5e196889ca2405472e41603c7b6412417e06930d
[samba.git] / source3 / passdb / ldap.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 1.9.
4    LDAP protocol helper functions for SAMBA
5    Copyright (C) Jean Fran├žois Micouleau 1998
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 2 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program; if not, write to the Free Software
19    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20    
21 */
22
23 #ifdef WITH_LDAP
24
25 #include "includes.h"
26
27 #include <lber.h>
28 #include <ldap.h>
29
30 #define ADD_USER 1
31 #define MODIFY_USER 2
32
33 extern int DEBUGLEVEL;
34
35 /*******************************************************************
36  open a connection to the ldap serve.
37 ******************************************************************/     
38 static BOOL ldap_open_connection(LDAP **ldap_struct)
39 {
40         if ( (*ldap_struct = ldap_open(lp_ldap_server(),lp_ldap_port()) ) == NULL)
41         {
42                 DEBUG( 0, ( "The LDAP server is not responding !\n" ) );
43                 return( False );
44         }
45         DEBUG(2,("ldap_open_connection: connection opened\n"));
46         return (True);
47 }
48
49
50 /*******************************************************************
51  connect anonymously to the ldap server.
52  FIXME: later (jfm)
53 ******************************************************************/     
54 static BOOL ldap_connect_anonymous(LDAP *ldap_struct)
55 {
56         if ( ldap_simple_bind_s(ldap_struct,lp_ldap_root(),lp_ldap_rootpasswd()) ! = LDAP_SUCCESS)
57         {
58                 DEBUG( 0, ( "Couldn't bind to the LDAP server !\n" ) );
59                 return(False);
60         }
61         return (True);
62 }
63
64
65 /*******************************************************************
66  connect to the ldap server under system privileg.
67 ******************************************************************/     
68 static BOOL ldap_connect_system(LDAP *ldap_struct)
69 {
70         if ( ldap_simple_bind_s(ldap_struct,lp_ldap_root(),lp_ldap_rootpasswd()) ! = LDAP_SUCCESS)
71         {
72                 DEBUG( 0, ( "Couldn't bind to the LDAP server!\n" ) );
73                 return(False);
74         }
75         DEBUG(2,("ldap_connect_system: succesful connection to the LDAP server\n"));
76         return (True);
77 }
78
79 /*******************************************************************
80  connect to the ldap server under a particular user.
81 ******************************************************************/     
82 static BOOL ldap_connect_user(LDAP *ldap_struct, char *user, char *password)
83 {
84         if ( ldap_simple_bind_s(ldap_struct,lp_ldap_root(),lp_ldap_rootpasswd()) ! = LDAP_SUCCESS)
85         {
86                 DEBUG( 0, ( "Couldn't bind to the LDAP server !\n" ) );
87                 return(False);
88         }
89         DEBUG(2,("ldap_connect_user: succesful connection to the LDAP server\n"));
90         return (True);
91 }
92
93 /*******************************************************************
94  run the search by name.
95 ******************************************************************/     
96 static BOOL ldap_search_one_user(LDAP *ldap_struct, char *filter, LDAPMessage **result)
97 {       
98         int scope = LDAP_SCOPE_ONELEVEL;
99         int rc;
100                 
101         DEBUG(2,("ldap_search_one_user: searching for:[%s]\n", filter));
102                 
103         rc = ldap_search_s(ldap_struct, lp_ldap_suffix(), scope, filter, NULL, 0, result);
104
105         if (rc ! = LDAP_SUCCESS )
106         {
107                 DEBUG( 0, ( "Problem during the LDAP search\n" ) );
108                 return(False);
109         }
110         return (True);
111 }
112
113 /*******************************************************************
114  run the search by name.
115 ******************************************************************/     
116 static BOOL ldap_search_one_user_by_name(LDAP *ldap_struct, char *user, LDAPMessage **result)
117 {       
118         pstring filter;
119         /*
120            in the filter expression, replace %u with the real name
121            so in ldap filter, %u MUST exist :-)
122         */      
123         pstrcpy(filter,lp_ldap_filter());
124         string_sub(filter,"%u",user);
125         
126         if ( !ldap_search_one_user(ldap_struct, filter, result) )
127         {
128                 return(False);
129         }
130         return (True);
131 }
132
133 /*******************************************************************
134  run the search by uid.
135 ******************************************************************/     
136 static BOOL ldap_search_one_user_by_uid(LDAP *ldap_struct, int uid, LDAPMessage **result)
137 {       
138         pstring filter;
139         
140         slprintf(filter, sizeof(pstring)-1, "uidAccount = %d", uid);
141         
142         if ( !ldap_search_one_user(ldap_struct, filter, result) )
143         {       
144                 return(False);
145         }
146         return (True);
147 }
148
149 /*******************************************************************
150  search an attribute and return the first value found.
151 ******************************************************************/
152 static void get_single_attribute(LDAP *ldap_struct, LDAPMessage *entry, char *attribute, char *value)
153 {
154         char **valeurs;
155         
156         if ( (valeurs = ldap_get_values(ldap_struct, entry, attribute)) ! = NULL) 
157         {
158                 pstrcpy(value, valeurs[0]);
159                 ldap_value_free(valeurs);
160                 DEBUG(3,("get_single_attribute: [%s] = [%s]\n", attribute, value));     
161         }
162         else
163         {
164                 value = NULL;
165         }
166 }
167
168 /*******************************************************************
169  check if the returned entry is a sambaAccount objectclass.
170 ******************************************************************/     
171 static BOOL ldap_check_user(LDAP *ldap_struct, LDAPMessage *entry)
172 {
173         BOOL sambaAccount = False;
174         char **valeur;
175         int i;
176
177         DEBUG(2,("ldap_check_user: "));
178         valeur = ldap_get_values(ldap_struct, entry, "objectclass");
179         if (valeur! = NULL)
180         {
181                 for (i = 0;valeur[i]! = NULL;i++)
182                 {
183                         if (!strcmp(valeur[i],"sambaAccount")) sambaAccount = True;
184                 }
185         }
186         DEBUG(2,("%s\n",sambaAccount?"yes":"no"));
187         ldap_value_free(valeur);
188         return (sambaAccount);
189 }
190
191 /*******************************************************************
192  check if the returned entry is a sambaTrust objectclass.
193 ******************************************************************/     
194 static BOOL ldap_check_trust(LDAP *ldap_struct, LDAPMessage *entry)
195 {
196         BOOL sambaTrust = False;
197         char **valeur;
198         int i;
199         
200         DEBUG(2,("ldap_check_trust: "));
201         valeur = ldap_get_values(ldap_struct, entry, "objectclass");
202         if (valeur! = NULL)
203         {
204                 for (i = 0;valeur[i]! = NULL;i++)
205                 {
206                         if (!strcmp(valeur[i],"sambaTrust")) sambaTrust = True;
207                 }
208         }       
209         DEBUG(2,("%s\n",sambaTrust?"yes":"no"));
210         ldap_value_free(valeur);        
211         return (sambaTrust);
212 }
213
214 /*******************************************************************
215  retrieve the user's info and contruct a smb_passwd structure.
216 ******************************************************************/
217 static void ldap_get_smb_passwd(LDAP *ldap_struct,LDAPMessage *entry, 
218                           struct smb_passwd *user)
219 {       
220         static pstring user_name;
221         static pstring user_pass;
222         static pstring temp;
223         static unsigned char smblmpwd[16];
224         static unsigned char smbntpwd[16];
225
226         pwdb_init_smb(user);
227
228         bzero(smblmpwd, sizeof(smblmpwd));
229         bzero(smbntpwd, sizeof(smbntpwd));
230
231         get_single_attribute(ldap_struct, entry, "cn", user_name);
232         DEBUG(2,("ldap_get_smb_passwd: user: %s\n",user_name));
233                 
234 #ifdef LDAP_PLAINTEXT_PASSWORD
235         get_single_attribute(ldap_struct, entry, "userPassword", temp);
236         nt_lm_owf_gen(temp, user->smb_nt_passwd, user->smb_passwd);
237         bzero(temp, sizeof(temp)); /* destroy local copy of the password */
238 #else
239         get_single_attribute(ldap_struct, entry, "unicodePwd", temp);
240         pwdb_gethexpwd(temp, smbntpwd);         
241         bzero(temp, sizeof(temp)); /* destroy local copy of the password */
242
243         get_single_attribute(ldap_struct, entry, "dBCSPwd", temp);
244         pwdb_gethexpwd(temp, smblmpwd);         
245         bzero(temp, sizeof(temp)); /* destroy local copy of the password */
246 #endif
247         
248         get_single_attribute(ldap_struct, entry, "userAccountControl", temp);
249         user->acct_ctrl = pwdb_decode_acct_ctrl(temp);
250
251         get_single_attribute(ldap_struct, entry, "pwdLastSet", temp);
252         user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);
253
254         get_single_attribute(ldap_struct, entry, "rid", temp);
255
256         /* the smb (unix) ids are not stored: they are created */
257         user->unix_uid = pwdb_user_rid_to_uid (atoi(temp));
258
259         if (user->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) )
260         {
261                 DEBUG(0,("Inconsistency in the LDAP database\n"));
262         }
263         if (user->acct_ctrl & ACB_NORMAL)
264         {
265                 user->smb_name      = user_name;
266                 user->smb_passwd    = smblmpwd;
267                 user->smb_nt_passwd = smbntpwd;
268         }
269 }
270
271 /*******************************************************************
272  retrieve the user's info and contruct a sam_passwd structure.
273
274  calls ldap_get_smb_passwd function first, though, to save code duplication.
275
276 ******************************************************************/
277 static void ldap_get_sam_passwd(LDAP *ldap_struct, LDAPMessage *entry, 
278                           struct sam_passwd *user)
279 {       
280         static pstring user_name;
281         static pstring fullname;
282         static pstring home_dir;
283         static pstring dir_drive;
284         static pstring logon_script;
285         static pstring profile_path;
286         static pstring acct_desc;
287         static pstring workstations;
288         static pstring temp;
289         static struct smb_passwd pw_buf;
290
291         pwdb_init_sam(user);
292
293         ldap_get_smb_passwd(ldap_struct, entry, &pw_buf);
294         
295         user->pass_last_set_time    = pw_buf.pass_last_set_time;
296
297         get_single_attribute(ldap_struct, entry, "logonTime", temp);
298         user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);
299
300         get_single_attribute(ldap_struct, entry, "logoffTime", temp);
301         user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);
302
303         get_single_attribute(ldap_struct, entry, "kickoffTime", temp);
304         user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);
305
306         get_single_attribute(ldap_struct, entry, "pwdLastSet", temp);
307         user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);
308
309         get_single_attribute(ldap_struct, entry, "pwdCanChange", temp);
310         user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);
311
312         get_single_attribute(ldap_struct, entry, "pwdMustChange", temp);
313         user->pass_last_set_time = (time_t)strtol(temp, NULL, 16);
314
315         user->smb_name = pw_buf.smb_name;
316
317         DEBUG(2,("ldap_get_sam_passwd: user: %s\n", user_name));
318                 
319         get_single_attribute(ldap_struct, entry, "userFullName", fullname);
320         user->full_name = fullname;
321
322         get_single_attribute(ldap_struct, entry, "homeDirectory", home_dir);
323         user->home_dir = home_dir;
324
325         get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive);
326         user->dir_drive = dir_drive;
327
328         get_single_attribute(ldap_struct, entry, "scriptPath", logon_script);
329         user->logon_script = logon_script;
330
331         get_single_attribute(ldap_struct, entry, "profilePath", profile_path);
332         user->profile_path = profile_path;
333
334         get_single_attribute(ldap_struct, entry, "comment", acct_desc);
335         user->acct_desc = acct_desc;
336
337         get_single_attribute(ldap_struct, entry, "userWorkstations", workstations);
338         user->workstations = workstations;
339
340         user->unknown_str = NULL; /* don't know, yet! */
341         user->munged_dial = NULL; /* "munged" dial-back telephone number */
342
343         get_single_attribute(ldap_struct, entry, "rid", temp);
344         user->user_rid = atoi(temp);
345
346         get_single_attribute(ldap_struct, entry, "primaryGroupID", temp);
347         user->group_rid = atoi(temp);
348
349         /* the smb (unix) ids are not stored: they are created */
350         user->unix_uid = pw_buf.unix_uid;
351         user->smb_grpid = group_rid_to_uid(user->group_rid);
352
353         user->acct_ctrl = pw_buf.acct_ctrl;
354
355         user->unknown_3 = 0xffffff; /* don't know */
356         user->logon_divs = 168; /* hours per week */
357         user->hours_len = 21; /* 21 times 8 bits = 168 */
358         memset(user->hours, 0xff, user->hours_len); /* available at all hours */
359         user->unknown_5 = 0x00020000; /* don't know */
360         user->unknown_5 = 0x000004ec; /* don't know */
361
362         if (user->acct_ctrl & (ACB_DOMTRUST|ACB_WSTRUST|ACB_SVRTRUST) )
363         {
364                 DEBUG(0,("Inconsistency in the LDAP database\n"));
365         }
366
367         if (!(user->acct_ctrl & ACB_NORMAL))
368         {
369                 DEBUG(0,("User's acct_ctrl bits not set to ACT_NORMAL in LDAP database\n"));
370                 return;
371         }
372 }
373
374 /************************************************************************
375  Routine to manage the LDAPMod structure array
376  manage memory used by the array, by each struct, and values
377
378 ************************************************************************/
379 static void make_a_mod(LDAPMod ***modlist,int modop, char *attribute, char *value)
380 {
381         LDAPMod **mods;
382         int i;
383         int j;
384         
385         mods = *modlist;
386         
387         if (mods == NULL)
388         {
389                 mods = (LDAPMod **)malloc( sizeof(LDAPMod *) );
390                 mods[0] = NULL;
391         }
392         
393         for ( i = 0; mods[ i ] ! = NULL; ++i )
394         {
395                 if ( mods[ i ]->mod_op == modop && 
396                     !strcasecmp( mods[ i ]->mod_type, attribute ) )
397                 {
398                         break;
399                 }
400         }
401         
402         if (mods[i] == NULL)
403         {
404                 mods = (LDAPMod **)realloc( mods,  (i+2) * sizeof( LDAPMod * ) );       
405                 mods[i] = (LDAPMod *)malloc( sizeof( LDAPMod ) );
406                 mods[i]->mod_op = modop;
407                 mods[i]->mod_values = NULL;
408                 mods[i]->mod_type = strdup( attribute );
409                 mods[i+1] = NULL;
410         }
411
412         if (value ! = NULL )
413         {
414                 j = 0;
415                 if ( mods[ i ]->mod_values ! = NULL )
416                 {
417                         for ( ; mods[ i ]->mod_values[ j ] ! = NULL; j++ );
418                 }
419                 mods[ i ]->mod_values = (char **)realloc(mods[ i ]->mod_values,
420                                                           (j+2) * sizeof( char * ));
421                 mods[ i ]->mod_values[ j ] = strdup(value);     
422                 mods[ i ]->mod_values[ j + 1 ] = NULL;          
423         }
424         *modlist = mods;
425 }
426
427 /************************************************************************
428  Add or modify an entry. Only the smb struct values
429
430 *************************************************************************/
431 static BOOL modadd_ldappwd_entry(struct smb_passwd *newpwd, int flag)
432 {
433         
434         /* assume the struct is correct and filled
435            that's the job of passdb.c to check */
436         int scope = LDAP_SCOPE_ONELEVEL;
437         int rc;
438         char *smb_name;
439         int trust = False;
440         int ldap_state;
441         pstring filter;
442         pstring dn;
443         pstring lmhash;
444         pstring nthash;
445         pstring rid;
446         pstring lst;
447         pstring temp;
448
449         LDAP *ldap_struct;
450         LDAPMessage *result;
451         LDAPMod **mods;
452         
453         smb_name = newpwd->smb_name;
454
455         if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */
456         {
457                 return False;
458         }
459
460         if (!ldap_connect_system(ldap_struct)) /* connect as system account */
461         {
462                 ldap_unbind(ldap_struct);
463                 return False;
464         }
465         
466         if (smb_name[strlen(smb_name)-1] == '$' )
467         {
468                 smb_name[strlen(smb_name)-1] = '\0';
469                 trust = True;
470         }
471
472         slprintf(filter, sizeof(filter)-1,
473                  "(&(cn = %s)(|(objectclass = sambaTrust)(objectclass = sambaAccount)))",
474                  smb_name);
475         
476         rc = ldap_search_s(ldap_struct, lp_ldap_suffix(), scope, filter, NULL, 0, &result);
477
478         switch (flag)
479         {
480                 case ADD_USER:
481                 {
482                         if (ldap_count_entries(ldap_struct, result) ! = 0)
483                         {
484                                 DEBUG(0,("User already in the base, with samba properties\n"));         
485                                 ldap_unbind(ldap_struct);
486                                 return False;
487                         }
488                         ldap_state = LDAP_MOD_ADD;
489                         break;
490                 }
491                 case MODIFY_USER:
492                 {
493                         if (ldap_count_entries(ldap_struct, result) ! = 1)
494                         {
495                                 DEBUG(0,("No user to modify !\n"));             
496                                 ldap_unbind(ldap_struct);
497                                 return False;
498                         }
499                         ldap_state = LDAP_MOD_REPLACE;
500                         break;
501                 }
502                 default:
503                 {
504                         DEBUG(0,("How did you come here? \n"));         
505                         ldap_unbind(ldap_struct);
506                         return False;
507                         break;
508                 }
509         }
510         slprintf(dn, sizeof(dn)-1, "cn = %s, %s",smb_name, lp_ldap_suffix() );
511
512         if (newpwd->smb_passwd ! = NULL)
513         {
514                 int i;
515                 for( i = 0; i < 16; i++)
516                 {
517                         slprintf(&temp[2*i], sizeof(temp) - 1, "%02X", newpwd->smb_passwd[i]);
518                 }
519         
520         }
521         else
522         {
523                 if (newpwd->acct_ctrl & ACB_PWNOTREQ)
524                 {
525                         slprintf(temp, sizeof(temp) - 1, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
526                 }
527                 else
528                 {
529                         slprintf(temp, sizeof(temp) - 1, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
530                 }
531         }
532         slprintf(lmhash, sizeof(lmhash)-1, "%s", temp);
533
534         if (newpwd->smb_nt_passwd ! = NULL)
535         {
536                 int i;
537                 for( i = 0; i < 16; i++)
538                 {
539                         slprintf(&temp[2*i], sizeof(temp) - 1, "%02X", newpwd->smb_nt_passwd[i]);
540                 }
541         
542         }
543         else
544         {
545                 if (newpwd->acct_ctrl & ACB_PWNOTREQ)
546                 {
547                         slprintf(temp, sizeof(temp) - 1, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX");
548                 }
549                 else
550                 {
551                         slprintf(temp, sizeof(temp) - 1, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
552                 }
553         }
554         slprintf(nthash, sizeof(nthash)-1, "%s", temp);
555
556         slprintf(rid, sizeof(rid)-1, "%d", uid_to_user_rid(newpwd->unix_uid) );
557         slprintf(lst, sizeof(lst)-1, "%08X", newpwd->pass_last_set_time);
558         
559         mods = NULL; 
560
561         if (trust)
562         {
563                 make_a_mod(&mods, ldap_state, "objectclass", "sambaTrust");
564                 make_a_mod(&mods, ldap_state, "netbiosTrustName", smb_name);
565                 make_a_mod(&mods, ldap_state, "trustPassword", nthash);
566         }
567         else
568         {
569                 make_a_mod(&mods, ldap_state, "objectclass", "sambaAccount");
570                 make_a_mod(&mods, ldap_state, "dBCSPwd", lmhash);
571                 make_a_mod(&mods, ldap_state, "uid", smb_name);
572                 make_a_mod(&mods, ldap_state, "unicodePwd", nthash);
573         }
574         
575         make_a_mod(&mods, ldap_state, "cn", smb_name);
576         
577         make_a_mod(&mods, ldap_state, "rid", rid);
578         make_a_mod(&mods, ldap_state, "pwdLastSet", lst);
579         make_a_mod(&mods, ldap_state, "userAccountControl", pwdb_encode_acct_ctrl(newpwd->acct_ctrl, NEW_PW_FORMAT_SPACE_PADDED_LEN));
580         
581         switch(flag)
582         {
583                 case ADD_USER:
584                 {
585                         ldap_add_s(ldap_struct, dn, mods);
586                         DEBUG(2,("modadd_ldappwd_entry: added: cn = %s in the LDAP database\n",smb_name));
587                         break;
588                 }
589                 case MODIFY_USER:
590                 {
591                         ldap_modify_s(ldap_struct, dn, mods);
592                         DEBUG(2,("modadd_ldappwd_entry: changed: cn = %s in the LDAP database_n",smb_name));
593                         break;
594                 }
595                 default:
596                 {
597                         DEBUG(2,("modadd_ldappwd_entry: How did you come here? \n"));           
598                         ldap_unbind(ldap_struct);
599                         return False;
600                         break;
601                 }
602         }
603         
604         ldap_mods_free(mods, 1);
605         
606         ldap_unbind(ldap_struct);
607         
608         return True;
609 }
610
611 /************************************************************************
612  Add or modify an entry. everything except the smb struct
613
614 *************************************************************************/
615 static BOOL modadd_ldap21pwd_entry(struct sam_passwd *newpwd, int flag)
616 {
617         
618         /* assume the struct is correct and filled
619            that's the job of passdb.c to check */
620         int scope = LDAP_SCOPE_ONELEVEL;
621         int rc;
622         char *smb_name;
623         int trust = False;
624         int ldap_state;
625         pstring filter;
626         pstring dn;
627         pstring lmhash;
628         pstring nthash;
629         pstring rid;
630         pstring lst;
631         pstring temp;
632
633         LDAP *ldap_struct;
634         LDAPMessage *result;
635         LDAPMod **mods;
636         
637         smb_name = newpwd->smb_name;
638
639         if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */
640         {
641                 return False;
642         }
643
644         if (!ldap_connect_system(ldap_struct)) /* connect as system account */
645         {
646                 ldap_unbind(ldap_struct);
647                 return False;
648         }
649         
650         if (smb_name[strlen(smb_name)-1] == '$' )
651         {
652                 smb_name[strlen(smb_name)-1] = '\0';
653                 trust = True;
654         }
655
656         slprintf(filter, sizeof(filter)-1,
657                  "(&(cn = %s)(|(objectclass = sambaTrust)(objectclass = sambaAccount)))",
658                  smb_name);
659         
660         rc = ldap_search_s(ldap_struct, lp_ldap_suffix(), scope, filter, NULL, 0, &result);
661
662         switch (flag)
663         {
664                 case ADD_USER:
665                 {
666                         if (ldap_count_entries(ldap_struct, result) ! = 1)
667                         {
668                                 DEBUG(2,("User already in the base, with samba properties\n"));         
669                                 ldap_unbind(ldap_struct);
670                                 return False;
671                         }
672                         ldap_state = LDAP_MOD_ADD;
673                         break;
674                 }
675
676                 case MODIFY_USER:
677                 {
678                         if (ldap_count_entries(ldap_struct, result) ! = 1)
679                         {
680                                 DEBUG(2,("No user to modify !\n"));             
681                                 ldap_unbind(ldap_struct);
682                                 return False;
683                         }
684                         ldap_state = LDAP_MOD_REPLACE;
685                         break;
686                 }
687
688                 default:
689                 {
690                         DEBUG(2,("How did you come here? \n"));         
691                         ldap_unbind(ldap_struct);
692                         return False;
693                         break;
694                 }
695         }
696         slprintf(dn, sizeof(dn)-1, "cn = %s, %s",smb_name, lp_ldap_suffix() );
697         
698         mods = NULL; 
699
700         if (trust)
701         {
702         }
703         else
704         {
705         }
706         
707         make_a_mod(&mods, ldap_state, "cn", smb_name);
708         
709         make_a_mod(&mods, ldap_state, "rid", rid);
710         make_a_mod(&mods, ldap_state, "pwdLastSet", lst);
711         make_a_mod(&mods, ldap_state, "userAccountControl", pwdb_encode_acct_ctrl(newpwd->acct_ctrl,NEW_PW_FORMAT_SPACE_PADDED_LEN));
712         
713         ldap_modify_s(ldap_struct, dn, mods);
714         
715         ldap_mods_free(mods, 1);
716         
717         ldap_unbind(ldap_struct);
718         
719         return True;
720 }
721
722 /************************************************************************
723  Routine to add an entry to the ldap passwd file.
724
725  do not call this function directly.  use passdb.c instead.
726
727 *************************************************************************/
728 static BOOL add_ldappwd_entry(struct smb_passwd *newpwd)
729 {
730         return (modadd_ldappwd_entry(newpwd, ADD_USER) );
731 }
732
733 /************************************************************************
734  Routine to search the ldap passwd file for an entry matching the username.
735  and then modify its password entry. We can't use the startldappwent()/
736  getldappwent()/endldappwent() interfaces here as we depend on looking
737  in the actual file to decide how much room we have to write data.
738  override = False, normal
739  override = True, override XXXXXXXX'd out password or NO PASS
740
741  do not call this function directly.  use passdb.c instead.
742
743 ************************************************************************/
744 static BOOL mod_ldappwd_entry(struct smb_passwd *pwd, BOOL override)
745 {
746         return (modadd_ldappwd_entry(pwd, MODIFY_USER) );
747 }
748
749 /************************************************************************
750  Routine to add an entry to the ldap passwd file.
751
752  do not call this function directly.  use passdb.c instead.
753
754 *************************************************************************/
755 static BOOL add_ldap21pwd_entry(struct sam_passwd *newpwd)
756 {       
757         return( modadd_ldappwd_entry(newpwd, ADD_USER)?
758         modadd_ldap21pwd_entry(newpwd, ADD_USER):False);
759 }
760
761 /************************************************************************
762  Routine to search the ldap passwd file for an entry matching the username.
763  and then modify its password entry. We can't use the startldappwent()/
764  getldappwent()/endldappwent() interfaces here as we depend on looking
765  in the actual file to decide how much room we have to write data.
766  override = False, normal
767  override = True, override XXXXXXXX'd out password or NO PASS
768
769  do not call this function directly.  use passdb.c instead.
770
771 ************************************************************************/
772 static BOOL mod_ldap21pwd_entry(struct sam_passwd *pwd, BOOL override)
773 {
774         return( modadd_ldappwd_entry(pwd, MODIFY_USER)?
775         modadd_ldap21pwd_entry(pwd, MODIFY_USER):False);
776 }
777
778 struct ldap_enum_info
779 {
780         LDAP *ldap_struct;
781         LDAPMessage *result;
782         LDAPMessage *entry;
783 };
784
785 static struct ldap_enum_info ldap_ent;
786
787 /***************************************************************
788  Start to enumerate the ldap passwd list. Returns a void pointer
789  to ensure no modification outside this module.
790
791  do not call this function directly.  use passdb.c instead.
792
793  ****************************************************************/
794 static void *startldappwent(BOOL update)
795 {
796         int scope = LDAP_SCOPE_ONELEVEL;
797         int rc;
798
799         pstring filter;
800
801         if (!ldap_open_connection(&ldap_ent.ldap_struct)) /* open a connection to the server */
802         {
803                 return NULL;
804         }
805
806         if (!ldap_connect_system(ldap_ent.ldap_struct)) /* connect as system account */
807         {
808                 return NULL;
809         }
810
811         /* when the class is known the search is much faster */
812         switch (0)
813         {
814                 case 1:
815                 {
816                         pstrcpy(filter, "objectclass = sambaAccount");
817                         break;
818                 }
819                 case 2:
820                 {
821                         pstrcpy(filter, "objectclass = sambaTrust");
822                         break;
823                 }
824                 default:
825                 {
826                         pstrcpy(filter, "(|(objectclass = sambaTrust)(objectclass = sambaAccount))");
827                         break;
828                 }
829         }
830
831         rc = ldap_search_s(ldap_ent.ldap_struct, lp_ldap_suffix(), scope, filter, NULL, 0, &ldap_ent.result);
832
833         DEBUG(2,("%d entries in the base!\n", ldap_count_entries(ldap_ent.ldap_struct, ldap_ent.result) ));
834
835         ldap_ent.entry = ldap_first_entry(ldap_ent.ldap_struct, ldap_ent.result);
836
837         return &ldap_ent;
838 }
839
840 /*************************************************************************
841  Routine to return the next entry in the ldap passwd list.
842
843  do not call this function directly.  use passdb.c instead.
844
845  *************************************************************************/
846 static struct smb_passwd *getldappwent(void *vp)
847 {
848         static struct smb_passwd user;
849         struct ldap_enum_info *ldap_vp = (struct ldap_enum_info *)vp;
850
851         ldap_vp->entry = ldap_next_entry(ldap_vp->ldap_struct, ldap_vp->entry);
852
853         if (ldap_vp->entry ! = NULL)
854         {
855                 ldap_get_smb_passwd(ldap_vp->ldap_struct, ldap_vp->entry, &user);
856                 return &user;
857         }
858         return NULL;
859 }
860
861 /*************************************************************************
862  Routine to return the next entry in the ldap passwd list.
863
864  do not call this function directly.  use passdb.c instead.
865
866  *************************************************************************/
867 static struct sam_passwd *getldap21pwent(void *vp)
868 {
869         static struct sam_passwd user;
870         struct ldap_enum_info *ldap_vp = (struct ldap_enum_info *)vp;
871
872         ldap_vp->entry = ldap_next_entry(ldap_vp->ldap_struct, ldap_vp->entry);
873
874         if (ldap_vp->entry ! = NULL)
875         {
876                 ldap_get_sam_passwd(ldap_vp->ldap_struct, ldap_vp->entry, &user);
877                 return &user;
878         }
879         return NULL;
880 }
881
882 /***************************************************************
883  End enumeration of the ldap passwd list.
884
885  do not call this function directly.  use passdb.c instead.
886
887 ****************************************************************/
888 static void endldappwent(void *vp)
889 {
890         struct ldap_enum_info *ldap_vp = (struct ldap_enum_info *)vp;
891         ldap_msgfree(ldap_vp->result);
892         ldap_unbind(ldap_vp->ldap_struct);
893 }
894
895 /*************************************************************************
896  Return the current position in the ldap passwd list as an SMB_BIG_UINT.
897  This must be treated as an opaque token.
898
899  do not call this function directly.  use passdb.c instead.
900
901 *************************************************************************/
902 static SMB_BIG_UINT getldappwpos(void *vp)
903 {
904         return (SMB_BIG_UINT)0;
905 }
906
907 /*************************************************************************
908  Set the current position in the ldap passwd list from SMB_BIG_UINT.
909  This must be treated as an opaque token.
910
911  do not call this function directly.  use passdb.c instead.
912
913 *************************************************************************/
914 static BOOL setldappwpos(void *vp, SMB_BIG_UINT tok)
915 {
916         return False;
917 }
918
919 /*
920  * Ldap derived functions.
921  */
922
923 static struct smb_passwd *getldappwnam(char *name)
924 {
925   return pwdb_sam_to_smb(iterate_getsam21pwnam(name));
926 }
927
928 static struct smb_passwd *getldappwuid(uid_t unix_uid)
929 {
930   return pwdb_sam_to_smb(iterate_getsam21pwuid(unix_uid));
931 }
932
933 static struct smb_passwd *getldappwrid(uint32 user_rid)
934 {
935   return pwdb_sam_to_smb(iterate_getsam21pwuid(pwdb_user_rid_to_uid(user_rid)));
936 }
937
938 static struct smb_passwd *getldappwent(void *vp)
939 {
940   return pwdb_sam_to_smb(getldap21pwent(vp));
941 }
942
943 static BOOL add_ldappwd_entry(struct smb_passwd *newpwd)
944 {
945   return add_ldap21pwd_entry(pwdb_smb_to_sam(newpwd));
946 }
947
948 static BOOL mod_ldappwd_entry(struct smb_passwd* pwd, BOOL override)
949 {
950   return mod_ldap21pwd_entry(pwdb_smb_to_sam(pwd), override);
951 }
952
953 static struct sam_disp_info *getldapdispnam(char *name)
954 {
955         return pwdb_sam_to_dispinfo(getldap21pwnam(name));
956 }
957
958 static struct sam_disp_info *getldapdisprid(uint32 rid)
959 {
960         return pwdb_sam_to_dispinfo(getldap21pwrid(rid));
961 }
962
963 static struct sam_disp_info *getldapdispent(void *vp)
964 {
965         return pwdb_sam_to_dispinfo(getldap21pwent(vp));
966 }
967
968 static struct sam_passwd *getldap21pwuid(uid_t uid)
969 {
970         return pwdb_smb_to_sam(iterate_getsam21pwuid(pwdb_uid_to_user_rid(uid)));
971 }
972
973 static struct passdb_ops ldap_ops =
974 {
975         startldappwent,
976         endldappwent,
977         getldappwpos,
978         setldappwpos,
979         getldappwnam,
980         getldappwuid,
981         getldappwrid,
982         getldappwent,
983         add_ldappwd_entry,
984         mod_ldappwd_entry,
985         getldap21pwent,
986         iterate_getsam21pwnam,       /* From passdb.c */
987         iterate_getsam21pwuid,       /* From passdb.c */
988         iterate_getsam21pwrid,       /* From passdb.c */
989         add_ldap21pwd_entry,
990         mod_ldap21pwd_entry,
991         getldapdispnam,
992         getldapdisprid,
993         getldapdispent
994 };
995
996 struct passdb_ops *ldap_initialise_password_db(void)
997 {
998   return &ldap_ops;
999 }
1000
1001 #else
1002  void dummy_function(void);
1003  void dummy_function(void) { } /* stop some compilers complaining */
1004 #endif