Merge branch 'v3-2-test' of ssh://jra@git.samba.org/data/git/samba into v3-2-test
[samba.git] / source3 / passdb / pdb_ldap.c
1 /* 
2    Unix SMB/CIFS implementation.
3    LDAP protocol helper functions for SAMBA
4    Copyright (C) Jean Fran├žois Micouleau        1998
5    Copyright (C) Gerald Carter                  2001-2003
6    Copyright (C) Shahms King                    2001
7    Copyright (C) Andrew Bartlett                2002-2003
8    Copyright (C) Stefan (metze) Metzmacher      2002-2003
9    Copyright (C) Simo Sorce                     2006
10     
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20    
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23    
24 */
25
26 /* TODO:
27 *  persistent connections: if using NSS LDAP, many connections are made
28 *      however, using only one within Samba would be nice
29 *  
30 *  Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 *
32 *  Other LDAP based login attributes: accountExpires, etc.
33 *  (should be the domain of Samba proper, but the sam_password/struct samu
34 *  structures don't have fields for some of these attributes)
35 *
36 *  SSL is done, but can't get the certificate based authentication to work
37 *  against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 */
39
40 /* NOTE: this will NOT work against an Active Directory server
41 *  due to the fact that the two password fields cannot be retrieved
42 *  from a server; recommend using security = domain in this situation
43 *  and/or winbind
44 */
45
46 #include "includes.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_PASSDB
50
51 #include <lber.h>
52 #include <ldap.h>
53
54 /*
55  * Work around versions of the LDAP client libs that don't have the OIDs
56  * defined, or have them defined under the old name.  
57  * This functionality is really a factor of the server, not the client 
58  *
59  */
60
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
65 #endif
66
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID        ((ber_tag_t) 0x80U)
71 #endif
72
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW       ((ber_tag_t) 0x82U)
77 #endif
78
79
80 #include "smbldap.h"
81
82 /**********************************************************************
83  Simple helper function to make stuff better readable
84  **********************************************************************/
85
86 static LDAP *priv2ld(struct ldapsam_privates *priv)
87 {
88         return priv->smbldap_state->ldap_struct;
89 }
90
91 /**********************************************************************
92  Get the attribute name given a user schame version.
93  **********************************************************************/
94  
95 static const char* get_userattr_key2string( int schema_ver, int key )
96 {
97         switch ( schema_ver ) {
98                 case SCHEMAVER_SAMBAACCOUNT:
99                         return get_attr_key2string( attrib_map_v22, key );
100                         
101                 case SCHEMAVER_SAMBASAMACCOUNT:
102                         return get_attr_key2string( attrib_map_v30, key );
103                         
104                 default:
105                         DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
106                         break;
107         }
108         return NULL;
109 }
110
111 /**********************************************************************
112  Return the list of attribute names given a user schema version.
113 **********************************************************************/
114
115 const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
116 {
117         switch ( schema_ver ) {
118                 case SCHEMAVER_SAMBAACCOUNT:
119                         return get_attr_list( mem_ctx, attrib_map_v22 );
120                         
121                 case SCHEMAVER_SAMBASAMACCOUNT:
122                         return get_attr_list( mem_ctx, attrib_map_v30 );
123                 default:
124                         DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
125                         break;
126         }
127         
128         return NULL;
129 }
130
131 /**************************************************************************
132  Return the list of attribute names to delete given a user schema version.
133 **************************************************************************/
134
135 static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
136                                               int schema_ver )
137 {
138         switch ( schema_ver ) {
139                 case SCHEMAVER_SAMBAACCOUNT:
140                         return get_attr_list( mem_ctx,
141                                               attrib_map_to_delete_v22 );
142                         
143                 case SCHEMAVER_SAMBASAMACCOUNT:
144                         return get_attr_list( mem_ctx,
145                                               attrib_map_to_delete_v30 );
146                 default:
147                         DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
148                         break;
149         }
150         
151         return NULL;
152 }
153
154
155 /*******************************************************************
156  Generate the LDAP search filter for the objectclass based on the 
157  version of the schema we are using.
158 ******************************************************************/
159
160 static const char* get_objclass_filter( int schema_ver )
161 {
162         fstring objclass_filter;
163         char *result;
164         
165         switch( schema_ver ) {
166                 case SCHEMAVER_SAMBAACCOUNT:
167                         fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
168                         break;
169                 case SCHEMAVER_SAMBASAMACCOUNT:
170                         fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
171                         break;
172                 default:
173                         DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
174                         objclass_filter[0] = '\0';
175                         break;
176         }
177         
178         result = talloc_strdup(talloc_tos(), objclass_filter);
179         SMB_ASSERT(result != NULL);
180         return result;
181 }
182
183 /*****************************************************************
184  Scan a sequence number off OpenLDAP's syncrepl contextCSN
185 ******************************************************************/
186
187 static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
188 {
189         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
190         NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
191         LDAPMessage *msg = NULL;
192         LDAPMessage *entry = NULL;
193         TALLOC_CTX *mem_ctx;
194         char **values = NULL;
195         int rc, num_result, num_values, rid;
196         char *suffix = NULL;
197         char *tok;
198         const char *p;
199         const char **attrs;
200
201         /* Unfortunatly there is no proper way to detect syncrepl-support in
202          * smbldap_connect_system(). The syncrepl OIDs are submitted for publication
203          * but do not show up in the root-DSE yet. Neither we can query the
204          * subschema-context for the syncProviderSubentry or syncConsumerSubentry
205          * objectclass. Currently we require lp_ldap_suffix() to show up as
206          * namingContext.  -  Guenther
207          */
208
209         if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
210                 return ntstatus;
211         }
212
213         if (!seq_num) {
214                 DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
215                 return ntstatus;
216         }
217
218         if (!smbldap_has_naming_context(ldap_state->smbldap_state->ldap_struct, lp_ldap_suffix())) {
219                 DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
220                          "as top-level namingContext\n", lp_ldap_suffix()));
221                 return ntstatus;
222         }
223
224         mem_ctx = talloc_init("ldapsam_get_seq_num");
225
226         if (mem_ctx == NULL)
227                 return NT_STATUS_NO_MEMORY;
228
229         if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 2)) == NULL) {
230                 ntstatus = NT_STATUS_NO_MEMORY;
231                 goto done;
232         }
233
234         /* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
235         rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
236         if (rid > 0) {
237
238                 /* consumer syncreplCookie: */
239                 /* csn=20050126161620Z#0000001#00#00000 */
240                 attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
241                 attrs[1] = NULL;
242                 suffix = talloc_asprintf(mem_ctx,
243                                 "cn=syncrepl%d,%s", rid, lp_ldap_suffix());
244                 if (!suffix) {
245                         ntstatus = NT_STATUS_NO_MEMORY;
246                         goto done;
247                 }
248         } else {
249
250                 /* provider contextCSN */
251                 /* 20050126161620Z#000009#00#000000 */
252                 attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
253                 attrs[1] = NULL;
254                 suffix = talloc_asprintf(mem_ctx,
255                                 "cn=ldapsync,%s", lp_ldap_suffix());
256
257                 if (!suffix) {
258                         ntstatus = NT_STATUS_NO_MEMORY;
259                         goto done;
260                 }
261         }
262
263         rc = smbldap_search(ldap_state->smbldap_state, suffix,
264                             LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
265
266         if (rc != LDAP_SUCCESS) {
267                 goto done;
268         }
269
270         num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg);
271         if (num_result != 1) {
272                 DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
273                 goto done;
274         }
275
276         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg);
277         if (entry == NULL) {
278                 DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
279                 goto done;
280         }
281
282         values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]);
283         if (values == NULL) {
284                 DEBUG(3,("ldapsam_get_seq_num: no values\n"));
285                 goto done;
286         }
287
288         num_values = ldap_count_values(values);
289         if (num_values == 0) {
290                 DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
291                 goto done;
292         }
293
294         p = values[0];
295         if (!next_token_talloc(mem_ctx, &p, &tok, "#")) {
296                 DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
297                 goto done;
298         }
299
300         p = tok;
301         if (!strncmp(p, "csn=", strlen("csn=")))
302                 p += strlen("csn=");
303
304         DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
305
306         *seq_num = generalized_to_unix_time(p);
307
308         /* very basic sanity check */
309         if (*seq_num <= 0) {
310                 DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n", 
311                         (int)*seq_num));
312                 goto done;
313         }
314
315         ntstatus = NT_STATUS_OK;
316
317  done:
318         if (values != NULL)
319                 ldap_value_free(values);
320         if (msg != NULL)
321                 ldap_msgfree(msg);
322         if (mem_ctx)
323                 talloc_destroy(mem_ctx);
324
325         return ntstatus;
326 }
327
328 /*******************************************************************
329  Run the search by name.
330 ******************************************************************/
331
332 int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
333                                           const char *user,
334                                           LDAPMessage ** result,
335                                           const char **attr)
336 {
337         char *filter = NULL;
338         char *escape_user = escape_ldap_string_alloc(user);
339         int ret = -1;
340
341         if (!escape_user) {
342                 return LDAP_NO_MEMORY;
343         }
344
345         /*
346          * in the filter expression, replace %u with the real name
347          * so in ldap filter, %u MUST exist :-)
348          */
349         filter = talloc_asprintf(talloc_tos(), "(&%s%s)", "(uid=%u)",
350                 get_objclass_filter(ldap_state->schema_ver));
351         if (!filter) {
352                 return LDAP_NO_MEMORY;
353         }
354         /*
355          * have to use this here because $ is filtered out
356          * in string_sub
357          */
358
359         filter = talloc_all_string_sub(talloc_tos(),
360                                 filter, "%u", escape_user);
361         if (!filter) {
362                 return LDAP_NO_MEMORY;
363         }
364         SAFE_FREE(escape_user);
365
366         ret = smbldap_search_suffix(ldap_state->smbldap_state,
367                         filter, attr, result);
368         TALLOC_FREE(filter);
369         return ret;
370 }
371
372 /*******************************************************************
373  Run the search by rid.
374 ******************************************************************/
375
376 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
377                                          uint32 rid, LDAPMessage ** result,
378                                          const char **attr)
379 {
380         char *filter = NULL;
381         int rc;
382
383         filter = talloc_asprintf(talloc_tos(), "(&(rid=%i)%s)", rid,
384                 get_objclass_filter(ldap_state->schema_ver));
385         if (!filter) {
386                 return LDAP_NO_MEMORY;
387         }
388
389         rc = smbldap_search_suffix(ldap_state->smbldap_state,
390                         filter, attr, result);
391         TALLOC_FREE(filter);
392         return rc;
393 }
394
395 /*******************************************************************
396  Run the search by SID.
397 ******************************************************************/
398
399 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
400                                  const DOM_SID *sid, LDAPMessage ** result,
401                                  const char **attr)
402 {
403         char *filter = NULL;
404         int rc;
405         fstring sid_string;
406
407         filter = talloc_asprintf(talloc_tos(), "(&(%s=%s)%s)",
408                 get_userattr_key2string(ldap_state->schema_ver,
409                         LDAP_ATTR_USER_SID),
410                 sid_to_fstring(sid_string, sid),
411                 get_objclass_filter(ldap_state->schema_ver));
412         if (!filter) {
413                 return LDAP_NO_MEMORY;
414         }
415
416         rc = smbldap_search_suffix(ldap_state->smbldap_state,
417                         filter, attr, result);
418
419         TALLOC_FREE(filter);
420         return rc;
421 }
422
423 /*******************************************************************
424  Delete complete object or objectclass and attrs from
425  object found in search_result depending on lp_ldap_delete_dn
426 ******************************************************************/
427
428 static int ldapsam_delete_entry(struct ldapsam_privates *priv,
429                                 TALLOC_CTX *mem_ctx,
430                                 LDAPMessage *entry,
431                                 const char *objectclass,
432                                 const char **attrs)
433 {
434         LDAPMod **mods = NULL;
435         char *name;
436         const char *dn;
437         BerElement *ptr = NULL;
438
439         dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
440         if (dn == NULL) {
441                 return LDAP_NO_MEMORY;
442         }
443
444         if (lp_ldap_delete_dn()) {
445                 return smbldap_delete(priv->smbldap_state, dn);
446         }
447
448         /* Ok, delete only the SAM attributes */
449         
450         for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
451              name != NULL;
452              name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
453                 const char **attrib;
454
455                 /* We are only allowed to delete the attributes that
456                    really exist. */
457
458                 for (attrib = attrs; *attrib != NULL; attrib++) {
459                         if (strequal(*attrib, name)) {
460                                 DEBUG(10, ("ldapsam_delete_entry: deleting "
461                                            "attribute %s\n", name));
462                                 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
463                                                 NULL);
464                         }
465                 }
466                 ldap_memfree(name);
467         }
468
469         if (ptr != NULL) {
470                 ber_free(ptr, 0);
471         }
472
473         smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
474         talloc_autofree_ldapmod(mem_ctx, mods);
475
476         return smbldap_modify(priv->smbldap_state, dn, mods);
477 }
478
479 static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry)
480 {
481         char *temp;
482         struct tm tm;
483
484         temp = smbldap_talloc_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
485                         get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
486                         talloc_tos());
487         if (!temp) {
488                 return (time_t) 0;
489         }
490
491         if ( !strptime(temp, "%Y%m%d%H%M%SZ", &tm)) {
492                 DEBUG(2,("ldapsam_get_entry_timestamp: strptime failed on: %s\n",
493                         (char*)temp));
494                 TALLOC_FREE(temp);
495                 return (time_t) 0;
496         }
497         TALLOC_FREE(temp);
498         tzset();
499         return timegm(&tm);
500 }
501
502 /**********************************************************************
503  Initialize struct samu from an LDAP query.
504  (Based on init_sam_from_buffer in pdb_tdb.c)
505 *********************************************************************/
506
507 static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
508                                 struct samu * sampass,
509                                 LDAPMessage * entry)
510 {
511         time_t  logon_time,
512                         logoff_time,
513                         kickoff_time,
514                         pass_last_set_time,
515                         pass_can_change_time,
516                         pass_must_change_time,
517                         ldap_entry_time,
518                         bad_password_time;
519         char *username = NULL,
520                         *domain = NULL,
521                         *nt_username = NULL,
522                         *fullname = NULL,
523                         *homedir = NULL,
524                         *dir_drive = NULL,
525                         *logon_script = NULL,
526                         *profile_path = NULL,
527                         *acct_desc = NULL,
528                         *workstations = NULL,
529                         *munged_dial = NULL;
530         uint32          user_rid;
531         uint8           smblmpwd[LM_HASH_LEN],
532                         smbntpwd[NT_HASH_LEN];
533         bool            use_samba_attrs = True;
534         uint32          acct_ctrl = 0;
535         uint16          logon_divs;
536         uint16          bad_password_count = 0,
537                         logon_count = 0;
538         uint32 hours_len;
539         uint8           hours[MAX_HOURS_LEN];
540         char *temp = NULL;
541         LOGIN_CACHE     *cache_entry = NULL;
542         uint32          pwHistLen;
543         bool expand_explicit = lp_passdb_expand_explicit();
544         bool ret = false;
545         TALLOC_CTX *ctx = talloc_init("init_sam_from_ldap");
546
547         if (!ctx) {
548                 return false;
549         }
550         if (sampass == NULL || ldap_state == NULL || entry == NULL) {
551                 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
552                 goto fn_exit;
553         }
554
555         if (priv2ld(ldap_state) == NULL) {
556                 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
557                           "ldap_struct is NULL!\n"));
558                 goto fn_exit;
559         }
560
561         if (!(username = smbldap_talloc_single_attribute(priv2ld(ldap_state),
562                                         entry,
563                                         "uid",
564                                         ctx))) {
565                 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
566                           "this user!\n"));
567                 goto fn_exit;
568         }
569
570         DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
571
572         nt_username = talloc_strdup(ctx, username);
573         if (!nt_username) {
574                 goto fn_exit;
575         }
576
577         domain = talloc_strdup(ctx, ldap_state->domain_name);
578         if (!domain) {
579                 goto fn_exit;
580         }
581
582         pdb_set_username(sampass, username, PDB_SET);
583
584         pdb_set_domain(sampass, domain, PDB_DEFAULT);
585         pdb_set_nt_username(sampass, nt_username, PDB_SET);
586
587         /* deal with different attributes between the schema first */
588
589         if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
590                 if ((temp = smbldap_talloc_single_attribute(
591                                 ldap_state->smbldap_state->ldap_struct,
592                                 entry,
593                                 get_userattr_key2string(ldap_state->schema_ver,
594                                         LDAP_ATTR_USER_SID),
595                                 ctx))!=NULL) {
596                         pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
597                 }
598         } else {
599                 if ((temp = smbldap_talloc_single_attribute(
600                                 ldap_state->smbldap_state->ldap_struct,
601                                 entry,
602                                 get_userattr_key2string(ldap_state->schema_ver,
603                                         LDAP_ATTR_USER_RID),
604                                 ctx))!=NULL) {
605                         user_rid = (uint32)atol(temp);
606                         pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
607                 }
608         }
609
610         if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
611                 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n", 
612                         get_userattr_key2string(ldap_state->schema_ver,
613                                 LDAP_ATTR_USER_SID),
614                         get_userattr_key2string(ldap_state->schema_ver,
615                                 LDAP_ATTR_USER_RID),
616                         username));
617                 return False;
618         }
619
620         temp = smbldap_talloc_single_attribute(
621                         ldap_state->smbldap_state->ldap_struct,
622                         entry,
623                         get_userattr_key2string(ldap_state->schema_ver,
624                                 LDAP_ATTR_PWD_LAST_SET),
625                         ctx);
626         if (temp) {
627                 pass_last_set_time = (time_t) atol(temp);
628                 pdb_set_pass_last_set_time(sampass,
629                                 pass_last_set_time, PDB_SET);
630         }
631
632         temp = smbldap_talloc_single_attribute(
633                         ldap_state->smbldap_state->ldap_struct,
634                         entry,
635                         get_userattr_key2string(ldap_state->schema_ver,
636                                 LDAP_ATTR_LOGON_TIME),
637                         ctx);
638         if (temp) {
639                 logon_time = (time_t) atol(temp);
640                 pdb_set_logon_time(sampass, logon_time, PDB_SET);
641         }
642
643         temp = smbldap_talloc_single_attribute(
644                         ldap_state->smbldap_state->ldap_struct,
645                         entry,
646                         get_userattr_key2string(ldap_state->schema_ver,
647                                 LDAP_ATTR_LOGOFF_TIME),
648                         ctx);
649         if (temp) {
650                 logoff_time = (time_t) atol(temp);
651                 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
652         }
653
654         temp = smbldap_talloc_single_attribute(
655                         ldap_state->smbldap_state->ldap_struct,
656                         entry,
657                         get_userattr_key2string(ldap_state->schema_ver,
658                                 LDAP_ATTR_KICKOFF_TIME),
659                         ctx);
660         if (temp) {
661                 kickoff_time = (time_t) atol(temp);
662                 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
663         }
664
665         temp = smbldap_talloc_single_attribute(
666                         ldap_state->smbldap_state->ldap_struct,
667                         entry,
668                         get_userattr_key2string(ldap_state->schema_ver,
669                                 LDAP_ATTR_PWD_CAN_CHANGE),
670                         ctx);
671         if (temp) {
672                 pass_can_change_time = (time_t) atol(temp);
673                 pdb_set_pass_can_change_time(sampass,
674                                 pass_can_change_time, PDB_SET);
675         }
676
677         temp = smbldap_talloc_single_attribute(
678                         ldap_state->smbldap_state->ldap_struct,
679                         entry,
680                         get_userattr_key2string(ldap_state->schema_ver,
681                                 LDAP_ATTR_PWD_MUST_CHANGE),
682                         ctx);
683         if (temp) {
684                 pass_must_change_time = (time_t) atol(temp);
685                 pdb_set_pass_must_change_time(sampass,
686                                 pass_must_change_time, PDB_SET);
687         }
688
689         /* recommend that 'gecos' and 'displayName' should refer to the same
690          * attribute OID.  userFullName depreciated, only used by Samba
691          * primary rules of LDAP: don't make a new attribute when one is already defined
692          * that fits your needs; using cn then displayName rather than 'userFullName'
693          */
694
695         fullname = smbldap_talloc_single_attribute(
696                         ldap_state->smbldap_state->ldap_struct,
697                         entry,
698                         get_userattr_key2string(ldap_state->schema_ver,
699                                 LDAP_ATTR_DISPLAY_NAME),
700                         ctx);
701         if (fullname) {
702                 pdb_set_fullname(sampass, fullname, PDB_SET);
703         } else {
704                 fullname = smbldap_talloc_single_attribute(
705                                 ldap_state->smbldap_state->ldap_struct,
706                                 entry,
707                                 get_userattr_key2string(ldap_state->schema_ver,
708                                         LDAP_ATTR_CN),
709                                 ctx);
710                 if (fullname) {
711                         pdb_set_fullname(sampass, fullname, PDB_SET);
712                 }
713         }
714
715         dir_drive = smbldap_talloc_single_attribute(
716                         ldap_state->smbldap_state->ldap_struct,
717                         entry,
718                         get_userattr_key2string(ldap_state->schema_ver,
719                                 LDAP_ATTR_HOME_DRIVE),
720                         ctx);
721         if (dir_drive) {
722                 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
723         } else {
724                 pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
725         }
726
727         homedir = smbldap_talloc_single_attribute(
728                         ldap_state->smbldap_state->ldap_struct,
729                         entry,
730                         get_userattr_key2string(ldap_state->schema_ver,
731                                 LDAP_ATTR_HOME_PATH),
732                         ctx);
733         if (homedir) {
734                 if (expand_explicit) {
735                         homedir = talloc_sub_basic(ctx,
736                                                 username,
737                                                 domain,
738                                                 homedir);
739                         if (!homedir) {
740                                 goto fn_exit;
741                         }
742                 }
743                 pdb_set_homedir(sampass, homedir, PDB_SET);
744         } else {
745                 pdb_set_homedir(sampass,
746                         talloc_sub_basic(ctx, username, domain,
747                                          lp_logon_home()),
748                         PDB_DEFAULT);
749         }
750
751         logon_script = smbldap_talloc_single_attribute(
752                         ldap_state->smbldap_state->ldap_struct,
753                         entry,
754                         get_userattr_key2string(ldap_state->schema_ver,
755                                 LDAP_ATTR_LOGON_SCRIPT),
756                         ctx);
757         if (logon_script) {
758                 if (expand_explicit) {
759                         logon_script = talloc_sub_basic(ctx,
760                                                 username,
761                                                 domain,
762                                                 logon_script);
763                         if (!logon_script) {
764                                 goto fn_exit;
765                         }
766                 }
767                 pdb_set_logon_script(sampass, logon_script, PDB_SET);
768         } else {
769                 pdb_set_logon_script(sampass,
770                         talloc_sub_basic(ctx, username, domain,
771                                          lp_logon_script()),
772                         PDB_DEFAULT );
773         }
774
775         profile_path = smbldap_talloc_single_attribute(
776                         ldap_state->smbldap_state->ldap_struct,
777                         entry,
778                         get_userattr_key2string(ldap_state->schema_ver,
779                                 LDAP_ATTR_PROFILE_PATH),
780                         ctx);
781         if (profile_path) {
782                 if (expand_explicit) {
783                         profile_path = talloc_sub_basic(ctx,
784                                                 username,
785                                                 domain,
786                                                 profile_path);
787                         if (!profile_path) {
788                                 goto fn_exit;
789                         }
790                 }
791                 pdb_set_profile_path(sampass, profile_path, PDB_SET);
792         } else {
793                 pdb_set_profile_path(sampass,
794                         talloc_sub_basic(ctx, username, domain,
795                                           lp_logon_path()),
796                         PDB_DEFAULT );
797         }
798
799         acct_desc = smbldap_talloc_single_attribute(
800                         ldap_state->smbldap_state->ldap_struct,
801                         entry,
802                         get_userattr_key2string(ldap_state->schema_ver,
803                                 LDAP_ATTR_DESC),
804                         ctx);
805         if (acct_desc) {
806                 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
807         }
808
809         workstations = smbldap_talloc_single_attribute(
810                         ldap_state->smbldap_state->ldap_struct,
811                         entry,
812                         get_userattr_key2string(ldap_state->schema_ver,
813                                 LDAP_ATTR_USER_WKS),
814                         ctx);
815         if (workstations) {
816                 pdb_set_workstations(sampass, workstations, PDB_SET);
817         }
818
819         munged_dial = smbldap_talloc_single_attribute(
820                         ldap_state->smbldap_state->ldap_struct,
821                         entry,
822                         get_userattr_key2string(ldap_state->schema_ver,
823                                 LDAP_ATTR_MUNGED_DIAL),
824                         ctx);
825         if (munged_dial) {
826                 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
827         }
828
829         /* FIXME: hours stuff should be cleaner */
830
831         logon_divs = 168;
832         hours_len = 21;
833         memset(hours, 0xff, hours_len);
834
835         if (ldap_state->is_nds_ldap) {
836                 char *user_dn;
837                 size_t pwd_len;
838                 char clear_text_pw[512];
839
840                 /* Make call to Novell eDirectory ldap extension to get clear text password.
841                         NOTE: This will only work if we have an SSL connection to eDirectory. */
842                 user_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
843                 if (user_dn != NULL) {
844                         DEBUG(3, ("init_sam_from_ldap: smbldap_get_dn(%s) returned '%s'\n", username, user_dn));
845
846                         pwd_len = sizeof(clear_text_pw);
847                         if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
848                                 nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
849                                 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
850                                         SAFE_FREE(user_dn);
851                                         return False;
852                                 }
853                                 ZERO_STRUCT(smblmpwd);
854                                 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
855                                         SAFE_FREE(user_dn);
856                                         return False;
857                                 }
858                                 ZERO_STRUCT(smbntpwd);
859                                 use_samba_attrs = False;
860                         }
861
862                         SAFE_FREE(user_dn);
863
864                 } else {
865                         DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
866                 }
867         }
868
869         if (use_samba_attrs) {
870                 temp = smbldap_talloc_single_attribute(
871                                 ldap_state->smbldap_state->ldap_struct,
872                                 entry,
873                                 get_userattr_key2string(ldap_state->schema_ver,
874                                         LDAP_ATTR_LMPW),
875                                 ctx);
876                 if (temp) {
877                         pdb_gethexpwd(temp, smblmpwd);
878                         memset((char *)temp, '\0', strlen(temp)+1);
879                         if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
880                                 goto fn_exit;
881                         }
882                         ZERO_STRUCT(smblmpwd);
883                 }
884
885                 temp = smbldap_talloc_single_attribute(
886                                 ldap_state->smbldap_state->ldap_struct,
887                                 entry,
888                                 get_userattr_key2string(ldap_state->schema_ver,
889                                         LDAP_ATTR_NTPW),
890                                 ctx);
891                 if (temp) {
892                         pdb_gethexpwd(temp, smbntpwd);
893                         memset((char *)temp, '\0', strlen(temp)+1);
894                         if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
895                                 goto fn_exit;
896                         }
897                         ZERO_STRUCT(smbntpwd);
898                 }
899         }
900
901         pwHistLen = 0;
902
903         pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
904         if (pwHistLen > 0){
905                 uint8 *pwhist = NULL;
906                 int i;
907                 char *history_string = TALLOC_ARRAY(ctx, char,
908                                                 MAX_PW_HISTORY_LEN*64);
909
910                 if (!history_string) {
911                         goto fn_exit;
912                 }
913
914                 pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
915
916                 if ((pwhist = TALLOC_ARRAY(ctx, uint8,
917                                         pwHistLen * PW_HISTORY_ENTRY_LEN)) ==
918                                 NULL){
919                         DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
920                         goto fn_exit;
921                 }
922                 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
923
924                 if (smbldap_get_single_attribute(
925                                 ldap_state->smbldap_state->ldap_struct,
926                                 entry,
927                                 get_userattr_key2string(ldap_state->schema_ver,
928                                         LDAP_ATTR_PWD_HISTORY),
929                                 history_string,
930                                 MAX_PW_HISTORY_LEN*64)) {
931                         bool hex_failed = false;
932                         for (i = 0; i < pwHistLen; i++){
933                                 /* Get the 16 byte salt. */
934                                 if (!pdb_gethexpwd(&history_string[i*64],
935                                         &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
936                                         hex_failed = true;
937                                         break;
938                                 }
939                                 /* Get the 16 byte MD5 hash of salt+passwd. */
940                                 if (!pdb_gethexpwd(&history_string[(i*64)+32],
941                                         &pwhist[(i*PW_HISTORY_ENTRY_LEN)+
942                                                 PW_HISTORY_SALT_LEN])) {
943                                         hex_failed = True;
944                                         break;
945                                 }
946                         }
947                         if (hex_failed) {
948                                 DEBUG(0,("init_sam_from_ldap: Failed to get password history for user %s\n",
949                                         username));
950                                 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
951                         }
952                 }
953                 if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
954                         goto fn_exit;
955                 }
956         }
957
958         temp = smbldap_talloc_single_attribute(
959                         ldap_state->smbldap_state->ldap_struct,
960                         entry,
961                         get_userattr_key2string(ldap_state->schema_ver,
962                                 LDAP_ATTR_ACB_INFO),
963                         ctx);
964         if (temp) {
965                 acct_ctrl = pdb_decode_acct_ctrl(temp);
966
967                 if (acct_ctrl == 0) {
968                         acct_ctrl |= ACB_NORMAL;
969                 }
970
971                 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
972         } else {
973                 acct_ctrl |= ACB_NORMAL;
974         }
975
976         pdb_set_hours_len(sampass, hours_len, PDB_SET);
977         pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
978
979         temp = smbldap_talloc_single_attribute(
980                         ldap_state->smbldap_state->ldap_struct,
981                         entry,
982                         get_userattr_key2string(ldap_state->schema_ver,
983                                 LDAP_ATTR_BAD_PASSWORD_COUNT),
984                         ctx);
985         if (temp) {
986                 bad_password_count = (uint32) atol(temp);
987                 pdb_set_bad_password_count(sampass,
988                                 bad_password_count, PDB_SET);
989         }
990
991         temp = smbldap_talloc_single_attribute(
992                         ldap_state->smbldap_state->ldap_struct,
993                         entry,
994                         get_userattr_key2string(ldap_state->schema_ver,
995                                 LDAP_ATTR_BAD_PASSWORD_TIME),
996                         ctx);
997         if (temp) {
998                 bad_password_time = (time_t) atol(temp);
999                 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1000         }
1001
1002
1003         temp = smbldap_talloc_single_attribute(
1004                         ldap_state->smbldap_state->ldap_struct,
1005                         entry,
1006                         get_userattr_key2string(ldap_state->schema_ver,
1007                                 LDAP_ATTR_LOGON_COUNT),
1008                         ctx);
1009         if (temp) {
1010                 logon_count = (uint32) atol(temp);
1011                 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1012         }
1013
1014         /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
1015
1016         temp = smbldap_talloc_single_attribute(
1017                         ldap_state->smbldap_state->ldap_struct,
1018                         entry,
1019                         get_userattr_key2string(ldap_state->schema_ver,
1020                                 LDAP_ATTR_LOGON_HOURS),
1021                         ctx);
1022         if (temp) {
1023                 pdb_gethexhours(temp, hours);
1024                 memset((char *)temp, '\0', strlen(temp) +1);
1025                 pdb_set_hours(sampass, hours, PDB_SET);
1026                 ZERO_STRUCT(hours);
1027         }
1028
1029         if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1030                 temp = smbldap_talloc_single_attribute(
1031                                 priv2ld(ldap_state),
1032                                 entry,
1033                                 "uidNumber",
1034                                 ctx);
1035                 if (temp) {
1036                         /* We've got a uid, feed the cache */
1037                         uid_t uid = strtoul(temp, NULL, 10);
1038                         store_uid_sid_cache(pdb_get_user_sid(sampass), uid);
1039                 }
1040         }
1041
1042         /* check the timestamp of the cache vs ldap entry */
1043         if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
1044                                                             entry))) {
1045                 ret = true;
1046                 goto fn_exit;
1047         }
1048
1049         /* see if we have newer updates */
1050         if (!(cache_entry = login_cache_read(sampass))) {
1051                 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
1052                            (unsigned int)pdb_get_bad_password_count(sampass),
1053                            (unsigned int)pdb_get_bad_password_time(sampass)));
1054                 ret = true;
1055                 goto fn_exit;
1056         }
1057
1058         DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
1059                   (unsigned int)ldap_entry_time,
1060                   (unsigned int)cache_entry->entry_timestamp,
1061                   (unsigned int)cache_entry->bad_password_time));
1062
1063         if (ldap_entry_time > cache_entry->entry_timestamp) {
1064                 /* cache is older than directory , so
1065                    we need to delete the entry but allow the
1066                    fields to be written out */
1067                 login_cache_delentry(sampass);
1068         } else {
1069                 /* read cache in */
1070                 pdb_set_acct_ctrl(sampass,
1071                                   pdb_get_acct_ctrl(sampass) |
1072                                   (cache_entry->acct_ctrl & ACB_AUTOLOCK),
1073                                   PDB_SET);
1074                 pdb_set_bad_password_count(sampass,
1075                                            cache_entry->bad_password_count,
1076                                            PDB_SET);
1077                 pdb_set_bad_password_time(sampass,
1078                                           cache_entry->bad_password_time,
1079                                           PDB_SET);
1080         }
1081
1082         ret = true;
1083
1084   fn_exit:
1085
1086         TALLOC_FREE(ctx);
1087         SAFE_FREE(cache_entry);
1088         return ret;
1089 }
1090
1091 /**********************************************************************
1092  Initialize the ldap db from a struct samu. Called on update.
1093  (Based on init_buffer_from_sam in pdb_tdb.c)
1094 *********************************************************************/
1095
1096 static bool init_ldap_from_sam (struct ldapsam_privates *ldap_state,
1097                                 LDAPMessage *existing,
1098                                 LDAPMod *** mods, struct samu * sampass,
1099                                 bool (*need_update)(const struct samu *,
1100                                                     enum pdb_elements))
1101 {
1102         char *temp = NULL;
1103         uint32 rid;
1104
1105         if (mods == NULL || sampass == NULL) {
1106                 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
1107                 return False;
1108         }
1109
1110         *mods = NULL;
1111
1112         /*
1113          * took out adding "objectclass: sambaAccount"
1114          * do this on a per-mod basis
1115          */
1116         if (need_update(sampass, PDB_USERNAME)) {
1117                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1118                               "uid", pdb_get_username(sampass));
1119                 if (ldap_state->is_nds_ldap) {
1120                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1121                                       "cn", pdb_get_username(sampass));
1122                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1123                                       "sn", pdb_get_username(sampass));
1124                 }
1125         }
1126
1127         DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
1128
1129         /* only update the RID if we actually need to */
1130         if (need_update(sampass, PDB_USERSID)) {
1131                 fstring sid_string;
1132                 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
1133
1134                 switch ( ldap_state->schema_ver ) {
1135                         case SCHEMAVER_SAMBAACCOUNT:
1136                                 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
1137                                         DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", 
1138                                                   sid_string_dbg(user_sid),
1139                                                   sid_string_dbg(
1140                                                           &ldap_state->domain_sid)));
1141                                         return False;
1142                                 }
1143                                 if (asprintf(&temp, "%i", rid) < 0) {
1144                                         return false;
1145                                 }
1146                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1147                                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), 
1148                                         temp);
1149                                 SAFE_FREE(temp);
1150                                 break;
1151
1152                         case SCHEMAVER_SAMBASAMACCOUNT:
1153                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1154                                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
1155                                         sid_to_fstring(sid_string, user_sid));
1156                                 break;
1157
1158                         default:
1159                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1160                                 break;
1161                 }
1162         }
1163
1164         /* we don't need to store the primary group RID - so leaving it
1165            'free' to hang off the unix primary group makes life easier */
1166
1167         if (need_update(sampass, PDB_GROUPSID)) {
1168                 fstring sid_string;
1169                 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
1170
1171                 switch ( ldap_state->schema_ver ) {
1172                         case SCHEMAVER_SAMBAACCOUNT:
1173                                 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
1174                                         DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1175                                                   sid_string_dbg(group_sid),
1176                                                   sid_string_dbg(
1177                                                           &ldap_state->domain_sid)));
1178                                         return False;
1179                                 }
1180
1181                                 if (asprintf(&temp, "%i", rid) < 0) {
1182                                         return false;
1183                                 }
1184                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1185                                         get_userattr_key2string(ldap_state->schema_ver, 
1186                                         LDAP_ATTR_PRIMARY_GROUP_RID), temp);
1187                                 SAFE_FREE(temp);
1188                                 break;
1189
1190                         case SCHEMAVER_SAMBASAMACCOUNT:
1191                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1192                                         get_userattr_key2string(ldap_state->schema_ver, 
1193                                         LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_fstring(sid_string, group_sid));
1194                                 break;
1195
1196                         default:
1197                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1198                                 break;
1199                 }
1200
1201         }
1202
1203         /* displayName, cn, and gecos should all be the same
1204          *  most easily accomplished by giving them the same OID
1205          *  gecos isn't set here b/c it should be handled by the
1206          *  add-user script
1207          *  We change displayName only and fall back to cn if
1208          *  it does not exist.
1209          */
1210
1211         if (need_update(sampass, PDB_FULLNAME))
1212                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1213                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), 
1214                         pdb_get_fullname(sampass));
1215
1216         if (need_update(sampass, PDB_ACCTDESC))
1217                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1218                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), 
1219                         pdb_get_acct_desc(sampass));
1220
1221         if (need_update(sampass, PDB_WORKSTATIONS))
1222                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1223                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), 
1224                         pdb_get_workstations(sampass));
1225
1226         if (need_update(sampass, PDB_MUNGEDDIAL))
1227                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1228                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), 
1229                         pdb_get_munged_dial(sampass));
1230
1231         if (need_update(sampass, PDB_SMBHOME))
1232                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1233                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), 
1234                         pdb_get_homedir(sampass));
1235
1236         if (need_update(sampass, PDB_DRIVE))
1237                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1238                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), 
1239                         pdb_get_dir_drive(sampass));
1240
1241         if (need_update(sampass, PDB_LOGONSCRIPT))
1242                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1243                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), 
1244                         pdb_get_logon_script(sampass));
1245
1246         if (need_update(sampass, PDB_PROFILE))
1247                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1248                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), 
1249                         pdb_get_profile_path(sampass));
1250
1251         if (asprintf(&temp, "%li", pdb_get_logon_time(sampass)) < 0) {
1252                 return false;
1253         }
1254         if (need_update(sampass, PDB_LOGONTIME))
1255                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1256                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1257         SAFE_FREE(temp);
1258
1259         if (asprintf(&temp, "%li", pdb_get_logoff_time(sampass)) < 0) {
1260                 return false;
1261         }
1262         if (need_update(sampass, PDB_LOGOFFTIME))
1263                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1264                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1265         SAFE_FREE(temp);
1266
1267         if (asprintf(&temp, "%li", pdb_get_kickoff_time(sampass)) < 0) {
1268                 return false;
1269         }
1270         if (need_update(sampass, PDB_KICKOFFTIME))
1271                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1272                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1273         SAFE_FREE(temp);
1274
1275         if (asprintf(&temp, "%li", pdb_get_pass_can_change_time_noncalc(sampass)) < 0) {
1276                 return false;
1277         }
1278         if (need_update(sampass, PDB_CANCHANGETIME))
1279                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1280                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1281         SAFE_FREE(temp);
1282
1283         if (asprintf(&temp, "%li", pdb_get_pass_must_change_time(sampass)) < 0) {
1284                 return false;
1285         }
1286         if (need_update(sampass, PDB_MUSTCHANGETIME))
1287                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1288                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
1289         SAFE_FREE(temp);
1290
1291         if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1292                         || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1293
1294                 if (need_update(sampass, PDB_LMPASSWD)) {
1295                         const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
1296                         if (lm_pw) {
1297                                 char pwstr[34];
1298                                 pdb_sethexpwd(pwstr, lm_pw,
1299                                               pdb_get_acct_ctrl(sampass));
1300                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1301                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1302                                                  pwstr);
1303                         } else {
1304                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1305                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1306                                                  NULL);
1307                         }
1308                 }
1309                 if (need_update(sampass, PDB_NTPASSWD)) {
1310                         const uchar *nt_pw = pdb_get_nt_passwd(sampass);
1311                         if (nt_pw) {
1312                                 char pwstr[34];
1313                                 pdb_sethexpwd(pwstr, nt_pw,
1314                                               pdb_get_acct_ctrl(sampass));
1315                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1316                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1317                                                  pwstr);
1318                         } else {
1319                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1320                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1321                                                  NULL);
1322                         }
1323                 }
1324
1325                 if (need_update(sampass, PDB_PWHISTORY)) {
1326                         char *pwstr = NULL;
1327                         uint32 pwHistLen = 0;
1328                         pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1329
1330                         pwstr = SMB_MALLOC_ARRAY(char, 1024);
1331                         if (!pwstr) {
1332                                 return false;
1333                         }
1334                         if (pwHistLen == 0) {
1335                                 /* Remove any password history from the LDAP store. */
1336                                 memset(pwstr, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
1337                                 pwstr[64] = '\0';
1338                         } else {
1339                                 int i;
1340                                 uint32 currHistLen = 0;
1341                                 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1342                                 if (pwhist != NULL) {
1343                                         /* We can only store (1024-1/64 password history entries. */
1344                                         pwHistLen = MIN(pwHistLen, ((1024-1)/64));
1345                                         for (i=0; i< pwHistLen && i < currHistLen; i++) {
1346                                                 /* Store the salt. */
1347                                                 pdb_sethexpwd(&pwstr[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
1348                                                 /* Followed by the md5 hash of salt + md4 hash */
1349                                                 pdb_sethexpwd(&pwstr[(i*64)+32],
1350                                                         &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1351                                                 DEBUG(100, ("pwstr=%s\n", pwstr));
1352                                         }
1353                                 }
1354                         }
1355                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1356                                          get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), 
1357                                          pwstr);
1358                         SAFE_FREE(pwstr);
1359                 }
1360
1361                 if (need_update(sampass, PDB_PASSLASTSET)) {
1362                         if (asprintf(&temp, "%li",
1363                                 pdb_get_pass_last_set_time(sampass)) < 0) {
1364                                 return false;
1365                         }
1366                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1367                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), 
1368                                 temp);
1369                         SAFE_FREE(temp);
1370                 }
1371         }
1372
1373         if (need_update(sampass, PDB_HOURS)) {
1374                 const uint8 *hours = pdb_get_hours(sampass);
1375                 if (hours) {
1376                         char hourstr[44];
1377                         pdb_sethexhours(hourstr, hours);
1378                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
1379                                 existing,
1380                                 mods,
1381                                 get_userattr_key2string(ldap_state->schema_ver,
1382                                                 LDAP_ATTR_LOGON_HOURS),
1383                                 hourstr);
1384                 }
1385         }
1386
1387         if (need_update(sampass, PDB_ACCTCTRL))
1388                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1389                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), 
1390                         pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1391
1392         /* password lockout cache:
1393            - If we are now autolocking or clearing, we write to ldap
1394            - If we are clearing, we delete the cache entry
1395            - If the count is > 0, we update the cache
1396
1397            This even means when autolocking, we cache, just in case the
1398            update doesn't work, and we have to cache the autolock flag */
1399
1400         if (need_update(sampass, PDB_BAD_PASSWORD_COUNT))  /* &&
1401             need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1402                 uint16 badcount = pdb_get_bad_password_count(sampass);
1403                 time_t badtime = pdb_get_bad_password_time(sampass);
1404                 uint32 pol;
1405                 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1406
1407                 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1408                         (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1409
1410                 if ((badcount >= pol) || (badcount == 0)) {
1411                         DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1412                                 (unsigned int)badcount, (unsigned int)badtime));
1413                         if (asprintf(&temp, "%li", (long)badcount) < 0) {
1414                                 return false;
1415                         }
1416                         smbldap_make_mod(
1417                                 ldap_state->smbldap_state->ldap_struct,
1418                                 existing, mods,
1419                                 get_userattr_key2string(
1420                                         ldap_state->schema_ver,
1421                                         LDAP_ATTR_BAD_PASSWORD_COUNT),
1422                                 temp);
1423                         SAFE_FREE(temp);
1424
1425                         if (asprintf(&temp, "%li", badtime) < 0) {
1426                                 return false;
1427                         }
1428                         smbldap_make_mod(
1429                                 ldap_state->smbldap_state->ldap_struct,
1430                                 existing, mods,
1431                                 get_userattr_key2string(
1432                                         ldap_state->schema_ver,
1433                                         LDAP_ATTR_BAD_PASSWORD_TIME),
1434                                 temp);
1435                         SAFE_FREE(temp);
1436                 }
1437                 if (badcount == 0) {
1438                         DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1439                         login_cache_delentry(sampass);
1440                 } else {
1441                         LOGIN_CACHE cache_entry;
1442
1443                         cache_entry.entry_timestamp = time(NULL);
1444                         cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1445                         cache_entry.bad_password_count = badcount;
1446                         cache_entry.bad_password_time = badtime;
1447
1448                         DEBUG(7, ("Updating bad password count and time in login cache\n"));
1449                         login_cache_write(sampass, cache_entry);
1450                 }
1451         }
1452
1453         return True;
1454 }
1455
1456 /**********************************************************************
1457  End enumeration of the LDAP password list.
1458 *********************************************************************/
1459
1460 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1461 {
1462         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1463         if (ldap_state->result) {
1464                 ldap_msgfree(ldap_state->result);
1465                 ldap_state->result = NULL;
1466         }
1467 }
1468
1469 static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list,
1470                         const char *new_attr)
1471 {
1472         int i;
1473
1474         if (new_attr == NULL) {
1475                 return;
1476         }
1477
1478         for (i=0; (*attr_list)[i] != NULL; i++) {
1479                 ;
1480         }
1481
1482         (*attr_list) = TALLOC_REALLOC_ARRAY(mem_ctx, (*attr_list),
1483                                             const char *,  i+2);
1484         SMB_ASSERT((*attr_list) != NULL);
1485         (*attr_list)[i] = talloc_strdup((*attr_list), new_attr);
1486         (*attr_list)[i+1] = NULL;
1487 }
1488
1489 /**********************************************************************
1490 Get struct samu entry from LDAP by username.
1491 *********************************************************************/
1492
1493 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname)
1494 {
1495         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1496         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1497         LDAPMessage *result = NULL;
1498         LDAPMessage *entry = NULL;
1499         int count;
1500         const char ** attr_list;
1501         int rc;
1502         
1503         attr_list = get_userattr_list( user, ldap_state->schema_ver );
1504         append_attr(user, &attr_list,
1505                     get_userattr_key2string(ldap_state->schema_ver,
1506                                             LDAP_ATTR_MOD_TIMESTAMP));
1507         append_attr(user, &attr_list, "uidNumber");
1508         rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
1509                                            attr_list);
1510         TALLOC_FREE( attr_list );
1511
1512         if ( rc != LDAP_SUCCESS ) 
1513                 return NT_STATUS_NO_SUCH_USER;
1514         
1515         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1516         
1517         if (count < 1) {
1518                 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1519                 ldap_msgfree(result);
1520                 return NT_STATUS_NO_SUCH_USER;
1521         } else if (count > 1) {
1522                 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1523                 ldap_msgfree(result);
1524                 return NT_STATUS_NO_SUCH_USER;
1525         }
1526
1527         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1528         if (entry) {
1529                 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1530                         DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1531                         ldap_msgfree(result);
1532                         return NT_STATUS_NO_SUCH_USER;
1533                 }
1534                 pdb_set_backend_private_data(user, result, NULL,
1535                                              my_methods, PDB_CHANGED);
1536                 talloc_autofree_ldapmsg(user, result);
1537                 ret = NT_STATUS_OK;
1538         } else {
1539                 ldap_msgfree(result);
1540         }
1541         return ret;
1542 }
1543
1544 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state, 
1545                                    const DOM_SID *sid, LDAPMessage **result) 
1546 {
1547         int rc = -1;
1548         const char ** attr_list;
1549         uint32 rid;
1550
1551         switch ( ldap_state->schema_ver ) {
1552                 case SCHEMAVER_SAMBASAMACCOUNT: {
1553                         TALLOC_CTX *tmp_ctx = talloc_new(NULL);
1554                         if (tmp_ctx == NULL) {
1555                                 return LDAP_NO_MEMORY;
1556                         }
1557
1558                         attr_list = get_userattr_list(tmp_ctx,
1559                                                       ldap_state->schema_ver);
1560                         append_attr(tmp_ctx, &attr_list,
1561                                     get_userattr_key2string(
1562                                             ldap_state->schema_ver,
1563                                             LDAP_ATTR_MOD_TIMESTAMP));
1564                         append_attr(tmp_ctx, &attr_list, "uidNumber");
1565                         rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
1566                                                           result, attr_list);
1567                         TALLOC_FREE(tmp_ctx);
1568
1569                         if ( rc != LDAP_SUCCESS ) 
1570                                 return rc;
1571                         break;
1572                 }
1573                         
1574                 case SCHEMAVER_SAMBAACCOUNT:
1575                         if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1576                                 return rc;
1577                         }
1578                 
1579                         attr_list = get_userattr_list(NULL,
1580                                                       ldap_state->schema_ver);
1581                         rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1582                         TALLOC_FREE( attr_list );
1583
1584                         if ( rc != LDAP_SUCCESS ) 
1585                                 return rc;
1586                         break;
1587         }
1588         return rc;
1589 }
1590
1591 /**********************************************************************
1592  Get struct samu entry from LDAP by SID.
1593 *********************************************************************/
1594
1595 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const DOM_SID *sid)
1596 {
1597         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1598         LDAPMessage *result = NULL;
1599         LDAPMessage *entry = NULL;
1600         int count;
1601         int rc;
1602
1603         rc = ldapsam_get_ldap_user_by_sid(ldap_state, 
1604                                           sid, &result); 
1605         if (rc != LDAP_SUCCESS)
1606                 return NT_STATUS_NO_SUCH_USER;
1607
1608         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1609         
1610         if (count < 1) {
1611                 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] "
1612                           "count=%d\n", sid_string_dbg(sid), count));
1613                 ldap_msgfree(result);
1614                 return NT_STATUS_NO_SUCH_USER;
1615         }  else if (count > 1) {
1616                 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID "
1617                           "[%s]. Failing. count=%d\n", sid_string_dbg(sid),
1618                           count));
1619                 ldap_msgfree(result);
1620                 return NT_STATUS_NO_SUCH_USER;
1621         }
1622
1623         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1624         if (!entry) {
1625                 ldap_msgfree(result);
1626                 return NT_STATUS_NO_SUCH_USER;
1627         }
1628
1629         if (!init_sam_from_ldap(ldap_state, user, entry)) {
1630                 DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1631                 ldap_msgfree(result);
1632                 return NT_STATUS_NO_SUCH_USER;
1633         }
1634
1635         pdb_set_backend_private_data(user, result, NULL,
1636                                      my_methods, PDB_CHANGED);
1637         talloc_autofree_ldapmsg(user, result);
1638         return NT_STATUS_OK;
1639 }       
1640
1641 /********************************************************************
1642  Do the actual modification - also change a plaintext passord if 
1643  it it set.
1644 **********************************************************************/
1645
1646 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, 
1647                                      struct samu *newpwd, char *dn,
1648                                      LDAPMod **mods, int ldap_op, 
1649                                      bool (*need_update)(const struct samu *, enum pdb_elements))
1650 {
1651         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1652         int rc;
1653         
1654         if (!newpwd || !dn) {
1655                 return NT_STATUS_INVALID_PARAMETER;
1656         }
1657         
1658         if (!mods) {
1659                 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1660                 /* may be password change below however */
1661         } else {
1662                 switch(ldap_op) {
1663                         case LDAP_MOD_ADD:
1664                                 if (ldap_state->is_nds_ldap) {
1665                                         smbldap_set_mod(&mods, LDAP_MOD_ADD, 
1666                                                         "objectclass", 
1667                                                         "inetOrgPerson");
1668                                 } else {
1669                                         smbldap_set_mod(&mods, LDAP_MOD_ADD, 
1670                                                         "objectclass", 
1671                                                         LDAP_OBJ_ACCOUNT);
1672                                 }
1673                                 rc = smbldap_add(ldap_state->smbldap_state, 
1674                                                  dn, mods);
1675                                 break;
1676                         case LDAP_MOD_REPLACE: 
1677                                 rc = smbldap_modify(ldap_state->smbldap_state, 
1678                                                     dn ,mods);
1679                                 break;
1680                         default:        
1681                                 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n", 
1682                                          ldap_op));
1683                                 return NT_STATUS_INVALID_PARAMETER;
1684                 }
1685                 
1686                 if (rc!=LDAP_SUCCESS) {
1687                         return NT_STATUS_UNSUCCESSFUL;
1688                 }  
1689         }
1690         
1691         if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1692                         (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1693                         need_update(newpwd, PDB_PLAINTEXT_PW) &&
1694                         (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1695                 BerElement *ber;
1696                 struct berval *bv;
1697                 char *retoid = NULL;
1698                 struct berval *retdata = NULL;
1699                 char *utf8_password;
1700                 char *utf8_dn;
1701
1702                 if (!ldap_state->is_nds_ldap) {
1703
1704                         if (!smbldap_has_extension(ldap_state->smbldap_state->ldap_struct, 
1705                                                    LDAP_EXOP_MODIFY_PASSWD)) {
1706                                 DEBUG(2, ("ldap password change requested, but LDAP "
1707                                           "server does not support it -- ignoring\n"));
1708                                 return NT_STATUS_OK;
1709                         }
1710                 }
1711
1712                 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1713                         return NT_STATUS_NO_MEMORY;
1714                 }
1715
1716                 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1717                         SAFE_FREE(utf8_password);
1718                         return NT_STATUS_NO_MEMORY;
1719                 }
1720
1721                 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1722                         DEBUG(0,("ber_alloc_t returns NULL\n"));
1723                         SAFE_FREE(utf8_password);
1724                         SAFE_FREE(utf8_dn);
1725                         return NT_STATUS_UNSUCCESSFUL;
1726                 }
1727
1728                 ber_printf (ber, "{");
1729                 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1730                 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1731                 ber_printf (ber, "n}");
1732
1733                 if ((rc = ber_flatten (ber, &bv))<0) {
1734                         DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1735                         ber_free(ber,1);
1736                         SAFE_FREE(utf8_dn);
1737                         SAFE_FREE(utf8_password);
1738                         return NT_STATUS_UNSUCCESSFUL;
1739                 }
1740                 
1741                 SAFE_FREE(utf8_dn);
1742                 SAFE_FREE(utf8_password);
1743                 ber_free(ber, 1);
1744
1745                 if (!ldap_state->is_nds_ldap) {
1746                         rc = smbldap_extended_operation(ldap_state->smbldap_state, 
1747                                                         LDAP_EXOP_MODIFY_PASSWD,
1748                                                         bv, NULL, NULL, &retoid, 
1749                                                         &retdata);
1750                 } else {
1751                         rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
1752                                                         pdb_get_plaintext_passwd(newpwd));
1753                 }
1754                 if (rc != LDAP_SUCCESS) {
1755                         char *ld_error = NULL;
1756
1757                         if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1758                                 DEBUG(3, ("Could not set userPassword "
1759                                           "attribute due to an objectClass "
1760                                           "violation -- ignoring\n"));
1761                                 ber_bvfree(bv);
1762                                 return NT_STATUS_OK;
1763                         }
1764
1765                         ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1766                                         &ld_error);
1767                         DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1768                                 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1769                         SAFE_FREE(ld_error);
1770                         ber_bvfree(bv);
1771 #if defined(LDAP_CONSTRAINT_VIOLATION)
1772                         if (rc == LDAP_CONSTRAINT_VIOLATION)
1773                                 return NT_STATUS_PASSWORD_RESTRICTION;
1774 #endif
1775                         return NT_STATUS_UNSUCCESSFUL;
1776                 } else {
1777                         DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1778 #ifdef DEBUG_PASSWORD
1779                         DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1780 #endif    
1781                         if (retdata)
1782                                 ber_bvfree(retdata);
1783                         if (retoid)
1784                                 ldap_memfree(retoid);
1785                 }
1786                 ber_bvfree(bv);
1787         }
1788         return NT_STATUS_OK;
1789 }
1790
1791 /**********************************************************************
1792  Delete entry from LDAP for username.
1793 *********************************************************************/
1794
1795 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
1796                                            struct samu * sam_acct)
1797 {
1798         struct ldapsam_privates *priv =
1799                 (struct ldapsam_privates *)my_methods->private_data;
1800         const char *sname;
1801         int rc;
1802         LDAPMessage *msg, *entry;
1803         NTSTATUS result = NT_STATUS_NO_MEMORY;
1804         const char **attr_list;
1805         TALLOC_CTX *mem_ctx;
1806
1807         if (!sam_acct) {
1808                 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1809                 return NT_STATUS_INVALID_PARAMETER;
1810         }
1811
1812         sname = pdb_get_username(sam_acct);
1813
1814         DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
1815                   "LDAP.\n", sname));
1816
1817         mem_ctx = talloc_new(NULL);
1818         if (mem_ctx == NULL) {
1819                 DEBUG(0, ("talloc_new failed\n"));
1820                 goto done;
1821         }
1822
1823         attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
1824         if (attr_list == NULL) {
1825                 goto done;
1826         }
1827
1828         rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
1829
1830         if ((rc != LDAP_SUCCESS) ||
1831             (ldap_count_entries(priv2ld(priv), msg) != 1) ||
1832             ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
1833                 DEBUG(5, ("Could not find user %s\n", sname));
1834                 result = NT_STATUS_NO_SUCH_USER;
1835                 goto done;
1836         }
1837         
1838         rc = ldapsam_delete_entry(
1839                 priv, mem_ctx, entry,
1840                 priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
1841                 LDAP_OBJ_SAMBASAMACCOUNT : LDAP_OBJ_SAMBAACCOUNT,
1842                 attr_list);
1843
1844         result = (rc == LDAP_SUCCESS) ?
1845                 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1846
1847  done:
1848         TALLOC_FREE(mem_ctx);
1849         return result;
1850 }
1851
1852 /**********************************************************************
1853  Helper function to determine for update_sam_account whether
1854  we need LDAP modification.
1855 *********************************************************************/
1856
1857 static bool element_is_changed(const struct samu *sampass,
1858                                enum pdb_elements element)
1859 {
1860         return IS_SAM_CHANGED(sampass, element);
1861 }
1862
1863 /**********************************************************************
1864  Update struct samu.
1865 *********************************************************************/
1866
1867 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
1868 {
1869         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1870         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1871         int rc = 0;
1872         char *dn;
1873         LDAPMessage *result = NULL;
1874         LDAPMessage *entry = NULL;
1875         LDAPMod **mods = NULL;
1876         const char **attr_list;
1877
1878         result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
1879         if (!result) {
1880                 attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1881                 if (pdb_get_username(newpwd) == NULL) {
1882                         return NT_STATUS_INVALID_PARAMETER;
1883                 }
1884                 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1885                 TALLOC_FREE( attr_list );
1886                 if (rc != LDAP_SUCCESS) {
1887                         return NT_STATUS_UNSUCCESSFUL;
1888                 }
1889                 pdb_set_backend_private_data(newpwd, result, NULL,
1890                                              my_methods, PDB_CHANGED);
1891                 talloc_autofree_ldapmsg(newpwd, result);
1892         }
1893
1894         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1895                 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1896                 return NT_STATUS_UNSUCCESSFUL;
1897         }
1898
1899         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1900         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1901         if (!dn) {
1902                 return NT_STATUS_UNSUCCESSFUL;
1903         }
1904
1905         DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1906
1907         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1908                                 element_is_changed)) {
1909                 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1910                 SAFE_FREE(dn);
1911                 if (mods != NULL)
1912                         ldap_mods_free(mods,True);
1913                 return NT_STATUS_UNSUCCESSFUL;
1914         }
1915         
1916         if (mods == NULL) {
1917                 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1918                          pdb_get_username(newpwd)));
1919                 SAFE_FREE(dn);
1920                 return NT_STATUS_OK;
1921         }
1922         
1923         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1924         ldap_mods_free(mods,True);
1925         SAFE_FREE(dn);
1926
1927         /*
1928          * We need to set the backend private data to NULL here. For example
1929          * setuserinfo level 25 does a pdb_update_sam_account twice on the
1930          * same one, and with the explicit delete / add logic for attribute
1931          * values the second time we would use the wrong "old" value which
1932          * does not exist in LDAP anymore. Thus the LDAP server would refuse
1933          * the update.
1934          * The existing LDAPMessage is still being auto-freed by the
1935          * destructor.
1936          */
1937         pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
1938                                      PDB_CHANGED);
1939
1940         if (!NT_STATUS_IS_OK(ret)) {
1941                 return ret;
1942         }
1943
1944         DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1945                   pdb_get_username(newpwd)));
1946         return NT_STATUS_OK;
1947 }
1948
1949 /***************************************************************************
1950  Renames a struct samu
1951  - The "rename user script" has full responsibility for changing everything
1952 ***************************************************************************/
1953
1954 static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
1955                                            struct samu *old_acct,
1956                                            const char *newname)
1957 {
1958         const char *oldname;
1959         int rc;
1960         char *rename_script = NULL;
1961         fstring oldname_lower, newname_lower;
1962
1963         if (!old_acct) {
1964                 DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
1965                 return NT_STATUS_INVALID_PARAMETER;
1966         }
1967         if (!newname) {
1968                 DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
1969                 return NT_STATUS_INVALID_PARAMETER;
1970         }
1971
1972         oldname = pdb_get_username(old_acct);
1973
1974         /* rename the posix user */
1975         rename_script = SMB_STRDUP(lp_renameuser_script());
1976         if (rename_script == NULL) {
1977                 return NT_STATUS_NO_MEMORY;
1978         }
1979
1980         if (!(*rename_script)) {
1981                 SAFE_FREE(rename_script);
1982                 return NT_STATUS_ACCESS_DENIED;
1983         }
1984
1985         DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
1986                    oldname, newname));
1987
1988         /* We have to allow the account name to end with a '$'.
1989            Also, follow the semantics in _samr_create_user() and lower case the
1990            posix name but preserve the case in passdb */
1991
1992         fstrcpy( oldname_lower, oldname );
1993         strlower_m( oldname_lower );
1994         fstrcpy( newname_lower, newname );
1995         strlower_m( newname_lower );
1996         rename_script = realloc_string_sub2(rename_script,
1997                                         "%unew",
1998                                         newname_lower,
1999                                         true,
2000                                         true);
2001         if (rename_script) {
2002                 return NT_STATUS_NO_MEMORY;
2003         }
2004         rename_script = realloc_string_sub2(rename_script,
2005                                         "%uold",
2006                                         oldname_lower,
2007                                         true,
2008                                         true);
2009         rc = smbrun(rename_script, NULL);
2010
2011         DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
2012                           rename_script, rc));
2013
2014         SAFE_FREE(rename_script);
2015
2016         if (rc == 0) {
2017                 smb_nscd_flush_user_cache();
2018         }
2019
2020         if (rc)
2021                 return NT_STATUS_UNSUCCESSFUL;
2022
2023         return NT_STATUS_OK;
2024 }
2025
2026 /**********************************************************************
2027  Helper function to determine for update_sam_account whether
2028  we need LDAP modification.
2029  *********************************************************************/
2030
2031 static bool element_is_set_or_changed(const struct samu *sampass,
2032                                       enum pdb_elements element)
2033 {
2034         return (IS_SAM_SET(sampass, element) ||
2035                 IS_SAM_CHANGED(sampass, element));
2036 }
2037
2038 /**********************************************************************
2039  Add struct samu to LDAP.
2040 *********************************************************************/
2041
2042 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
2043 {
2044         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2045         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2046         int rc;
2047         LDAPMessage     *result = NULL;
2048         LDAPMessage     *entry  = NULL;
2049         LDAPMod         **mods = NULL;
2050         int             ldap_op = LDAP_MOD_REPLACE;
2051         uint32          num_result;
2052         const char      **attr_list;
2053         char *escape_user = NULL;
2054         const char      *username = pdb_get_username(newpwd);
2055         const DOM_SID   *sid = pdb_get_user_sid(newpwd);
2056         char *filter = NULL;
2057         char *dn = NULL;
2058         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2059         TALLOC_CTX *ctx = talloc_init("ldapsam_add_sam_account");
2060
2061         if (!ctx) {
2062                 return NT_STATUS_NO_MEMORY;
2063         }
2064
2065         if (!username || !*username) {
2066                 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
2067                 status = NT_STATUS_INVALID_PARAMETER;
2068                 goto fn_exit;
2069         }
2070
2071         /* free this list after the second search or in case we exit on failure */
2072         attr_list = get_userattr_list(ctx, ldap_state->schema_ver);
2073
2074         rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
2075
2076         if (rc != LDAP_SUCCESS) {
2077                 goto fn_exit;
2078         }
2079
2080         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2081                 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n", 
2082                          username));
2083                 goto fn_exit;
2084         }
2085         ldap_msgfree(result);
2086         result = NULL;
2087
2088         if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
2089                 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
2090                                                   sid, &result);
2091                 if (rc == LDAP_SUCCESS) {
2092                         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2093                                 DEBUG(0,("ldapsam_add_sam_account: SID '%s' "
2094                                          "already in the base, with samba "
2095                                          "attributes\n", sid_string_dbg(sid)));
2096                                 goto fn_exit;
2097                         }
2098                         ldap_msgfree(result);
2099                         result = NULL;
2100                 }
2101         }
2102
2103         /* does the entry already exist but without a samba attributes?
2104            we need to return the samba attributes here */
2105
2106         escape_user = escape_ldap_string_alloc( username );
2107         filter = talloc_strdup(attr_list, "(uid=%u)");
2108         if (!filter) {
2109                 status = NT_STATUS_NO_MEMORY;
2110                 goto fn_exit;
2111         }
2112         filter = talloc_all_string_sub(attr_list, filter, "%u", escape_user);
2113         if (!filter) {
2114                 status = NT_STATUS_NO_MEMORY;
2115                 goto fn_exit;
2116         }
2117         SAFE_FREE(escape_user);
2118
2119         rc = smbldap_search_suffix(ldap_state->smbldap_state,
2120                                    filter, attr_list, &result);
2121         if ( rc != LDAP_SUCCESS ) {
2122                 goto fn_exit;
2123         }
2124
2125         num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2126
2127         if (num_result > 1) {
2128                 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
2129                 goto fn_exit;
2130         }
2131
2132         /* Check if we need to update an existing entry */
2133         if (num_result == 1) {
2134                 char *tmp;
2135
2136                 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2137                 ldap_op = LDAP_MOD_REPLACE;
2138                 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2139                 tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2140                 if (!tmp) {
2141                         goto fn_exit;
2142                 }
2143                 dn = talloc_asprintf(ctx, "%s", tmp);
2144                 SAFE_FREE(tmp);
2145                 if (!dn) {
2146                         status = NT_STATUS_NO_MEMORY;
2147                         goto fn_exit;
2148                 }
2149
2150         } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
2151
2152                 /* There might be a SID for this account already - say an idmap entry */
2153
2154                 filter = talloc_asprintf(ctx,
2155                                 "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
2156                                  get_userattr_key2string(ldap_state->schema_ver,
2157                                          LDAP_ATTR_USER_SID),
2158                                  sid_string_talloc(ctx, sid),
2159                                  LDAP_OBJ_IDMAP_ENTRY,
2160                                  LDAP_OBJ_SID_ENTRY);
2161                 if (!filter) {
2162                         status = NT_STATUS_NO_MEMORY;
2163                         goto fn_exit;
2164                 }
2165
2166                 /* free old result before doing a new search */
2167                 if (result != NULL) {
2168                         ldap_msgfree(result);
2169                         result = NULL;
2170                 }
2171                 rc = smbldap_search_suffix(ldap_state->smbldap_state,
2172                                            filter, attr_list, &result);
2173
2174                 if ( rc != LDAP_SUCCESS ) {
2175                         goto fn_exit;
2176                 }
2177
2178                 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2179
2180                 if (num_result > 1) {
2181                         DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
2182                         goto fn_exit;
2183                 }
2184
2185                 /* Check if we need to update an existing entry */
2186                 if (num_result == 1) {
2187                         char *tmp;
2188
2189                         DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2190                         ldap_op = LDAP_MOD_REPLACE;
2191                         entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2192                         tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
2193                         if (!tmp) {
2194                                 goto fn_exit;
2195                         }
2196                         dn = talloc_asprintf(ctx, "%s", tmp);
2197                         SAFE_FREE(tmp);
2198                         if (!dn) {
2199                                 status = NT_STATUS_NO_MEMORY;
2200                                 goto fn_exit;
2201                         }
2202                 }
2203         }
2204
2205         if (num_result == 0) {
2206                 char *escape_username;
2207                 /* Check if we need to add an entry */
2208                 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
2209                 ldap_op = LDAP_MOD_ADD;
2210
2211                 escape_username = escape_rdn_val_string_alloc(username);
2212                 if (!escape_username) {
2213                         status = NT_STATUS_NO_MEMORY;
2214                         goto fn_exit;
2215                 }
2216
2217                 if (username[strlen(username)-1] == '$') {
2218                         dn = talloc_asprintf(ctx,
2219                                         "uid=%s,%s",
2220                                         escape_username,
2221                                         lp_ldap_machine_suffix());
2222                 } else {
2223                         dn = talloc_asprintf(ctx,
2224                                         "uid=%s,%s",
2225                                         escape_username,
2226                                         lp_ldap_user_suffix());
2227                 }
2228
2229                 SAFE_FREE(escape_username);
2230                 if (!dn) {
2231                         status = NT_STATUS_NO_MEMORY;
2232                         goto fn_exit;
2233                 }
2234         }
2235
2236         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2237                                 element_is_set_or_changed)) {
2238                 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2239                 if (mods != NULL) {
2240                         ldap_mods_free(mods, true);
2241                 }
2242                 goto fn_exit;
2243         }
2244
2245         if (mods == NULL) {
2246                 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2247                 goto fn_exit;
2248         }
2249         switch ( ldap_state->schema_ver ) {
2250                 case SCHEMAVER_SAMBAACCOUNT:
2251                         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
2252                         break;
2253                 case SCHEMAVER_SAMBASAMACCOUNT:
2254                         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2255                         break;
2256                 default:
2257                         DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2258                         break;
2259         }
2260
2261         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
2262         if (!NT_STATUS_IS_OK(ret)) {
2263                 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
2264                          pdb_get_username(newpwd),dn));
2265                 ldap_mods_free(mods, true);
2266                 goto fn_exit;
2267         }
2268
2269         DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2270         ldap_mods_free(mods, true);
2271
2272         status = NT_STATUS_OK;
2273
2274   fn_exit:
2275
2276         TALLOC_FREE(ctx);
2277         SAFE_FREE(escape_user);
2278         if (result) {
2279                 ldap_msgfree(result);
2280         }
2281         return status;
2282 }
2283
2284 /**********************************************************************
2285  *********************************************************************/
2286
2287 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2288                                      const char *filter,
2289                                      LDAPMessage ** result)
2290 {
2291         int scope = LDAP_SCOPE_SUBTREE;
2292         int rc;
2293         const char **attr_list;
2294
2295         attr_list = get_attr_list(NULL, groupmap_attr_list);
2296         rc = smbldap_search(ldap_state->smbldap_state,
2297                             lp_ldap_group_suffix (), scope,
2298                             filter, attr_list, 0, result);
2299         TALLOC_FREE(attr_list);
2300
2301         return rc;
2302 }
2303
2304 /**********************************************************************
2305  *********************************************************************/
2306
2307 static bool init_group_from_ldap(struct ldapsam_privates *ldap_state,
2308                                  GROUP_MAP *map, LDAPMessage *entry)
2309 {
2310         char *temp = NULL;
2311         TALLOC_CTX *ctx = talloc_init("init_group_from_ldap");
2312
2313         if (ldap_state == NULL || map == NULL || entry == NULL ||
2314                         ldap_state->smbldap_state->ldap_struct == NULL) {
2315                 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2316                 TALLOC_FREE(ctx);
2317                 return false;
2318         }
2319
2320         temp = smbldap_talloc_single_attribute(
2321                         ldap_state->smbldap_state->ldap_struct,
2322                         entry,
2323                         get_attr_key2string(groupmap_attr_list,
2324                                 LDAP_ATTR_GIDNUMBER),
2325                         ctx);
2326         if (!temp) {
2327                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n", 
2328                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2329                 TALLOC_FREE(ctx);
2330                 return false;
2331         }
2332         DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2333
2334         map->gid = (gid_t)atol(temp);
2335
2336         TALLOC_FREE(temp);
2337         temp = smbldap_talloc_single_attribute(
2338                         ldap_state->smbldap_state->ldap_struct,
2339                         entry,
2340                         get_attr_key2string(groupmap_attr_list,
2341                                 LDAP_ATTR_GROUP_SID),
2342                         ctx);
2343         if (!temp) {
2344                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2345                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2346                 TALLOC_FREE(ctx);
2347                 return false;
2348         }
2349
2350         if (!string_to_sid(&map->sid, temp)) {
2351                 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2352                 TALLOC_FREE(ctx);
2353                 return false;
2354         }
2355
2356         TALLOC_FREE(temp);
2357         temp = smbldap_talloc_single_attribute(
2358                         ldap_state->smbldap_state->ldap_struct,
2359                         entry,
2360                         get_attr_key2string(groupmap_attr_list,
2361                                 LDAP_ATTR_GROUP_TYPE),
2362                         ctx);
2363         if (!temp) {
2364                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2365                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2366                 TALLOC_FREE(ctx);
2367                 return false;
2368         }
2369         map->sid_name_use = (enum lsa_SidType)atol(temp);
2370
2371         if ((map->sid_name_use < SID_NAME_USER) ||
2372                         (map->sid_name_use > SID_NAME_UNKNOWN)) {
2373                 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2374                 TALLOC_FREE(ctx);
2375                 return false;
2376         }
2377
2378         TALLOC_FREE(temp);
2379         temp = smbldap_talloc_single_attribute(
2380                         ldap_state->smbldap_state->ldap_struct,
2381                         entry,
2382                         get_attr_key2string(groupmap_attr_list,
2383                                 LDAP_ATTR_DISPLAY_NAME),
2384                         ctx);
2385         if (!temp) {
2386                 temp = smbldap_talloc_single_attribute(
2387                                 ldap_state->smbldap_state->ldap_struct,
2388                                 entry,
2389                                 get_attr_key2string(groupmap_attr_list,
2390                                         LDAP_ATTR_CN),
2391                                 ctx);
2392                 if (!temp) {
2393                         DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2394 for gidNumber(%lu)\n",(unsigned long)map->gid));
2395                         TALLOC_FREE(ctx);
2396                         return false;
2397                 }
2398         }
2399         fstrcpy(map->nt_name, temp);
2400
2401         TALLOC_FREE(temp);
2402         temp = smbldap_talloc_single_attribute(
2403                         ldap_state->smbldap_state->ldap_struct,
2404                         entry,
2405                         get_attr_key2string(groupmap_attr_list,
2406                                 LDAP_ATTR_DESC),
2407                         ctx);
2408         if (!temp) {
2409                 temp = talloc_strdup(ctx, "");
2410                 if (!temp) {
2411                         TALLOC_FREE(ctx);
2412                         return false;
2413                 }
2414         }
2415         fstrcpy(map->comment, temp);
2416
2417         if (lp_parm_bool(-1, "ldapsam", "trusted", false)) {
2418                 store_gid_sid_cache(&map->sid, map->gid);
2419         }
2420
2421         TALLOC_FREE(ctx);
2422         return true;
2423 }
2424
2425 /**********************************************************************
2426  *********************************************************************/
2427
2428 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2429                                  const char *filter,
2430                                  GROUP_MAP *map)
2431 {
2432         struct ldapsam_privates *ldap_state =
2433                 (struct ldapsam_privates *)methods->private_data;
2434         LDAPMessage *result = NULL;
2435         LDAPMessage *entry = NULL;
2436         int count;
2437
2438         if (ldapsam_search_one_group(ldap_state, filter, &result)
2439             != LDAP_SUCCESS) {
2440                 return NT_STATUS_NO_SUCH_GROUP;
2441         }
2442
2443         count = ldap_count_entries(priv2ld(ldap_state), result);
2444
2445         if (count < 1) {
2446                 DEBUG(4, ("ldapsam_getgroup: Did not find group, filter was "
2447                           "%s\n", filter));
2448                 ldap_msgfree(result);
2449                 return NT_STATUS_NO_SUCH_GROUP;
2450         }
2451
2452         if (count > 1) {
2453                 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2454                           "count=%d\n", filter, count));
2455                 ldap_msgfree(result);
2456                 return NT_STATUS_NO_SUCH_GROUP;
2457         }
2458
2459         entry = ldap_first_entry(priv2ld(ldap_state), result);
2460
2461         if (!entry) {
2462                 ldap_msgfree(result);
2463                 return NT_STATUS_UNSUCCESSFUL;
2464         }
2465
2466         if (!init_group_from_ldap(ldap_state, map, entry)) {
2467                 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
2468                           "group filter %s\n", filter));
2469                 ldap_msgfree(result);
2470                 return NT_STATUS_NO_SUCH_GROUP;
2471         }
2472
2473         ldap_msgfree(result);
2474         return NT_STATUS_OK;
2475 }
2476
2477 /**********************************************************************
2478  *********************************************************************/
2479
2480 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2481                                  DOM_SID sid)
2482 {
2483         char *filter = NULL;
2484         NTSTATUS status;
2485         fstring tmp;
2486
2487         if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
2488                 LDAP_OBJ_GROUPMAP,
2489                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2490                 sid_to_fstring(tmp, &sid)) < 0) {
2491                 return NT_STATUS_NO_MEMORY;
2492         }
2493
2494         status = ldapsam_getgroup(methods, filter, map);
2495         SAFE_FREE(filter);
2496         return status;
2497 }
2498
2499 /**********************************************************************
2500  *********************************************************************/
2501
2502 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2503                                  gid_t gid)
2504 {
2505         char *filter = NULL;
2506         NTSTATUS status;
2507
2508         if (asprintf(&filter, "(&(objectClass=%s)(%s=%lu))",
2509                 LDAP_OBJ_GROUPMAP,
2510                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2511                 (unsigned long)gid) < 0) {
2512                 return NT_STATUS_NO_MEMORY;
2513         }
2514
2515         status = ldapsam_getgroup(methods, filter, map);
2516         SAFE_FREE(filter);
2517         return status;
2518 }
2519
2520 /**********************************************************************
2521  *********************************************************************/
2522
2523 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2524                                  const char *name)
2525 {
2526         char *filter = NULL;
2527         char *escape_name = escape_ldap_string_alloc(name);
2528         NTSTATUS status;
2529
2530         if (!escape_name) {
2531                 return NT_STATUS_NO_MEMORY;
2532         }
2533
2534         if (asprintf(&filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2535                 LDAP_OBJ_GROUPMAP,
2536                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2537                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN),
2538                 escape_name) < 0) {
2539                 SAFE_FREE(escape_name);
2540                 return NT_STATUS_NO_MEMORY;
2541         }
2542
2543         SAFE_FREE(escape_name);
2544         status = ldapsam_getgroup(methods, filter, map);
2545         SAFE_FREE(filter);
2546         return status;
2547 }
2548
2549 static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
2550                                            LDAPMessage *entry,
2551                                            const DOM_SID *domain_sid,
2552                                            uint32 *rid)
2553 {
2554         fstring str;
2555         DOM_SID sid;
2556
2557         if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
2558                                           str, sizeof(str)-1)) {
2559                 DEBUG(10, ("Could not find sambaSID attribute\n"));
2560                 return False;
2561         }
2562
2563         if (!string_to_sid(&sid, str)) {
2564                 DEBUG(10, ("Could not convert string %s to sid\n", str));
2565                 return False;
2566         }
2567
2568         if (sid_compare_domain(&sid, domain_sid) != 0) {
2569                 DEBUG(10, ("SID %s is not in expected domain %s\n",
2570                            str, sid_string_dbg(domain_sid)));
2571                 return False;
2572         }
2573
2574         if (!sid_peek_rid(&sid, rid)) {
2575                 DEBUG(10, ("Could not peek into RID\n"));
2576                 return False;
2577         }
2578
2579         return True;
2580 }
2581
2582 static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
2583                                            TALLOC_CTX *mem_ctx,
2584                                            const DOM_SID *group,
2585                                            uint32 **pp_member_rids,
2586                                            size_t *p_num_members)
2587 {
2588         struct ldapsam_privates *ldap_state =
2589                 (struct ldapsam_privates *)methods->private_data;
2590         struct smbldap_state *conn = ldap_state->smbldap_state;
2591         const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
2592         const char *sid_attrs[] = { "sambaSID", NULL };
2593         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2594         LDAPMessage *result = NULL;
2595         LDAPMessage *entry;
2596         char *filter;
2597         char **values = NULL;
2598         char **memberuid;
2599         char *gidstr;
2600         int rc, count;
2601
2602         *pp_member_rids = NULL;
2603         *p_num_members = 0;
2604
2605         filter = talloc_asprintf(mem_ctx,
2606                                  "(&(objectClass=%s)"
2607                                  "(objectClass=%s)"
2608                                  "(sambaSID=%s))",
2609                                  LDAP_OBJ_POSIXGROUP,
2610                                  LDAP_OBJ_GROUPMAP,
2611                                  sid_string_talloc(mem_ctx, group));
2612         if (filter == NULL) {
2613                 ret = NT_STATUS_NO_MEMORY;
2614                 goto done;
2615         }
2616
2617         rc = smbldap_search(conn, lp_ldap_group_suffix(),
2618                             LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
2619                             &result);
2620
2621         if (rc != LDAP_SUCCESS)
2622                 goto done;
2623
2624         talloc_autofree_ldapmsg(mem_ctx, result);
2625
2626         count = ldap_count_entries(conn->ldap_struct, result);
2627
2628         if (count > 1) {
2629                 DEBUG(1, ("Found more than one groupmap entry for %s\n",
2630                           sid_string_dbg(group)));
2631                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2632                 goto done;
2633         }
2634
2635         if (count == 0) {
2636                 ret = NT_STATUS_NO_SUCH_GROUP;
2637                 goto done;
2638         }
2639
2640         entry = ldap_first_entry(conn->ldap_struct, result);
2641         if (entry == NULL)
2642                 goto done;
2643
2644         gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2645         if (!gidstr) {
2646                 DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
2647                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2648                 goto done;
2649         }
2650
2651         values = ldap_get_values(conn->ldap_struct, entry, "memberUid");
2652
2653         if (values) {
2654
2655                 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
2656                 if (filter == NULL) {
2657                         ret = NT_STATUS_NO_MEMORY;
2658                         goto done;
2659                 }
2660
2661                 for (memberuid = values; *memberuid != NULL; memberuid += 1) {
2662                         char *escape_memberuid;
2663
2664                         escape_memberuid = escape_ldap_string_alloc(*memberuid);
2665                         if (escape_memberuid == NULL) {
2666                                 ret = NT_STATUS_NO_MEMORY;
2667                                 goto done;
2668                         }
2669                         
2670                         filter = talloc_asprintf_append_buffer(filter, "(uid=%s)", escape_memberuid);
2671                         if (filter == NULL) {
2672                                 SAFE_FREE(escape_memberuid);
2673                                 ret = NT_STATUS_NO_MEMORY;
2674                                 goto done;
2675                         }
2676
2677                         SAFE_FREE(escape_memberuid);
2678                 }
2679
2680                 filter = talloc_asprintf_append_buffer(filter, "))");
2681                 if (filter == NULL) {
2682                         ret = NT_STATUS_NO_MEMORY;
2683                         goto done;
2684                 }
2685
2686                 rc = smbldap_search(conn, lp_ldap_user_suffix(),
2687                                     LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2688                                     &result);
2689
2690                 if (rc != LDAP_SUCCESS)
2691                         goto done;
2692
2693                 count = ldap_count_entries(conn->ldap_struct, result);
2694                 DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
2695
2696                 talloc_autofree_ldapmsg(mem_ctx, result);
2697
2698                 for (entry = ldap_first_entry(conn->ldap_struct, result);
2699                      entry != NULL;
2700                      entry = ldap_next_entry(conn->ldap_struct, entry))
2701                 {
2702                         char *sidstr;
2703                         DOM_SID sid;
2704                         uint32 rid;
2705
2706                         sidstr = smbldap_talloc_single_attribute(conn->ldap_struct,
2707                                                                  entry, "sambaSID",
2708                                                                  mem_ctx);
2709                         if (!sidstr) {
2710                                 DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
2711                                           "the sambaSID attribute\n"));
2712                                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2713                                 goto done;
2714                         }
2715
2716                         if (!string_to_sid(&sid, sidstr))
2717                                 goto done;
2718
2719                         if (!sid_check_is_in_our_domain(&sid)) {
2720                                 DEBUG(0, ("Inconsistent SAM -- group member uid not "
2721                                           "in our domain\n"));
2722                                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2723                                 goto done;
2724                         }
2725
2726                         sid_peek_rid(&sid, &rid);
2727
2728                         if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2729                                                 p_num_members)) {
2730                                 ret = NT_STATUS_NO_MEMORY;
2731                                 goto done;
2732                         }
2733                 }
2734         }
2735
2736         filter = talloc_asprintf(mem_ctx,
2737                                  "(&(objectClass=%s)"
2738                                  "(gidNumber=%s))",
2739                                  LDAP_OBJ_SAMBASAMACCOUNT,
2740                                  gidstr);
2741
2742         rc = smbldap_search(conn, lp_ldap_user_suffix(),
2743                             LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2744                             &result);
2745
2746         if (rc != LDAP_SUCCESS)
2747                 goto done;
2748
2749         talloc_autofree_ldapmsg(mem_ctx, result);
2750
2751         for (entry = ldap_first_entry(conn->ldap_struct, result);
2752              entry != NULL;
2753              entry = ldap_next_entry(conn->ldap_struct, entry))
2754         {
2755                 uint32 rid;
2756
2757                 if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
2758                                                     entry,
2759                                                     get_global_sam_sid(),
2760                                                     &rid)) {
2761                         DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
2762                                   "the sambaSID attribute\n"));
2763                         ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2764                         goto done;
2765                 }
2766
2767                 if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2768                                         p_num_members)) {
2769                         ret = NT_STATUS_NO_MEMORY;
2770                         goto done;
2771                 }
2772         }
2773
2774         ret = NT_STATUS_OK;
2775         
2776  done:
2777
2778         if (values)
2779                 ldap_value_free(values);
2780
2781         return ret;
2782 }
2783
2784 static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2785                                                TALLOC_CTX *mem_ctx,
2786                                                struct samu *user,
2787                                                DOM_SID **pp_sids,
2788                                                gid_t **pp_gids,
2789                                                size_t *p_num_groups)
2790 {
2791         struct ldapsam_privates *ldap_state =
2792                 (struct ldapsam_privates *)methods->private_data;
2793         struct smbldap_state *conn = ldap_state->smbldap_state;
2794         char *filter;
2795         const char *attrs[] = { "gidNumber", "sambaSID", NULL };
2796         char *escape_name;
2797         int rc, count;
2798         LDAPMessage *result = NULL;
2799         LDAPMessage *entry;
2800         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2801         size_t num_sids, num_gids;
2802         char *gidstr;
2803         gid_t primary_gid = -1;
2804
2805         *pp_sids = NULL;
2806         num_sids = 0;
2807
2808         if (pdb_get_username(user) == NULL) {
2809                 return NT_STATUS_INVALID_PARAMETER;
2810         }
2811
2812         escape_name = escape_ldap_string_alloc(pdb_get_username(user));
2813         if (escape_name == NULL)
2814                 return NT_STATUS_NO_MEMORY;
2815
2816         /* retrieve the users primary gid */
2817         filter = talloc_asprintf(mem_ctx,
2818                                  "(&(objectClass=%s)(uid=%s))",
2819                                  LDAP_OBJ_SAMBASAMACCOUNT,
2820                                  escape_name);
2821         if (filter == NULL) {
2822                 ret = NT_STATUS_NO_MEMORY;
2823                 goto done;
2824         }
2825
2826         rc = smbldap_search(conn, lp_ldap_user_suffix(),
2827                             LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2828
2829         if (rc != LDAP_SUCCESS)
2830                 goto done;
2831
2832         talloc_autofree_ldapmsg(mem_ctx, result);
2833
2834         count = ldap_count_entries(priv2ld(ldap_state), result);
2835
2836         switch (count) {
2837         case 0: 
2838                 DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
2839                 ret = NT_STATUS_NO_SUCH_USER;
2840                 goto done;
2841         case 1:
2842                 entry = ldap_first_entry(priv2ld(ldap_state), result);
2843
2844                 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2845                 if (!gidstr) {
2846                         DEBUG (1, ("Unable to find the member's gid!\n"));
2847                         ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2848                         goto done;
2849                 }
2850                 primary_gid = strtoul(gidstr, NULL, 10);
2851                 break;
2852         default:
2853                 DEBUG(1, ("found more than one account with the same user name ?!\n"));
2854                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2855                 goto done;
2856         }
2857
2858         filter = talloc_asprintf(mem_ctx,
2859                                  "(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%d)))",
2860                                  LDAP_OBJ_POSIXGROUP, escape_name, primary_gid);
2861         if (filter == NULL) {
2862                 ret = NT_STATUS_NO_MEMORY;
2863                 goto done;
2864         }
2865
2866         rc = smbldap_search(conn, lp_ldap_group_suffix(),
2867                             LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2868
2869         if (rc != LDAP_SUCCESS)
2870                 goto done;
2871
2872         talloc_autofree_ldapmsg(mem_ctx, result);
2873
2874         num_gids = 0;
2875         *pp_gids = NULL;
2876
2877         num_sids = 0;
2878         *pp_sids = NULL;
2879
2880         /* We need to add the primary group as the first gid/sid */
2881
2882         if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) {
2883                 ret = NT_STATUS_NO_MEMORY;
2884                 goto done;
2885         }
2886
2887         /* This sid will be replaced later */
2888
2889         ret = add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids,
2890                                       &num_sids);
2891         if (!NT_STATUS_IS_OK(ret)) {
2892                 goto done;
2893         }
2894
2895         for (entry = ldap_first_entry(conn->ldap_struct, result);
2896              entry != NULL;
2897              entry = ldap_next_entry(conn->ldap_struct, entry))
2898         {
2899                 fstring str;
2900                 DOM_SID sid;
2901                 gid_t gid;
2902                 char *end;
2903
2904                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2905                                                   entry, "sambaSID",
2906                                                   str, sizeof(str)-1))
2907                         continue;
2908
2909                 if (!string_to_sid(&sid, str))
2910                         goto done;
2911
2912                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2913                                                   entry, "gidNumber",
2914                                                   str, sizeof(str)-1))
2915                         continue;
2916
2917                 gid = strtoul(str, &end, 10);
2918
2919                 if (PTR_DIFF(end, str) != strlen(str))
2920                         goto done;
2921
2922                 if (gid == primary_gid) {
2923                         sid_copy(&(*pp_sids)[0], &sid);
2924                 } else {
2925                         if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids,
2926                                                 &num_gids)) {
2927                                 ret = NT_STATUS_NO_MEMORY;
2928                                 goto done;
2929                         }
2930                         ret = add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
2931                                                       &num_sids);
2932                         if (!NT_STATUS_IS_OK(ret)) {
2933                                 goto done;
2934                         }
2935                 }
2936         }
2937
2938         if (sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
2939                 DEBUG(3, ("primary group of [%s] not found\n",
2940                           pdb_get_username(user)));
2941                 goto done;
2942         }
2943
2944         *p_num_groups = num_sids;
2945
2946         ret = NT_STATUS_OK;
2947
2948  done:
2949
2950         SAFE_FREE(escape_name);
2951         return ret;
2952 }
2953
2954 /**********************************************************************
2955  * Augment a posixGroup object with a sambaGroupMapping domgroup
2956  *********************************************************************/
2957
2958 static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
2959                                        struct ldapsam_privates *ldap_state,
2960                                        GROUP_MAP *map)
2961 {
2962         const char *filter, *dn;
2963         LDAPMessage *msg, *entry;
2964         LDAPMod **mods;
2965         int rc;
2966
2967         filter = talloc_asprintf(mem_ctx,
2968                                  "(&(objectClass=posixGroup)(gidNumber=%u))",
2969                                  map->gid);
2970         if (filter == NULL) {
2971                 return NT_STATUS_NO_MEMORY;
2972         }
2973
2974         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
2975                                    get_attr_list(mem_ctx, groupmap_attr_list),
2976                                    &msg);
2977         talloc_autofree_ldapmsg(mem_ctx, msg);
2978
2979         if ((rc != LDAP_SUCCESS) ||
2980             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
2981             ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
2982                 return NT_STATUS_NO_SUCH_GROUP;
2983         }
2984
2985         dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
2986         if (dn == NULL) {
2987                 return NT_STATUS_NO_MEMORY;
2988         }
2989
2990         mods = NULL;
2991         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
2992                         "sambaGroupMapping");
2993         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaSid",
2994                          sid_string_talloc(mem_ctx, &map->sid));
2995         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaGroupType",
2996                          talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
2997         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
2998                          map->nt_name);
2999         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
3000                          map->comment);
3001         talloc_autofree_ldapmod(mem_ctx, mods);
3002
3003         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3004         if (rc != LDAP_SUCCESS) {
3005                 return NT_STATUS_ACCESS_DENIED;
3006         }
3007
3008         return NT_STATUS_OK;
3009 }
3010
3011 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
3012                                                 GROUP_MAP *map)
3013 {
3014         struct ldapsam_privates *ldap_state =
3015                 (struct ldapsam_privates *)methods->private_data;
3016         LDAPMessage *msg = NULL;
3017         LDAPMod **mods = NULL;
3018         const char *attrs[] = { NULL };
3019         char *filter;
3020
3021         char *dn;
3022         TALLOC_CTX *mem_ctx;
3023         NTSTATUS result;
3024
3025         DOM_SID sid;
3026
3027         int rc;
3028
3029         mem_ctx = talloc_new(NULL);
3030         if (mem_ctx == NULL) {
3031                 DEBUG(0, ("talloc_new failed\n"));
3032                 return NT_STATUS_NO_MEMORY;
3033         }
3034
3035         filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
3036                                  sid_string_talloc(mem_ctx, &map->sid));
3037         if (filter == NULL) {
3038                 result = NT_STATUS_NO_MEMORY;
3039                 goto done;
3040         }
3041
3042         rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
3043                             LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
3044         talloc_autofree_ldapmsg(mem_ctx, msg);
3045
3046         if ((rc == LDAP_SUCCESS) &&
3047             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) > 0)) {
3048
3049                 DEBUG(3, ("SID %s already present in LDAP, refusing to add "
3050                           "group mapping entry\n", sid_string_dbg(&map->sid)));
3051                 result = NT_STATUS_GROUP_EXISTS;
3052                 goto done;
3053         }
3054
3055         switch (map->sid_name_use) {
3056
3057         case SID_NAME_DOM_GRP:
3058                 /* To map a domain group we need to have a posix group
3059                    to attach to. */
3060                 result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
3061                 goto done;
3062                 break;
3063
3064         case SID_NAME_ALIAS:
3065                 if (!sid_check_is_in_our_domain(&map->sid) 
3066                         && !sid_check_is_in_builtin(&map->sid) ) 
3067                 {
3068                         DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
3069                                   sid_string_dbg(&map->sid)));
3070                         result = NT_STATUS_INVALID_PARAMETER;
3071                         goto done;
3072                 }
3073                 break;
3074
3075         default:
3076                 DEBUG(3, ("Got invalid use '%s' for mapping\n",
3077                           sid_type_lookup(map->sid_name_use)));
3078                 result = NT_STATUS_INVALID_PARAMETER;
3079                 goto done;
3080         }
3081
3082         /* Domain groups have been mapped in a separate routine, we have to
3083          * create an alias now */
3084
3085         if (map->gid == -1) {
3086                 DEBUG(10, ("Refusing to map gid==-1\n"));
3087                 result = NT_STATUS_INVALID_PARAMETER;
3088                 goto done;
3089         }
3090
3091         if (pdb_gid_to_sid(map->gid, &sid)) {
3092                 DEBUG(3, ("Gid %d is already mapped to SID %s, refusing to "
3093                           "add\n", map->gid, sid_string_dbg(&sid)));
3094                 result = NT_STATUS_GROUP_EXISTS;
3095                 goto done;
3096         }
3097
3098         /* Ok, enough checks done. It's still racy to go ahead now, but that's
3099          * the best we can get out of LDAP. */
3100
3101         dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
3102                              sid_string_talloc(mem_ctx, &map->sid),
3103                              lp_ldap_group_suffix());
3104         if (dn == NULL) {
3105                 result = NT_STATUS_NO_MEMORY;
3106                 goto done;
3107         }
3108
3109         mods = NULL;
3110
3111         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3112                          "sambaSidEntry");
3113         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3114                          "sambaGroupMapping");
3115
3116         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaSid",
3117                          sid_string_talloc(mem_ctx, &map->sid));
3118         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaGroupType",
3119                          talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3120         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "displayName",
3121                          map->nt_name);
3122         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "description",
3123                          map->comment);
3124         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "gidNumber",
3125                          talloc_asprintf(mem_ctx, "%u", map->gid));
3126         talloc_autofree_ldapmod(mem_ctx, mods);
3127
3128         rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
3129
3130         result = (rc == LDAP_SUCCESS) ?
3131                 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3132
3133  done:
3134         TALLOC_FREE(mem_ctx);
3135         return result;
3136 }
3137
3138 /**********************************************************************
3139  * Update a group mapping entry. We're quite strict about what can be changed:
3140  * Only the description and displayname may be changed. It simply does not
3141  * make any sense to change the SID, gid or the type in a mapping.
3142  *********************************************************************/
3143
3144 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
3145                                                    GROUP_MAP *map)
3146 {
3147         struct ldapsam_privates *ldap_state =
3148                 (struct ldapsam_privates *)methods->private_data;
3149         int rc;
3150         const char *filter, *dn;
3151         LDAPMessage *msg = NULL;
3152         LDAPMessage *entry = NULL;
3153         LDAPMod **mods = NULL;
3154         TALLOC_CTX *mem_ctx;
3155         NTSTATUS result;
3156
3157         mem_ctx = talloc_new(NULL);
3158         if (mem_ctx == NULL) {
3159                 DEBUG(0, ("talloc_new failed\n"));
3160                 return NT_STATUS_NO_MEMORY;
3161         }
3162
3163         /* Make 100% sure that sid, gid and type are not changed by looking up
3164          * exactly the values we're given in LDAP. */
3165
3166         filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)"
3167                                  "(sambaSid=%s)(gidNumber=%u)"
3168                                  "(sambaGroupType=%d))",
3169                                  LDAP_OBJ_GROUPMAP,
3170                                  sid_string_talloc(mem_ctx, &map->sid),
3171                                  map->gid, map->sid_name_use);
3172         if (filter == NULL) {
3173                 result = NT_STATUS_NO_MEMORY;
3174                 goto done;
3175         }
3176
3177         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
3178                                    get_attr_list(mem_ctx, groupmap_attr_list),
3179                                    &msg);
3180         talloc_autofree_ldapmsg(mem_ctx, msg);
3181
3182         if ((rc != LDAP_SUCCESS) ||
3183             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
3184             ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
3185                 result = NT_STATUS_NO_SUCH_GROUP;
3186                 goto done;
3187         }
3188
3189         dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
3190
3191         if (dn == NULL) {
3192                 result = NT_STATUS_NO_MEMORY;
3193                 goto done;
3194         }
3195
3196         mods = NULL;
3197         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
3198                          map->nt_name);
3199         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
3200                          map->comment);
3201         talloc_autofree_ldapmod(mem_ctx, mods);
3202
3203         if (mods == NULL) {
3204                 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: "
3205                           "nothing to do\n"));
3206                 result = NT_STATUS_OK;
3207                 goto done;
3208         }
3209
3210         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3211
3212         if (rc != LDAP_SUCCESS) {
3213                 result = NT_STATUS_ACCESS_DENIED;
3214                 goto done;
3215         }
3216
3217         DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified "
3218                   "group %lu in LDAP\n", (unsigned long)map->gid));
3219
3220         result = NT_STATUS_OK;
3221
3222  done:
3223         TALLOC_FREE(mem_ctx);
3224         return result;
3225 }
3226
3227 /**********************************************************************
3228  *********************************************************************/
3229
3230 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
3231                                                    DOM_SID sid)
3232 {
3233         struct ldapsam_privates *priv =
3234                 (struct ldapsam_privates *)methods->private_data;
3235         LDAPMessage *msg, *entry;
3236         int rc;
3237         NTSTATUS result;
3238         TALLOC_CTX *mem_ctx;
3239         char *filter;
3240
3241         mem_ctx = talloc_new(NULL);
3242         if (mem_ctx == NULL) {
3243                 DEBUG(0, ("talloc_new failed\n"));
3244                 return NT_STATUS_NO_MEMORY;
3245         }
3246
3247         filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
3248                                  LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
3249                                  sid_string_talloc(mem_ctx, &sid));
3250         if (filter == NULL) {
3251                 result = NT_STATUS_NO_MEMORY;
3252                 goto done;
3253         }
3254         rc = smbldap_search_suffix(priv->smbldap_state, filter,
3255                                    get_attr_list(mem_ctx, groupmap_attr_list),
3256                                    &msg);
3257         talloc_autofree_ldapmsg(mem_ctx, msg);
3258
3259         if ((rc != LDAP_SUCCESS) ||
3260             (ldap_count_entries(priv2ld(priv), msg) != 1) ||
3261             ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
3262                 result = NT_STATUS_NO_SUCH_GROUP;
3263                 goto done;
3264         }
3265
3266         rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP,
3267                                   get_attr_list(mem_ctx,
3268                                                 groupmap_attr_list_to_delete));
3269  
3270         if ((rc == LDAP_NAMING_VIOLATION) ||
3271             (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3272                 const char *attrs[] = { "sambaGroupType", "description",
3273                                         "displayName", "sambaSIDList",
3274                                         NULL };
3275
3276                 /* Second try. Don't delete the sambaSID attribute, this is
3277                    for "old" entries that are tacked on a winbind
3278                    sambaIdmapEntry. */
3279
3280                 rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3281                                           LDAP_OBJ_GROUPMAP, attrs);
3282         }
3283
3284         if ((rc == LDAP_NAMING_VIOLATION) ||
3285             (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3286                 const char *attrs[] = { "sambaGroupType", "description",
3287                                         "displayName", "sambaSIDList",
3288                                         "gidNumber", NULL };
3289
3290                 /* Third try. This is a post-3.0.21 alias (containing only
3291                  * sambaSidEntry and sambaGroupMapping classes), we also have
3292                  * to delete the gidNumber attribute, only the sambaSidEntry
3293                  * remains */
3294
3295                 rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3296                                           LDAP_OBJ_GROUPMAP, attrs);
3297         }
3298
3299         result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3300
3301  done:
3302         TALLOC_FREE(mem_ctx);
3303         return result;
3304  }
3305
3306 /**********************************************************************
3307  *********************************************************************/
3308
3309 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
3310                                     bool update)
3311 {
3312         struct ldapsam_privates *ldap_state =
3313                 (struct ldapsam_privates *)my_methods->private_data;
3314         char *filter = NULL;
3315         int rc;
3316         const char **attr_list;
3317
3318         filter = talloc_asprintf(NULL, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
3319         if (!filter) {
3320                 return NT_STATUS_NO_MEMORY;
3321         }
3322         attr_list = get_attr_list( NULL, groupmap_attr_list );
3323         rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
3324                             LDAP_SCOPE_SUBTREE, filter,
3325                             attr_list, 0, &ldap_state->result);
3326         TALLOC_FREE(attr_list);
3327
3328         if (rc != LDAP_SUCCESS) {
3329                 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
3330                           ldap_err2string(rc)));
3331                 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
3332                           lp_ldap_group_suffix(), filter));
3333                 ldap_msgfree(ldap_state->result);
3334                 ldap_state->result = NULL;
3335                 TALLOC_FREE(filter);
3336                 return NT_STATUS_UNSUCCESSFUL;
3337         }
3338
3339         TALLOC_FREE(filter);
3340
3341         DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
3342                   ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3343                                      ldap_state->result)));
3344
3345         ldap_state->entry =
3346                 ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3347                                  ldap_state->result);
3348         ldap_state->index = 0;
3349
3350         return NT_STATUS_OK;
3351 }
3352
3353 /**********************************************************************
3354  *********************************************************************/
3355
3356 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
3357 {
3358         ldapsam_endsampwent(my_methods);
3359 }
3360
3361 /**********************************************************************
3362  *********************************************************************/
3363
3364 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
3365                                     GROUP_MAP *map)
3366 {
3367         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
3368         struct ldapsam_privates *ldap_state =
3369                 (struct ldapsam_privates *)my_methods->private_data;
3370         bool bret = False;
3371
3372         while (!bret) {
3373                 if (!ldap_state->entry)
3374                         return ret;
3375                 
3376                 ldap_state->index++;
3377                 bret = init_group_from_ldap(ldap_state, map,
3378                                             ldap_state->entry);
3379                 
3380                 ldap_state->entry =
3381                         ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
3382                                         ldap_state->entry);     
3383         }
3384
3385         return NT_STATUS_OK;
3386 }
3387
3388 /**********************************************************************
3389  *********************************************************************/
3390
3391 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
3392                                            const DOM_SID *domsid, enum lsa_SidType sid_name_use,
3393                                            GROUP_MAP **pp_rmap,
3394                                            size_t *p_num_entries,
3395                                            bool unix_only)
3396 {
3397         GROUP_MAP map;
3398         size_t entries = 0;
3399
3400         *p_num_entries = 0;
3401         *pp_rmap = NULL;
3402
3403         if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
3404                 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open "
3405                           "passdb\n"));
3406                 return NT_STATUS_ACCESS_DENIED;
3407         }
3408
3409         while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
3410                 if (sid_name_use != SID_NAME_UNKNOWN &&
3411                     sid_name_use != map.sid_name_use) {
3412                         DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3413                                   "not of the requested type\n", map.nt_name));
3414                         continue;
3415                 }
3416                 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
3417                         DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3418                                   "non mapped\n", map.nt_name));
3419                         continue;
3420                 }
3421
3422                 (*pp_rmap)=SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
3423                 if (!(*pp_rmap)) {
3424                         DEBUG(0,("ldapsam_enum_group_mapping: Unable to "
3425                                  "enlarge group map!\n"));
3426                         return NT_STATUS_UNSUCCESSFUL;
3427                 }
3428
3429                 (*pp_rmap)[entries] = map;
3430
3431                 entries += 1;
3432
3433         }
3434         ldapsam_endsamgrent(methods);
3435
3436         *p_num_entries = entries;
3437
3438         return NT_STATUS_OK;
3439 }
3440
3441 static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
3442                                         const DOM_SID *alias,
3443                                         const DOM_SID *member,
3444                                         int modop)
3445 {
3446         struct ldapsam_privates *ldap_state =
3447                 (struct ldapsam_privates *)methods->private_data;
3448         char *dn = NULL;
3449         LDAPMessage *result = NULL;
3450         LDAPMessage *entry = NULL;
3451         int count;
3452         LDAPMod **mods = NULL;
3453         int rc;
3454         enum lsa_SidType type = SID_NAME_USE_NONE;
3455         fstring tmp;
3456
3457         char *filter = NULL;
3458
3459         if (sid_check_is_in_builtin(alias)) {
3460                 type = SID_NAME_ALIAS;
3461         }
3462
3463         if (sid_check_is_in_our_domain(alias)) {
3464                 type = SID_NAME_ALIAS;
3465         }
3466
3467         if (type == SID_NAME_USE_NONE) {
3468                 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3469                           sid_string_dbg(alias)));
3470                 return NT_STATUS_NO_SUCH_ALIAS;
3471         }
3472
3473         if (asprintf(&filter,
3474                      "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3475                      LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
3476                      type) < 0) {
3477                 return NT_STATUS_NO_MEMORY;
3478         }
3479
3480         if (ldapsam_search_one_group(ldap_state, filter,
3481                                      &result) != LDAP_SUCCESS) {
3482                 SAFE_FREE(filter);
3483                 return NT_STATUS_NO_SUCH_ALIAS;
3484         }
3485
3486         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3487                                    result);
3488
3489         if (count < 1) {
3490                 DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
3491                 ldap_msgfree(result);
3492                 SAFE_FREE(filter);
3493                 return NT_STATUS_NO_SUCH_ALIAS;
3494         }
3495
3496         if (count > 1) {
3497                 DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for "
3498                           "filter %s: count=%d\n", filter, count));
3499                 ldap_msgfree(result);
3500                 SAFE_FREE(filter);
3501                 return NT_STATUS_NO_SUCH_ALIAS;
3502         }
3503
3504         SAFE_FREE(filter);
3505
3506         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3507                                  result);
3508
3509         if (!entry) {
3510                 ldap_msgfree(result);
3511                 return NT_STATUS_UNSUCCESSFUL;
3512         }
3513
3514         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
3515         if (!dn) {
3516                 ldap_msgfree(result);
3517                 return NT_STATUS_UNSUCCESSFUL;
3518         }
3519
3520         smbldap_set_mod(&mods, modop,
3521                         get_attr_key2string(groupmap_attr_list,
3522                                             LDAP_ATTR_SID_LIST),
3523                         sid_to_fstring(tmp, member));
3524
3525         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3526
3527         ldap_mods_free(mods, True);
3528         ldap_msgfree(result);
3529         SAFE_FREE(dn);
3530
3531         if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
3532                 return NT_STATUS_MEMBER_IN_ALIAS;
3533         }
3534
3535         if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
3536                 return NT_STATUS_MEMBER_NOT_IN_ALIAS;
3537         }
3538
3539         if (rc != LDAP_SUCCESS) {
3540                 return NT_STATUS_UNSUCCESSFUL;
3541         }
3542
3543         return NT_STATUS_OK;
3544 }
3545
3546 static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
3547                                      const DOM_SID *alias,
3548                                      const DOM_SID *member)
3549 {
3550         return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
3551 }
3552
3553 static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
3554                                      const DOM_SID *alias,
3555                                      const DOM_SID *member)
3556 {
3557         return ldapsam_modify_aliasmem(methods, alias, member,
3558                                        LDAP_MOD_DELETE);
3559 }
3560
3561 static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
3562                                       const DOM_SID *alias,
3563                                       DOM_SID **pp_members,
3564                                       size_t *p_num_members)
3565 {
3566         struct ldapsam_privates *ldap_state =
3567                 (struct ldapsam_privates *)methods->private_data;
3568         LDAPMessage *result = NULL;
3569         LDAPMessage *entry = NULL;
3570         int count;
3571         char **values = NULL;
3572         int i;
3573         char *filter = NULL;
3574         size_t num_members = 0;
3575         enum lsa_SidType type = SID_NAME_USE_NONE;
3576         fstring tmp;
3577
3578         *pp_members = NULL;
3579         *p_num_members = 0;
3580
3581         if (sid_check_is_in_builtin(alias)) {
3582                 type = SID_NAME_ALIAS;
3583         }
3584
3585         if (sid_check_is_in_our_domain(alias)) {
3586                 type = SID_NAME_ALIAS;
3587         }
3588
3589         if (type == SID_NAME_USE_NONE) {
3590                 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3591                           sid_string_dbg(alias)));
3592                 return NT_STATUS_NO_SUCH_ALIAS;
3593         }
3594
3595         if (asprintf(&filter,
3596                      "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3597                      LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
3598                      type) < 0) {
3599                 return NT_STATUS_NO_MEMORY;
3600         }
3601
3602         if (ldapsam_search_one_group(ldap_state, filter,
3603                                      &result) != LDAP_SUCCESS) {
3604                 SAFE_FREE(filter);
3605                 return NT_STATUS_NO_SUCH_ALIAS;
3606         }
3607
3608         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3609                                    result);
3610
3611         if (count < 1) {
3612                 DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
3613                 ldap_msgfree(result);
3614                 SAFE_FREE(filter);
3615                 return NT_STATUS_NO_SUCH_ALIAS;
3616         }
3617
3618         if (count > 1) {
3619                 DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for "
3620                           "filter %s: count=%d\n", filter, count));
3621                 ldap_msgfree(result);
3622                 SAFE_FREE(filter);
3623                 return NT_STATUS_NO_SUCH_ALIAS;
3624         }
3625
3626         SAFE_FREE(filter);
3627
3628         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3629                                  result);
3630
3631         if (!entry) {
3632                 ldap_msgfree(result);
3633                 return NT_STATUS_UNSUCCESSFUL;
3634         }
3635
3636         values = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
3637           &nb