pdb_ldap: Raise level for debug message to avoid log file flooding.
[samba.git] / source3 / passdb / pdb_ldap.c
1 /* 
2    Unix SMB/CIFS implementation.
3    LDAP protocol helper functions for SAMBA
4    Copyright (C) Jean Fran├žois Micouleau        1998
5    Copyright (C) Gerald Carter                  2001-2003
6    Copyright (C) Shahms King                    2001
7    Copyright (C) Andrew Bartlett                2002-2003
8    Copyright (C) Stefan (metze) Metzmacher      2002-2003
9    Copyright (C) Simo Sorce                     2006
10     
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20    
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23    
24 */
25
26 /* TODO:
27 *  persistent connections: if using NSS LDAP, many connections are made
28 *      however, using only one within Samba would be nice
29 *  
30 *  Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 *
32 *  Other LDAP based login attributes: accountExpires, etc.
33 *  (should be the domain of Samba proper, but the sam_password/struct samu
34 *  structures don't have fields for some of these attributes)
35 *
36 *  SSL is done, but can't get the certificate based authentication to work
37 *  against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 */
39
40 /* NOTE: this will NOT work against an Active Directory server
41 *  due to the fact that the two password fields cannot be retrieved
42 *  from a server; recommend using security = domain in this situation
43 *  and/or winbind
44 */
45
46 #include "includes.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_PASSDB
50
51 #include <lber.h>
52 #include <ldap.h>
53
54 /*
55  * Work around versions of the LDAP client libs that don't have the OIDs
56  * defined, or have them defined under the old name.  
57  * This functionality is really a factor of the server, not the client 
58  *
59  */
60
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
65 #endif
66
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID        ((ber_tag_t) 0x80U)
71 #endif
72
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW       ((ber_tag_t) 0x82U)
77 #endif
78
79
80 #include "smbldap.h"
81
82 /**********************************************************************
83  Simple helper function to make stuff better readable
84  **********************************************************************/
85
86 static LDAP *priv2ld(struct ldapsam_privates *priv)
87 {
88         return priv->smbldap_state->ldap_struct;
89 }
90
91 /**********************************************************************
92  Get the attribute name given a user schame version.
93  **********************************************************************/
94  
95 static const char* get_userattr_key2string( int schema_ver, int key )
96 {
97         switch ( schema_ver ) {
98                 case SCHEMAVER_SAMBAACCOUNT:
99                         return get_attr_key2string( attrib_map_v22, key );
100                         
101                 case SCHEMAVER_SAMBASAMACCOUNT:
102                         return get_attr_key2string( attrib_map_v30, key );
103                         
104                 default:
105                         DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
106                         break;
107         }
108         return NULL;
109 }
110
111 /**********************************************************************
112  Return the list of attribute names given a user schema version.
113 **********************************************************************/
114
115 const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
116 {
117         switch ( schema_ver ) {
118                 case SCHEMAVER_SAMBAACCOUNT:
119                         return get_attr_list( mem_ctx, attrib_map_v22 );
120                         
121                 case SCHEMAVER_SAMBASAMACCOUNT:
122                         return get_attr_list( mem_ctx, attrib_map_v30 );
123                 default:
124                         DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
125                         break;
126         }
127         
128         return NULL;
129 }
130
131 /**************************************************************************
132  Return the list of attribute names to delete given a user schema version.
133 **************************************************************************/
134
135 static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
136                                               int schema_ver )
137 {
138         switch ( schema_ver ) {
139                 case SCHEMAVER_SAMBAACCOUNT:
140                         return get_attr_list( mem_ctx,
141                                               attrib_map_to_delete_v22 );
142                         
143                 case SCHEMAVER_SAMBASAMACCOUNT:
144                         return get_attr_list( mem_ctx,
145                                               attrib_map_to_delete_v30 );
146                 default:
147                         DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
148                         break;
149         }
150         
151         return NULL;
152 }
153
154
155 /*******************************************************************
156  Generate the LDAP search filter for the objectclass based on the 
157  version of the schema we are using.
158 ******************************************************************/
159
160 static const char* get_objclass_filter( int schema_ver )
161 {
162         fstring objclass_filter;
163         char *result;
164         
165         switch( schema_ver ) {
166                 case SCHEMAVER_SAMBAACCOUNT:
167                         fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
168                         break;
169                 case SCHEMAVER_SAMBASAMACCOUNT:
170                         fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
171                         break;
172                 default:
173                         DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
174                         objclass_filter[0] = '\0';
175                         break;
176         }
177         
178         result = talloc_strdup(talloc_tos(), objclass_filter);
179         SMB_ASSERT(result != NULL);
180         return result;
181 }
182
183 /*****************************************************************
184  Scan a sequence number off OpenLDAP's syncrepl contextCSN
185 ******************************************************************/
186
187 static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
188 {
189         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
190         NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
191         LDAPMessage *msg = NULL;
192         LDAPMessage *entry = NULL;
193         TALLOC_CTX *mem_ctx;
194         char **values = NULL;
195         int rc, num_result, num_values, rid;
196         char *suffix = NULL;
197         char *tok;
198         const char *p;
199         const char **attrs;
200
201         /* Unfortunatly there is no proper way to detect syncrepl-support in
202          * smbldap_connect_system(). The syncrepl OIDs are submitted for publication
203          * but do not show up in the root-DSE yet. Neither we can query the
204          * subschema-context for the syncProviderSubentry or syncConsumerSubentry
205          * objectclass. Currently we require lp_ldap_suffix() to show up as
206          * namingContext.  -  Guenther
207          */
208
209         if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
210                 return ntstatus;
211         }
212
213         if (!seq_num) {
214                 DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
215                 return ntstatus;
216         }
217
218         if (!smbldap_has_naming_context(ldap_state->smbldap_state->ldap_struct, lp_ldap_suffix())) {
219                 DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
220                          "as top-level namingContext\n", lp_ldap_suffix()));
221                 return ntstatus;
222         }
223
224         mem_ctx = talloc_init("ldapsam_get_seq_num");
225
226         if (mem_ctx == NULL)
227                 return NT_STATUS_NO_MEMORY;
228
229         if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 2)) == NULL) {
230                 ntstatus = NT_STATUS_NO_MEMORY;
231                 goto done;
232         }
233
234         /* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
235         rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
236         if (rid > 0) {
237
238                 /* consumer syncreplCookie: */
239                 /* csn=20050126161620Z#0000001#00#00000 */
240                 attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
241                 attrs[1] = NULL;
242                 suffix = talloc_asprintf(mem_ctx,
243                                 "cn=syncrepl%d,%s", rid, lp_ldap_suffix());
244                 if (!suffix) {
245                         ntstatus = NT_STATUS_NO_MEMORY;
246                         goto done;
247                 }
248         } else {
249
250                 /* provider contextCSN */
251                 /* 20050126161620Z#000009#00#000000 */
252                 attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
253                 attrs[1] = NULL;
254                 suffix = talloc_asprintf(mem_ctx,
255                                 "cn=ldapsync,%s", lp_ldap_suffix());
256
257                 if (!suffix) {
258                         ntstatus = NT_STATUS_NO_MEMORY;
259                         goto done;
260                 }
261         }
262
263         rc = smbldap_search(ldap_state->smbldap_state, suffix,
264                             LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
265
266         if (rc != LDAP_SUCCESS) {
267                 goto done;
268         }
269
270         num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg);
271         if (num_result != 1) {
272                 DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
273                 goto done;
274         }
275
276         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg);
277         if (entry == NULL) {
278                 DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
279                 goto done;
280         }
281
282         values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]);
283         if (values == NULL) {
284                 DEBUG(3,("ldapsam_get_seq_num: no values\n"));
285                 goto done;
286         }
287
288         num_values = ldap_count_values(values);
289         if (num_values == 0) {
290                 DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
291                 goto done;
292         }
293
294         p = values[0];
295         if (!next_token_talloc(mem_ctx, &p, &tok, "#")) {
296                 DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
297                 goto done;
298         }
299
300         p = tok;
301         if (!strncmp(p, "csn=", strlen("csn=")))
302                 p += strlen("csn=");
303
304         DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
305
306         *seq_num = generalized_to_unix_time(p);
307
308         /* very basic sanity check */
309         if (*seq_num <= 0) {
310                 DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n", 
311                         (int)*seq_num));
312                 goto done;
313         }
314
315         ntstatus = NT_STATUS_OK;
316
317  done:
318         if (values != NULL)
319                 ldap_value_free(values);
320         if (msg != NULL)
321                 ldap_msgfree(msg);
322         if (mem_ctx)
323                 talloc_destroy(mem_ctx);
324
325         return ntstatus;
326 }
327
328 /*******************************************************************
329  Run the search by name.
330 ******************************************************************/
331
332 int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
333                                           const char *user,
334                                           LDAPMessage ** result,
335                                           const char **attr)
336 {
337         char *filter = NULL;
338         char *escape_user = escape_ldap_string_alloc(user);
339         int ret = -1;
340
341         if (!escape_user) {
342                 return LDAP_NO_MEMORY;
343         }
344
345         /*
346          * in the filter expression, replace %u with the real name
347          * so in ldap filter, %u MUST exist :-)
348          */
349         filter = talloc_asprintf(talloc_tos(), "(&%s%s)", "(uid=%u)",
350                 get_objclass_filter(ldap_state->schema_ver));
351         if (!filter) {
352                 SAFE_FREE(escape_user);
353                 return LDAP_NO_MEMORY;
354         }
355         /*
356          * have to use this here because $ is filtered out
357          * in string_sub
358          */
359
360         filter = talloc_all_string_sub(talloc_tos(),
361                                 filter, "%u", escape_user);
362         SAFE_FREE(escape_user);
363         if (!filter) {
364                 return LDAP_NO_MEMORY;
365         }
366
367         ret = smbldap_search_suffix(ldap_state->smbldap_state,
368                         filter, attr, result);
369         TALLOC_FREE(filter);
370         return ret;
371 }
372
373 /*******************************************************************
374  Run the search by rid.
375 ******************************************************************/
376
377 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
378                                          uint32 rid, LDAPMessage ** result,
379                                          const char **attr)
380 {
381         char *filter = NULL;
382         int rc;
383
384         filter = talloc_asprintf(talloc_tos(), "(&(rid=%i)%s)", rid,
385                 get_objclass_filter(ldap_state->schema_ver));
386         if (!filter) {
387                 return LDAP_NO_MEMORY;
388         }
389
390         rc = smbldap_search_suffix(ldap_state->smbldap_state,
391                         filter, attr, result);
392         TALLOC_FREE(filter);
393         return rc;
394 }
395
396 /*******************************************************************
397  Run the search by SID.
398 ******************************************************************/
399
400 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
401                                  const DOM_SID *sid, LDAPMessage ** result,
402                                  const char **attr)
403 {
404         char *filter = NULL;
405         int rc;
406         fstring sid_string;
407
408         filter = talloc_asprintf(talloc_tos(), "(&(%s=%s)%s)",
409                 get_userattr_key2string(ldap_state->schema_ver,
410                         LDAP_ATTR_USER_SID),
411                 sid_to_fstring(sid_string, sid),
412                 get_objclass_filter(ldap_state->schema_ver));
413         if (!filter) {
414                 return LDAP_NO_MEMORY;
415         }
416
417         rc = smbldap_search_suffix(ldap_state->smbldap_state,
418                         filter, attr, result);
419
420         TALLOC_FREE(filter);
421         return rc;
422 }
423
424 /*******************************************************************
425  Delete complete object or objectclass and attrs from
426  object found in search_result depending on lp_ldap_delete_dn
427 ******************************************************************/
428
429 static int ldapsam_delete_entry(struct ldapsam_privates *priv,
430                                 TALLOC_CTX *mem_ctx,
431                                 LDAPMessage *entry,
432                                 const char *objectclass,
433                                 const char **attrs)
434 {
435         LDAPMod **mods = NULL;
436         char *name;
437         const char *dn;
438         BerElement *ptr = NULL;
439
440         dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
441         if (dn == NULL) {
442                 return LDAP_NO_MEMORY;
443         }
444
445         if (lp_ldap_delete_dn()) {
446                 return smbldap_delete(priv->smbldap_state, dn);
447         }
448
449         /* Ok, delete only the SAM attributes */
450         
451         for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
452              name != NULL;
453              name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
454                 const char **attrib;
455
456                 /* We are only allowed to delete the attributes that
457                    really exist. */
458
459                 for (attrib = attrs; *attrib != NULL; attrib++) {
460                         if (strequal(*attrib, name)) {
461                                 DEBUG(10, ("ldapsam_delete_entry: deleting "
462                                            "attribute %s\n", name));
463                                 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
464                                                 NULL);
465                         }
466                 }
467                 ldap_memfree(name);
468         }
469
470         if (ptr != NULL) {
471                 ber_free(ptr, 0);
472         }
473
474         smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
475         talloc_autofree_ldapmod(mem_ctx, mods);
476
477         return smbldap_modify(priv->smbldap_state, dn, mods);
478 }
479
480 static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry)
481 {
482         char *temp;
483         struct tm tm;
484
485         temp = smbldap_talloc_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
486                         get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
487                         talloc_tos());
488         if (!temp) {
489                 return (time_t) 0;
490         }
491
492         if ( !strptime(temp, "%Y%m%d%H%M%SZ", &tm)) {
493                 DEBUG(2,("ldapsam_get_entry_timestamp: strptime failed on: %s\n",
494                         (char*)temp));
495                 TALLOC_FREE(temp);
496                 return (time_t) 0;
497         }
498         TALLOC_FREE(temp);
499         tzset();
500         return timegm(&tm);
501 }
502
503 /**********************************************************************
504  Initialize struct samu from an LDAP query.
505  (Based on init_sam_from_buffer in pdb_tdb.c)
506 *********************************************************************/
507
508 static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
509                                 struct samu * sampass,
510                                 LDAPMessage * entry)
511 {
512         time_t  logon_time,
513                         logoff_time,
514                         kickoff_time,
515                         pass_last_set_time,
516                         pass_can_change_time,
517                         pass_must_change_time,
518                         ldap_entry_time,
519                         bad_password_time;
520         char *username = NULL,
521                         *domain = NULL,
522                         *nt_username = NULL,
523                         *fullname = NULL,
524                         *homedir = NULL,
525                         *dir_drive = NULL,
526                         *logon_script = NULL,
527                         *profile_path = NULL,
528                         *acct_desc = NULL,
529                         *workstations = NULL,
530                         *munged_dial = NULL;
531         uint32          user_rid;
532         uint8           smblmpwd[LM_HASH_LEN],
533                         smbntpwd[NT_HASH_LEN];
534         bool            use_samba_attrs = True;
535         uint32          acct_ctrl = 0;
536         uint16          logon_divs;
537         uint16          bad_password_count = 0,
538                         logon_count = 0;
539         uint32 hours_len;
540         uint8           hours[MAX_HOURS_LEN];
541         char *temp = NULL;
542         LOGIN_CACHE     *cache_entry = NULL;
543         uint32          pwHistLen;
544         bool expand_explicit = lp_passdb_expand_explicit();
545         bool ret = false;
546         TALLOC_CTX *ctx = talloc_init("init_sam_from_ldap");
547
548         if (!ctx) {
549                 return false;
550         }
551         if (sampass == NULL || ldap_state == NULL || entry == NULL) {
552                 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
553                 goto fn_exit;
554         }
555
556         if (priv2ld(ldap_state) == NULL) {
557                 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
558                           "ldap_struct is NULL!\n"));
559                 goto fn_exit;
560         }
561
562         if (!(username = smbldap_talloc_single_attribute(priv2ld(ldap_state),
563                                         entry,
564                                         "uid",
565                                         ctx))) {
566                 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
567                           "this user!\n"));
568                 goto fn_exit;
569         }
570
571         DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
572
573         nt_username = talloc_strdup(ctx, username);
574         if (!nt_username) {
575                 goto fn_exit;
576         }
577
578         domain = talloc_strdup(ctx, ldap_state->domain_name);
579         if (!domain) {
580                 goto fn_exit;
581         }
582
583         pdb_set_username(sampass, username, PDB_SET);
584
585         pdb_set_domain(sampass, domain, PDB_DEFAULT);
586         pdb_set_nt_username(sampass, nt_username, PDB_SET);
587
588         /* deal with different attributes between the schema first */
589
590         if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
591                 if ((temp = smbldap_talloc_single_attribute(
592                                 ldap_state->smbldap_state->ldap_struct,
593                                 entry,
594                                 get_userattr_key2string(ldap_state->schema_ver,
595                                         LDAP_ATTR_USER_SID),
596                                 ctx))!=NULL) {
597                         pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
598                 }
599         } else {
600                 if ((temp = smbldap_talloc_single_attribute(
601                                 ldap_state->smbldap_state->ldap_struct,
602                                 entry,
603                                 get_userattr_key2string(ldap_state->schema_ver,
604                                         LDAP_ATTR_USER_RID),
605                                 ctx))!=NULL) {
606                         user_rid = (uint32)atol(temp);
607                         pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
608                 }
609         }
610
611         if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
612                 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n", 
613                         get_userattr_key2string(ldap_state->schema_ver,
614                                 LDAP_ATTR_USER_SID),
615                         get_userattr_key2string(ldap_state->schema_ver,
616                                 LDAP_ATTR_USER_RID),
617                         username));
618                 return False;
619         }
620
621         temp = smbldap_talloc_single_attribute(
622                         ldap_state->smbldap_state->ldap_struct,
623                         entry,
624                         get_userattr_key2string(ldap_state->schema_ver,
625                                 LDAP_ATTR_PWD_LAST_SET),
626                         ctx);
627         if (temp) {
628                 pass_last_set_time = (time_t) atol(temp);
629                 pdb_set_pass_last_set_time(sampass,
630                                 pass_last_set_time, PDB_SET);
631         }
632
633         temp = smbldap_talloc_single_attribute(
634                         ldap_state->smbldap_state->ldap_struct,
635                         entry,
636                         get_userattr_key2string(ldap_state->schema_ver,
637                                 LDAP_ATTR_LOGON_TIME),
638                         ctx);
639         if (temp) {
640                 logon_time = (time_t) atol(temp);
641                 pdb_set_logon_time(sampass, logon_time, PDB_SET);
642         }
643
644         temp = smbldap_talloc_single_attribute(
645                         ldap_state->smbldap_state->ldap_struct,
646                         entry,
647                         get_userattr_key2string(ldap_state->schema_ver,
648                                 LDAP_ATTR_LOGOFF_TIME),
649                         ctx);
650         if (temp) {
651                 logoff_time = (time_t) atol(temp);
652                 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
653         }
654
655         temp = smbldap_talloc_single_attribute(
656                         ldap_state->smbldap_state->ldap_struct,
657                         entry,
658                         get_userattr_key2string(ldap_state->schema_ver,
659                                 LDAP_ATTR_KICKOFF_TIME),
660                         ctx);
661         if (temp) {
662                 kickoff_time = (time_t) atol(temp);
663                 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
664         }
665
666         temp = smbldap_talloc_single_attribute(
667                         ldap_state->smbldap_state->ldap_struct,
668                         entry,
669                         get_userattr_key2string(ldap_state->schema_ver,
670                                 LDAP_ATTR_PWD_CAN_CHANGE),
671                         ctx);
672         if (temp) {
673                 pass_can_change_time = (time_t) atol(temp);
674                 pdb_set_pass_can_change_time(sampass,
675                                 pass_can_change_time, PDB_SET);
676         }
677
678         temp = smbldap_talloc_single_attribute(
679                         ldap_state->smbldap_state->ldap_struct,
680                         entry,
681                         get_userattr_key2string(ldap_state->schema_ver,
682                                 LDAP_ATTR_PWD_MUST_CHANGE),
683                         ctx);
684         if (temp) {
685                 pass_must_change_time = (time_t) atol(temp);
686                 pdb_set_pass_must_change_time(sampass,
687                                 pass_must_change_time, PDB_SET);
688         }
689
690         /* recommend that 'gecos' and 'displayName' should refer to the same
691          * attribute OID.  userFullName depreciated, only used by Samba
692          * primary rules of LDAP: don't make a new attribute when one is already defined
693          * that fits your needs; using cn then displayName rather than 'userFullName'
694          */
695
696         fullname = smbldap_talloc_single_attribute(
697                         ldap_state->smbldap_state->ldap_struct,
698                         entry,
699                         get_userattr_key2string(ldap_state->schema_ver,
700                                 LDAP_ATTR_DISPLAY_NAME),
701                         ctx);
702         if (fullname) {
703                 pdb_set_fullname(sampass, fullname, PDB_SET);
704         } else {
705                 fullname = smbldap_talloc_single_attribute(
706                                 ldap_state->smbldap_state->ldap_struct,
707                                 entry,
708                                 get_userattr_key2string(ldap_state->schema_ver,
709                                         LDAP_ATTR_CN),
710                                 ctx);
711                 if (fullname) {
712                         pdb_set_fullname(sampass, fullname, PDB_SET);
713                 }
714         }
715
716         dir_drive = smbldap_talloc_single_attribute(
717                         ldap_state->smbldap_state->ldap_struct,
718                         entry,
719                         get_userattr_key2string(ldap_state->schema_ver,
720                                 LDAP_ATTR_HOME_DRIVE),
721                         ctx);
722         if (dir_drive) {
723                 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
724         } else {
725                 pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
726         }
727
728         homedir = smbldap_talloc_single_attribute(
729                         ldap_state->smbldap_state->ldap_struct,
730                         entry,
731                         get_userattr_key2string(ldap_state->schema_ver,
732                                 LDAP_ATTR_HOME_PATH),
733                         ctx);
734         if (homedir) {
735                 if (expand_explicit) {
736                         homedir = talloc_sub_basic(ctx,
737                                                 username,
738                                                 domain,
739                                                 homedir);
740                         if (!homedir) {
741                                 goto fn_exit;
742                         }
743                 }
744                 pdb_set_homedir(sampass, homedir, PDB_SET);
745         } else {
746                 pdb_set_homedir(sampass,
747                         talloc_sub_basic(ctx, username, domain,
748                                          lp_logon_home()),
749                         PDB_DEFAULT);
750         }
751
752         logon_script = smbldap_talloc_single_attribute(
753                         ldap_state->smbldap_state->ldap_struct,
754                         entry,
755                         get_userattr_key2string(ldap_state->schema_ver,
756                                 LDAP_ATTR_LOGON_SCRIPT),
757                         ctx);
758         if (logon_script) {
759                 if (expand_explicit) {
760                         logon_script = talloc_sub_basic(ctx,
761                                                 username,
762                                                 domain,
763                                                 logon_script);
764                         if (!logon_script) {
765                                 goto fn_exit;
766                         }
767                 }
768                 pdb_set_logon_script(sampass, logon_script, PDB_SET);
769         } else {
770                 pdb_set_logon_script(sampass,
771                         talloc_sub_basic(ctx, username, domain,
772                                          lp_logon_script()),
773                         PDB_DEFAULT );
774         }
775
776         profile_path = smbldap_talloc_single_attribute(
777                         ldap_state->smbldap_state->ldap_struct,
778                         entry,
779                         get_userattr_key2string(ldap_state->schema_ver,
780                                 LDAP_ATTR_PROFILE_PATH),
781                         ctx);
782         if (profile_path) {
783                 if (expand_explicit) {
784                         profile_path = talloc_sub_basic(ctx,
785                                                 username,
786                                                 domain,
787                                                 profile_path);
788                         if (!profile_path) {
789                                 goto fn_exit;
790                         }
791                 }
792                 pdb_set_profile_path(sampass, profile_path, PDB_SET);
793         } else {
794                 pdb_set_profile_path(sampass,
795                         talloc_sub_basic(ctx, username, domain,
796                                           lp_logon_path()),
797                         PDB_DEFAULT );
798         }
799
800         acct_desc = smbldap_talloc_single_attribute(
801                         ldap_state->smbldap_state->ldap_struct,
802                         entry,
803                         get_userattr_key2string(ldap_state->schema_ver,
804                                 LDAP_ATTR_DESC),
805                         ctx);
806         if (acct_desc) {
807                 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
808         }
809
810         workstations = smbldap_talloc_single_attribute(
811                         ldap_state->smbldap_state->ldap_struct,
812                         entry,
813                         get_userattr_key2string(ldap_state->schema_ver,
814                                 LDAP_ATTR_USER_WKS),
815                         ctx);
816         if (workstations) {
817                 pdb_set_workstations(sampass, workstations, PDB_SET);
818         }
819
820         munged_dial = smbldap_talloc_single_attribute(
821                         ldap_state->smbldap_state->ldap_struct,
822                         entry,
823                         get_userattr_key2string(ldap_state->schema_ver,
824                                 LDAP_ATTR_MUNGED_DIAL),
825                         ctx);
826         if (munged_dial) {
827                 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
828         }
829
830         /* FIXME: hours stuff should be cleaner */
831
832         logon_divs = 168;
833         hours_len = 21;
834         memset(hours, 0xff, hours_len);
835
836         if (ldap_state->is_nds_ldap) {
837                 char *user_dn;
838                 size_t pwd_len;
839                 char clear_text_pw[512];
840
841                 /* Make call to Novell eDirectory ldap extension to get clear text password.
842                         NOTE: This will only work if we have an SSL connection to eDirectory. */
843                 user_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
844                 if (user_dn != NULL) {
845                         DEBUG(3, ("init_sam_from_ldap: smbldap_get_dn(%s) returned '%s'\n", username, user_dn));
846
847                         pwd_len = sizeof(clear_text_pw);
848                         if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
849                                 nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
850                                 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
851                                         SAFE_FREE(user_dn);
852                                         return False;
853                                 }
854                                 ZERO_STRUCT(smblmpwd);
855                                 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
856                                         SAFE_FREE(user_dn);
857                                         return False;
858                                 }
859                                 ZERO_STRUCT(smbntpwd);
860                                 use_samba_attrs = False;
861                         }
862
863                         SAFE_FREE(user_dn);
864
865                 } else {
866                         DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
867                 }
868         }
869
870         if (use_samba_attrs) {
871                 temp = smbldap_talloc_single_attribute(
872                                 ldap_state->smbldap_state->ldap_struct,
873                                 entry,
874                                 get_userattr_key2string(ldap_state->schema_ver,
875                                         LDAP_ATTR_LMPW),
876                                 ctx);
877                 if (temp) {
878                         pdb_gethexpwd(temp, smblmpwd);
879                         memset((char *)temp, '\0', strlen(temp)+1);
880                         if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
881                                 goto fn_exit;
882                         }
883                         ZERO_STRUCT(smblmpwd);
884                 }
885
886                 temp = smbldap_talloc_single_attribute(
887                                 ldap_state->smbldap_state->ldap_struct,
888                                 entry,
889                                 get_userattr_key2string(ldap_state->schema_ver,
890                                         LDAP_ATTR_NTPW),
891                                 ctx);
892                 if (temp) {
893                         pdb_gethexpwd(temp, smbntpwd);
894                         memset((char *)temp, '\0', strlen(temp)+1);
895                         if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
896                                 goto fn_exit;
897                         }
898                         ZERO_STRUCT(smbntpwd);
899                 }
900         }
901
902         pwHistLen = 0;
903
904         pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
905         if (pwHistLen > 0){
906                 uint8 *pwhist = NULL;
907                 int i;
908                 char *history_string = TALLOC_ARRAY(ctx, char,
909                                                 MAX_PW_HISTORY_LEN*64);
910
911                 if (!history_string) {
912                         goto fn_exit;
913                 }
914
915                 pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
916
917                 if ((pwhist = TALLOC_ARRAY(ctx, uint8,
918                                         pwHistLen * PW_HISTORY_ENTRY_LEN)) ==
919                                 NULL){
920                         DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
921                         goto fn_exit;
922                 }
923                 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
924
925                 if (smbldap_get_single_attribute(
926                                 ldap_state->smbldap_state->ldap_struct,
927                                 entry,
928                                 get_userattr_key2string(ldap_state->schema_ver,
929                                         LDAP_ATTR_PWD_HISTORY),
930                                 history_string,
931                                 MAX_PW_HISTORY_LEN*64)) {
932                         bool hex_failed = false;
933                         for (i = 0; i < pwHistLen; i++){
934                                 /* Get the 16 byte salt. */
935                                 if (!pdb_gethexpwd(&history_string[i*64],
936                                         &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
937                                         hex_failed = true;
938                                         break;
939                                 }
940                                 /* Get the 16 byte MD5 hash of salt+passwd. */
941                                 if (!pdb_gethexpwd(&history_string[(i*64)+32],
942                                         &pwhist[(i*PW_HISTORY_ENTRY_LEN)+
943                                                 PW_HISTORY_SALT_LEN])) {
944                                         hex_failed = True;
945                                         break;
946                                 }
947                         }
948                         if (hex_failed) {
949                                 DEBUG(2,("init_sam_from_ldap: Failed to get password history for user %s\n",
950                                         username));
951                                 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
952                         }
953                 }
954                 if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
955                         goto fn_exit;
956                 }
957         }
958
959         temp = smbldap_talloc_single_attribute(
960                         ldap_state->smbldap_state->ldap_struct,
961                         entry,
962                         get_userattr_key2string(ldap_state->schema_ver,
963                                 LDAP_ATTR_ACB_INFO),
964                         ctx);
965         if (temp) {
966                 acct_ctrl = pdb_decode_acct_ctrl(temp);
967
968                 if (acct_ctrl == 0) {
969                         acct_ctrl |= ACB_NORMAL;
970                 }
971
972                 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
973         } else {
974                 acct_ctrl |= ACB_NORMAL;
975         }
976
977         pdb_set_hours_len(sampass, hours_len, PDB_SET);
978         pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
979
980         temp = smbldap_talloc_single_attribute(
981                         ldap_state->smbldap_state->ldap_struct,
982                         entry,
983                         get_userattr_key2string(ldap_state->schema_ver,
984                                 LDAP_ATTR_BAD_PASSWORD_COUNT),
985                         ctx);
986         if (temp) {
987                 bad_password_count = (uint32) atol(temp);
988                 pdb_set_bad_password_count(sampass,
989                                 bad_password_count, PDB_SET);
990         }
991
992         temp = smbldap_talloc_single_attribute(
993                         ldap_state->smbldap_state->ldap_struct,
994                         entry,
995                         get_userattr_key2string(ldap_state->schema_ver,
996                                 LDAP_ATTR_BAD_PASSWORD_TIME),
997                         ctx);
998         if (temp) {
999                 bad_password_time = (time_t) atol(temp);
1000                 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1001         }
1002
1003
1004         temp = smbldap_talloc_single_attribute(
1005                         ldap_state->smbldap_state->ldap_struct,
1006                         entry,
1007                         get_userattr_key2string(ldap_state->schema_ver,
1008                                 LDAP_ATTR_LOGON_COUNT),
1009                         ctx);
1010         if (temp) {
1011                 logon_count = (uint32) atol(temp);
1012                 pdb_set_logon_count(sampass, logon_count, PDB_SET);
1013         }
1014
1015         /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
1016
1017         temp = smbldap_talloc_single_attribute(
1018                         ldap_state->smbldap_state->ldap_struct,
1019                         entry,
1020                         get_userattr_key2string(ldap_state->schema_ver,
1021                                 LDAP_ATTR_LOGON_HOURS),
1022                         ctx);
1023         if (temp) {
1024                 pdb_gethexhours(temp, hours);
1025                 memset((char *)temp, '\0', strlen(temp) +1);
1026                 pdb_set_hours(sampass, hours, PDB_SET);
1027                 ZERO_STRUCT(hours);
1028         }
1029
1030         if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1031                 temp = smbldap_talloc_single_attribute(
1032                                 priv2ld(ldap_state),
1033                                 entry,
1034                                 "uidNumber",
1035                                 ctx);
1036                 if (temp) {
1037                         /* We've got a uid, feed the cache */
1038                         uid_t uid = strtoul(temp, NULL, 10);
1039                         store_uid_sid_cache(pdb_get_user_sid(sampass), uid);
1040                 }
1041         }
1042
1043         /* check the timestamp of the cache vs ldap entry */
1044         if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
1045                                                             entry))) {
1046                 ret = true;
1047                 goto fn_exit;
1048         }
1049
1050         /* see if we have newer updates */
1051         if (!(cache_entry = login_cache_read(sampass))) {
1052                 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
1053                            (unsigned int)pdb_get_bad_password_count(sampass),
1054                            (unsigned int)pdb_get_bad_password_time(sampass)));
1055                 ret = true;
1056                 goto fn_exit;
1057         }
1058
1059         DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
1060                   (unsigned int)ldap_entry_time,
1061                   (unsigned int)cache_entry->entry_timestamp,
1062                   (unsigned int)cache_entry->bad_password_time));
1063
1064         if (ldap_entry_time > cache_entry->entry_timestamp) {
1065                 /* cache is older than directory , so
1066                    we need to delete the entry but allow the
1067                    fields to be written out */
1068                 login_cache_delentry(sampass);
1069         } else {
1070                 /* read cache in */
1071                 pdb_set_acct_ctrl(sampass,
1072                                   pdb_get_acct_ctrl(sampass) |
1073                                   (cache_entry->acct_ctrl & ACB_AUTOLOCK),
1074                                   PDB_SET);
1075                 pdb_set_bad_password_count(sampass,
1076                                            cache_entry->bad_password_count,
1077                                            PDB_SET);
1078                 pdb_set_bad_password_time(sampass,
1079                                           cache_entry->bad_password_time,
1080                                           PDB_SET);
1081         }
1082
1083         ret = true;
1084
1085   fn_exit:
1086
1087         TALLOC_FREE(ctx);
1088         SAFE_FREE(cache_entry);
1089         return ret;
1090 }
1091
1092 /**********************************************************************
1093  Initialize the ldap db from a struct samu. Called on update.
1094  (Based on init_buffer_from_sam in pdb_tdb.c)
1095 *********************************************************************/
1096
1097 static bool init_ldap_from_sam (struct ldapsam_privates *ldap_state,
1098                                 LDAPMessage *existing,
1099                                 LDAPMod *** mods, struct samu * sampass,
1100                                 bool (*need_update)(const struct samu *,
1101                                                     enum pdb_elements))
1102 {
1103         char *temp = NULL;
1104         uint32 rid;
1105
1106         if (mods == NULL || sampass == NULL) {
1107                 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
1108                 return False;
1109         }
1110
1111         *mods = NULL;
1112
1113         /*
1114          * took out adding "objectclass: sambaAccount"
1115          * do this on a per-mod basis
1116          */
1117         if (need_update(sampass, PDB_USERNAME)) {
1118                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1119                               "uid", pdb_get_username(sampass));
1120                 if (ldap_state->is_nds_ldap) {
1121                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1122                                       "cn", pdb_get_username(sampass));
1123                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
1124                                       "sn", pdb_get_username(sampass));
1125                 }
1126         }
1127
1128         DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
1129
1130         /* only update the RID if we actually need to */
1131         if (need_update(sampass, PDB_USERSID)) {
1132                 fstring sid_string;
1133                 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
1134
1135                 switch ( ldap_state->schema_ver ) {
1136                         case SCHEMAVER_SAMBAACCOUNT:
1137                                 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
1138                                         DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", 
1139                                                   sid_string_dbg(user_sid),
1140                                                   sid_string_dbg(
1141                                                           &ldap_state->domain_sid)));
1142                                         return False;
1143                                 }
1144                                 if (asprintf(&temp, "%i", rid) < 0) {
1145                                         return false;
1146                                 }
1147                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1148                                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), 
1149                                         temp);
1150                                 SAFE_FREE(temp);
1151                                 break;
1152
1153                         case SCHEMAVER_SAMBASAMACCOUNT:
1154                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1155                                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
1156                                         sid_to_fstring(sid_string, user_sid));
1157                                 break;
1158
1159                         default:
1160                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1161                                 break;
1162                 }
1163         }
1164
1165         /* we don't need to store the primary group RID - so leaving it
1166            'free' to hang off the unix primary group makes life easier */
1167
1168         if (need_update(sampass, PDB_GROUPSID)) {
1169                 fstring sid_string;
1170                 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
1171
1172                 switch ( ldap_state->schema_ver ) {
1173                         case SCHEMAVER_SAMBAACCOUNT:
1174                                 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
1175                                         DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1176                                                   sid_string_dbg(group_sid),
1177                                                   sid_string_dbg(
1178                                                           &ldap_state->domain_sid)));
1179                                         return False;
1180                                 }
1181
1182                                 if (asprintf(&temp, "%i", rid) < 0) {
1183                                         return false;
1184                                 }
1185                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1186                                         get_userattr_key2string(ldap_state->schema_ver, 
1187                                         LDAP_ATTR_PRIMARY_GROUP_RID), temp);
1188                                 SAFE_FREE(temp);
1189                                 break;
1190
1191                         case SCHEMAVER_SAMBASAMACCOUNT:
1192                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1193                                         get_userattr_key2string(ldap_state->schema_ver, 
1194                                         LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_fstring(sid_string, group_sid));
1195                                 break;
1196
1197                         default:
1198                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1199                                 break;
1200                 }
1201
1202         }
1203
1204         /* displayName, cn, and gecos should all be the same
1205          *  most easily accomplished by giving them the same OID
1206          *  gecos isn't set here b/c it should be handled by the
1207          *  add-user script
1208          *  We change displayName only and fall back to cn if
1209          *  it does not exist.
1210          */
1211
1212         if (need_update(sampass, PDB_FULLNAME))
1213                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1214                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), 
1215                         pdb_get_fullname(sampass));
1216
1217         if (need_update(sampass, PDB_ACCTDESC))
1218                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1219                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), 
1220                         pdb_get_acct_desc(sampass));
1221
1222         if (need_update(sampass, PDB_WORKSTATIONS))
1223                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1224                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), 
1225                         pdb_get_workstations(sampass));
1226
1227         if (need_update(sampass, PDB_MUNGEDDIAL))
1228                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1229                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), 
1230                         pdb_get_munged_dial(sampass));
1231
1232         if (need_update(sampass, PDB_SMBHOME))
1233                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1234                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), 
1235                         pdb_get_homedir(sampass));
1236
1237         if (need_update(sampass, PDB_DRIVE))
1238                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1239                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), 
1240                         pdb_get_dir_drive(sampass));
1241
1242         if (need_update(sampass, PDB_LOGONSCRIPT))
1243                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1244                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), 
1245                         pdb_get_logon_script(sampass));
1246
1247         if (need_update(sampass, PDB_PROFILE))
1248                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1249                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), 
1250                         pdb_get_profile_path(sampass));
1251
1252         if (asprintf(&temp, "%li", pdb_get_logon_time(sampass)) < 0) {
1253                 return false;
1254         }
1255         if (need_update(sampass, PDB_LOGONTIME))
1256                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1257                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1258         SAFE_FREE(temp);
1259
1260         if (asprintf(&temp, "%li", pdb_get_logoff_time(sampass)) < 0) {
1261                 return false;
1262         }
1263         if (need_update(sampass, PDB_LOGOFFTIME))
1264                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1265                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1266         SAFE_FREE(temp);
1267
1268         if (asprintf(&temp, "%li", pdb_get_kickoff_time(sampass)) < 0) {
1269                 return false;
1270         }
1271         if (need_update(sampass, PDB_KICKOFFTIME))
1272                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1273                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1274         SAFE_FREE(temp);
1275
1276         if (asprintf(&temp, "%li", pdb_get_pass_can_change_time_noncalc(sampass)) < 0) {
1277                 return false;
1278         }
1279         if (need_update(sampass, PDB_CANCHANGETIME))
1280                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1281                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1282         SAFE_FREE(temp);
1283
1284         if (asprintf(&temp, "%li", pdb_get_pass_must_change_time(sampass)) < 0) {
1285                 return false;
1286         }
1287         if (need_update(sampass, PDB_MUSTCHANGETIME))
1288                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1289                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
1290         SAFE_FREE(temp);
1291
1292         if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1293                         || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1294
1295                 if (need_update(sampass, PDB_LMPASSWD)) {
1296                         const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
1297                         if (lm_pw) {
1298                                 char pwstr[34];
1299                                 pdb_sethexpwd(pwstr, lm_pw,
1300                                               pdb_get_acct_ctrl(sampass));
1301                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1302                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1303                                                  pwstr);
1304                         } else {
1305                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1306                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1307                                                  NULL);
1308                         }
1309                 }
1310                 if (need_update(sampass, PDB_NTPASSWD)) {
1311                         const uchar *nt_pw = pdb_get_nt_passwd(sampass);
1312                         if (nt_pw) {
1313                                 char pwstr[34];
1314                                 pdb_sethexpwd(pwstr, nt_pw,
1315                                               pdb_get_acct_ctrl(sampass));
1316                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1317                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1318                                                  pwstr);
1319                         } else {
1320                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1321                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1322                                                  NULL);
1323                         }
1324                 }
1325
1326                 if (need_update(sampass, PDB_PWHISTORY)) {
1327                         char *pwstr = NULL;
1328                         uint32 pwHistLen = 0;
1329                         pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1330
1331                         pwstr = SMB_MALLOC_ARRAY(char, 1024);
1332                         if (!pwstr) {
1333                                 return false;
1334                         }
1335                         if (pwHistLen == 0) {
1336                                 /* Remove any password history from the LDAP store. */
1337                                 memset(pwstr, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
1338                                 pwstr[64] = '\0';
1339                         } else {
1340                                 int i;
1341                                 uint32 currHistLen = 0;
1342                                 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1343                                 if (pwhist != NULL) {
1344                                         /* We can only store (1024-1/64 password history entries. */
1345                                         pwHistLen = MIN(pwHistLen, ((1024-1)/64));
1346                                         for (i=0; i< pwHistLen && i < currHistLen; i++) {
1347                                                 /* Store the salt. */
1348                                                 pdb_sethexpwd(&pwstr[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
1349                                                 /* Followed by the md5 hash of salt + md4 hash */
1350                                                 pdb_sethexpwd(&pwstr[(i*64)+32],
1351                                                         &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1352                                                 DEBUG(100, ("pwstr=%s\n", pwstr));
1353                                         }
1354                                 }
1355                         }
1356                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1357                                          get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), 
1358                                          pwstr);
1359                         SAFE_FREE(pwstr);
1360                 }
1361
1362                 if (need_update(sampass, PDB_PASSLASTSET)) {
1363                         if (asprintf(&temp, "%li",
1364                                 pdb_get_pass_last_set_time(sampass)) < 0) {
1365                                 return false;
1366                         }
1367                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1368                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), 
1369                                 temp);
1370                         SAFE_FREE(temp);
1371                 }
1372         }
1373
1374         if (need_update(sampass, PDB_HOURS)) {
1375                 const uint8 *hours = pdb_get_hours(sampass);
1376                 if (hours) {
1377                         char hourstr[44];
1378                         pdb_sethexhours(hourstr, hours);
1379                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
1380                                 existing,
1381                                 mods,
1382                                 get_userattr_key2string(ldap_state->schema_ver,
1383                                                 LDAP_ATTR_LOGON_HOURS),
1384                                 hourstr);
1385                 }
1386         }
1387
1388         if (need_update(sampass, PDB_ACCTCTRL))
1389                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1390                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), 
1391                         pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1392
1393         /* password lockout cache:
1394            - If we are now autolocking or clearing, we write to ldap
1395            - If we are clearing, we delete the cache entry
1396            - If the count is > 0, we update the cache
1397
1398            This even means when autolocking, we cache, just in case the
1399            update doesn't work, and we have to cache the autolock flag */
1400
1401         if (need_update(sampass, PDB_BAD_PASSWORD_COUNT))  /* &&
1402             need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1403                 uint16 badcount = pdb_get_bad_password_count(sampass);
1404                 time_t badtime = pdb_get_bad_password_time(sampass);
1405                 uint32 pol;
1406                 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1407
1408                 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1409                         (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1410
1411                 if ((badcount >= pol) || (badcount == 0)) {
1412                         DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1413                                 (unsigned int)badcount, (unsigned int)badtime));
1414                         if (asprintf(&temp, "%li", (long)badcount) < 0) {
1415                                 return false;
1416                         }
1417                         smbldap_make_mod(
1418                                 ldap_state->smbldap_state->ldap_struct,
1419                                 existing, mods,
1420                                 get_userattr_key2string(
1421                                         ldap_state->schema_ver,
1422                                         LDAP_ATTR_BAD_PASSWORD_COUNT),
1423                                 temp);
1424                         SAFE_FREE(temp);
1425
1426                         if (asprintf(&temp, "%li", badtime) < 0) {
1427                                 return false;
1428                         }
1429                         smbldap_make_mod(
1430                                 ldap_state->smbldap_state->ldap_struct,
1431                                 existing, mods,
1432                                 get_userattr_key2string(
1433                                         ldap_state->schema_ver,
1434                                         LDAP_ATTR_BAD_PASSWORD_TIME),
1435                                 temp);
1436                         SAFE_FREE(temp);
1437                 }
1438                 if (badcount == 0) {
1439                         DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1440                         login_cache_delentry(sampass);
1441                 } else {
1442                         LOGIN_CACHE cache_entry;
1443
1444                         cache_entry.entry_timestamp = time(NULL);
1445                         cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1446                         cache_entry.bad_password_count = badcount;
1447                         cache_entry.bad_password_time = badtime;
1448
1449                         DEBUG(7, ("Updating bad password count and time in login cache\n"));
1450                         login_cache_write(sampass, cache_entry);
1451                 }
1452         }
1453
1454         return True;
1455 }
1456
1457 /**********************************************************************
1458  End enumeration of the LDAP password list.
1459 *********************************************************************/
1460
1461 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1462 {
1463         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1464         if (ldap_state->result) {
1465                 ldap_msgfree(ldap_state->result);
1466                 ldap_state->result = NULL;
1467         }
1468 }
1469
1470 static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list,
1471                         const char *new_attr)
1472 {
1473         int i;
1474
1475         if (new_attr == NULL) {
1476                 return;
1477         }
1478
1479         for (i=0; (*attr_list)[i] != NULL; i++) {
1480                 ;
1481         }
1482
1483         (*attr_list) = TALLOC_REALLOC_ARRAY(mem_ctx, (*attr_list),
1484                                             const char *,  i+2);
1485         SMB_ASSERT((*attr_list) != NULL);
1486         (*attr_list)[i] = talloc_strdup((*attr_list), new_attr);
1487         (*attr_list)[i+1] = NULL;
1488 }
1489
1490 /**********************************************************************
1491 Get struct samu entry from LDAP by username.
1492 *********************************************************************/
1493
1494 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname)
1495 {
1496         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1497         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1498         LDAPMessage *result = NULL;
1499         LDAPMessage *entry = NULL;
1500         int count;
1501         const char ** attr_list;
1502         int rc;
1503         
1504         attr_list = get_userattr_list( user, ldap_state->schema_ver );
1505         append_attr(user, &attr_list,
1506                     get_userattr_key2string(ldap_state->schema_ver,
1507                                             LDAP_ATTR_MOD_TIMESTAMP));
1508         append_attr(user, &attr_list, "uidNumber");
1509         rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
1510                                            attr_list);
1511         TALLOC_FREE( attr_list );
1512
1513         if ( rc != LDAP_SUCCESS ) 
1514                 return NT_STATUS_NO_SUCH_USER;
1515         
1516         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1517         
1518         if (count < 1) {
1519                 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1520                 ldap_msgfree(result);
1521                 return NT_STATUS_NO_SUCH_USER;
1522         } else if (count > 1) {
1523                 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1524                 ldap_msgfree(result);
1525                 return NT_STATUS_NO_SUCH_USER;
1526         }
1527
1528         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1529         if (entry) {
1530                 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1531                         DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1532                         ldap_msgfree(result);
1533                         return NT_STATUS_NO_SUCH_USER;
1534                 }
1535                 pdb_set_backend_private_data(user, result, NULL,
1536                                              my_methods, PDB_CHANGED);
1537                 talloc_autofree_ldapmsg(user, result);
1538                 ret = NT_STATUS_OK;
1539         } else {
1540                 ldap_msgfree(result);
1541         }
1542         return ret;
1543 }
1544
1545 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state, 
1546                                    const DOM_SID *sid, LDAPMessage **result) 
1547 {
1548         int rc = -1;
1549         const char ** attr_list;
1550         uint32 rid;
1551
1552         switch ( ldap_state->schema_ver ) {
1553                 case SCHEMAVER_SAMBASAMACCOUNT: {
1554                         TALLOC_CTX *tmp_ctx = talloc_new(NULL);
1555                         if (tmp_ctx == NULL) {
1556                                 return LDAP_NO_MEMORY;
1557                         }
1558
1559                         attr_list = get_userattr_list(tmp_ctx,
1560                                                       ldap_state->schema_ver);
1561                         append_attr(tmp_ctx, &attr_list,
1562                                     get_userattr_key2string(
1563                                             ldap_state->schema_ver,
1564                                             LDAP_ATTR_MOD_TIMESTAMP));
1565                         append_attr(tmp_ctx, &attr_list, "uidNumber");
1566                         rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
1567                                                           result, attr_list);
1568                         TALLOC_FREE(tmp_ctx);
1569
1570                         if ( rc != LDAP_SUCCESS ) 
1571                                 return rc;
1572                         break;
1573                 }
1574                         
1575                 case SCHEMAVER_SAMBAACCOUNT:
1576                         if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1577                                 return rc;
1578                         }
1579                 
1580                         attr_list = get_userattr_list(NULL,
1581                                                       ldap_state->schema_ver);
1582                         rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1583                         TALLOC_FREE( attr_list );
1584
1585                         if ( rc != LDAP_SUCCESS ) 
1586                                 return rc;
1587                         break;
1588         }
1589         return rc;
1590 }
1591
1592 /**********************************************************************
1593  Get struct samu entry from LDAP by SID.
1594 *********************************************************************/
1595
1596 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const DOM_SID *sid)
1597 {
1598         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1599         LDAPMessage *result = NULL;
1600         LDAPMessage *entry = NULL;
1601         int count;
1602         int rc;
1603
1604         rc = ldapsam_get_ldap_user_by_sid(ldap_state, 
1605                                           sid, &result); 
1606         if (rc != LDAP_SUCCESS)
1607                 return NT_STATUS_NO_SUCH_USER;
1608
1609         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1610         
1611         if (count < 1) {
1612                 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] "
1613                           "count=%d\n", sid_string_dbg(sid), count));
1614                 ldap_msgfree(result);
1615                 return NT_STATUS_NO_SUCH_USER;
1616         }  else if (count > 1) {
1617                 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID "
1618                           "[%s]. Failing. count=%d\n", sid_string_dbg(sid),
1619                           count));
1620                 ldap_msgfree(result);
1621                 return NT_STATUS_NO_SUCH_USER;
1622         }
1623
1624         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1625         if (!entry) {
1626                 ldap_msgfree(result);
1627                 return NT_STATUS_NO_SUCH_USER;
1628         }
1629
1630         if (!init_sam_from_ldap(ldap_state, user, entry)) {
1631                 DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1632                 ldap_msgfree(result);
1633                 return NT_STATUS_NO_SUCH_USER;
1634         }
1635
1636         pdb_set_backend_private_data(user, result, NULL,
1637                                      my_methods, PDB_CHANGED);
1638         talloc_autofree_ldapmsg(user, result);
1639         return NT_STATUS_OK;
1640 }       
1641
1642 /********************************************************************
1643  Do the actual modification - also change a plaintext passord if 
1644  it it set.
1645 **********************************************************************/
1646
1647 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, 
1648                                      struct samu *newpwd, char *dn,
1649                                      LDAPMod **mods, int ldap_op, 
1650                                      bool (*need_update)(const struct samu *, enum pdb_elements))
1651 {
1652         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1653         int rc;
1654         
1655         if (!newpwd || !dn) {
1656                 return NT_STATUS_INVALID_PARAMETER;
1657         }
1658         
1659         if (!mods) {
1660                 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1661                 /* may be password change below however */
1662         } else {
1663                 switch(ldap_op) {
1664                         case LDAP_MOD_ADD:
1665                                 if (ldap_state->is_nds_ldap) {
1666                                         smbldap_set_mod(&mods, LDAP_MOD_ADD, 
1667                                                         "objectclass", 
1668                                                         "inetOrgPerson");
1669                                 } else {
1670                                         smbldap_set_mod(&mods, LDAP_MOD_ADD, 
1671                                                         "objectclass", 
1672                                                         LDAP_OBJ_ACCOUNT);
1673                                 }
1674                                 rc = smbldap_add(ldap_state->smbldap_state, 
1675                                                  dn, mods);
1676                                 break;
1677                         case LDAP_MOD_REPLACE: 
1678                                 rc = smbldap_modify(ldap_state->smbldap_state, 
1679                                                     dn ,mods);
1680                                 break;
1681                         default:        
1682                                 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n", 
1683                                          ldap_op));
1684                                 return NT_STATUS_INVALID_PARAMETER;
1685                 }
1686                 
1687                 if (rc!=LDAP_SUCCESS) {
1688                         return NT_STATUS_UNSUCCESSFUL;
1689                 }  
1690         }
1691         
1692         if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1693                         (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1694                         need_update(newpwd, PDB_PLAINTEXT_PW) &&
1695                         (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1696                 BerElement *ber;
1697                 struct berval *bv;
1698                 char *retoid = NULL;
1699                 struct berval *retdata = NULL;
1700                 char *utf8_password;
1701                 char *utf8_dn;
1702                 size_t converted_size;
1703
1704                 if (!ldap_state->is_nds_ldap) {
1705
1706                         if (!smbldap_has_extension(ldap_state->smbldap_state->ldap_struct, 
1707                                                    LDAP_EXOP_MODIFY_PASSWD)) {
1708                                 DEBUG(2, ("ldap password change requested, but LDAP "
1709                                           "server does not support it -- ignoring\n"));
1710                                 return NT_STATUS_OK;
1711                         }
1712                 }
1713
1714                 if (!push_utf8_allocate(&utf8_password,
1715                                         pdb_get_plaintext_passwd(newpwd),
1716                                         &converted_size))
1717                 {
1718                         return NT_STATUS_NO_MEMORY;
1719                 }
1720
1721                 if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
1722                         SAFE_FREE(utf8_password);
1723                         return NT_STATUS_NO_MEMORY;
1724                 }
1725
1726                 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1727                         DEBUG(0,("ber_alloc_t returns NULL\n"));
1728                         SAFE_FREE(utf8_password);
1729                         SAFE_FREE(utf8_dn);
1730                         return NT_STATUS_UNSUCCESSFUL;
1731                 }
1732
1733                 if ((ber_printf (ber, "{") < 0) ||
1734                     (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn) < 0) ||
1735                     (ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password) < 0) ||
1736                     (ber_printf (ber, "n}") < 0)) {
1737                         DEBUG(0,("ldapsam_modify_entry: ber_printf returns a value <0\n"));
1738                        ber_free(ber,1);
1739                        SAFE_FREE(utf8_dn);
1740                        SAFE_FREE(utf8_password);
1741                        return NT_STATUS_UNSUCCESSFUL;
1742                 }
1743
1744                 if ((rc = ber_flatten (ber, &bv))<0) {
1745                         DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1746                         ber_free(ber,1);
1747                         SAFE_FREE(utf8_dn);
1748                         SAFE_FREE(utf8_password);
1749                         return NT_STATUS_UNSUCCESSFUL;
1750                 }
1751                 
1752                 SAFE_FREE(utf8_dn);
1753                 SAFE_FREE(utf8_password);
1754                 ber_free(ber, 1);
1755
1756                 if (!ldap_state->is_nds_ldap) {
1757                         rc = smbldap_extended_operation(ldap_state->smbldap_state, 
1758                                                         LDAP_EXOP_MODIFY_PASSWD,
1759                                                         bv, NULL, NULL, &retoid, 
1760                                                         &retdata);
1761                 } else {
1762                         rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
1763                                                         pdb_get_plaintext_passwd(newpwd));
1764                 }
1765                 if (rc != LDAP_SUCCESS) {
1766                         char *ld_error = NULL;
1767
1768                         if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1769                                 DEBUG(3, ("Could not set userPassword "
1770                                           "attribute due to an objectClass "
1771                                           "violation -- ignoring\n"));
1772                                 ber_bvfree(bv);
1773                                 return NT_STATUS_OK;
1774                         }
1775
1776                         ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1777                                         &ld_error);
1778                         DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1779                                 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1780                         SAFE_FREE(ld_error);
1781                         ber_bvfree(bv);
1782 #if defined(LDAP_CONSTRAINT_VIOLATION)
1783                         if (rc == LDAP_CONSTRAINT_VIOLATION)
1784                                 return NT_STATUS_PASSWORD_RESTRICTION;
1785 #endif
1786                         return NT_STATUS_UNSUCCESSFUL;
1787                 } else {
1788                         DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1789 #ifdef DEBUG_PASSWORD
1790                         DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1791 #endif    
1792                         if (retdata)
1793                                 ber_bvfree(retdata);
1794                         if (retoid)
1795                                 ldap_memfree(retoid);
1796                 }
1797                 ber_bvfree(bv);
1798         }
1799         return NT_STATUS_OK;
1800 }
1801
1802 /**********************************************************************
1803  Delete entry from LDAP for username.
1804 *********************************************************************/
1805
1806 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
1807                                            struct samu * sam_acct)
1808 {
1809         struct ldapsam_privates *priv =
1810                 (struct ldapsam_privates *)my_methods->private_data;
1811         const char *sname;
1812         int rc;
1813         LDAPMessage *msg, *entry;
1814         NTSTATUS result = NT_STATUS_NO_MEMORY;
1815         const char **attr_list;
1816         TALLOC_CTX *mem_ctx;
1817
1818         if (!sam_acct) {
1819                 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1820                 return NT_STATUS_INVALID_PARAMETER;
1821         }
1822
1823         sname = pdb_get_username(sam_acct);
1824
1825         DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
1826                   "LDAP.\n", sname));
1827
1828         mem_ctx = talloc_new(NULL);
1829         if (mem_ctx == NULL) {
1830                 DEBUG(0, ("talloc_new failed\n"));
1831                 goto done;
1832         }
1833
1834         attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
1835         if (attr_list == NULL) {
1836                 goto done;
1837         }
1838
1839         rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
1840
1841         if ((rc != LDAP_SUCCESS) ||
1842             (ldap_count_entries(priv2ld(priv), msg) != 1) ||
1843             ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
1844                 DEBUG(5, ("Could not find user %s\n", sname));
1845                 result = NT_STATUS_NO_SUCH_USER;
1846                 goto done;
1847         }
1848         
1849         rc = ldapsam_delete_entry(
1850                 priv, mem_ctx, entry,
1851                 priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
1852                 LDAP_OBJ_SAMBASAMACCOUNT : LDAP_OBJ_SAMBAACCOUNT,
1853                 attr_list);
1854
1855         result = (rc == LDAP_SUCCESS) ?
1856                 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1857
1858  done:
1859         TALLOC_FREE(mem_ctx);
1860         return result;
1861 }
1862
1863 /**********************************************************************
1864  Helper function to determine for update_sam_account whether
1865  we need LDAP modification.
1866 *********************************************************************/
1867
1868 static bool element_is_changed(const struct samu *sampass,
1869                                enum pdb_elements element)
1870 {
1871         return IS_SAM_CHANGED(sampass, element);
1872 }
1873
1874 /**********************************************************************
1875  Update struct samu.
1876 *********************************************************************/
1877
1878 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
1879 {
1880         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1881         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1882         int rc = 0;
1883         char *dn;
1884         LDAPMessage *result = NULL;
1885         LDAPMessage *entry = NULL;
1886         LDAPMod **mods = NULL;
1887         const char **attr_list;
1888
1889         result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
1890         if (!result) {
1891                 attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1892                 if (pdb_get_username(newpwd) == NULL) {
1893                         return NT_STATUS_INVALID_PARAMETER;
1894                 }
1895                 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1896                 TALLOC_FREE( attr_list );
1897                 if (rc != LDAP_SUCCESS) {
1898                         return NT_STATUS_UNSUCCESSFUL;
1899                 }
1900                 pdb_set_backend_private_data(newpwd, result, NULL,
1901                                              my_methods, PDB_CHANGED);
1902                 talloc_autofree_ldapmsg(newpwd, result);
1903         }
1904
1905         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1906                 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1907                 return NT_STATUS_UNSUCCESSFUL;
1908         }
1909
1910         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1911         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1912         if (!dn) {
1913                 return NT_STATUS_UNSUCCESSFUL;
1914         }
1915
1916         DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1917
1918         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1919                                 element_is_changed)) {
1920                 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1921                 SAFE_FREE(dn);
1922                 if (mods != NULL)
1923                         ldap_mods_free(mods,True);
1924                 return NT_STATUS_UNSUCCESSFUL;
1925         }
1926
1927         if ((lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_ONLY)
1928             && (mods == NULL)) {
1929                 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1930                          pdb_get_username(newpwd)));
1931                 SAFE_FREE(dn);
1932                 return NT_STATUS_OK;
1933         }
1934         
1935         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1936
1937         if (mods != NULL) {
1938                 ldap_mods_free(mods,True);
1939         }
1940
1941         SAFE_FREE(dn);
1942
1943         /*
1944          * We need to set the backend private data to NULL here. For example
1945          * setuserinfo level 25 does a pdb_update_sam_account twice on the
1946          * same one, and with the explicit delete / add logic for attribute
1947          * values the second time we would use the wrong "old" value which
1948          * does not exist in LDAP anymore. Thus the LDAP server would refuse
1949          * the update.
1950          * The existing LDAPMessage is still being auto-freed by the
1951          * destructor.
1952          */
1953         pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
1954                                      PDB_CHANGED);
1955
1956         if (!NT_STATUS_IS_OK(ret)) {
1957                 return ret;
1958         }
1959
1960         DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1961                   pdb_get_username(newpwd)));
1962         return NT_STATUS_OK;
1963 }
1964
1965 /***************************************************************************
1966  Renames a struct samu
1967  - The "rename user script" has full responsibility for changing everything
1968 ***************************************************************************/
1969
1970 static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
1971                                            struct samu *old_acct,
1972                                            const char *newname)
1973 {
1974         const char *oldname;
1975         int rc;
1976         char *rename_script = NULL;
1977         fstring oldname_lower, newname_lower;
1978
1979         if (!old_acct) {
1980                 DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
1981                 return NT_STATUS_INVALID_PARAMETER;
1982         }
1983         if (!newname) {
1984                 DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
1985                 return NT_STATUS_INVALID_PARAMETER;
1986         }
1987
1988         oldname = pdb_get_username(old_acct);
1989
1990         /* rename the posix user */
1991         rename_script = SMB_STRDUP(lp_renameuser_script());
1992         if (rename_script == NULL) {
1993                 return NT_STATUS_NO_MEMORY;
1994         }
1995
1996         if (!(*rename_script)) {
1997                 SAFE_FREE(rename_script);
1998                 return NT_STATUS_ACCESS_DENIED;
1999         }
2000
2001         DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
2002                    oldname, newname));
2003
2004         /* We have to allow the account name to end with a '$'.
2005            Also, follow the semantics in _samr_create_user() and lower case the
2006            posix name but preserve the case in passdb */
2007
2008         fstrcpy( oldname_lower, oldname );
2009         strlower_m( oldname_lower );
2010         fstrcpy( newname_lower, newname );
2011         strlower_m( newname_lower );
2012         rename_script = realloc_string_sub2(rename_script,
2013                                         "%unew",
2014                                         newname_lower,
2015                                         true,
2016                                         true);
2017         if (rename_script) {
2018                 return NT_STATUS_NO_MEMORY;
2019         }
2020         rename_script = realloc_string_sub2(rename_script,
2021                                         "%uold",
2022                                         oldname_lower,
2023                                         true,
2024                                         true);
2025         rc = smbrun(rename_script, NULL);
2026
2027         DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
2028                           rename_script, rc));
2029
2030         SAFE_FREE(rename_script);
2031
2032         if (rc == 0) {
2033                 smb_nscd_flush_user_cache();
2034         }
2035
2036         if (rc)
2037                 return NT_STATUS_UNSUCCESSFUL;
2038
2039         return NT_STATUS_OK;
2040 }
2041
2042 /**********************************************************************
2043  Helper function to determine for update_sam_account whether
2044  we need LDAP modification.
2045  *********************************************************************/
2046
2047 static bool element_is_set_or_changed(const struct samu *sampass,
2048                                       enum pdb_elements element)
2049 {
2050         return (IS_SAM_SET(sampass, element) ||
2051                 IS_SAM_CHANGED(sampass, element));
2052 }
2053
2054 /**********************************************************************
2055  Add struct samu to LDAP.
2056 *********************************************************************/
2057
2058 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
2059 {
2060         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2061         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2062         int rc;
2063         LDAPMessage     *result = NULL;
2064         LDAPMessage     *entry  = NULL;
2065         LDAPMod         **mods = NULL;
2066         int             ldap_op = LDAP_MOD_REPLACE;
2067         uint32          num_result;
2068         const char      **attr_list;
2069         char *escape_user = NULL;
2070         const char      *username = pdb_get_username(newpwd);
2071         const DOM_SID   *sid = pdb_get_user_sid(newpwd);
2072         char *filter = NULL;
2073         char *dn = NULL;
2074         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2075         TALLOC_CTX *ctx = talloc_init("ldapsam_add_sam_account");
2076
2077         if (!ctx) {
2078                 return NT_STATUS_NO_MEMORY;
2079         }
2080
2081         if (!username || !*username) {
2082                 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
2083                 status = NT_STATUS_INVALID_PARAMETER;
2084                 goto fn_exit;
2085         }
2086
2087         /* free this list after the second search or in case we exit on failure */
2088         attr_list = get_userattr_list(ctx, ldap_state->schema_ver);
2089
2090         rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
2091
2092         if (rc != LDAP_SUCCESS) {
2093                 goto fn_exit;
2094         }
2095
2096         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2097                 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n", 
2098                          username));
2099                 goto fn_exit;
2100         }
2101         ldap_msgfree(result);
2102         result = NULL;
2103
2104         if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
2105                 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
2106                                                   sid, &result);
2107                 if (rc == LDAP_SUCCESS) {
2108                         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2109                                 DEBUG(0,("ldapsam_add_sam_account: SID '%s' "
2110                                          "already in the base, with samba "
2111                                          "attributes\n", sid_string_dbg(sid)));
2112                                 goto fn_exit;
2113                         }
2114                         ldap_msgfree(result);
2115                         result = NULL;
2116                 }
2117         }
2118
2119         /* does the entry already exist but without a samba attributes?
2120            we need to return the samba attributes here */
2121
2122         escape_user = escape_ldap_string_alloc( username );
2123         filter = talloc_strdup(attr_list, "(uid=%u)");
2124         if (!filter) {
2125                 status = NT_STATUS_NO_MEMORY;
2126                 goto fn_exit;
2127         }
2128         filter = talloc_all_string_sub(attr_list, filter, "%u", escape_user);
2129         if (!filter) {
2130                 status = NT_STATUS_NO_MEMORY;
2131                 goto fn_exit;
2132         }
2133         SAFE_FREE(escape_user);
2134
2135         rc = smbldap_search_suffix(ldap_state->smbldap_state,
2136                                    filter, attr_list, &result);
2137         if ( rc != LDAP_SUCCESS ) {
2138                 goto fn_exit;
2139         }
2140
2141         num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2142
2143         if (num_result > 1) {
2144                 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
2145                 goto fn_exit;
2146         }
2147
2148         /* Check if we need to update an existing entry */
2149         if (num_result == 1) {
2150                 char *tmp;
2151
2152                 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2153                 ldap_op = LDAP_MOD_REPLACE;
2154                 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2155                 tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2156                 if (!tmp) {
2157                         goto fn_exit;
2158                 }
2159                 dn = talloc_asprintf(ctx, "%s", tmp);
2160                 SAFE_FREE(tmp);
2161                 if (!dn) {
2162                         status = NT_STATUS_NO_MEMORY;
2163                         goto fn_exit;
2164                 }
2165
2166         } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
2167
2168                 /* There might be a SID for this account already - say an idmap entry */
2169
2170                 filter = talloc_asprintf(ctx,
2171                                 "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
2172                                  get_userattr_key2string(ldap_state->schema_ver,
2173                                          LDAP_ATTR_USER_SID),
2174                                  sid_string_talloc(ctx, sid),
2175                                  LDAP_OBJ_IDMAP_ENTRY,
2176                                  LDAP_OBJ_SID_ENTRY);
2177                 if (!filter) {
2178                         status = NT_STATUS_NO_MEMORY;
2179                         goto fn_exit;
2180                 }
2181
2182                 /* free old result before doing a new search */
2183                 if (result != NULL) {
2184                         ldap_msgfree(result);
2185                         result = NULL;
2186                 }
2187                 rc = smbldap_search_suffix(ldap_state->smbldap_state,
2188                                            filter, attr_list, &result);
2189
2190                 if ( rc != LDAP_SUCCESS ) {
2191                         goto fn_exit;
2192                 }
2193
2194                 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2195
2196                 if (num_result > 1) {
2197                         DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
2198                         goto fn_exit;
2199                 }
2200
2201                 /* Check if we need to update an existing entry */
2202                 if (num_result == 1) {
2203                         char *tmp;
2204
2205                         DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2206                         ldap_op = LDAP_MOD_REPLACE;
2207                         entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2208                         tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
2209                         if (!tmp) {
2210                                 goto fn_exit;
2211                         }
2212                         dn = talloc_asprintf(ctx, "%s", tmp);
2213                         SAFE_FREE(tmp);
2214                         if (!dn) {
2215                                 status = NT_STATUS_NO_MEMORY;
2216                                 goto fn_exit;
2217                         }
2218                 }
2219         }
2220
2221         if (num_result == 0) {
2222                 char *escape_username;
2223                 /* Check if we need to add an entry */
2224                 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
2225                 ldap_op = LDAP_MOD_ADD;
2226
2227                 escape_username = escape_rdn_val_string_alloc(username);
2228                 if (!escape_username) {
2229                         status = NT_STATUS_NO_MEMORY;
2230                         goto fn_exit;
2231                 }
2232
2233                 if (username[strlen(username)-1] == '$') {
2234                         dn = talloc_asprintf(ctx,
2235                                         "uid=%s,%s",
2236                                         escape_username,
2237                                         lp_ldap_machine_suffix());
2238                 } else {
2239                         dn = talloc_asprintf(ctx,
2240                                         "uid=%s,%s",
2241                                         escape_username,
2242                                         lp_ldap_user_suffix());
2243                 }
2244
2245                 SAFE_FREE(escape_username);
2246                 if (!dn) {
2247                         status = NT_STATUS_NO_MEMORY;
2248                         goto fn_exit;
2249                 }
2250         }
2251
2252         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2253                                 element_is_set_or_changed)) {
2254                 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2255                 if (mods != NULL) {
2256                         ldap_mods_free(mods, true);
2257                 }
2258                 goto fn_exit;
2259         }
2260
2261         if (mods == NULL) {
2262                 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2263                 goto fn_exit;
2264         }
2265         switch ( ldap_state->schema_ver ) {
2266                 case SCHEMAVER_SAMBAACCOUNT:
2267                         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
2268                         break;
2269                 case SCHEMAVER_SAMBASAMACCOUNT:
2270                         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2271                         break;
2272                 default:
2273                         DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2274                         break;
2275         }
2276
2277         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
2278         if (!NT_STATUS_IS_OK(ret)) {
2279                 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
2280                          pdb_get_username(newpwd),dn));
2281                 ldap_mods_free(mods, true);
2282                 goto fn_exit;
2283         }
2284
2285         DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2286         ldap_mods_free(mods, true);
2287
2288         status = NT_STATUS_OK;
2289
2290   fn_exit:
2291
2292         TALLOC_FREE(ctx);
2293         SAFE_FREE(escape_user);
2294         if (result) {
2295                 ldap_msgfree(result);
2296         }
2297         return status;
2298 }
2299
2300 /**********************************************************************
2301  *********************************************************************/
2302
2303 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2304                                      const char *filter,
2305                                      LDAPMessage ** result)
2306 {
2307         int scope = LDAP_SCOPE_SUBTREE;
2308         int rc;
2309         const char **attr_list;
2310
2311         attr_list = get_attr_list(NULL, groupmap_attr_list);
2312         rc = smbldap_search(ldap_state->smbldap_state,
2313                             lp_ldap_group_suffix (), scope,
2314                             filter, attr_list, 0, result);
2315         TALLOC_FREE(attr_list);
2316
2317         return rc;
2318 }
2319
2320 /**********************************************************************
2321  *********************************************************************/
2322
2323 static bool init_group_from_ldap(struct ldapsam_privates *ldap_state,
2324                                  GROUP_MAP *map, LDAPMessage *entry)
2325 {
2326         char *temp = NULL;
2327         TALLOC_CTX *ctx = talloc_init("init_group_from_ldap");
2328
2329         if (ldap_state == NULL || map == NULL || entry == NULL ||
2330                         ldap_state->smbldap_state->ldap_struct == NULL) {
2331                 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2332                 TALLOC_FREE(ctx);
2333                 return false;
2334         }
2335
2336         temp = smbldap_talloc_single_attribute(
2337                         ldap_state->smbldap_state->ldap_struct,
2338                         entry,
2339                         get_attr_key2string(groupmap_attr_list,
2340                                 LDAP_ATTR_GIDNUMBER),
2341                         ctx);
2342         if (!temp) {
2343                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n", 
2344                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2345                 TALLOC_FREE(ctx);
2346                 return false;
2347         }
2348         DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2349
2350         map->gid = (gid_t)atol(temp);
2351
2352         TALLOC_FREE(temp);
2353         temp = smbldap_talloc_single_attribute(
2354                         ldap_state->smbldap_state->ldap_struct,
2355                         entry,
2356                         get_attr_key2string(groupmap_attr_list,
2357                                 LDAP_ATTR_GROUP_SID),
2358                         ctx);
2359         if (!temp) {
2360                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2361                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2362                 TALLOC_FREE(ctx);
2363                 return false;
2364         }
2365
2366         if (!string_to_sid(&map->sid, temp)) {
2367                 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2368                 TALLOC_FREE(ctx);
2369                 return false;
2370         }
2371
2372         TALLOC_FREE(temp);
2373         temp = smbldap_talloc_single_attribute(
2374                         ldap_state->smbldap_state->ldap_struct,
2375                         entry,
2376                         get_attr_key2string(groupmap_attr_list,
2377                                 LDAP_ATTR_GROUP_TYPE),
2378                         ctx);
2379         if (!temp) {
2380                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2381                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2382                 TALLOC_FREE(ctx);
2383                 return false;
2384         }
2385         map->sid_name_use = (enum lsa_SidType)atol(temp);
2386
2387         if ((map->sid_name_use < SID_NAME_USER) ||
2388                         (map->sid_name_use > SID_NAME_UNKNOWN)) {
2389                 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2390                 TALLOC_FREE(ctx);
2391                 return false;
2392         }
2393
2394         TALLOC_FREE(temp);
2395         temp = smbldap_talloc_single_attribute(
2396                         ldap_state->smbldap_state->ldap_struct,
2397                         entry,
2398                         get_attr_key2string(groupmap_attr_list,
2399                                 LDAP_ATTR_DISPLAY_NAME),
2400                         ctx);
2401         if (!temp) {
2402                 temp = smbldap_talloc_single_attribute(
2403                                 ldap_state->smbldap_state->ldap_struct,
2404                                 entry,
2405                                 get_attr_key2string(groupmap_attr_list,
2406                                         LDAP_ATTR_CN),
2407                                 ctx);
2408                 if (!temp) {
2409                         DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2410 for gidNumber(%lu)\n",(unsigned long)map->gid));
2411                         TALLOC_FREE(ctx);
2412                         return false;
2413                 }
2414         }
2415         fstrcpy(map->nt_name, temp);
2416
2417         TALLOC_FREE(temp);
2418         temp = smbldap_talloc_single_attribute(
2419                         ldap_state->smbldap_state->ldap_struct,
2420                         entry,
2421                         get_attr_key2string(groupmap_attr_list,
2422                                 LDAP_ATTR_DESC),
2423                         ctx);
2424         if (!temp) {
2425                 temp = talloc_strdup(ctx, "");
2426                 if (!temp) {
2427                         TALLOC_FREE(ctx);
2428                         return false;
2429                 }
2430         }
2431         fstrcpy(map->comment, temp);
2432
2433         if (lp_parm_bool(-1, "ldapsam", "trusted", false)) {
2434                 store_gid_sid_cache(&map->sid, map->gid);
2435         }
2436
2437         TALLOC_FREE(ctx);
2438         return true;
2439 }
2440
2441 /**********************************************************************
2442  *********************************************************************/
2443
2444 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2445                                  const char *filter,
2446                                  GROUP_MAP *map)
2447 {
2448         struct ldapsam_privates *ldap_state =
2449                 (struct ldapsam_privates *)methods->private_data;
2450         LDAPMessage *result = NULL;
2451         LDAPMessage *entry = NULL;
2452         int count;
2453
2454         if (ldapsam_search_one_group(ldap_state, filter, &result)
2455             != LDAP_SUCCESS) {
2456                 return NT_STATUS_NO_SUCH_GROUP;
2457         }
2458
2459         count = ldap_count_entries(priv2ld(ldap_state), result);
2460
2461         if (count < 1) {
2462                 DEBUG(4, ("ldapsam_getgroup: Did not find group, filter was "
2463                           "%s\n", filter));
2464                 ldap_msgfree(result);
2465                 return NT_STATUS_NO_SUCH_GROUP;
2466         }
2467
2468         if (count > 1) {
2469                 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2470                           "count=%d\n", filter, count));
2471                 ldap_msgfree(result);
2472                 return NT_STATUS_NO_SUCH_GROUP;
2473         }
2474
2475         entry = ldap_first_entry(priv2ld(ldap_state), result);
2476
2477         if (!entry) {
2478                 ldap_msgfree(result);
2479                 return NT_STATUS_UNSUCCESSFUL;
2480         }
2481
2482         if (!init_group_from_ldap(ldap_state, map, entry)) {
2483                 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
2484                           "group filter %s\n", filter));
2485                 ldap_msgfree(result);
2486                 return NT_STATUS_NO_SUCH_GROUP;
2487         }
2488
2489         ldap_msgfree(result);
2490         return NT_STATUS_OK;
2491 }
2492
2493 /**********************************************************************
2494  *********************************************************************/
2495
2496 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2497                                  DOM_SID sid)
2498 {
2499         char *filter = NULL;
2500         NTSTATUS status;
2501         fstring tmp;
2502
2503         if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
2504                 LDAP_OBJ_GROUPMAP,
2505                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2506                 sid_to_fstring(tmp, &sid)) < 0) {
2507                 return NT_STATUS_NO_MEMORY;
2508         }
2509
2510         status = ldapsam_getgroup(methods, filter, map);
2511         SAFE_FREE(filter);
2512         return status;
2513 }
2514
2515 /**********************************************************************
2516  *********************************************************************/
2517
2518 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2519                                  gid_t gid)
2520 {
2521         char *filter = NULL;
2522         NTSTATUS status;
2523
2524         if (asprintf(&filter, "(&(objectClass=%s)(%s=%lu))",
2525                 LDAP_OBJ_GROUPMAP,
2526                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2527                 (unsigned long)gid) < 0) {
2528                 return NT_STATUS_NO_MEMORY;
2529         }
2530
2531         status = ldapsam_getgroup(methods, filter, map);
2532         SAFE_FREE(filter);
2533         return status;
2534 }
2535
2536 /**********************************************************************
2537  *********************************************************************/
2538
2539 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2540                                  const char *name)
2541 {
2542         char *filter = NULL;
2543         char *escape_name = escape_ldap_string_alloc(name);
2544         NTSTATUS status;
2545
2546         if (!escape_name) {
2547                 return NT_STATUS_NO_MEMORY;
2548         }
2549
2550         if (asprintf(&filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2551                 LDAP_OBJ_GROUPMAP,
2552                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2553                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN),
2554                 escape_name) < 0) {
2555                 SAFE_FREE(escape_name);
2556                 return NT_STATUS_NO_MEMORY;
2557         }
2558
2559         SAFE_FREE(escape_name);
2560         status = ldapsam_getgroup(methods, filter, map);
2561         SAFE_FREE(filter);
2562         return status;
2563 }
2564
2565 static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
2566                                            LDAPMessage *entry,
2567                                            const DOM_SID *domain_sid,
2568                                            uint32 *rid)
2569 {
2570         fstring str;
2571         DOM_SID sid;
2572
2573         if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
2574                                           str, sizeof(str)-1)) {
2575                 DEBUG(10, ("Could not find sambaSID attribute\n"));
2576                 return False;
2577         }
2578
2579         if (!string_to_sid(&sid, str)) {
2580                 DEBUG(10, ("Could not convert string %s to sid\n", str));
2581                 return False;
2582         }
2583
2584         if (sid_compare_domain(&sid, domain_sid) != 0) {
2585                 DEBUG(10, ("SID %s is not in expected domain %s\n",
2586                            str, sid_string_dbg(domain_sid)));
2587                 return False;
2588         }
2589
2590         if (!sid_peek_rid(&sid, rid)) {
2591                 DEBUG(10, ("Could not peek into RID\n"));
2592                 return False;
2593         }
2594
2595         return True;
2596 }
2597
2598 static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
2599                                            TALLOC_CTX *mem_ctx,
2600                                            const DOM_SID *group,
2601                                            uint32 **pp_member_rids,
2602                                            size_t *p_num_members)
2603 {
2604         struct ldapsam_privates *ldap_state =
2605                 (struct ldapsam_privates *)methods->private_data;
2606         struct smbldap_state *conn = ldap_state->smbldap_state;
2607         const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
2608         const char *sid_attrs[] = { "sambaSID", NULL };
2609         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2610         LDAPMessage *result = NULL;
2611         LDAPMessage *entry;
2612         char *filter;
2613         char **values = NULL;
2614         char **memberuid;
2615         char *gidstr;
2616         int rc, count;
2617
2618         *pp_member_rids = NULL;
2619         *p_num_members = 0;
2620
2621         filter = talloc_asprintf(mem_ctx,
2622                                  "(&(objectClass=%s)"
2623                                  "(objectClass=%s)"
2624                                  "(sambaSID=%s))",
2625                                  LDAP_OBJ_POSIXGROUP,
2626                                  LDAP_OBJ_GROUPMAP,
2627                                  sid_string_talloc(mem_ctx, group));
2628         if (filter == NULL) {
2629                 ret = NT_STATUS_NO_MEMORY;
2630                 goto done;
2631         }
2632
2633         rc = smbldap_search(conn, lp_ldap_group_suffix(),
2634                             LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
2635                             &result);
2636
2637         if (rc != LDAP_SUCCESS)
2638                 goto done;
2639
2640         talloc_autofree_ldapmsg(mem_ctx, result);
2641
2642         count = ldap_count_entries(conn->ldap_struct, result);
2643
2644         if (count > 1) {
2645                 DEBUG(1, ("Found more than one groupmap entry for %s\n",
2646                           sid_string_dbg(group)));
2647                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2648                 goto done;
2649         }
2650
2651         if (count == 0) {
2652                 ret = NT_STATUS_NO_SUCH_GROUP;
2653                 goto done;
2654         }
2655
2656         entry = ldap_first_entry(conn->ldap_struct, result);
2657         if (entry == NULL)
2658                 goto done;
2659
2660         gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2661         if (!gidstr) {
2662                 DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
2663                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2664                 goto done;
2665         }
2666
2667         values = ldap_get_values(conn->ldap_struct, entry, "memberUid");
2668
2669         if (values) {
2670
2671                 filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
2672                 if (filter == NULL) {
2673                         ret = NT_STATUS_NO_MEMORY;
2674                         goto done;
2675                 }
2676
2677                 for (memberuid = values; *memberuid != NULL; memberuid += 1) {
2678                         char *escape_memberuid;
2679
2680                         escape_memberuid = escape_ldap_string_alloc(*memberuid);
2681                         if (escape_memberuid == NULL) {
2682                                 ret = NT_STATUS_NO_MEMORY;
2683                                 goto done;
2684                         }
2685                         
2686                         filter = talloc_asprintf_append_buffer(filter, "(uid=%s)", escape_memberuid);
2687                         if (filter == NULL) {
2688                                 SAFE_FREE(escape_memberuid);
2689                                 ret = NT_STATUS_NO_MEMORY;
2690                                 goto done;
2691                         }
2692
2693                         SAFE_FREE(escape_memberuid);
2694                 }
2695
2696                 filter = talloc_asprintf_append_buffer(filter, "))");
2697                 if (filter == NULL) {
2698                         ret = NT_STATUS_NO_MEMORY;
2699                         goto done;
2700                 }
2701
2702                 rc = smbldap_search(conn, lp_ldap_suffix(),
2703                                     LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2704                                     &result);
2705
2706                 if (rc != LDAP_SUCCESS)
2707                         goto done;
2708
2709                 count = ldap_count_entries(conn->ldap_struct, result);
2710                 DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
2711
2712                 talloc_autofree_ldapmsg(mem_ctx, result);
2713
2714                 for (entry = ldap_first_entry(conn->ldap_struct, result);
2715                      entry != NULL;
2716                      entry = ldap_next_entry(conn->ldap_struct, entry))
2717                 {
2718                         char *sidstr;
2719                         DOM_SID sid;
2720                         uint32 rid;
2721
2722                         sidstr = smbldap_talloc_single_attribute(conn->ldap_struct,
2723                                                                  entry, "sambaSID",
2724                                                                  mem_ctx);
2725                         if (!sidstr) {
2726                                 DEBUG(0, ("Severe DB error, %s can't miss the sambaSID"
2727                                           "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
2728                                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2729                                 goto done;
2730                         }
2731
2732                         if (!string_to_sid(&sid, sidstr))
2733                                 goto done;
2734
2735                         if (!sid_check_is_in_our_domain(&sid)) {
2736                                 DEBUG(0, ("Inconsistent SAM -- group member uid not "
2737                                           "in our domain\n"));
2738                                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2739                                 goto done;
2740                         }
2741
2742                         sid_peek_rid(&sid, &rid);
2743
2744                         if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2745                                                 p_num_members)) {
2746                                 ret = NT_STATUS_NO_MEMORY;
2747                                 goto done;
2748                         }
2749                 }
2750         }
2751
2752         filter = talloc_asprintf(mem_ctx,
2753                                  "(&(objectClass=%s)"
2754                                  "(gidNumber=%s))",
2755                                  LDAP_OBJ_SAMBASAMACCOUNT,
2756                                  gidstr);
2757
2758         rc = smbldap_search(conn, lp_ldap_suffix(),
2759                             LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2760                             &result);
2761
2762         if (rc != LDAP_SUCCESS)
2763                 goto done;
2764
2765         talloc_autofree_ldapmsg(mem_ctx, result);
2766
2767         for (entry = ldap_first_entry(conn->ldap_struct, result);
2768              entry != NULL;
2769              entry = ldap_next_entry(conn->ldap_struct, entry))
2770         {
2771                 uint32 rid;
2772
2773                 if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
2774                                                     entry,
2775                                                     get_global_sam_sid(),
2776                                                     &rid)) {
2777                         DEBUG(0, ("Severe DB error, %s can't miss the samba SID"                                                                "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
2778                         ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2779                         goto done;
2780                 }
2781
2782                 if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2783                                         p_num_members)) {
2784                         ret = NT_STATUS_NO_MEMORY;
2785                         goto done;
2786                 }
2787         }
2788
2789         ret = NT_STATUS_OK;
2790         
2791  done:
2792
2793         if (values)
2794                 ldap_value_free(values);
2795
2796         return ret;
2797 }
2798
2799 static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2800                                                TALLOC_CTX *mem_ctx,
2801                                                struct samu *user,
2802                                                DOM_SID **pp_sids,
2803                                                gid_t **pp_gids,
2804                                                size_t *p_num_groups)
2805 {
2806         struct ldapsam_privates *ldap_state =
2807                 (struct ldapsam_privates *)methods->private_data;
2808         struct smbldap_state *conn = ldap_state->smbldap_state;
2809         char *filter;
2810         const char *attrs[] = { "gidNumber", "sambaSID", NULL };
2811         char *escape_name;
2812         int rc, count;
2813         LDAPMessage *result = NULL;
2814         LDAPMessage *entry;
2815         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2816         size_t num_sids, num_gids;
2817         char *gidstr;
2818         gid_t primary_gid = -1;
2819
2820         *pp_sids = NULL;
2821         num_sids = 0;
2822
2823         if (pdb_get_username(user) == NULL) {
2824                 return NT_STATUS_INVALID_PARAMETER;
2825         }
2826
2827         escape_name = escape_ldap_string_alloc(pdb_get_username(user));
2828         if (escape_name == NULL)
2829                 return NT_STATUS_NO_MEMORY;
2830
2831         /* retrieve the users primary gid */
2832         filter = talloc_asprintf(mem_ctx,
2833                                  "(&(objectClass=%s)(uid=%s))",
2834                                  LDAP_OBJ_SAMBASAMACCOUNT,
2835                                  escape_name);
2836         if (filter == NULL) {
2837                 ret = NT_STATUS_NO_MEMORY;
2838                 goto done;
2839         }
2840
2841         rc = smbldap_search(conn, lp_ldap_suffix(),
2842                             LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2843
2844         if (rc != LDAP_SUCCESS)
2845                 goto done;
2846
2847         talloc_autofree_ldapmsg(mem_ctx, result);
2848
2849         count = ldap_count_entries(priv2ld(ldap_state), result);
2850
2851         switch (count) {
2852         case 0: 
2853                 DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
2854                 ret = NT_STATUS_NO_SUCH_USER;
2855                 goto done;
2856         case 1:
2857                 entry = ldap_first_entry(priv2ld(ldap_state), result);
2858
2859                 gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2860                 if (!gidstr) {
2861                         DEBUG (1, ("Unable to find the member's gid!\n"));
2862                         ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2863                         goto done;
2864                 }
2865                 primary_gid = strtoul(gidstr, NULL, 10);
2866                 break;
2867         default:
2868                 DEBUG(1, ("found more than one account with the same user name ?!\n"));
2869                 ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2870                 goto done;
2871         }
2872
2873         filter = talloc_asprintf(mem_ctx,
2874                                  "(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%d)))",
2875                                  LDAP_OBJ_POSIXGROUP, escape_name, primary_gid);
2876         if (filter == NULL) {
2877                 ret = NT_STATUS_NO_MEMORY;
2878                 goto done;
2879         }
2880
2881         rc = smbldap_search(conn, lp_ldap_group_suffix(),
2882                             LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2883
2884         if (rc != LDAP_SUCCESS)
2885                 goto done;
2886
2887         talloc_autofree_ldapmsg(mem_ctx, result);
2888
2889         num_gids = 0;
2890         *pp_gids = NULL;
2891
2892         num_sids = 0;
2893         *pp_sids = NULL;
2894
2895         /* We need to add the primary group as the first gid/sid */
2896
2897         if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) {
2898                 ret = NT_STATUS_NO_MEMORY;
2899                 goto done;
2900         }
2901
2902         /* This sid will be replaced later */
2903
2904         ret = add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids,
2905                                       &num_sids);
2906         if (!NT_STATUS_IS_OK(ret)) {
2907                 goto done;
2908         }
2909
2910         for (entry = ldap_first_entry(conn->ldap_struct, result);
2911              entry != NULL;
2912              entry = ldap_next_entry(conn->ldap_struct, entry))
2913         {
2914                 fstring str;
2915                 DOM_SID sid;
2916                 gid_t gid;
2917                 char *end;
2918
2919                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2920                                                   entry, "sambaSID",
2921                                                   str, sizeof(str)-1))
2922                         continue;
2923
2924                 if (!string_to_sid(&sid, str))
2925                         goto done;
2926
2927                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2928                                                   entry, "gidNumber",
2929                                                   str, sizeof(str)-1))
2930                         continue;
2931
2932                 gid = strtoul(str, &end, 10);
2933
2934                 if (PTR_DIFF(end, str) != strlen(str))
2935                         goto done;
2936
2937                 if (gid == primary_gid) {
2938                         sid_copy(&(*pp_sids)[0], &sid);
2939                 } else {
2940                         if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids,
2941                                                 &num_gids)) {
2942                                 ret = NT_STATUS_NO_MEMORY;
2943                                 goto done;
2944                         }
2945                         ret = add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
2946                                                       &num_sids);
2947                         if (!NT_STATUS_IS_OK(ret)) {
2948                                 goto done;
2949                         }
2950                 }
2951         }
2952
2953         if (sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
2954                 DEBUG(3, ("primary group of [%s] not found\n",
2955                           pdb_get_username(user)));
2956                 goto done;
2957         }
2958
2959         *p_num_groups = num_sids;
2960
2961         ret = NT_STATUS_OK;
2962
2963  done:
2964
2965         SAFE_FREE(escape_name);
2966         return ret;
2967 }
2968
2969 /**********************************************************************
2970  * Augment a posixGroup object with a sambaGroupMapping domgroup
2971  *********************************************************************/
2972
2973 static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
2974                                        struct ldapsam_privates *ldap_state,
2975                                        GROUP_MAP *map)
2976 {
2977         const char *filter, *dn;
2978         LDAPMessage *msg, *entry;
2979         LDAPMod **mods;
2980         int rc;
2981
2982         filter = talloc_asprintf(mem_ctx,
2983                                  "(&(objectClass=%s)(gidNumber=%u))",
2984                                  LDAP_OBJ_POSIXGROUP, map->gid);
2985         if (filter == NULL) {
2986                 return NT_STATUS_NO_MEMORY;
2987         }
2988
2989         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
2990                                    get_attr_list(mem_ctx, groupmap_attr_list),
2991                                    &msg);
2992         talloc_autofree_ldapmsg(mem_ctx, msg);
2993
2994         if ((rc != LDAP_SUCCESS) ||
2995             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
2996             ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
2997                 return NT_STATUS_NO_SUCH_GROUP;
2998         }
2999
3000         dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
3001         if (dn == NULL) {
3002                 return NT_STATUS_NO_MEMORY;
3003         }
3004
3005         mods = NULL;
3006         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
3007                         LDAP_OBJ_GROUPMAP);
3008         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaSid",
3009                          sid_string_talloc(mem_ctx, &map->sid));
3010         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaGroupType",
3011                          talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3012         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
3013                          map->nt_name);
3014         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
3015                          map->comment);
3016         talloc_autofree_ldapmod(mem_ctx, mods);
3017
3018         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3019         if (rc != LDAP_SUCCESS) {
3020                 return NT_STATUS_ACCESS_DENIED;
3021         }
3022
3023         return NT_STATUS_OK;
3024 }
3025
3026 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
3027                                                 GROUP_MAP *map)
3028 {
3029         struct ldapsam_privates *ldap_state =
3030                 (struct ldapsam_privates *)methods->private_data;
3031         LDAPMessage *msg = NULL;
3032         LDAPMod **mods = NULL;
3033         const char *attrs[] = { NULL };
3034         char *filter;
3035
3036         char *dn;
3037         TALLOC_CTX *mem_ctx;
3038         NTSTATUS result;
3039
3040         DOM_SID sid;
3041
3042         int rc;
3043
3044         mem_ctx = talloc_new(NULL);
3045         if (mem_ctx == NULL) {
3046                 DEBUG(0, ("talloc_new failed\n"));
3047                 return NT_STATUS_NO_MEMORY;
3048         }
3049
3050         filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
3051                                  sid_string_talloc(mem_ctx, &map->sid));
3052         if (filter == NULL) {
3053                 result = NT_STATUS_NO_MEMORY;
3054                 goto done;
3055         }
3056
3057         rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
3058                             LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
3059         talloc_autofree_ldapmsg(mem_ctx, msg);
3060
3061         if ((rc == LDAP_SUCCESS) &&
3062             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) > 0)) {
3063
3064                 DEBUG(3, ("SID %s already present in LDAP, refusing to add "
3065                           "group mapping entry\n", sid_string_dbg(&map->sid)));
3066                 result = NT_STATUS_GROUP_EXISTS;
3067                 goto done;
3068         }
3069
3070         switch (map->sid_name_use) {
3071
3072         case SID_NAME_DOM_GRP:
3073                 /* To map a domain group we need to have a posix group
3074                    to attach to. */
3075                 result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
3076                 goto done;
3077                 break;
3078
3079         case SID_NAME_ALIAS:
3080                 if (!sid_check_is_in_our_domain(&map->sid) 
3081                         && !sid_check_is_in_builtin(&map->sid) ) 
3082                 {
3083                         DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
3084                                   sid_string_dbg(&map->sid)));
3085                         result = NT_STATUS_INVALID_PARAMETER;
3086                         goto done;
3087                 }
3088                 break;
3089
3090         default:
3091                 DEBUG(3, ("Got invalid use '%s' for mapping\n",
3092                           sid_type_lookup(map->sid_name_use)));
3093                 result = NT_STATUS_INVALID_PARAMETER;
3094                 goto done;
3095         }
3096
3097         /* Domain groups have been mapped in a separate routine, we have to
3098          * create an alias now */
3099
3100         if (map->gid == -1) {
3101                 DEBUG(10, ("Refusing to map gid==-1\n"));
3102                 result = NT_STATUS_INVALID_PARAMETER;
3103                 goto done;
3104         }
3105
3106         if (pdb_gid_to_sid(map->gid, &sid)) {
3107                 DEBUG(3, ("Gid %d is already mapped to SID %s, refusing to "
3108                           "add\n", map->gid, sid_string_dbg(&sid)));
3109                 result = NT_STATUS_GROUP_EXISTS;
3110                 goto done;
3111         }
3112
3113         /* Ok, enough checks done. It's still racy to go ahead now, but that's
3114          * the best we can get out of LDAP. */
3115
3116         dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
3117                              sid_string_talloc(mem_ctx, &map->sid),
3118                              lp_ldap_group_suffix());
3119         if (dn == NULL) {
3120                 result = NT_STATUS_NO_MEMORY;
3121                 goto done;
3122         }
3123
3124         mods = NULL;
3125
3126         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3127                          LDAP_OBJ_SID_ENTRY);
3128         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3129                          LDAP_OBJ_GROUPMAP);
3130         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaSid",
3131                          sid_string_talloc(mem_ctx, &map->sid));
3132         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaGroupType",
3133                          talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3134         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "displayName",
3135                          map->nt_name);
3136         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "description",
3137                          map->comment);
3138         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "gidNumber",
3139                          talloc_asprintf(mem_ctx, "%u", map->gid));
3140         talloc_autofree_ldapmod(mem_ctx, mods);
3141
3142         rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
3143
3144         result = (rc == LDAP_SUCCESS) ?
3145                 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3146
3147  done:
3148         TALLOC_FREE(mem_ctx);
3149         return result;
3150 }
3151
3152 /**********************************************************************
3153  * Update a group mapping entry. We're quite strict about what can be changed:
3154  * Only the description and displayname may be changed. It simply does not
3155  * make any sense to change the SID, gid or the type in a mapping.
3156  *********************************************************************/
3157
3158 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
3159                                                    GROUP_MAP *map)
3160 {
3161         struct ldapsam_privates *ldap_state =
3162                 (struct ldapsam_privates *)methods->private_data;
3163         int rc;
3164         const char *filter, *dn;
3165         LDAPMessage *msg = NULL;
3166         LDAPMessage *entry = NULL;
3167         LDAPMod **mods = NULL;
3168         TALLOC_CTX *mem_ctx;
3169         NTSTATUS result;
3170
3171         mem_ctx = talloc_new(NULL);
3172         if (mem_ctx == NULL) {
3173                 DEBUG(0, ("talloc_new failed\n"));
3174                 return NT_STATUS_NO_MEMORY;
3175         }
3176
3177         /* Make 100% sure that sid, gid and type are not changed by looking up
3178          * exactly the values we're given in LDAP. */
3179
3180         filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)"
3181                                  "(sambaSid=%s)(gidNumber=%u)"
3182                                  "(sambaGroupType=%d))",
3183                                  LDAP_OBJ_GROUPMAP,
3184                                  sid_string_talloc(mem_ctx, &map->sid),
3185                                  map->gid, map->sid_name_use);
3186         if (filter == NULL) {
3187                 result = NT_STATUS_NO_MEMORY;
3188                 goto done;
3189         }
3190
3191         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
3192                                    get_attr_list(mem_ctx, groupmap_attr_list),
3193                                    &msg);
3194         talloc_autofree_ldapmsg(mem_ctx, msg);
3195
3196         if ((rc != LDAP_SUCCESS) ||
3197             (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
3198             ((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
3199                 result = NT_STATUS_NO_SUCH_GROUP;
3200                 goto done;
3201         }
3202
3203         dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
3204
3205         if (dn == NULL) {
3206                 result = NT_STATUS_NO_MEMORY;
3207                 goto done;
3208         }
3209
3210         mods = NULL;
3211         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
3212                          map->nt_name);
3213         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
3214                          map->comment);
3215         talloc_autofree_ldapmod(mem_ctx, mods);
3216
3217         if (mods == NULL) {
3218                 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: "
3219                           "nothing to do\n"));
3220                 result = NT_STATUS_OK;
3221                 goto done;
3222         }
3223
3224         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3225
3226         if (rc != LDAP_SUCCESS) {
3227                 result = NT_STATUS_ACCESS_DENIED;
3228                 goto done;
3229         }
3230
3231         DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified "
3232                   "group %lu in LDAP\n", (unsigned long)map->gid));
3233
3234         result = NT_STATUS_OK;
3235
3236  done:
3237         TALLOC_FREE(mem_ctx);
3238         return result;
3239 }
3240
3241 /**********************************************************************
3242  *********************************************************************/
3243
3244 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
3245                                                    DOM_SID sid)
3246 {
3247         struct ldapsam_privates *priv =
3248                 (struct ldapsam_privates *)methods->private_data;
3249         LDAPMessage *msg, *entry;
3250         int rc;
3251         NTSTATUS result;
3252         TALLOC_CTX *mem_ctx;
3253         char *filter;
3254
3255         mem_ctx = talloc_new(NULL);
3256         if (mem_ctx == NULL) {
3257                 DEBUG(0, ("talloc_new failed\n"));
3258                 return NT_STATUS_NO_MEMORY;
3259         }
3260
3261         filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
3262                                  LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
3263                                  sid_string_talloc(mem_ctx, &sid));
3264         if (filter == NULL) {
3265                 result = NT_STATUS_NO_MEMORY;
3266                 goto done;
3267         }
3268         rc = smbldap_search_suffix(priv->smbldap_state, filter,
3269                                    get_attr_list(mem_ctx, groupmap_attr_list),
3270                                    &msg);
3271         talloc_autofree_ldapmsg(mem_ctx, msg);
3272
3273         if ((rc != LDAP_SUCCESS) ||
3274             (ldap_count_entries(priv2ld(priv), msg) != 1) ||
3275             ((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
3276                 result = NT_STATUS_NO_SUCH_GROUP;
3277                 goto done;
3278         }
3279
3280         rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP,
3281                                   get_attr_list(mem_ctx,
3282                                                 groupmap_attr_list_to_delete));
3283  
3284         if ((rc == LDAP_NAMING_VIOLATION) ||
3285             (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3286                 const char *attrs[] = { "sambaGroupType", "description",
3287                                         "displayName", "sambaSIDList",
3288                                         NULL };
3289
3290                 /* Second try. Don't delete the sambaSID attribute, this is
3291                    for "old" entries that are tacked on a winbind
3292                    sambaIdmapEntry. */
3293
3294                 rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3295                                           LDAP_OBJ_GROUPMAP, attrs);
3296         }
3297
3298         if ((rc == LDAP_NAMING_VIOLATION) ||
3299             (rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3300                 const char *attrs[] = { "sambaGroupType", "description",
3301                                         "displayName", "sambaSIDList",
3302                                         "gidNumber", NULL };
3303
3304                 /* Third try. This is a post-3.0.21 alias (containing only
3305                  * sambaSidEntry and sambaGroupMapping classes), we also have
3306                  * to delete the gidNumber attribute, only the sambaSidEntry
3307                  * remains */
3308
3309                 rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3310                                           LDAP_OBJ_GROUPMAP, attrs);
3311         }
3312
3313         result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3314
3315  done:
3316         TALLOC_FREE(mem_ctx);
3317         return result;
3318  }
3319
3320 /**********************************************************************
3321  *********************************************************************/
3322
3323 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
3324                                     bool update)
3325 {
3326         struct ldapsam_privates *ldap_state =
3327                 (struct ldapsam_privates *)my_methods->private_data;
3328         char *filter = NULL;
3329         int rc;
3330         const char **attr_list;
3331
3332         filter = talloc_asprintf(NULL, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
3333         if (!filter) {
3334                 return NT_STATUS_NO_MEMORY;
3335         }
3336         attr_list = get_attr_list( NULL, groupmap_attr_list );
3337         rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
3338                             LDAP_SCOPE_SUBTREE, filter,
3339                             attr_list, 0, &ldap_state->result);
3340         TALLOC_FREE(attr_list);
3341
3342         if (rc != LDAP_SUCCESS) {
3343                 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
3344                           ldap_err2string(rc)));
3345                 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
3346                           lp_ldap_group_suffix(), filter));
3347                 ldap_msgfree(ldap_state->result);
3348                 ldap_state->result = NULL;
3349                 TALLOC_FREE(filter);
3350                 return NT_STATUS_UNSUCCESSFUL;
3351         }
3352
3353         TALLOC_FREE(filter);
3354
3355         DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
3356                   ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3357                                      ldap_state->result)));
3358
3359         ldap_state->entry =
3360                 ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3361                                  ldap_state->result);
3362         ldap_state->index = 0;
3363
3364         return NT_STATUS_OK;
3365 }
3366
3367 /**********************************************************************
3368  *********************************************************************/
3369
3370 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
3371 {
3372         ldapsam_endsampwent(my_methods);
3373 }
3374
3375 /**********************************************************************
3376  *********************************************************************/
3377
3378 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
3379                                     GROUP_MAP *map)
3380 {
3381         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
3382         struct ldapsam_privates *ldap_state =
3383                 (struct ldapsam_privates *)my_methods->private_data;
3384         bool bret = False;
3385
3386         while (!bret) {
3387                 if (!ldap_state->entry)
3388                         return ret;
3389                 
3390                 ldap_state->index++;
3391                 bret = init_group_from_ldap(ldap_state, map,
3392                                             ldap_state->entry);
3393                 
3394                 ldap_state->entry =
3395                         ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
3396                                         ldap_state->entry);     
3397         }
3398
3399         return NT_STATUS_OK;
3400 }
3401
3402 /**********************************************************************
3403  *********************************************************************/
3404
3405 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
3406                                            const DOM_SID *domsid, enum lsa_SidType sid_name_use,
3407                                            GROUP_MAP **pp_rmap,
3408                                            size_t *p_num_entries,
3409                                            bool unix_only)
3410 {
3411         GROUP_MAP map;
3412         size_t entries = 0;
3413
3414         *p_num_entries = 0;
3415         *pp_rmap = NULL;
3416
3417         if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
3418                 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open "
3419                           "passdb\n"));
3420                 return NT_STATUS_ACCESS_DENIED;
3421         }
3422
3423         while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
3424                 if (sid_name_use != SID_NAME_UNKNOWN &&
3425                     sid_name_use != map.sid_name_use) {
3426                         DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3427                                   "not of the requested type\n", map.nt_name));
3428                         continue;
3429                 }
3430                 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
3431                         DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3432                                   "non mapped\n", map.nt_name));
3433                         continue;
3434                 }
3435
3436                 (*pp_rmap)=SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
3437                 if (!(*pp_rmap)) {
3438                         DEBUG(0,("ldapsam_enum_group_mapping: Unable to "
3439                                  "enlarge group map!\n"));
3440                         return NT_STATUS_UNSUCCESSFUL;
3441                 }
3442
3443                 (*pp_rmap)[entries] = map;
3444
3445                 entries += 1;
3446
3447         }
3448         ldapsam_endsamgrent(methods);
3449
3450         *p_num_entries = entries;
3451
3452         return NT_STATUS_OK;
3453 }
3454
3455 static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
3456                                         const DOM_SID *alias,
3457                                         const DOM_SID *member,
3458                                         int modop)
3459 {
3460         struct ldapsam_privates *ldap_state =
3461                 (struct ldapsam_privates *)methods->private_data;
3462         char *dn = NULL;
3463         LDAPMessage *result = NULL;
3464         LDAPMessage *entry = NULL;
3465         int count;
3466         LDAPMod **mods = NULL;
3467         int rc;
3468         enum lsa_SidType type = SID_NAME_USE_NONE;
3469         fstring tmp;
3470
3471         char *filter = NULL;
3472
3473         if (sid_check_is_in_builtin(alias)) {
3474                 type = SID_NAME_ALIAS;
3475         }
3476
3477         if (sid_check_is_in_our_domain(alias)) {
3478                 type = SID_NAME_ALIAS;
3479         }
3480
3481         if (type == SID_NAME_USE_NONE) {
3482                 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3483                           sid_string_dbg(alias)));
3484                 return NT_STATUS_NO_SUCH_ALIAS;
3485         }
3486
3487         if (asprintf(&filter,
3488                      "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3489                      LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
3490                      type) < 0) {
3491                 return NT_STATUS_NO_MEMORY;
3492         }
3493
3494         if (ldapsam_search_one_group(ldap_state, filter,
3495                                      &result) != LDAP_SUCCESS) {
3496                 SAFE_FREE(filter);
3497                 return NT_STATUS_NO_SUCH_ALIAS;
3498         }
3499
3500         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3501                                    result);
3502
3503         if (count < 1) {
3504                 DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
3505                 ldap_msgfree(result);
3506                 SAFE_FREE(filter);
3507                 return NT_STATUS_NO_SUCH_ALIAS;
3508         }
3509
3510         if (count > 1) {
3511                 DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for "
3512                           "filter %s: count=%d\n", filter, count));
3513                 ldap_msgfree(result);
3514                 SAFE_FREE(filter);
3515                 return NT_STATUS_NO_SUCH_ALIAS;
3516         }
3517
3518         SAFE_FREE(filter);
3519
3520         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3521                                  result);
3522
3523         if (!entry) {
3524                 ldap_msgfree(result);
3525                 return NT_STATUS_UNSUCCESSFUL;
3526         }
3527
3528         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
3529         if (!dn) {
3530                 ldap_msgfree(result);
3531                 return NT_STATUS_UNSUCCESSFUL;
3532         }
3533
3534         smbldap_set_mod(&mods, modop,
3535                         get_attr_key2string(groupmap_attr_list,
3536                                             LDAP_ATTR_SID_LIST),
3537                         sid_to_fstring(tmp, member));
3538
3539         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3540
3541         ldap_mods_free(mods, True);
3542         ldap_msgfree(result);
3543         SAFE_FREE(dn);
3544
3545         if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
3546                 return NT_STATUS_MEMBER_IN_ALIAS;
3547         }
3548
3549         if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
3550                 return NT_STATUS_MEMBER_NOT_IN_ALIAS;
3551         }
3552
3553         if (rc != LDAP_SUCCESS) {
3554                 return NT_STATUS_UNSUCCESSFUL;
3555         }
3556
3557         return NT_STATUS_OK;
3558 }
3559
3560 static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
3561                                      const DOM_SID *alias,
3562                                      const DOM_SID *member)
3563 {
3564         return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
3565 }
3566
3567 static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
3568                                      const DOM_SID *alias,
3569                                      const DOM_SID *member)
3570 {
3571         return ldapsam_modify_aliasmem(methods, alias, member,
3572                                        LDAP_MOD_DELETE);
3573 }
3574
3575 static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
3576                                       const DOM_SID *alias,
3577                                       DOM_SID **pp_members,
3578                                       size_t *p_num_members)
3579 {
3580         struct ldapsam_privates *ldap_state =
3581                 (struct ldapsam_privates *)methods->private_data;
3582         LDAPMessage *result = NULL;
3583         LDAPMessage *entry = NULL;
3584         int count;
3585         char **values = NULL;
3586         int i;
3587         char *filter = NULL;
3588         size_t num_members = 0;
3589         enum lsa_SidType type = SID_NAME_USE_NONE;
3590         fstring tmp;
3591
3592         *pp_members = NULL;
3593         *p_num_members = 0;
3594
3595         if (sid_check_is_in_builtin(alias)) {
3596                 type = SID_NAME_ALIAS;
3597         }
3598
3599         if (sid_check_is_in_our_domain(alias)) {
3600                 type = SID_NAME_ALIAS;
3601         }
3602
3603         if (type == SID_NAME_USE_NONE) {
3604                 DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3605                           sid_string_dbg(alias)));
3606                 return NT_STATUS_NO_SUCH_ALIAS;
3607         }
3608
3609         if (asprintf(&filter,
3610                      "(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3611                      LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
3612                      type) < 0) {
3613                 return NT_STATUS_NO_MEMORY;
3614         }
3615
3616         if (ldapsam_search_one_group(ldap_state, filter,
3617                                      &result) != LDAP_SUCCESS) {
3618                 SAFE_FREE(filter);
3619                 return NT_STATUS_NO_SUCH_ALIAS;
3620         }
3621
3622         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3623                                    result);
3624
3625         if (count < 1) {
3626                 DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
3627                 ldap_msgfree(result);
3628                 SAFE_FREE(filter);
3629                 return NT_STATUS_NO_SUCH_ALIAS;
3630         }
3631
3632         if (count > 1) {
3633