VERSION: Disable git snapshots for the 4.2.3 release.
[samba.git] / source3 / passdb / pdb_ldap.c
1 /* 
2    Unix SMB/CIFS implementation.
3    LDAP protocol helper functions for SAMBA
4    Copyright (C) Jean Fran├žois Micouleau        1998
5    Copyright (C) Gerald Carter                  2001-2003
6    Copyright (C) Shahms King                    2001
7    Copyright (C) Andrew Bartlett                2002-2003
8    Copyright (C) Stefan (metze) Metzmacher      2002-2003
9    Copyright (C) Simo Sorce                     2006
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23
24 */
25
26 /* TODO:
27 *  persistent connections: if using NSS LDAP, many connections are made
28 *      however, using only one within Samba would be nice
29 *  
30 *  Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 *
32 *  Other LDAP based login attributes: accountExpires, etc.
33 *  (should be the domain of Samba proper, but the sam_password/struct samu
34 *  structures don't have fields for some of these attributes)
35 *
36 *  SSL is done, but can't get the certificate based authentication to work
37 *  against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 */
39
40 /* NOTE: this will NOT work against an Active Directory server
41 *  due to the fact that the two password fields cannot be retrieved
42 *  from a server; recommend using security = domain in this situation
43 *  and/or winbind
44 */
45
46 #include "includes.h"
47 #include "passdb.h"
48 #include "../libcli/auth/libcli_auth.h"
49 #include "secrets.h"
50 #include "idmap_cache.h"
51 #include "../libcli/security/security.h"
52 #include "../lib/util/util_pw.h"
53 #include "lib/winbind_util.h"
54 #include "librpc/gen_ndr/idmap.h"
55 #include "lib/param/loadparm.h"
56 #include "lib/util_sid_passdb.h"
57
58 #undef DBGC_CLASS
59 #define DBGC_CLASS DBGC_PASSDB
60
61 #include <lber.h>
62 #include <ldap.h>
63
64
65 #include "smbldap.h"
66 #include "passdb/pdb_ldap.h"
67 #include "passdb/pdb_nds.h"
68 #include "passdb/pdb_ipa.h"
69 #include "passdb/pdb_ldap_util.h"
70 #include "passdb/pdb_ldap_schema.h"
71
72 /**********************************************************************
73  Simple helper function to make stuff better readable
74  **********************************************************************/
75
76 LDAP *priv2ld(struct ldapsam_privates *priv)
77 {
78         return priv->smbldap_state->ldap_struct;
79 }
80
81 /**********************************************************************
82  Get the attribute name given a user schame version.
83  **********************************************************************/
84  
85 static const char* get_userattr_key2string( int schema_ver, int key )
86 {
87         switch ( schema_ver ) {
88                 case SCHEMAVER_SAMBASAMACCOUNT:
89                         return get_attr_key2string( attrib_map_v30, key );
90
91                 default:
92                         DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
93                         break;
94         }
95         return NULL;
96 }
97
98 /**********************************************************************
99  Return the list of attribute names given a user schema version.
100 **********************************************************************/
101
102 const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
103 {
104         switch ( schema_ver ) {
105                 case SCHEMAVER_SAMBASAMACCOUNT:
106                         return get_attr_list( mem_ctx, attrib_map_v30 );
107                 default:
108                         DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
109                         break;
110         }
111
112         return NULL;
113 }
114
115 /**************************************************************************
116  Return the list of attribute names to delete given a user schema version.
117 **************************************************************************/
118
119 static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
120                                               int schema_ver )
121 {
122         switch ( schema_ver ) {
123                 case SCHEMAVER_SAMBASAMACCOUNT:
124                         return get_attr_list( mem_ctx,
125                                               attrib_map_to_delete_v30 );
126                 default:
127                         DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
128                         break;
129         }
130
131         return NULL;
132 }
133
134
135 /*******************************************************************
136  Generate the LDAP search filter for the objectclass based on the 
137  version of the schema we are using.
138 ******************************************************************/
139
140 static const char* get_objclass_filter( int schema_ver )
141 {
142         fstring objclass_filter;
143         char *result;
144
145         switch( schema_ver ) {
146                 case SCHEMAVER_SAMBASAMACCOUNT:
147                         fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
148                         break;
149                 default:
150                         DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
151                         objclass_filter[0] = '\0';
152                         break;
153         }
154
155         result = talloc_strdup(talloc_tos(), objclass_filter);
156         SMB_ASSERT(result != NULL);
157         return result;
158 }
159
160 /*****************************************************************
161  Scan a sequence number off OpenLDAP's syncrepl contextCSN
162 ******************************************************************/
163
164 static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
165 {
166         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
167         NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
168         LDAPMessage *msg = NULL;
169         LDAPMessage *entry = NULL;
170         TALLOC_CTX *mem_ctx;
171         char **values = NULL;
172         int rc, num_result, num_values, rid;
173         char *suffix = NULL;
174         char *tok;
175         const char *p;
176         const char **attrs;
177
178         /* Unfortunatly there is no proper way to detect syncrepl-support in
179          * smbldap_connect_system(). The syncrepl OIDs are submitted for publication
180          * but do not show up in the root-DSE yet. Neither we can query the
181          * subschema-context for the syncProviderSubentry or syncConsumerSubentry
182          * objectclass. Currently we require lp_ldap_suffix() to show up as
183          * namingContext.  -  Guenther
184          */
185
186         if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
187                 return ntstatus;
188         }
189
190         if (!seq_num) {
191                 DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
192                 return ntstatus;
193         }
194
195         if (!smbldap_has_naming_context(ldap_state->smbldap_state->ldap_struct, lp_ldap_suffix(talloc_tos()))) {
196                 DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
197                          "as top-level namingContext\n", lp_ldap_suffix(talloc_tos())));
198                 return ntstatus;
199         }
200
201         mem_ctx = talloc_init("ldapsam_get_seq_num");
202
203         if (mem_ctx == NULL)
204                 return NT_STATUS_NO_MEMORY;
205
206         if ((attrs = talloc_array(mem_ctx, const char *, 2)) == NULL) {
207                 ntstatus = NT_STATUS_NO_MEMORY;
208                 goto done;
209         }
210
211         /* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
212         rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
213         if (rid > 0) {
214
215                 /* consumer syncreplCookie: */
216                 /* csn=20050126161620Z#0000001#00#00000 */
217                 attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
218                 attrs[1] = NULL;
219                 suffix = talloc_asprintf(mem_ctx,
220                                 "cn=syncrepl%d,%s", rid, lp_ldap_suffix(talloc_tos()));
221                 if (!suffix) {
222                         ntstatus = NT_STATUS_NO_MEMORY;
223                         goto done;
224                 }
225         } else {
226
227                 /* provider contextCSN */
228                 /* 20050126161620Z#000009#00#000000 */
229                 attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
230                 attrs[1] = NULL;
231                 suffix = talloc_asprintf(mem_ctx,
232                                 "cn=ldapsync,%s", lp_ldap_suffix(talloc_tos()));
233
234                 if (!suffix) {
235                         ntstatus = NT_STATUS_NO_MEMORY;
236                         goto done;
237                 }
238         }
239
240         rc = smbldap_search(ldap_state->smbldap_state, suffix,
241                             LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
242
243         if (rc != LDAP_SUCCESS) {
244                 goto done;
245         }
246
247         num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg);
248         if (num_result != 1) {
249                 DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
250                 goto done;
251         }
252
253         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg);
254         if (entry == NULL) {
255                 DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
256                 goto done;
257         }
258
259         values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]);
260         if (values == NULL) {
261                 DEBUG(3,("ldapsam_get_seq_num: no values\n"));
262                 goto done;
263         }
264
265         num_values = ldap_count_values(values);
266         if (num_values == 0) {
267                 DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
268                 goto done;
269         }
270
271         p = values[0];
272         if (!next_token_talloc(mem_ctx, &p, &tok, "#")) {
273                 DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
274                 goto done;
275         }
276
277         p = tok;
278         if (!strncmp(p, "csn=", strlen("csn=")))
279                 p += strlen("csn=");
280
281         DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
282
283         *seq_num = generalized_to_unix_time(p);
284
285         /* very basic sanity check */
286         if (*seq_num <= 0) {
287                 DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n", 
288                         (int)*seq_num));
289                 goto done;
290         }
291
292         ntstatus = NT_STATUS_OK;
293
294  done:
295         if (values != NULL)
296                 ldap_value_free(values);
297         if (msg != NULL)
298                 ldap_msgfree(msg);
299         if (mem_ctx)
300                 talloc_destroy(mem_ctx);
301
302         return ntstatus;
303 }
304
305 /*******************************************************************
306  Run the search by name.
307 ******************************************************************/
308
309 int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
310                                           const char *user,
311                                           LDAPMessage ** result,
312                                           const char **attr)
313 {
314         char *filter = NULL;
315         char *escape_user = escape_ldap_string(talloc_tos(), user);
316         int ret = -1;
317
318         if (!escape_user) {
319                 return LDAP_NO_MEMORY;
320         }
321
322         /*
323          * in the filter expression, replace %u with the real name
324          * so in ldap filter, %u MUST exist :-)
325          */
326         filter = talloc_asprintf(talloc_tos(), "(&%s%s)", "(uid=%u)",
327                 get_objclass_filter(ldap_state->schema_ver));
328         if (!filter) {
329                 TALLOC_FREE(escape_user);
330                 return LDAP_NO_MEMORY;
331         }
332         /*
333          * have to use this here because $ is filtered out
334          * in string_sub
335          */
336
337         filter = talloc_all_string_sub(talloc_tos(),
338                                 filter, "%u", escape_user);
339         TALLOC_FREE(escape_user);
340         if (!filter) {
341                 return LDAP_NO_MEMORY;
342         }
343
344         ret = smbldap_search_suffix(ldap_state->smbldap_state,
345                         filter, attr, result);
346         TALLOC_FREE(filter);
347         return ret;
348 }
349
350 /*******************************************************************
351  Run the search by SID.
352 ******************************************************************/
353
354 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
355                                  const struct dom_sid *sid, LDAPMessage ** result,
356                                  const char **attr)
357 {
358         char *filter = NULL;
359         int rc;
360         fstring sid_string;
361
362         filter = talloc_asprintf(talloc_tos(), "(&(%s=%s)%s)",
363                 get_userattr_key2string(ldap_state->schema_ver,
364                         LDAP_ATTR_USER_SID),
365                 sid_to_fstring(sid_string, sid),
366                 get_objclass_filter(ldap_state->schema_ver));
367         if (!filter) {
368                 return LDAP_NO_MEMORY;
369         }
370
371         rc = smbldap_search_suffix(ldap_state->smbldap_state,
372                         filter, attr, result);
373
374         TALLOC_FREE(filter);
375         return rc;
376 }
377
378 /*******************************************************************
379  Delete complete object or objectclass and attrs from
380  object found in search_result depending on lp_ldap_delete_dn
381 ******************************************************************/
382
383 static int ldapsam_delete_entry(struct ldapsam_privates *priv,
384                                 TALLOC_CTX *mem_ctx,
385                                 LDAPMessage *entry,
386                                 const char *objectclass,
387                                 const char **attrs)
388 {
389         LDAPMod **mods = NULL;
390         char *name;
391         const char *dn;
392         BerElement *ptr = NULL;
393
394         dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
395         if (dn == NULL) {
396                 return LDAP_NO_MEMORY;
397         }
398
399         if (lp_ldap_delete_dn()) {
400                 return smbldap_delete(priv->smbldap_state, dn);
401         }
402
403         /* Ok, delete only the SAM attributes */
404
405         for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
406              name != NULL;
407              name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
408                 const char **attrib;
409
410                 /* We are only allowed to delete the attributes that
411                    really exist. */
412
413                 for (attrib = attrs; *attrib != NULL; attrib++) {
414                         if (strequal(*attrib, name)) {
415                                 DEBUG(10, ("ldapsam_delete_entry: deleting "
416                                            "attribute %s\n", name));
417                                 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
418                                                 NULL);
419                         }
420                 }
421                 ldap_memfree(name);
422         }
423
424         if (ptr != NULL) {
425                 ber_free(ptr, 0);
426         }
427
428         smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
429         smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
430
431         return smbldap_modify(priv->smbldap_state, dn, mods);
432 }
433
434 static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry)
435 {
436         char *temp;
437         struct tm tm;
438
439         temp = smbldap_talloc_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
440                         get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
441                         talloc_tos());
442         if (!temp) {
443                 return (time_t) 0;
444         }
445
446         if ( !strptime(temp, "%Y%m%d%H%M%SZ", &tm)) {
447                 DEBUG(2,("ldapsam_get_entry_timestamp: strptime failed on: %s\n",
448                         (char*)temp));
449                 TALLOC_FREE(temp);
450                 return (time_t) 0;
451         }
452         TALLOC_FREE(temp);
453         tzset();
454         return timegm(&tm);
455 }
456
457 /**********************************************************************
458  Initialize struct samu from an LDAP query.
459  (Based on init_sam_from_buffer in pdb_tdb.c)
460 *********************************************************************/
461
462 static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
463                                 struct samu * sampass,
464                                 LDAPMessage * entry)
465 {
466         time_t  logon_time,
467                         logoff_time,
468                         kickoff_time,
469                         pass_last_set_time,
470                         pass_can_change_time,
471                         ldap_entry_time,
472                         bad_password_time;
473         char *username = NULL,
474                         *domain = NULL,
475                         *nt_username = NULL,
476                         *fullname = NULL,
477                         *homedir = NULL,
478                         *dir_drive = NULL,
479                         *logon_script = NULL,
480                         *profile_path = NULL,
481                         *acct_desc = NULL,
482                         *workstations = NULL,
483                         *munged_dial = NULL;
484         uint32_t                user_rid;
485         uint8           smblmpwd[LM_HASH_LEN],
486                         smbntpwd[NT_HASH_LEN];
487         bool            use_samba_attrs = True;
488         uint32_t                acct_ctrl = 0;
489         uint16_t                logon_divs;
490         uint16_t                bad_password_count = 0,
491                         logon_count = 0;
492         uint32_t hours_len;
493         uint8           hours[MAX_HOURS_LEN];
494         char *temp = NULL;
495         struct login_cache cache_entry;
496         uint32_t                pwHistLen;
497         bool expand_explicit = lp_passdb_expand_explicit();
498         bool ret = false;
499         TALLOC_CTX *ctx = talloc_init("init_sam_from_ldap");
500
501         if (!ctx) {
502                 return false;
503         }
504         if (sampass == NULL || ldap_state == NULL || entry == NULL) {
505                 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
506                 goto fn_exit;
507         }
508
509         if (priv2ld(ldap_state) == NULL) {
510                 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
511                           "ldap_struct is NULL!\n"));
512                 goto fn_exit;
513         }
514
515         if (!(username = smbldap_talloc_first_attribute(priv2ld(ldap_state),
516                                         entry,
517                                         "uid",
518                                         ctx))) {
519                 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
520                           "this user!\n"));
521                 goto fn_exit;
522         }
523
524         DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
525
526         nt_username = talloc_strdup(ctx, username);
527         if (!nt_username) {
528                 goto fn_exit;
529         }
530
531         domain = talloc_strdup(ctx, ldap_state->domain_name);
532         if (!domain) {
533                 goto fn_exit;
534         }
535
536         pdb_set_username(sampass, username, PDB_SET);
537
538         pdb_set_domain(sampass, domain, PDB_DEFAULT);
539         pdb_set_nt_username(sampass, nt_username, PDB_SET);
540
541         /* deal with different attributes between the schema first */
542
543         if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
544                 if ((temp = smbldap_talloc_single_attribute(
545                                 ldap_state->smbldap_state->ldap_struct,
546                                 entry,
547                                 get_userattr_key2string(ldap_state->schema_ver,
548                                         LDAP_ATTR_USER_SID),
549                                 ctx))!=NULL) {
550                         pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
551                 }
552         } else {
553                 if ((temp = smbldap_talloc_single_attribute(
554                                 ldap_state->smbldap_state->ldap_struct,
555                                 entry,
556                                 get_userattr_key2string(ldap_state->schema_ver,
557                                         LDAP_ATTR_USER_RID),
558                                 ctx))!=NULL) {
559                         user_rid = (uint32_t)atol(temp);
560                         pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
561                 }
562         }
563
564         if (IS_SAM_DEFAULT(sampass, PDB_USERSID)) {
565                 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n", 
566                         get_userattr_key2string(ldap_state->schema_ver,
567                                 LDAP_ATTR_USER_SID),
568                         get_userattr_key2string(ldap_state->schema_ver,
569                                 LDAP_ATTR_USER_RID),
570                         username));
571                 return False;
572         }
573
574         temp = smbldap_talloc_single_attribute(
575                         ldap_state->smbldap_state->ldap_struct,
576                         entry,
577                         get_userattr_key2string(ldap_state->schema_ver,
578                                 LDAP_ATTR_PWD_LAST_SET),
579                         ctx);
580         if (temp) {
581                 pass_last_set_time = (time_t) atol(temp);
582                 pdb_set_pass_last_set_time(sampass,
583                                 pass_last_set_time, PDB_SET);
584         }
585
586         temp = smbldap_talloc_single_attribute(
587                         ldap_state->smbldap_state->ldap_struct,
588                         entry,
589                         get_userattr_key2string(ldap_state->schema_ver,
590                                 LDAP_ATTR_LOGON_TIME),
591                         ctx);
592         if (temp) {
593                 logon_time = (time_t) atol(temp);
594                 pdb_set_logon_time(sampass, logon_time, PDB_SET);
595         }
596
597         temp = smbldap_talloc_single_attribute(
598                         ldap_state->smbldap_state->ldap_struct,
599                         entry,
600                         get_userattr_key2string(ldap_state->schema_ver,
601                                 LDAP_ATTR_LOGOFF_TIME),
602                         ctx);
603         if (temp) {
604                 logoff_time = (time_t) atol(temp);
605                 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
606         }
607
608         temp = smbldap_talloc_single_attribute(
609                         ldap_state->smbldap_state->ldap_struct,
610                         entry,
611                         get_userattr_key2string(ldap_state->schema_ver,
612                                 LDAP_ATTR_KICKOFF_TIME),
613                         ctx);
614         if (temp) {
615                 kickoff_time = (time_t) atol(temp);
616                 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
617         }
618
619         temp = smbldap_talloc_single_attribute(
620                         ldap_state->smbldap_state->ldap_struct,
621                         entry,
622                         get_userattr_key2string(ldap_state->schema_ver,
623                                 LDAP_ATTR_PWD_CAN_CHANGE),
624                         ctx);
625         if (temp) {
626                 pass_can_change_time = (time_t) atol(temp);
627                 pdb_set_pass_can_change_time(sampass,
628                                 pass_can_change_time, PDB_SET);
629         }
630
631         /* recommend that 'gecos' and 'displayName' should refer to the same
632          * attribute OID.  userFullName depreciated, only used by Samba
633          * primary rules of LDAP: don't make a new attribute when one is already defined
634          * that fits your needs; using cn then displayName rather than 'userFullName'
635          */
636
637         fullname = smbldap_talloc_single_attribute(
638                         ldap_state->smbldap_state->ldap_struct,
639                         entry,
640                         get_userattr_key2string(ldap_state->schema_ver,
641                                 LDAP_ATTR_DISPLAY_NAME),
642                         ctx);
643         if (fullname) {
644                 pdb_set_fullname(sampass, fullname, PDB_SET);
645         } else {
646                 fullname = smbldap_talloc_single_attribute(
647                                 ldap_state->smbldap_state->ldap_struct,
648                                 entry,
649                                 get_userattr_key2string(ldap_state->schema_ver,
650                                         LDAP_ATTR_CN),
651                                 ctx);
652                 if (fullname) {
653                         pdb_set_fullname(sampass, fullname, PDB_SET);
654                 }
655         }
656
657         dir_drive = smbldap_talloc_single_attribute(
658                         ldap_state->smbldap_state->ldap_struct,
659                         entry,
660                         get_userattr_key2string(ldap_state->schema_ver,
661                                 LDAP_ATTR_HOME_DRIVE),
662                         ctx);
663         if (dir_drive) {
664                 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
665         } else {
666                 pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
667         }
668
669         homedir = smbldap_talloc_single_attribute(
670                         ldap_state->smbldap_state->ldap_struct,
671                         entry,
672                         get_userattr_key2string(ldap_state->schema_ver,
673                                 LDAP_ATTR_HOME_PATH),
674                         ctx);
675         if (homedir) {
676                 if (expand_explicit) {
677                         homedir = talloc_sub_basic(ctx,
678                                                 username,
679                                                 domain,
680                                                 homedir);
681                         if (!homedir) {
682                                 goto fn_exit;
683                         }
684                 }
685                 pdb_set_homedir(sampass, homedir, PDB_SET);
686         } else {
687                 pdb_set_homedir(sampass,
688                         talloc_sub_basic(ctx, username, domain,
689                                          lp_logon_home()),
690                         PDB_DEFAULT);
691         }
692
693         logon_script = smbldap_talloc_single_attribute(
694                         ldap_state->smbldap_state->ldap_struct,
695                         entry,
696                         get_userattr_key2string(ldap_state->schema_ver,
697                                 LDAP_ATTR_LOGON_SCRIPT),
698                         ctx);
699         if (logon_script) {
700                 if (expand_explicit) {
701                         logon_script = talloc_sub_basic(ctx,
702                                                 username,
703                                                 domain,
704                                                 logon_script);
705                         if (!logon_script) {
706                                 goto fn_exit;
707                         }
708                 }
709                 pdb_set_logon_script(sampass, logon_script, PDB_SET);
710         } else {
711                 pdb_set_logon_script(sampass,
712                         talloc_sub_basic(ctx, username, domain,
713                                          lp_logon_script()),
714                         PDB_DEFAULT );
715         }
716
717         profile_path = smbldap_talloc_single_attribute(
718                         ldap_state->smbldap_state->ldap_struct,
719                         entry,
720                         get_userattr_key2string(ldap_state->schema_ver,
721                                 LDAP_ATTR_PROFILE_PATH),
722                         ctx);
723         if (profile_path) {
724                 if (expand_explicit) {
725                         profile_path = talloc_sub_basic(ctx,
726                                                 username,
727                                                 domain,
728                                                 profile_path);
729                         if (!profile_path) {
730                                 goto fn_exit;
731                         }
732                 }
733                 pdb_set_profile_path(sampass, profile_path, PDB_SET);
734         } else {
735                 pdb_set_profile_path(sampass,
736                         talloc_sub_basic(ctx, username, domain,
737                                           lp_logon_path()),
738                         PDB_DEFAULT );
739         }
740
741         acct_desc = smbldap_talloc_single_attribute(
742                         ldap_state->smbldap_state->ldap_struct,
743                         entry,
744                         get_userattr_key2string(ldap_state->schema_ver,
745                                 LDAP_ATTR_DESC),
746                         ctx);
747         if (acct_desc) {
748                 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
749         }
750
751         workstations = smbldap_talloc_single_attribute(
752                         ldap_state->smbldap_state->ldap_struct,
753                         entry,
754                         get_userattr_key2string(ldap_state->schema_ver,
755                                 LDAP_ATTR_USER_WKS),
756                         ctx);
757         if (workstations) {
758                 pdb_set_workstations(sampass, workstations, PDB_SET);
759         }
760
761         munged_dial = smbldap_talloc_single_attribute(
762                         ldap_state->smbldap_state->ldap_struct,
763                         entry,
764                         get_userattr_key2string(ldap_state->schema_ver,
765                                 LDAP_ATTR_MUNGED_DIAL),
766                         ctx);
767         if (munged_dial) {
768                 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
769         }
770
771         /* FIXME: hours stuff should be cleaner */
772
773         logon_divs = 168;
774         hours_len = 21;
775         memset(hours, 0xff, hours_len);
776
777         if (ldap_state->is_nds_ldap) {
778                 char *user_dn;
779                 size_t pwd_len;
780                 char clear_text_pw[512];
781
782                 /* Make call to Novell eDirectory ldap extension to get clear text password.
783                         NOTE: This will only work if we have an SSL connection to eDirectory. */
784                 user_dn = smbldap_talloc_dn(ctx, ldap_state->smbldap_state->ldap_struct, entry);
785                 if (user_dn != NULL) {
786                         DEBUG(3, ("init_sam_from_ldap: smbldap_talloc_dn(ctx, %s) returned '%s'\n", username, user_dn));
787
788                         pwd_len = sizeof(clear_text_pw);
789                         if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
790                                 nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
791                                 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
792                                         TALLOC_FREE(user_dn);
793                                         return False;
794                                 }
795                                 ZERO_STRUCT(smblmpwd);
796                                 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
797                                         TALLOC_FREE(user_dn);
798                                         return False;
799                                 }
800                                 ZERO_STRUCT(smbntpwd);
801                                 use_samba_attrs = False;
802                         }
803
804                         TALLOC_FREE(user_dn);
805
806                 } else {
807                         DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
808                 }
809         }
810
811         if (use_samba_attrs) {
812                 temp = smbldap_talloc_single_attribute(
813                                 ldap_state->smbldap_state->ldap_struct,
814                                 entry,
815                                 get_userattr_key2string(ldap_state->schema_ver,
816                                         LDAP_ATTR_LMPW),
817                                 ctx);
818                 if (temp) {
819                         pdb_gethexpwd(temp, smblmpwd);
820                         memset((char *)temp, '\0', strlen(temp)+1);
821                         if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
822                                 goto fn_exit;
823                         }
824                         ZERO_STRUCT(smblmpwd);
825                 }
826
827                 temp = smbldap_talloc_single_attribute(
828                                 ldap_state->smbldap_state->ldap_struct,
829                                 entry,
830                                 get_userattr_key2string(ldap_state->schema_ver,
831                                         LDAP_ATTR_NTPW),
832                                 ctx);
833                 if (temp) {
834                         pdb_gethexpwd(temp, smbntpwd);
835                         memset((char *)temp, '\0', strlen(temp)+1);
836                         if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
837                                 goto fn_exit;
838                         }
839                         ZERO_STRUCT(smbntpwd);
840                 }
841         }
842
843         pwHistLen = 0;
844
845         pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
846         if (pwHistLen > 0){
847                 uint8 *pwhist = NULL;
848                 int i;
849                 char *history_string = talloc_array(ctx, char,
850                                                 MAX_PW_HISTORY_LEN*64);
851
852                 if (!history_string) {
853                         goto fn_exit;
854                 }
855
856                 pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
857
858                 pwhist = talloc_zero_array(ctx, uint8,
859                                            pwHistLen * PW_HISTORY_ENTRY_LEN);
860                 if (pwhist == NULL) {
861                         DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
862                         goto fn_exit;
863                 }
864
865                 if (smbldap_get_single_attribute(
866                                 ldap_state->smbldap_state->ldap_struct,
867                                 entry,
868                                 get_userattr_key2string(ldap_state->schema_ver,
869                                         LDAP_ATTR_PWD_HISTORY),
870                                 history_string,
871                                 MAX_PW_HISTORY_LEN*64)) {
872                         bool hex_failed = false;
873                         for (i = 0; i < pwHistLen; i++){
874                                 /* Get the 16 byte salt. */
875                                 if (!pdb_gethexpwd(&history_string[i*64],
876                                         &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
877                                         hex_failed = true;
878                                         break;
879                                 }
880                                 /* Get the 16 byte MD5 hash of salt+passwd. */
881                                 if (!pdb_gethexpwd(&history_string[(i*64)+32],
882                                         &pwhist[(i*PW_HISTORY_ENTRY_LEN)+
883                                                 PW_HISTORY_SALT_LEN])) {
884                                         hex_failed = True;
885                                         break;
886                                 }
887                         }
888                         if (hex_failed) {
889                                 DEBUG(2,("init_sam_from_ldap: Failed to get password history for user %s\n",
890                                         username));
891                                 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
892                         }
893                 }
894                 if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
895                         goto fn_exit;
896                 }
897         }
898
899         temp = smbldap_talloc_single_attribute(
900                         ldap_state->smbldap_state->ldap_struct,
901                         entry,
902                         get_userattr_key2string(ldap_state->schema_ver,
903                                 LDAP_ATTR_ACB_INFO),
904                         ctx);
905         if (temp) {
906                 acct_ctrl = pdb_decode_acct_ctrl(temp);
907
908                 if (acct_ctrl == 0) {
909                         acct_ctrl |= ACB_NORMAL;
910                 }
911
912                 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
913         } else {
914                 acct_ctrl |= ACB_NORMAL;
915         }
916
917         pdb_set_hours_len(sampass, hours_len, PDB_SET);
918         pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
919
920         temp = smbldap_talloc_single_attribute(
921                         ldap_state->smbldap_state->ldap_struct,
922                         entry,
923                         get_userattr_key2string(ldap_state->schema_ver,
924                                 LDAP_ATTR_BAD_PASSWORD_COUNT),
925                         ctx);
926         if (temp) {
927                 bad_password_count = (uint32_t) atol(temp);
928                 pdb_set_bad_password_count(sampass,
929                                 bad_password_count, PDB_SET);
930         }
931
932         temp = smbldap_talloc_single_attribute(
933                         ldap_state->smbldap_state->ldap_struct,
934                         entry,
935                         get_userattr_key2string(ldap_state->schema_ver,
936                                 LDAP_ATTR_BAD_PASSWORD_TIME),
937                         ctx);
938         if (temp) {
939                 bad_password_time = (time_t) atol(temp);
940                 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
941         }
942
943
944         temp = smbldap_talloc_single_attribute(
945                         ldap_state->smbldap_state->ldap_struct,
946                         entry,
947                         get_userattr_key2string(ldap_state->schema_ver,
948                                 LDAP_ATTR_LOGON_COUNT),
949                         ctx);
950         if (temp) {
951                 logon_count = (uint32_t) atol(temp);
952                 pdb_set_logon_count(sampass, logon_count, PDB_SET);
953         }
954
955         /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
956
957         temp = smbldap_talloc_single_attribute(
958                         ldap_state->smbldap_state->ldap_struct,
959                         entry,
960                         get_userattr_key2string(ldap_state->schema_ver,
961                                 LDAP_ATTR_LOGON_HOURS),
962                         ctx);
963         if (temp) {
964                 pdb_gethexhours(temp, hours);
965                 memset((char *)temp, '\0', strlen(temp) +1);
966                 pdb_set_hours(sampass, hours, hours_len, PDB_SET);
967                 ZERO_STRUCT(hours);
968         }
969
970         if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
971                 struct passwd unix_pw;
972                 bool have_uid = false;
973                 bool have_gid = false;
974                 struct dom_sid mapped_gsid;
975                 const struct dom_sid *primary_gsid;
976                 struct unixid id;
977
978                 ZERO_STRUCT(unix_pw);
979
980                 unix_pw.pw_name = username;
981                 unix_pw.pw_passwd = discard_const_p(char, "x");
982
983                 temp = smbldap_talloc_single_attribute(
984                                 priv2ld(ldap_state),
985                                 entry,
986                                 "uidNumber",
987                                 ctx);
988                 if (temp) {
989                         /* We've got a uid, feed the cache */
990                         unix_pw.pw_uid = strtoul(temp, NULL, 10);
991                         have_uid = true;
992                 }
993                 temp = smbldap_talloc_single_attribute(
994                                 priv2ld(ldap_state),
995                                 entry,
996                                 "gidNumber",
997                                 ctx);
998                 if (temp) {
999                         /* We've got a uid, feed the cache */
1000                         unix_pw.pw_gid = strtoul(temp, NULL, 10);
1001                         have_gid = true;
1002                 }
1003                 unix_pw.pw_gecos = smbldap_talloc_single_attribute(
1004                                 priv2ld(ldap_state),
1005                                 entry,
1006                                 "gecos",
1007                                 ctx);
1008                 if (unix_pw.pw_gecos) {
1009                         unix_pw.pw_gecos = fullname;
1010                 }
1011                 unix_pw.pw_dir = smbldap_talloc_single_attribute(
1012                                 priv2ld(ldap_state),
1013                                 entry,
1014                                 "homeDirectory",
1015                                 ctx);
1016                 if (unix_pw.pw_dir) {
1017                         unix_pw.pw_dir = discard_const_p(char, "");
1018                 }
1019                 unix_pw.pw_shell = smbldap_talloc_single_attribute(
1020                                 priv2ld(ldap_state),
1021                                 entry,
1022                                 "loginShell",
1023                                 ctx);
1024                 if (unix_pw.pw_shell) {
1025                         unix_pw.pw_shell = discard_const_p(char, "");
1026                 }
1027
1028                 if (have_uid && have_gid) {
1029                         sampass->unix_pw = tcopy_passwd(sampass, &unix_pw);
1030                 } else {
1031                         sampass->unix_pw = Get_Pwnam_alloc(sampass, unix_pw.pw_name);
1032                 }
1033
1034                 if (sampass->unix_pw == NULL) {
1035                         DEBUG(0,("init_sam_from_ldap: Failed to find Unix account for %s\n",
1036                                  pdb_get_username(sampass)));
1037                         goto fn_exit;
1038                 }
1039
1040                 id.id = sampass->unix_pw->pw_uid;
1041                 id.type = ID_TYPE_UID;
1042
1043                 idmap_cache_set_sid2unixid(pdb_get_user_sid(sampass), &id);
1044
1045                 gid_to_sid(&mapped_gsid, sampass->unix_pw->pw_gid);
1046                 primary_gsid = pdb_get_group_sid(sampass);
1047                 if (primary_gsid && dom_sid_equal(primary_gsid, &mapped_gsid)) {
1048                         id.id = sampass->unix_pw->pw_gid;
1049                         id.type = ID_TYPE_GID;
1050
1051                         idmap_cache_set_sid2unixid(primary_gsid, &id);
1052                 }
1053         }
1054
1055         /* check the timestamp of the cache vs ldap entry */
1056         if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
1057                                                             entry))) {
1058                 ret = true;
1059                 goto fn_exit;
1060         }
1061
1062         /* see if we have newer updates */
1063         if (!login_cache_read(sampass, &cache_entry)) {
1064                 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
1065                            (unsigned int)pdb_get_bad_password_count(sampass),
1066                            (unsigned int)pdb_get_bad_password_time(sampass)));
1067                 ret = true;
1068                 goto fn_exit;
1069         }
1070
1071         DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
1072                   (unsigned int)ldap_entry_time,
1073                   (unsigned int)cache_entry.entry_timestamp,
1074                   (unsigned int)cache_entry.bad_password_time));
1075
1076         if (ldap_entry_time > cache_entry.entry_timestamp) {
1077                 /* cache is older than directory , so
1078                    we need to delete the entry but allow the
1079                    fields to be written out */
1080                 login_cache_delentry(sampass);
1081         } else {
1082                 /* read cache in */
1083                 pdb_set_acct_ctrl(sampass,
1084                                   pdb_get_acct_ctrl(sampass) |
1085                                   (cache_entry.acct_ctrl & ACB_AUTOLOCK),
1086                                   PDB_SET);
1087                 pdb_set_bad_password_count(sampass,
1088                                            cache_entry.bad_password_count,
1089                                            PDB_SET);
1090                 pdb_set_bad_password_time(sampass,
1091                                           cache_entry.bad_password_time,
1092                                           PDB_SET);
1093         }
1094
1095         ret = true;
1096
1097   fn_exit:
1098
1099         TALLOC_FREE(ctx);
1100         return ret;
1101 }
1102
1103 /**********************************************************************
1104  Initialize the ldap db from a struct samu. Called on update.
1105  (Based on init_buffer_from_sam in pdb_tdb.c)
1106 *********************************************************************/
1107
1108 static bool init_ldap_from_sam (struct ldapsam_privates *ldap_state,
1109                                 LDAPMessage *existing,
1110                                 LDAPMod *** mods, struct samu * sampass,
1111                                 bool (*need_update)(const struct samu *,
1112                                                     enum pdb_elements))
1113 {
1114         char *temp = NULL;
1115
1116         if (mods == NULL || sampass == NULL) {
1117                 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
1118                 return False;
1119         }
1120
1121         *mods = NULL;
1122
1123         /*
1124          * took out adding "objectclass: sambaAccount"
1125          * do this on a per-mod basis
1126          */
1127         if (need_update(sampass, PDB_USERNAME)) {
1128                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1129                               "uid", pdb_get_username(sampass));
1130                 if (ldap_state->is_nds_ldap) {
1131                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1132                                       "cn", pdb_get_username(sampass));
1133                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1134                                       "sn", pdb_get_username(sampass));
1135                 }
1136         }
1137
1138         DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
1139
1140         /* only update the RID if we actually need to */
1141         if (need_update(sampass, PDB_USERSID)) {
1142                 fstring sid_string;
1143                 const struct dom_sid *user_sid = pdb_get_user_sid(sampass);
1144
1145                 switch ( ldap_state->schema_ver ) {
1146                         case SCHEMAVER_SAMBASAMACCOUNT:
1147                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1148                                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
1149                                         sid_to_fstring(sid_string, user_sid));
1150                                 break;
1151
1152                         default:
1153                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1154                                 break;
1155                 }
1156         }
1157
1158         /* we don't need to store the primary group RID - so leaving it
1159            'free' to hang off the unix primary group makes life easier */
1160
1161         if (need_update(sampass, PDB_GROUPSID)) {
1162                 fstring sid_string;
1163                 const struct dom_sid *group_sid = pdb_get_group_sid(sampass);
1164
1165                 switch ( ldap_state->schema_ver ) {
1166                         case SCHEMAVER_SAMBASAMACCOUNT:
1167                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1168                                         get_userattr_key2string(ldap_state->schema_ver, 
1169                                         LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_fstring(sid_string, group_sid));
1170                                 break;
1171
1172                         default:
1173                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1174                                 break;
1175                 }
1176
1177         }
1178
1179         /* displayName, cn, and gecos should all be the same
1180          *  most easily accomplished by giving them the same OID
1181          *  gecos isn't set here b/c it should be handled by the
1182          *  add-user script
1183          *  We change displayName only and fall back to cn if
1184          *  it does not exist.
1185          */
1186
1187         if (need_update(sampass, PDB_FULLNAME))
1188                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1189                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), 
1190                         pdb_get_fullname(sampass));
1191
1192         if (need_update(sampass, PDB_ACCTDESC))
1193                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1194                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), 
1195                         pdb_get_acct_desc(sampass));
1196
1197         if (need_update(sampass, PDB_WORKSTATIONS))
1198                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1199                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), 
1200                         pdb_get_workstations(sampass));
1201
1202         if (need_update(sampass, PDB_MUNGEDDIAL))
1203                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1204                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), 
1205                         pdb_get_munged_dial(sampass));
1206
1207         if (need_update(sampass, PDB_SMBHOME))
1208                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1209                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), 
1210                         pdb_get_homedir(sampass));
1211
1212         if (need_update(sampass, PDB_DRIVE))
1213                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1214                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), 
1215                         pdb_get_dir_drive(sampass));
1216
1217         if (need_update(sampass, PDB_LOGONSCRIPT))
1218                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1219                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), 
1220                         pdb_get_logon_script(sampass));
1221
1222         if (need_update(sampass, PDB_PROFILE))
1223                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1224                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), 
1225                         pdb_get_profile_path(sampass));
1226
1227         if (asprintf(&temp, "%li", (long int)pdb_get_logon_time(sampass)) < 0) {
1228                 return false;
1229         }
1230         if (need_update(sampass, PDB_LOGONTIME))
1231                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1232                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1233         SAFE_FREE(temp);
1234
1235         if (asprintf(&temp, "%li", (long int)pdb_get_logoff_time(sampass)) < 0) {
1236                 return false;
1237         }
1238         if (need_update(sampass, PDB_LOGOFFTIME))
1239                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1240                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1241         SAFE_FREE(temp);
1242
1243         if (asprintf(&temp, "%li", (long int)pdb_get_kickoff_time(sampass)) < 0) {
1244                 return false;
1245         }
1246         if (need_update(sampass, PDB_KICKOFFTIME))
1247                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1248                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1249         SAFE_FREE(temp);
1250
1251         if (asprintf(&temp, "%li", (long int)pdb_get_pass_can_change_time_noncalc(sampass)) < 0) {
1252                 return false;
1253         }
1254         if (need_update(sampass, PDB_CANCHANGETIME))
1255                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1256                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1257         SAFE_FREE(temp);
1258
1259         if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1260                         || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1261
1262                 if (need_update(sampass, PDB_LMPASSWD)) {
1263                         const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
1264                         if (lm_pw) {
1265                                 char pwstr[34];
1266                                 pdb_sethexpwd(pwstr, lm_pw,
1267                                               pdb_get_acct_ctrl(sampass));
1268                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1269                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1270                                                  pwstr);
1271                         } else {
1272                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1273                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1274                                                  NULL);
1275                         }
1276                 }
1277                 if (need_update(sampass, PDB_NTPASSWD)) {
1278                         const uchar *nt_pw = pdb_get_nt_passwd(sampass);
1279                         if (nt_pw) {
1280                                 char pwstr[34];
1281                                 pdb_sethexpwd(pwstr, nt_pw,
1282                                               pdb_get_acct_ctrl(sampass));
1283                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1284                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1285                                                  pwstr);
1286                         } else {
1287                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1288                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1289                                                  NULL);
1290                         }
1291                 }
1292
1293                 if (need_update(sampass, PDB_PWHISTORY)) {
1294                         char *pwstr = NULL;
1295                         uint32_t pwHistLen = 0;
1296                         pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
1297
1298                         pwstr = SMB_MALLOC_ARRAY(char, 1024);
1299                         if (!pwstr) {
1300                                 return false;
1301                         }
1302                         if (pwHistLen == 0) {
1303                                 /* Remove any password history from the LDAP store. */
1304                                 memset(pwstr, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
1305                                 pwstr[64] = '\0';
1306                         } else {
1307                                 int i;
1308                                 uint32_t currHistLen = 0;
1309                                 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1310                                 if (pwhist != NULL) {
1311                                         /* We can only store (1024-1/64 password history entries. */
1312                                         pwHistLen = MIN(pwHistLen, ((1024-1)/64));
1313                                         for (i=0; i< pwHistLen && i < currHistLen; i++) {
1314                                                 /* Store the salt. */
1315                                                 pdb_sethexpwd(&pwstr[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
1316                                                 /* Followed by the md5 hash of salt + md4 hash */
1317                                                 pdb_sethexpwd(&pwstr[(i*64)+32],
1318                                                         &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1319                                                 DEBUG(100, ("pwstr=%s\n", pwstr));
1320                                         }
1321                                 }
1322                         }
1323                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1324                                          get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), 
1325                                          pwstr);
1326                         SAFE_FREE(pwstr);
1327                 }
1328
1329                 if (need_update(sampass, PDB_PASSLASTSET)) {
1330                         if (asprintf(&temp, "%li",
1331                                 (long int)pdb_get_pass_last_set_time(sampass)) < 0) {
1332                                 return false;
1333                         }
1334                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1335                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), 
1336                                 temp);
1337                         SAFE_FREE(temp);
1338                 }
1339         }
1340
1341         if (need_update(sampass, PDB_HOURS)) {
1342                 const uint8 *hours = pdb_get_hours(sampass);
1343                 if (hours) {
1344                         char hourstr[44];
1345                         pdb_sethexhours(hourstr, hours);
1346                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
1347                                 existing,
1348                                 mods,
1349                                 get_userattr_key2string(ldap_state->schema_ver,
1350                                                 LDAP_ATTR_LOGON_HOURS),
1351                                 hourstr);
1352                 }
1353         }
1354
1355         if (need_update(sampass, PDB_ACCTCTRL))
1356                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1357                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), 
1358                         pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1359
1360         /* password lockout cache:
1361            - If we are now autolocking or clearing, we write to ldap
1362            - If we are clearing, we delete the cache entry
1363            - If the count is > 0, we update the cache
1364
1365            This even means when autolocking, we cache, just in case the
1366            update doesn't work, and we have to cache the autolock flag */
1367
1368         if (need_update(sampass, PDB_BAD_PASSWORD_COUNT))  /* &&
1369             need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1370                 uint16_t badcount = pdb_get_bad_password_count(sampass);
1371                 time_t badtime = pdb_get_bad_password_time(sampass);
1372                 uint32_t pol;
1373                 pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &pol);
1374
1375                 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1376                         (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1377
1378                 if ((badcount >= pol) || (badcount == 0)) {
1379                         DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1380                                 (unsigned int)badcount, (unsigned int)badtime));
1381                         if (asprintf(&temp, "%li", (long)badcount) < 0) {
1382                                 return false;
1383                         }
1384                         smbldap_make_mod(
1385                                 ldap_state->smbldap_state->ldap_struct,
1386                                 existing, mods,
1387                                 get_userattr_key2string(
1388                                         ldap_state->schema_ver,
1389                                         LDAP_ATTR_BAD_PASSWORD_COUNT),
1390                                 temp);
1391                         SAFE_FREE(temp);
1392
1393                         if (asprintf(&temp, "%li", (long int)badtime) < 0) {
1394                                 return false;
1395                         }
1396                         smbldap_make_mod(
1397                                 ldap_state->smbldap_state->ldap_struct,
1398                                 existing, mods,
1399                                 get_userattr_key2string(
1400                                         ldap_state->schema_ver,
1401                                         LDAP_ATTR_BAD_PASSWORD_TIME),
1402                                 temp);
1403                         SAFE_FREE(temp);
1404                 }
1405                 if (badcount == 0) {
1406                         DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1407                         login_cache_delentry(sampass);
1408                 } else {
1409                         struct login_cache cache_entry;
1410
1411                         cache_entry.entry_timestamp = time(NULL);
1412                         cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1413                         cache_entry.bad_password_count = badcount;
1414                         cache_entry.bad_password_time = badtime;
1415
1416                         DEBUG(7, ("Updating bad password count and time in login cache\n"));
1417                         login_cache_write(sampass, &cache_entry);
1418                 }
1419         }
1420
1421         return True;
1422 }
1423
1424 /**********************************************************************
1425  End enumeration of the LDAP password list.
1426 *********************************************************************/
1427
1428 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1429 {
1430         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1431         if (ldap_state->result) {
1432                 ldap_msgfree(ldap_state->result);
1433                 ldap_state->result = NULL;
1434         }
1435 }
1436
1437 static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list,
1438                         const char *new_attr)
1439 {
1440         int i;
1441
1442         if (new_attr == NULL) {
1443                 return;
1444         }
1445
1446         for (i=0; (*attr_list)[i] != NULL; i++) {
1447                 ;
1448         }
1449
1450         (*attr_list) = talloc_realloc(mem_ctx, (*attr_list),
1451                                             const char *,  i+2);
1452         SMB_ASSERT((*attr_list) != NULL);
1453         (*attr_list)[i] = talloc_strdup((*attr_list), new_attr);
1454         (*attr_list)[i+1] = NULL;
1455 }
1456
1457 static void ldapsam_add_unix_attributes(TALLOC_CTX *mem_ctx,
1458                                         const char ***attr_list)
1459 {
1460         append_attr(mem_ctx, attr_list, "uidNumber");
1461         append_attr(mem_ctx, attr_list, "gidNumber");
1462         append_attr(mem_ctx, attr_list, "homeDirectory");
1463         append_attr(mem_ctx, attr_list, "loginShell");
1464         append_attr(mem_ctx, attr_list, "gecos");
1465 }
1466
1467 /**********************************************************************
1468 Get struct samu entry from LDAP by username.
1469 *********************************************************************/
1470
1471 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname)
1472 {
1473         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1474         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1475         LDAPMessage *result = NULL;
1476         LDAPMessage *entry = NULL;
1477         int count;
1478         const char ** attr_list;
1479         int rc;
1480
1481         attr_list = get_userattr_list( user, ldap_state->schema_ver );
1482         append_attr(user, &attr_list,
1483                     get_userattr_key2string(ldap_state->schema_ver,
1484                                             LDAP_ATTR_MOD_TIMESTAMP));
1485         ldapsam_add_unix_attributes(user, &attr_list);
1486         rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
1487                                            attr_list);
1488         TALLOC_FREE( attr_list );
1489
1490         if ( rc != LDAP_SUCCESS ) 
1491                 return NT_STATUS_NO_SUCH_USER;
1492
1493         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1494
1495         if (count < 1) {
1496                 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1497                 ldap_msgfree(result);
1498                 return NT_STATUS_NO_SUCH_USER;
1499         } else if (count > 1) {
1500                 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1501                 ldap_msgfree(result);
1502                 return NT_STATUS_NO_SUCH_USER;
1503         }
1504
1505         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1506         if (entry) {
1507                 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1508                         DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1509                         ldap_msgfree(result);
1510                         return NT_STATUS_NO_SUCH_USER;
1511                 }
1512                 pdb_set_backend_private_data(user, result, NULL,
1513                                              my_methods, PDB_CHANGED);
1514                 smbldap_talloc_autofree_ldapmsg(user, result);
1515                 ret = NT_STATUS_OK;
1516         } else {
1517                 ldap_msgfree(result);
1518         }
1519         return ret;
1520 }
1521
1522 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state, 
1523                                    const struct dom_sid *sid, LDAPMessage **result)
1524 {
1525         int rc = -1;
1526         const char ** attr_list;
1527
1528         switch ( ldap_state->schema_ver ) {
1529                 case SCHEMAVER_SAMBASAMACCOUNT: {
1530                         TALLOC_CTX *tmp_ctx = talloc_new(NULL);
1531                         if (tmp_ctx == NULL) {
1532                                 return LDAP_NO_MEMORY;
1533                         }
1534
1535                         attr_list = get_userattr_list(tmp_ctx,
1536                                                       ldap_state->schema_ver);
1537                         append_attr(tmp_ctx, &attr_list,
1538                                     get_userattr_key2string(
1539                                             ldap_state->schema_ver,
1540                                             LDAP_ATTR_MOD_TIMESTAMP));
1541                         ldapsam_add_unix_attributes(tmp_ctx, &attr_list);
1542                         rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
1543                                                           result, attr_list);
1544                         TALLOC_FREE(tmp_ctx);
1545
1546                         if ( rc != LDAP_SUCCESS ) 
1547                                 return rc;
1548                         break;
1549                 }
1550
1551                 default:
1552                         DEBUG(0,("Invalid schema version specified\n"));
1553                         break;
1554         }
1555         return rc;
1556 }
1557
1558 /**********************************************************************
1559  Get struct samu entry from LDAP by SID.
1560 *********************************************************************/
1561
1562 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
1563 {
1564         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1565         LDAPMessage *result = NULL;
1566         LDAPMessage *entry = NULL;
1567         int count;
1568         int rc;
1569
1570         rc = ldapsam_get_ldap_user_by_sid(ldap_state, 
1571                                           sid, &result); 
1572         if (rc != LDAP_SUCCESS)
1573                 return NT_STATUS_NO_SUCH_USER;
1574
1575         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1576
1577         if (count < 1) {
1578                 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] "
1579                           "count=%d\n", sid_string_dbg(sid), count));
1580                 ldap_msgfree(result);
1581                 return NT_STATUS_NO_SUCH_USER;
1582         }  else if (count > 1) {
1583                 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID "
1584                           "[%s]. Failing. count=%d\n", sid_string_dbg(sid),
1585                           count));
1586                 ldap_msgfree(result);
1587                 return NT_STATUS_NO_SUCH_USER;
1588         }
1589
1590         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1591         if (!entry) {
1592                 ldap_msgfree(result);
1593                 return NT_STATUS_NO_SUCH_USER;
1594         }
1595
1596         if (!init_sam_from_ldap(ldap_state, user, entry)) {
1597                 DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1598                 ldap_msgfree(result);
1599                 return NT_STATUS_NO_SUCH_USER;
1600         }
1601
1602         pdb_set_backend_private_data(user, result, NULL,
1603                                      my_methods, PDB_CHANGED);
1604         smbldap_talloc_autofree_ldapmsg(user, result);
1605         return NT_STATUS_OK;
1606 }       
1607
1608 /********************************************************************
1609  Do the actual modification - also change a plaintext passord if 
1610  it it set.
1611 **********************************************************************/
1612
1613 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, 
1614                                      struct samu *newpwd, char *dn,
1615                                      LDAPMod **mods, int ldap_op, 
1616                                      bool (*need_update)(const struct samu *, enum pdb_elements))
1617 {
1618         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1619         int rc;
1620
1621         if (!newpwd || !dn) {
1622                 return NT_STATUS_INVALID_PARAMETER;
1623         }
1624
1625         if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1626                         (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1627                         need_update(newpwd, PDB_PLAINTEXT_PW) &&
1628                         (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1629                 BerElement *ber;
1630                 struct berval *bv;
1631                 char *retoid = NULL;
1632                 struct berval *retdata = NULL;
1633                 char *utf8_password;
1634                 char *utf8_dn;
1635                 size_t converted_size;
1636                 int ret;
1637
1638                 if (!ldap_state->is_nds_ldap) {
1639
1640                         if (!smbldap_has_extension(ldap_state->smbldap_state->ldap_struct, 
1641                                                    LDAP_EXOP_MODIFY_PASSWD)) {
1642                                 DEBUG(2, ("ldap password change requested, but LDAP "
1643                                           "server does not support it -- ignoring\n"));
1644                                 return NT_STATUS_OK;
1645                         }
1646                 }
1647
1648                 if (!push_utf8_talloc(talloc_tos(), &utf8_password,
1649                                         pdb_get_plaintext_passwd(newpwd),
1650                                         &converted_size))
1651                 {
1652                         return NT_STATUS_NO_MEMORY;
1653                 }
1654
1655                 if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1656                         TALLOC_FREE(utf8_password);
1657                         return NT_STATUS_NO_MEMORY;
1658                 }
1659
1660                 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1661                         DEBUG(0,("ber_alloc_t returns NULL\n"));
1662                         TALLOC_FREE(utf8_password);
1663                         TALLOC_FREE(utf8_dn);
1664                         return NT_STATUS_UNSUCCESSFUL;
1665                 }
1666
1667                 if ((ber_printf (ber, "{") < 0) ||
1668                     (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
1669                                  utf8_dn) < 0)) {
1670                         DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
1671                                  "value <0\n"));
1672                         ber_free(ber,1);
1673                         TALLOC_FREE(utf8_dn);
1674                         TALLOC_FREE(utf8_password);
1675                         return NT_STATUS_UNSUCCESSFUL;
1676                 }
1677
1678                 if ((utf8_password != NULL) && (*utf8_password != '\0')) {
1679                         ret = ber_printf(ber, "ts}",
1680                                          LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
1681                                          utf8_password);
1682                 } else {
1683                         ret = ber_printf(ber, "}");
1684                 }
1685
1686                 if (ret < 0) {
1687                         DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
1688                                  "value <0\n"));
1689                         ber_free(ber,1);
1690                         TALLOC_FREE(utf8_dn);
1691                         TALLOC_FREE(utf8_password);
1692                         return NT_STATUS_UNSUCCESSFUL;
1693                 }
1694
1695                 if ((rc = ber_flatten (ber, &bv))<0) {
1696                         DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1697                         ber_free(ber,1);
1698                         TALLOC_FREE(utf8_dn);
1699                         TALLOC_FREE(utf8_password);
1700                         return NT_STATUS_UNSUCCESSFUL;
1701                 }
1702
1703                 TALLOC_FREE(utf8_dn);
1704                 TALLOC_FREE(utf8_password);
1705                 ber_free(ber, 1);
1706
1707                 if (!ldap_state->is_nds_ldap) {
1708                         rc = smbldap_extended_operation(ldap_state->smbldap_state, 
1709                                                         LDAP_EXOP_MODIFY_PASSWD,
1710                                                         bv, NULL, NULL, &retoid, 
1711                                                         &retdata);
1712                 } else {
1713                         rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
1714                                                         pdb_get_plaintext_passwd(newpwd));
1715                 }
1716                 if (rc != LDAP_SUCCESS) {
1717                         char *ld_error = NULL;
1718
1719                         if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1720                                 DEBUG(3, ("Could not set userPassword "
1721                                           "attribute due to an objectClass "
1722                                           "violation -- ignoring\n"));
1723                                 ber_bvfree(bv);
1724                                 return NT_STATUS_OK;
1725                         }
1726
1727                         ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1728                                         &ld_error);
1729                         DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1730                                 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1731                         SAFE_FREE(ld_error);
1732                         ber_bvfree(bv);
1733 #if defined(LDAP_CONSTRAINT_VIOLATION)
1734                         if (rc == LDAP_CONSTRAINT_VIOLATION)
1735                                 return NT_STATUS_PASSWORD_RESTRICTION;
1736 #endif
1737                         return NT_STATUS_UNSUCCESSFUL;
1738                 } else {
1739                         DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1740 #ifdef DEBUG_PASSWORD
1741                         DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1742 #endif    
1743                         if (retdata)
1744                                 ber_bvfree(retdata);
1745                         if (retoid)
1746                                 ldap_memfree(retoid);
1747                 }
1748                 ber_bvfree(bv);
1749         }
1750
1751         if (!mods) {
1752                 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1753                 /* may be password change below however */
1754         } else {
1755                 switch(ldap_op) {
1756                         case LDAP_MOD_ADD:
1757                                 if (ldap_state->is_nds_ldap) {
1758                                         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1759                                                         "objectclass",
1760                                                         "inetOrgPerson");
1761                                 } else {
1762                                         smbldap_set_mod(&mods, LDAP_MOD_ADD,
1763                                                         "objectclass",
1764                                                         LDAP_OBJ_ACCOUNT);
1765                                 }
1766                                 rc = smbldap_add(ldap_state->smbldap_state,
1767                                                  dn, mods);
1768                                 break;
1769                         case LDAP_MOD_REPLACE:
1770                                 rc = smbldap_modify(ldap_state->smbldap_state,
1771                                                     dn ,mods);
1772                                 break;
1773                         default:
1774                                 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1775                                          ldap_op));
1776                                 return NT_STATUS_INVALID_PARAMETER;
1777                 }
1778
1779                 if (rc!=LDAP_SUCCESS) {
1780                         return NT_STATUS_UNSUCCESSFUL;
1781                 }
1782         }
1783
1784         return NT_STATUS_OK;
1785 }
1786
1787 /**********************************************************************
1788  Delete entry from LDAP for username.
1789 *********************************************************************/
1790
1791 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
1792                                            struct samu * sam_acct)
1793 {
1794         struct ldapsam_privates *priv =
1795                 (struct ldapsam_privates *)my_methods->private_data;
1796         const char *sname;
1797         int rc;
1798         LDAPMessage *msg, *entry;
1799         NTSTATUS result = NT_STATUS_NO_MEMORY;
1800         const char **attr_list;
1801         TALLOC_CTX *mem_ctx;
1802
1803         if (!sam_acct) {
1804                 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1805                 return NT_STATUS_INVALID_PARAMETER;
1806         }
1807
1808         sname = pdb_get_username(sam_acct);
1809
1810         DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
1811                   "LDAP.\n", sname));
1812
1813         mem_ctx = talloc_new(NULL);
1814         if (mem_ctx == NULL) {
1815                 DEBUG(0, ("talloc_new failed\n"));
1816                 goto done;
1817         }
1818
1819         attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
1820         if (attr_list == NULL) {
1821                 goto done;
1822         }
1823
1824         rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
1825
1826         if ((rc != LDAP_SUCCESS) ||
1827             (ldap_count_entries(priv2ld(priv), msg) != 1) ||
1828             ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
1829                 DEBUG(5, ("Could not find user %s\n", sname));
1830                 result = NT_STATUS_NO_SUCH_USER;
1831                 goto done;
1832         }
1833
1834         rc = ldapsam_delete_entry(
1835                 priv, mem_ctx, entry,
1836                 priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
1837                 LDAP_OBJ_SAMBASAMACCOUNT : 0,
1838                 attr_list);
1839
1840         result = (rc == LDAP_SUCCESS) ?
1841                 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1842
1843  done:
1844         TALLOC_FREE(mem_ctx);
1845         return result;
1846 }
1847
1848 /**********************************************************************
1849  Update struct samu.
1850 *********************************************************************/
1851
1852 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
1853 {
1854         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1855         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1856         int rc = 0;
1857         char *dn;
1858         LDAPMessage *result = NULL;
1859         LDAPMessage *entry = NULL;
1860         LDAPMod **mods = NULL;
1861         const char **attr_list;
1862
1863         result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
1864         if (!result) {
1865                 attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1866                 if (pdb_get_username(newpwd) == NULL) {
1867                         return NT_STATUS_INVALID_PARAMETER;
1868                 }
1869                 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1870                 TALLOC_FREE( attr_list );
1871                 if (rc != LDAP_SUCCESS) {
1872                         return NT_STATUS_UNSUCCESSFUL;
1873                 }
1874                 pdb_set_backend_private_data(newpwd, result, NULL,
1875                                              my_methods, PDB_CHANGED);
1876                 smbldap_talloc_autofree_ldapmsg(newpwd, result);
1877         }
1878
1879         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1880                 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1881                 return NT_STATUS_UNSUCCESSFUL;
1882         }
1883
1884         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1885         dn = smbldap_talloc_dn(talloc_tos(), ldap_state->smbldap_state->ldap_struct, entry);
1886         if (!dn) {
1887                 return NT_STATUS_UNSUCCESSFUL;
1888         }
1889
1890         DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1891
1892         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1893                                 pdb_element_is_changed)) {
1894                 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1895                 TALLOC_FREE(dn);
1896                 if (mods != NULL)
1897                         ldap_mods_free(mods,True);
1898                 return NT_STATUS_UNSUCCESSFUL;
1899         }
1900
1901         if ((lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_ONLY)
1902             && (mods == NULL)) {
1903                 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1904                          pdb_get_username(newpwd)));
1905                 TALLOC_FREE(dn);
1906                 return NT_STATUS_OK;
1907         }
1908
1909         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, pdb_element_is_changed);
1910
1911         if (mods != NULL) {
1912                 ldap_mods_free(mods,True);
1913         }
1914
1915         TALLOC_FREE(dn);
1916
1917         /*
1918          * We need to set the backend private data to NULL here. For example
1919          * setuserinfo level 25 does a pdb_update_sam_account twice on the
1920          * same one, and with the explicit delete / add logic for attribute
1921          * values the second time we would use the wrong "old" value which
1922          * does not exist in LDAP anymore. Thus the LDAP server would refuse
1923          * the update.
1924          * The existing LDAPMessage is still being auto-freed by the
1925          * destructor.
1926          */
1927         pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
1928                                      PDB_CHANGED);
1929
1930         if (!NT_STATUS_IS_OK(ret)) {
1931                 return ret;
1932         }
1933
1934         DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1935                   pdb_get_username(newpwd)));
1936         return NT_STATUS_OK;
1937 }
1938
1939 /***************************************************************************
1940  Renames a struct samu
1941  - The "rename user script" has full responsibility for changing everything
1942 ***************************************************************************/
1943
1944 static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
1945                                      TALLOC_CTX *tmp_ctx,
1946                                      uint32_t group_rid,
1947                                      uint32_t member_rid);
1948
1949 static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
1950                                                TALLOC_CTX *mem_ctx,
1951                                                struct samu *user,
1952                                                struct dom_sid **pp_sids,
1953                                                gid_t **pp_gids,
1954                                                uint32_t *p_num_groups);
1955
1956 static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
1957                                            struct samu *old_acct,
1958                                            const char *newname)
1959 {
1960         const char *oldname;
1961         int rc;
1962         char *rename_script = NULL;
1963         fstring oldname_lower, newname_lower;
1964
1965         if (!old_acct) {
1966                 DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
1967                 return NT_STATUS_INVALID_PARAMETER;
1968         }
1969         if (!newname) {
1970                 DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
1971                 return NT_STATUS_INVALID_PARAMETER;
1972         }
1973
1974         oldname = pdb_get_username(old_acct);
1975
1976         /* rename the posix user */
1977         rename_script = lp_rename_user_script(talloc_tos());
1978         if (rename_script == NULL) {
1979                 return NT_STATUS_NO_MEMORY;
1980         }
1981
1982         if (!(*rename_script)) {
1983                 TALLOC_FREE(rename_script);
1984                 return NT_STATUS_ACCESS_DENIED;
1985         }
1986
1987         DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
1988                    oldname, newname));
1989
1990         /* We have to allow the account name to end with a '$'.
1991            Also, follow the semantics in _samr_create_user() and lower case the
1992            posix name but preserve the case in passdb */
1993
1994         fstrcpy( oldname_lower, oldname );
1995         if (!strlower_m( oldname_lower )) {
1996                 return NT_STATUS_INVALID_PARAMETER;
1997         }
1998         fstrcpy( newname_lower, newname );
1999         if (!strlower_m( newname_lower )) {
2000                 return NT_STATUS_INVALID_PARAMETER;
2001         }
2002
2003         rename_script = realloc_string_sub2(rename_script,
2004                                         "%unew",
2005                                         newname_lower,
2006                                         true,
2007                                         true);
2008         if (!rename_script) {
2009                 return NT_STATUS_NO_MEMORY;
2010         }
2011         rename_script = realloc_string_sub2(rename_script,
2012                                         "%uold",
2013                                         oldname_lower,
2014                                         true,
2015                                         true);
2016         rc = smbrun(rename_script, NULL);
2017
2018         DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
2019                           rename_script, rc));
2020
2021         TALLOC_FREE(rename_script);
2022
2023         if (rc == 0) {
2024                 smb_nscd_flush_user_cache();
2025         }
2026
2027         if (rc)
2028                 return NT_STATUS_UNSUCCESSFUL;
2029
2030         return NT_STATUS_OK;
2031 }
2032
2033 /**********************************************************************
2034  Add struct samu to LDAP.
2035 *********************************************************************/
2036
2037 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
2038 {
2039         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2040         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2041         int rc;
2042         LDAPMessage     *result = NULL;
2043         LDAPMessage     *entry  = NULL;
2044         LDAPMod         **mods = NULL;
2045         int             ldap_op = LDAP_MOD_REPLACE;
2046         uint32_t                num_result;
2047         const char      **attr_list;
2048         char *escape_user = NULL;
2049         const char      *username = pdb_get_username(newpwd);
2050         const struct dom_sid    *sid = pdb_get_user_sid(newpwd);
2051         char *filter = NULL;
2052         char *dn = NULL;
2053         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2054         TALLOC_CTX *ctx = talloc_init("ldapsam_add_sam_account");
2055
2056         if (!ctx) {
2057                 return NT_STATUS_NO_MEMORY;
2058         }
2059
2060         if (!username || !*username) {
2061                 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
2062                 status = NT_STATUS_INVALID_PARAMETER;
2063                 goto fn_exit;
2064         }
2065
2066         /* free this list after the second search or in case we exit on failure */
2067         attr_list = get_userattr_list(ctx, ldap_state->schema_ver);
2068
2069         rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
2070
2071         if (rc != LDAP_SUCCESS) {
2072                 goto fn_exit;
2073         }
2074
2075         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2076                 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n", 
2077                          username));
2078                 goto fn_exit;
2079         }
2080         ldap_msgfree(result);
2081         result = NULL;
2082
2083         if (pdb_element_is_set_or_changed(newpwd, PDB_USERSID)) {
2084                 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
2085                                                   sid, &result);
2086                 if (rc == LDAP_SUCCESS) {
2087                         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2088                                 DEBUG(0,("ldapsam_add_sam_account: SID '%s' "
2089                                          "already in the base, with samba "
2090                                          "attributes\n", sid_string_dbg(sid)));
2091                                 goto fn_exit;
2092                         }
2093                         ldap_msgfree(result);
2094                         result = NULL;
2095                 }
2096         }
2097
2098         /* does the entry already exist but without a samba attributes?
2099            we need to return the samba attributes here */
2100
2101         escape_user = escape_ldap_string(talloc_tos(), username);
2102         filter = talloc_strdup(attr_list, "(uid=%u)");
2103         if (!filter) {
2104                 status = NT_STATUS_NO_MEMORY;
2105                 goto fn_exit;
2106         }
2107         filter = talloc_all_string_sub(attr_list, filter, "%u", escape_user);
2108         TALLOC_FREE(escape_user);
2109         if (!filter) {
2110                 status = NT_STATUS_NO_MEMORY;
2111                 goto fn_exit;
2112         }
2113
2114         rc = smbldap_search_suffix(ldap_state->smbldap_state,
2115                                    filter, attr_list, &result);
2116         if ( rc != LDAP_SUCCESS ) {
2117                 goto fn_exit;
2118         }
2119
2120         num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2121
2122         if (num_result > 1) {
2123                 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
2124                 goto fn_exit;
2125         }
2126
2127         /* Check if we need to update an existing entry */
2128         if (num_result == 1) {
2129                 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2130                 ldap_op = LDAP_MOD_REPLACE;
2131                 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2132                 dn = smbldap_talloc_dn(ctx, ldap_state->smbldap_state->ldap_struct, entry);
2133                 if (!dn) {
2134                         status = NT_STATUS_NO_MEMORY;
2135                         goto fn_exit;
2136                 }
2137
2138         } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
2139
2140                 /* There might be a SID for this account already - say an idmap entry */
2141
2142                 filter = talloc_asprintf(ctx,
2143                                 "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
2144                                  get_userattr_key2string(ldap_state->schema_ver,
2145                                          LDAP_ATTR_USER_SID),
2146                                  sid_string_talloc(ctx, sid),
2147                                  LDAP_OBJ_IDMAP_ENTRY,
2148                                  LDAP_OBJ_SID_ENTRY);
2149                 if (!filter) {
2150                         status = NT_STATUS_NO_MEMORY;
2151                         goto fn_exit;
2152                 }
2153
2154                 /* free old result before doing a new search */
2155                 if (result != NULL) {
2156                         ldap_msgfree(result);
2157                         result = NULL;
2158                 }
2159                 rc = smbldap_search_suffix(ldap_state->smbldap_state,
2160                                            filter, attr_list, &result);
2161
2162                 if ( rc != LDAP_SUCCESS ) {
2163                         goto fn_exit;
2164                 }
2165
2166                 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2167
2168                 if (num_result > 1) {
2169                         DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
2170                         goto fn_exit;
2171                 }
2172
2173                 /* Check if we need to update an existing entry */
2174                 if (num_result == 1) {
2175
2176                         DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2177                         ldap_op = LDAP_MOD_REPLACE;
2178                         entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2179                         dn = smbldap_talloc_dn (ctx, ldap_state->smbldap_state->ldap_struct, entry);
2180                         if (!dn) {
2181                                 status = NT_STATUS_NO_MEMORY;
2182                                 goto fn_exit;
2183                         }
2184                 }
2185         }
2186
2187         if (num_result == 0) {
2188                 char *escape_username;
2189                 /* Check if we need to add an entry */
2190                 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
2191                 ldap_op = LDAP_MOD_ADD;
2192
2193                 escape_username = escape_rdn_val_string_alloc(username);
2194                 if (!escape_username) {
2195                         status = NT_STATUS_NO_MEMORY;
2196                         goto fn_exit;
2197                 }
2198
2199                 if (username[strlen(username)-1] == '$') {
2200                         dn = talloc_asprintf(ctx,
2201                                         "uid=%s,%s",
2202                                         escape_username,
2203                                         lp_ldap_machine_suffix(talloc_tos()));
2204                 } else {
2205                         dn = talloc_asprintf(ctx,
2206                                         "uid=%s,%s",
2207                                         escape_username,
2208                                         lp_ldap_user_suffix(talloc_tos()));
2209                 }
2210
2211                 SAFE_FREE(escape_username);
2212                 if (!dn) {
2213                         status = NT_STATUS_NO_MEMORY;
2214                         goto fn_exit;
2215                 }
2216         }
2217
2218         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2219                                 pdb_element_is_set_or_changed)) {
2220                 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2221                 if (mods != NULL) {
2222                         ldap_mods_free(mods, true);
2223                 }
2224                 goto fn_exit;
2225         }
2226
2227         if (mods == NULL) {
2228                 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2229                 goto fn_exit;
2230         }
2231         switch ( ldap_state->schema_ver ) {
2232                 case SCHEMAVER_SAMBASAMACCOUNT:
2233                         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2234                         break;
2235                 default:
2236                         DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2237                         break;
2238         }
2239
2240         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, pdb_element_is_set_or_changed);
2241         if (!NT_STATUS_IS_OK(ret)) {
2242                 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
2243                          pdb_get_username(newpwd),dn));
2244                 ldap_mods_free(mods, true);
2245                 goto fn_exit;
2246         }
2247
2248         DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2249         ldap_mods_free(mods, true);
2250
2251         status = NT_STATUS_OK;
2252
2253   fn_exit:
2254
2255         TALLOC_FREE(ctx);
2256         if (result) {
2257                 ldap_msgfree(result);
2258         }
2259         return status;
2260 }
2261
2262 /**********************************************************************
2263  *********************************************************************/
2264
2265 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2266                                      const char *filter,
2267                                      LDAPMessage ** result)
2268 {
2269         int scope = LDAP_SCOPE_SUBTREE;
2270         int rc;
2271         const char **attr_list;
2272
2273         attr_list = get_attr_list(NULL, groupmap_attr_list);
2274         rc = smbldap_search(ldap_state->smbldap_state,
2275                             lp_ldap_suffix (talloc_tos()), scope,
2276                             filter, attr_list, 0, result);
2277         TALLOC_FREE(attr_list);
2278
2279         return rc;
2280 }
2281
2282 /**********************************************************************
2283  *********************************************************************/
2284
2285 static bool init_group_from_ldap(struct ldapsam_privates *ldap_state,
2286                                  GROUP_MAP *map, LDAPMessage *entry)
2287 {
2288         char *temp = NULL;
2289         TALLOC_CTX *ctx = talloc_init("init_group_from_ldap");
2290
2291         if (ldap_state == NULL || map == NULL || entry == NULL ||
2292                         ldap_state->smbldap_state->ldap_struct == NULL) {
2293                 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2294                 TALLOC_FREE(ctx);
2295                 return false;
2296         }
2297
2298         temp = smbldap_talloc_single_attribute(
2299                         ldap_state->smbldap_state->ldap_struct,
2300                         entry,
2301                         get_attr_key2string(groupmap_attr_list,
2302                                 LDAP_ATTR_GIDNUMBER),
2303                         ctx);
2304         if (!temp) {
2305                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n", 
2306                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2307                 TALLOC_FREE(ctx);
2308                 return false;
2309         }
2310         DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2311
2312         map->gid = (gid_t)atol(temp);
2313
2314         TALLOC_FREE(temp);
2315         temp = smbldap_talloc_single_attribute(
2316                         ldap_state->smbldap_state->ldap_struct,
2317                         entry,
2318                         get_attr_key2string(groupmap_attr_list,
2319                                 LDAP_ATTR_GROUP_SID),
2320                         ctx);
2321         if (!temp) {
2322                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2323                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2324                 TALLOC_FREE(ctx);
2325                 return false;
2326         }
2327
2328         if (!string_to_sid(&map->sid, temp)) {
2329                 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2330                 TALLOC_FREE(ctx);
2331                 return false;
2332         }
2333
2334         TALLOC_FREE(temp);
2335         temp = smbldap_talloc_single_attribute(
2336                         ldap_state->smbldap_state->ldap_struct,
2337                         entry,
2338                         get_attr_key2string(groupmap_attr_list,
2339                                 LDAP_ATTR_GROUP_TYPE),
2340                         ctx);
2341         if (!temp) {
2342                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2343                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2344                 TALLOC_FREE(ctx);
2345                 return false;
2346         }
2347         map->sid_name_use = (enum lsa_SidType)atol(temp);
2348
2349         if ((map->sid_name_use < SID_NAME_USER) ||
2350                         (map->sid_name_use > SID_NAME_UNKNOWN)) {
2351                 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2352                 TALLOC_FREE(ctx);
2353                 return false;
2354         }
2355
2356         TALLOC_FREE(temp);
2357         temp = smbldap_talloc_single_attribute(
2358                         ldap_state->smbldap_state->ldap_struct,
2359                         entry,
2360                         get_attr_key2string(groupmap_attr_list,
2361                                 LDAP_ATTR_DISPLAY_NAME),
2362                         ctx);
2363         if (!temp) {
2364                 temp = smbldap_talloc_single_attribute(
2365                                 ldap_state->smbldap_state->ldap_struct,
2366                                 entry,
2367                                 get_attr_key2string(groupmap_attr_list,
2368                                         LDAP_ATTR_CN),
2369                                 ctx);
2370                 if (!temp) {
2371                         DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2372 for gidNumber(%lu)\n",(unsigned long)map->gid));
2373                         TALLOC_FREE(ctx);
2374                         return false;
2375                 }
2376         }
2377         map->nt_name = talloc_strdup(map, temp);
2378         if (!map->nt_name) {
2379                 TALLOC_FREE(ctx);
2380                 return false;
2381         }
2382
2383         TALLOC_FREE(temp);
2384         temp = smbldap_talloc_single_attribute(
2385                         ldap_state->smbldap_state->ldap_struct,
2386                         entry,
2387                         get_attr_key2string(groupmap_attr_list,
2388                                 LDAP_ATTR_DESC),
2389                         ctx);
2390         if (!temp) {
2391                 temp = talloc_strdup(ctx, "");
2392                 if (!temp) {
2393                         TALLOC_FREE(ctx);
2394                         return false;
2395                 }
2396         }
2397         map->comment = talloc_strdup(map, temp);
2398         if (!map->comment) {
2399                 TALLOC_FREE(ctx);
2400                 return false;
2401         }
2402
2403         if (lp_parm_bool(-1, "ldapsam", "trusted", false)) {
2404                 struct unixid id;
2405                 id.id = map->gid;
2406                 id.type = ID_TYPE_GID;
2407
2408                 idmap_cache_set_sid2unixid(&map->sid, &id);
2409         }
2410
2411         TALLOC_FREE(ctx);
2412         return true;
2413 }
2414
2415 /**********************************************************************
2416  *********************************************************************/
2417
2418 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2419                                  const char *filter,
2420                                  GROUP_MAP *map)
2421 {
2422         struct ldapsam_privates *ldap_state =
2423                 (struct ldapsam_privates *)methods->private_data;
2424         LDAPMessage *result = NULL;
2425         LDAPMessage *entry = NULL;
2426         int count;
2427
2428         if (ldapsam_search_one_group(ldap_state, filter, &result)
2429             != LDAP_SUCCESS) {
2430                 return NT_STATUS_NO_SUCH_GROUP;
2431         }
2432
2433         count = ldap_count_entries(priv2ld(ldap_state), result);
2434
2435         if (count < 1) {
2436                 DEBUG(4, ("ldapsam_getgroup: Did not find group, filter was "
2437                           "%s\n", filter));
2438                 ldap_msgfree(result);
2439                 return NT_STATUS_NO_SUCH_GROUP;
2440         }
2441
2442         if (count > 1) {
2443                 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2444                           "count=%d\n", filter, count));
2445                 ldap_msgfree(result);
2446                 return NT_STATUS_NO_SUCH_GROUP;
2447         }
2448
2449         entry = ldap_first_entry(priv2ld(ldap_state), result);
2450
2451         if (!entry) {
2452                 ldap_msgfree(result);
2453                 return NT_STATUS_UNSUCCESSFUL;
2454         }
2455
2456         if (!init_group_from_ldap(ldap_state, map, entry)) {
2457                 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
2458                           "group filter %s\n", filter));
2459                 ldap_msgfree(result);
2460                 return NT_STATUS_NO_SUCH_GROUP;
2461         }
2462
2463         ldap_msgfree(result);
2464         return NT_STATUS_OK;
2465 }
2466
2467 /**********************************************************************
2468  *********************************************************************/
2469
2470 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2471                                  struct dom_sid sid)
2472 {
2473         char *filter = NULL;
2474         NTSTATUS status;
2475         fstring tmp;
2476
2477         if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
2478                 LDAP_OBJ_GROUPMAP,
2479                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2480                 sid_to_fstring(tmp, &sid)) < 0) {
2481                 return NT_STATUS_NO_MEMORY;
2482         }
2483
2484         status = ldapsam_getgroup(methods, filter, map);
2485         SAFE_FREE(filter);
2486         return status;
2487 }
2488
2489 /**********************************************************************
2490  *********************************************************************/
2491
2492 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2493                                  gid_t gid)
2494 {
2495         char *filter = NULL;
2496         NTSTATUS status;
2497
2498         if (asprintf(&filter, "(&(objectClass=%s)(%s=%lu))",
2499                 LDAP_OBJ_GROUPMAP,
2500                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2501                 (unsigned long)gid) < 0) {
2502                 return NT_STATUS_NO_MEMORY;
2503         }
2504
2505         status = ldapsam_getgroup(methods, filter, map);
2506         SAFE_FREE(filter);
2507         return status;
2508 }
2509
2510 /**********************************************************************
2511  *********************************************************************/
2512
2513 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2514                                  const char *name)
2515 {
2516         char *filter = NULL;
2517         char *escape_name = escape_ldap_string(talloc_tos(), name);
2518         NTSTATUS status;
2519
2520         if (!escape_name) {
2521                 return NT_STATUS_NO_MEMORY;
2522         }
2523
2524         if (asprintf(&filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2525                 LDAP_OBJ_GROUPMAP,
2526                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2527                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN),
2528                 escape_name) < 0) {
2529                 TALLOC_FREE(escape_name);
2530                 return NT_STATUS_NO_MEMORY;
2531         }
2532
2533         TALLOC_FREE(escape_name);
2534         status = ldapsam_getgroup(methods, filter, map);
2535         SAFE_FREE(filter);
2536         return status;
2537 }
2538
2539 static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
2540                                            LDAPMessage *entry,
2541                                            const struct dom_sid *domain_sid,
2542                                            uint32_t *rid)
2543 {
2544         fstring str;
2545         struct dom_sid sid;
2546
2547         if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
2548                                           str, sizeof(str)-1)) {
2549                 DEBUG(10, ("Could not find sambaSID attribute\n"));
2550                 return False;
2551         }
2552
2553         if (!string_to_sid(&sid, str)) {
2554                 DEBUG(10, ("Could not convert string %s to sid\n", str));
2555                 return False;
2556         }
2557
2558         if (dom_sid_compare_domain(&sid, domain_sid) != 0) {
2559                 DEBUG(10, ("SID %s is not in expected domain %s\n",
2560                            str, sid_string_dbg(domain_sid)));
2561                 return False;
2562         }
2563
2564         if (!sid_peek_rid(&sid, rid)) {
2565                 DEBUG(10, ("Could not peek into RID\n"));
2566                 return False;
2567         }
2568
2569         return True;
2570 }
2571
2572 static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
2573                                            TALLOC_CTX *mem_ctx,
2574                                            const struct dom_sid *group,
2575                                            uint32_t **pp_member_rids,
2576                                            size_t *p_num_members)
2577 {
2578         struct ldapsam_privates *ldap_state =
2579                 (struct ldapsam_privates *)methods->private_data;
2580         struct smbldap_state *conn = ldap_state->smbldap_state;
2581         const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
2582         const char *sid_attrs[] = { "sambaSID", NULL };
2583         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2584         LDAPMessage *result = NULL;
2585         LDAPMessage *entry;
2586         char *filter;
2587         char **values = NULL;
2588         char **memberuid;
2589         char *gidstr;
2590         int rc, count;
2591
2592         *pp_member_rids = NULL;
2593         *p_num_members = 0;
2594
2595         filter = talloc_asprintf(mem_ctx,
2596                                  "(&(objectClass=%s)"
2597                                  "(objectClass=%s)"
2598                                  "(sambaSID=%s))",
2599                                  LDAP_OBJ_POSIXGROUP,
2600                                  LDAP_OBJ_GROUPMAP,
2601                                  sid_string_talloc(mem_ctx, group));
2602         if (filter == NULL) {
2603                 ret = NT_STATUS_NO_MEMORY;
2604                 goto done;
2605         }
2606
2607         rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
2608                             LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
2609                             &result);
2610
2611         if (rc != LDAP_SUCCESS)
2612                 goto done;
2613
2614         smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2615
2616         count = ldap_count_entries(conn->ldap_struct, result);
2617
2618         if (count > 1) {
2619                 DEBUG(1, ("Found more than one groupmap entry for %s\n",
2620                           sid_string_dbg(group)));
2621                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2622                 goto done;
2623         }
2624
2625         if (count == 0) {
2626                 ret = NT_STATUS_NO_SUCH_GROUP;
2627                 goto done;
2628         }
2629
2630         entry = ldap_first_entry(conn->ldap_struct, result);
2631         if (entry == NULL)
2632                 goto done;
2633
2634         gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2635         if (!gidstr) {
2636                 DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
2637                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2638                 goto done;
2639         }
2640
2641         values = ldap_get_values(conn->ldap_struct, entry, "memberUid");
2642
2643         if ((values != NULL) && (values[0] != NULL)) {
2644
2645                 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
2646                 if (filter == NULL) {
2647                         ret = NT_STATUS_NO_MEMORY;
2648                         goto done;
2649                 }
2650
2651                 for (memberuid = values; *memberuid != NULL; memberuid += 1) {
2652                         char *escape_memberuid;
2653
2654                         escape_memberuid = escape_ldap_string(talloc_tos(),
2655                                                               *memberuid);
2656                         if (escape_memberuid == NULL) {
2657                                 ret = NT_STATUS_NO_MEMORY;
2658                                 goto done;
2659                         }
2660
2661                         filter = talloc_asprintf_append_buffer(filter, "(uid=%s)", escape_memberuid);
2662                         TALLOC_FREE(escape_memberuid);
2663                         if (filter == NULL) {
2664                                 ret = NT_STATUS_NO_MEMORY;
2665                                 goto done;
2666                         }
2667                 }
2668
2669                 filter = talloc_asprintf_append_buffer(filter, "))");
2670                 if (filter == NULL) {
2671                         ret = NT_STATUS_NO_MEMORY;
2672                         goto done;
2673                 }
2674
2675                 rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
2676                                     LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2677                                     &result);
2678
2679                 if (rc != LDAP_SUCCESS)
2680                         goto done;
2681
2682                 count = ldap_count_entries(conn->ldap_struct, result);
2683                 DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
2684
2685                 smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2686
2687                 for (entry = ldap_first_entry(conn->ldap_struct, result);
2688                      entry != NULL;
2689                      entry = ldap_next_entry(conn->ldap_struct, entry))
2690                 {
2691                         char *sidstr;
2692                         struct dom_sid sid;
2693                         uint32_t rid;
2694
2695                         sidstr = smbldap_talloc_single_attribute(conn->ldap_struct,
2696                                                                  entry, "sambaSID",
2697                                                                  mem_ctx);
2698                         if (!sidstr) {
2699                                 DEBUG(0, ("Severe DB error, %s can't miss the sambaSID"
2700                                           "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
2701                                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2702                                 goto done;
2703                         }
2704
2705                         if (!string_to_sid(&sid, sidstr))
2706                                 goto done;
2707
2708                         if (!sid_check_is_in_our_sam(&sid)) {
2709                                 DEBUG(0, ("Inconsistent SAM -- group member uid not "
2710                                           "in our domain\n"));
2711                                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2712                                 goto done;
2713                         }
2714
2715                         sid_peek_rid(&sid, &rid);
2716
2717                         if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2718                                                 p_num_members)) {
2719                                 ret = NT_STATUS_NO_MEMORY;
2720                                 goto done;
2721                         }
2722                 }
2723         }
2724
2725         filter = talloc_asprintf(mem_ctx,
2726                                  "(&(objectClass=%s)"
2727                                  "(gidNumber=%s))",
2728                                  LDAP_OBJ_SAMBASAMACCOUNT,
2729                                  gidstr);
2730
2731         rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
2732                             LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2733                             &result);
2734
2735         if (rc != LDAP_SUCCESS)
2736                 goto done;
2737
2738         smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2739
2740         for (entry = ldap_first_entry(conn->ldap_struct, result);
2741              entry != NULL;
2742              entry = ldap_next_entry(conn->ldap_struct, entry))
2743         {
2744                 uint32_t rid;
2745
2746                 if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
2747                                                     entry,
2748                                                     get_global_sam_sid(),
2749                                                     &rid)) {
2750                         DEBUG(0, ("Severe DB error, %s can't miss the samba SID"                                                                "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
2751                         ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2752                         goto done;
2753                 }
2754
2755                 if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2756                                         p_num_members)) {
2757                         ret = NT_STATUS_NO_MEMORY;
2758                         goto done;
2759                 }
2760         }
2761
2762         ret = NT_STATUS_OK;
2763
2764  done:
2765
2766         if (values)
2767                 ldap_value_free(values);
2768
2769         return ret;
2770 }
2771
2772 static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2773                                                TALLOC_CTX *mem_ctx,
2774                                                struct samu *user,
2775                                                struct dom_sid **pp_sids,
2776                                                gid_t **pp_gids,
2777                                                uint32_t *p_num_groups)
2778 {
2779         struct ldapsam_privates *ldap_state =
2780                 (struct ldapsam_privates *)methods->private_data;
2781         struct smbldap_state *conn = ldap_state->smbldap_state;
2782         char *filter;
2783         const char *attrs[] = { "gidNumber", "sambaSID", NULL };
2784         char *escape_name;
2785         int rc, count;
2786         LDAPMessage *result = NULL;
2787         LDAPMessage *entry;
2788         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2789         uint32_t num_sids;
2790         uint32_t num_gids;
2791         char *gidstr;
2792         gid_t primary_gid = -1;
2793
2794         *pp_sids = NULL;
2795         num_sids = 0;
2796
2797         if (pdb_get_username(user) == NULL) {
2798                 return NT_STATUS_INVALID_PARAMETER;
2799         }
2800
2801         escape_name = escape_ldap_string(talloc_tos(), pdb_get_username(user));
2802         if (escape_name == NULL)
2803                 return NT_STATUS_NO_MEMORY;
2804
2805         if (user->unix_pw) {
2806                 primary_gid = user->unix_pw->pw_gid;
2807         } else {
2808                 /* retrieve the users primary gid */
2809                 filter = talloc_asprintf(mem_ctx,
2810                                          "(&(objectClass=%s)(uid=%s))",
2811                                          LDAP_OBJ_SAMBASAMACCOUNT,
2812                                          escape_name);
2813                 if (filter == NULL) {
2814                         ret = NT_STATUS_NO_MEMORY;
2815                         goto done;
2816                 }
2817
2818                 rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
2819                                     LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2820
2821                 if (rc != LDAP_SUCCESS)
2822                         goto done;
2823
2824                 smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2825
2826                 count = ldap_count_entries(priv2ld(ldap_state), result);
2827
2828                 switch (count) {
2829                 case 0:
2830                         DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
2831                         ret = NT_STATUS_NO_SUCH_USER;
2832                         goto done;
2833                 case 1:
2834                         entry = ldap_first_entry(priv2ld(ldap_state), result);
2835
2836                         gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2837                         if (!gidstr) {
2838                                 DEBUG (1, ("Unable to find the member's gid!\n"));
2839                                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2840                                 goto done;
2841                         }
2842                         primary_gid = strtoul(gidstr, NULL, 10);
2843                         break;
2844                 default:
2845                         DEBUG(1, ("found more than one account with the same user name ?!\n"));
2846                         ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2847                         goto done;
2848                 }
2849         }
2850
2851         filter = talloc_asprintf(mem_ctx,
2852                                  "(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%u)))",
2853                                  LDAP_OBJ_POSIXGROUP, escape_name, (unsigned int)primary_gid);
2854         if (filter == NULL) {
2855                 ret = NT_STATUS_NO_MEMORY;
2856                 goto done;
2857         }
2858
2859         rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
2860                             LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2861
2862         if (rc != LDAP_SUCCESS)
2863                 goto done;
2864
2865         smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
2866
2867         num_gids = 0;
2868         *pp_gids = NULL;
2869
2870         num_sids = 0;
2871         *pp_sids = NULL;
2872
2873         /* We need to add the primary group as the first gid/sid */
2874
2875         if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) {
2876                 ret = NT_STATUS_NO_MEMORY;
2877                 goto done;
2878         }
2879
2880         /* This sid will be replaced later */
2881
2882         ret = add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids,
2883                                       &num_sids);
2884         if (!NT_STATUS_IS_OK(ret)) {
2885                 goto done;
2886         }
2887
2888         for (entry = ldap_first_entry(conn->ldap_struct, result);
2889              entry != NULL;
2890              entry = ldap_next_entry(conn->ldap_struct, entry))
2891         {
2892                 fstring str;
2893                 struct dom_sid sid;
2894                 gid_t gid;
2895                 char *end;
2896
2897                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2898                                                   entry, "sambaSID",
2899                                                   str, sizeof(str)-1))
2900                         continue;
2901
2902                 if (!string_to_sid(&sid, str))
2903                         goto done;
2904
2905                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2906                                                   entry, "gidNumber",
2907                                                   str, sizeof(str)-1))
2908                         continue;
2909
2910                 gid = strtoul(str, &end, 10);
2911
2912                 if (PTR_DIFF(end, str) != strlen(str))
2913                         goto done;
2914
2915                 if (gid == primary_gid) {
2916                         sid_copy(&(*pp_sids)[0], &sid);
2917                 } else {
2918                         if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids,
2919                                                 &num_gids)) {
2920                                 ret = NT_STATUS_NO_MEMORY;
2921                                 goto done;
2922                         }
2923                         ret = add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
2924                                                       &num_sids);
2925                         if (!NT_STATUS_IS_OK(ret)) {
2926                                 goto done;
2927                         }
2928                 }
2929         }
2930
2931         if (dom_sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
2932                 DEBUG(3, ("primary group of [%s] not found\n",
2933                           pdb_get_username(user)));
2934                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2935                 goto done;
2936         }
2937
2938         *p_num_groups = num_sids;
2939
2940         ret = NT_STATUS_OK;
2941
2942  done:
2943
2944         TALLOC_FREE(escape_name);
2945         return ret;
2946 }
2947
2948 /**********************************************************************
2949  * Augment a posixGroup object with a sambaGroupMapping domgroup
2950  *********************************************************************/
2951
2952 static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
2953                                        struct ldapsam_privates *ldap_state,
2954                                        GROUP_MAP *map)
2955 {
2956         const char *filter, *dn;
2957         LDAPMessage *msg, *entry;
2958         LDAPMod **mods;
2959         int rc;
2960
2961         filter = talloc_asprintf(mem_ctx,
2962                                  "(&(objectClass=%s)(gidNumber=%u))",
2963                                  LDAP_OBJ_POSIXGROUP, (unsigned int)map->gid);
2964         if (filter == NULL) {
2965                 return NT_STATUS_NO_MEMORY;
2966         }
2967
2968         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
2969                                    get_attr_list(mem_ctx, groupmap_attr_list),
2970                                    &msg);
2971         smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
2972
2973         if ((rc != LDAP_SUCCESS) ||
2974             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
2975             ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
2976                 return NT_STATUS_NO_SUCH_GROUP;
2977         }
2978
2979         dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
2980         if (dn == NULL) {
2981                 return NT_STATUS_NO_MEMORY;
2982         }
2983
2984         mods = NULL;
2985         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
2986                         LDAP_OBJ_GROUPMAP);
2987         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaSid",
2988                          sid_string_talloc(mem_ctx, &map->sid));
2989         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaGroupType",
2990                          talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
2991         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
2992                          map->nt_name);
2993         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
2994                          map->comment);
2995         smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
2996
2997         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2998         if (rc != LDAP_SUCCESS) {
2999                 return NT_STATUS_ACCESS_DENIED;
3000         }
3001
3002         return NT_STATUS_OK;
3003 }
3004
3005 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
3006                                                 GROUP_MAP *map)
3007 {
3008         struct ldapsam_privates *ldap_state =
3009                 (struct ldapsam_privates *)methods->private_data;
3010         LDAPMessage *msg = NULL;
3011         LDAPMod **mods = NULL;
3012         const char *attrs[] = { NULL };
3013         char *filter;
3014
3015         char *dn;
3016         TALLOC_CTX *mem_ctx;
3017         NTSTATUS result;
3018
3019         struct dom_sid sid;
3020         struct unixid id;
3021
3022         int rc;
3023
3024         mem_ctx = talloc_new(NULL);
3025         if (mem_ctx == NULL) {
3026                 DEBUG(0, ("talloc_new failed\n"));
3027                 return NT_STATUS_NO_MEMORY;
3028         }
3029
3030         filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
3031                                  sid_string_talloc(mem_ctx, &map->sid));
3032         if (filter == NULL) {
3033                 result = NT_STATUS_NO_MEMORY;
3034                 goto done;
3035         }
3036
3037         rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(talloc_tos()),
3038                             LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
3039         smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
3040
3041         if ((rc == LDAP_SUCCESS) &&
3042             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) > 0)) {
3043
3044                 DEBUG(3, ("SID %s already present in LDAP, refusing to add "
3045                           "group mapping entry\n", sid_string_dbg(&map->sid)));
3046                 result = NT_STATUS_GROUP_EXISTS;
3047                 goto done;
3048         }
3049
3050         switch (map->sid_name_use) {
3051
3052         case SID_NAME_DOM_GRP:
3053                 /* To map a domain group we need to have a posix group
3054                    to attach to. */
3055                 result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
3056                 goto done;
3057                 break;
3058
3059         case SID_NAME_ALIAS:
3060                 if (!sid_check_is_in_our_sam(&map->sid) 
3061                         && !sid_check_is_in_builtin(&map->sid) ) 
3062                 {
3063                         DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
3064                                   sid_string_dbg(&map->sid)));
3065                         result = NT_STATUS_INVALID_PARAMETER;
3066                         goto done;
3067                 }
3068                 break;
3069
3070         default:
3071                 DEBUG(3, ("Got invalid use '%s' for mapping\n",
3072                           sid_type_lookup(map->sid_name_use)));
3073                 result = NT_STATUS_INVALID_PARAMETER;
3074                 goto done;
3075         }
3076
3077         /* Domain groups have been mapped in a separate routine, we have to
3078          * create an alias now */
3079
3080         if (map->gid == -1) {
3081                 DEBUG(10, ("Refusing to map gid==-1\n"));
3082                 result = NT_STATUS_INVALID_PARAMETER;
3083                 goto done;
3084         }
3085
3086         id.id = map->gid;
3087         id.type = ID_TYPE_GID;
3088
3089         if (pdb_id_to_sid(&id, &sid)) {
3090                 DEBUG(3, ("Gid %u is already mapped to SID %s, refusing to "
3091                           "add\n", (unsigned int)map->gid, sid_string_dbg(&sid)));
3092                 result = NT_STATUS_GROUP_EXISTS;
3093                 goto done;
3094         }
3095
3096         /* Ok, enough checks done. It's still racy to go ahead now, but that's
3097          * the best we can get out of LDAP. */
3098
3099         dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
3100                              sid_string_talloc(mem_ctx, &map->sid),
3101                              lp_ldap_group_suffix(talloc_tos()));
3102         if (dn == NULL) {
3103                 result = NT_STATUS_NO_MEMORY;
3104                 goto done;
3105         }
3106
3107         mods = NULL;
3108
3109         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3110                          LDAP_OBJ_SID_ENTRY);
3111         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3112                          LDAP_OBJ_GROUPMAP);
3113         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaSid",
3114                          sid_string_talloc(mem_ctx, &map->sid));
3115         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaGroupType",
3116                          talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3117         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "displayName",
3118                          map->nt_name);
3119         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "description",
3120                          map->comment);
3121         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "gidNumber",
3122                          talloc_asprintf(mem_ctx, "%u", (unsigned int)map->gid));
3123         smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
3124
3125         rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
3126
3127         result = (rc == LDAP_SUCCESS) ?
3128                 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3129
3130  done:
3131         TALLOC_FREE(mem_ctx);
3132         return result;
3133 }
3134
3135 /**********************************************************************
3136  * Update a group mapping entry. We're quite strict about what can be changed: