase */
460 host = strdup(hostname);
463 status = ads_find_machine_acct(ads, (void **)&res, host);
464 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
465 DEBUG(0, ("Host account for %s already exists - deleting for readd\n", host));
466 status = ads_leave_realm(ads, host);
467 if (!ADS_ERR_OK(status)) {
468 DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
474 status = ads_add_machine_acct(ads, host, org_unit);
475 if (!ADS_ERR_OK(status)) {
476 DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status)));
480 status = ads_find_machine_acct(ads, (void **)&res, host);
481 if (!ADS_ERR_OK(status)) {
482 DEBUG(0, ("Host account test failed\n"));
492 delete a machine from the realm
494 ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
498 char *hostnameDN, *host;
501 /* hostname must be lowercase */
502 host = strdup(hostname);
505 status = ads_find_machine_acct(ads, &res, host);
506 if (!ADS_ERR_OK(status)) {
507 DEBUG(0, ("Host account for %s does not exist.\n", host));
511 hostnameDN = ldap_get_dn(ads->ld, (LDAPMessage *)res);
512 rc = ldap_delete_s(ads->ld, hostnameDN);
513 ldap_memfree(hostnameDN);
514 if (rc != LDAP_SUCCESS) {
515 return ADS_ERROR(rc);
518 status = ads_find_machine_acct(ads, &res, host);
519 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
520 DEBUG(0, ("Failed to remove host account.\n"));
530 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
531 const char *hostname,
532 const char *password)
535 char *host = strdup(hostname);
540 asprintf(&principal, "%s@%s", host, ads->realm);
542 status = krb5_set_password(ads->kdc_server, principal, password);
551 pull the first entry from a ADS result
553 void *ads_first_entry(ADS_STRUCT *ads, void *res)
555 return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
559 pull the next entry from a ADS result
561 void *ads_next_entry(ADS_STRUCT *ads, void *res)
563 return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
567 pull a single string from a ADS result
569 char *ads_pull_string(ADS_STRUCT *ads,
570 TALLOC_CTX *mem_ctx, void *msg, const char *field)
575 values = ldap_get_values(ads->ld, msg, field);
576 if (!values) return NULL;
579 ret = talloc_strdup(mem_ctx, values[0]);
581 ldap_value_free(values);
586 pull a single uint32 from a ADS result
588 BOOL ads_pull_uint32(ADS_STRUCT *ads,
589 void *msg, const char *field, uint32 *v)
593 values = ldap_get_values(ads->ld, msg, field);
594 if (!values) return False;
596 ldap_value_free(values);
600 *v = atoi(values[0]);
601 ldap_value_free(values);
606 pull a single DOM_SID from a ADS result
608 BOOL ads_pull_sid(ADS_STRUCT *ads,
609 void *msg, const char *field, DOM_SID *sid)
611 struct berval **values;
614 values = ldap_get_values_len(ads->ld, msg, field);
616 if (!values) return False;
619 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
622 ldap_value_free_len(values);
627 pull an array of DOM_SIDs from a ADS result
628 return the count of SIDs pulled
630 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
631 void *msg, const char *field, DOM_SID **sids)
633 struct berval **values;
637 values = ldap_get_values_len(ads->ld, msg, field);
639 if (!values) return 0;
641 for (i=0; values[i]; i++) /* nop */ ;
643 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i);
646 for (i=0; values[i]; i++) {
647 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
651 ldap_value_free_len(values);
656 /* find the update serial number - this is the core of the ldap cache */
657 ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
659 const char *attrs[] = {"highestCommittedUSN", NULL};
663 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
664 if (!ADS_ERR_OK(status)) return status;
666 if (ads_count_replies(ads, res) != 1) {
667 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
670 ads_pull_uint32(ads, res, "highestCommittedUSN", usn);
671 ads_msgfree(ads, res);
676 /* find the servers name and realm - this can be done before authentication
677 The ldapServiceName field on w2k looks like this:
678 vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG
680 ADS_STATUS ads_server_info(ADS_STRUCT *ads)
682 const char *attrs[] = {"ldapServiceName", NULL};
688 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
689 if (!ADS_ERR_OK(status)) return status;
691 values = ldap_get_values(ads->ld, res, "ldapServiceName");
692 if (!values || !values[0]) return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
694 p = strchr(values[0], ':');
696 ldap_value_free(values);
698 return ADS_ERROR(LDAP_DECODING_ERROR);
701 SAFE_FREE(ads->ldap_server_name);
703 ads->ldap_server_name = strdup(p+1);
704 p = strchr(ads->ldap_server_name, '$');
705 if (!p || p[1] != '@') {
706 ldap_value_free(values);
708 SAFE_FREE(ads->ldap_server_name);
709 return ADS_ERROR(LDAP_DECODING_ERROR);
714 SAFE_FREE(ads->server_realm);
715 SAFE_FREE(ads->bind_path);
717 ads->server_realm = strdup(p+2);
718 ads->bind_path = ads_build_dn(ads->server_realm);
720 /* in case the realm isn't configured in smb.conf */
721 if (!ads->realm || !ads->realm[0]) {
722 SAFE_FREE(ads->realm);
723 ads->realm = strdup(ads->server_realm);
726 DEBUG(3,("got ldap server name %s@%s\n",
727 ads->ldap_server_name, ads->realm));
734 find the list of trusted domains
736 ADS_STATUS ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
737 int *num_trusts, char ***names, DOM_SID **sids)
739 const char *attrs[] = {"flatName", "securityIdentifier", NULL};
746 status = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs);
747 if (!ADS_ERR_OK(status)) return status;
749 count = ads_count_replies(ads, res);
751 ads_msgfree(ads, res);
752 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
755 (*names) = talloc(mem_ctx, sizeof(char *) * count);
756 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count);
757 if (! *names || ! *sids) return ADS_ERROR(LDAP_NO_MEMORY);
759 for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
760 (*names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatName");
761 ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i]);
765 ads_msgfree(ads, res);
772 /* find the domain sid for our domain */
773 ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
775 const char *attrs[] = {"objectSid", NULL};
779 rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
781 if (!ADS_ERR_OK(rc)) return rc;
782 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
783 return ADS_ERROR_SYSTEM(ENOENT);
785 ads_msgfree(ads, res);
git.samba.org / samba.git / blob