2 Unix SMB/CIFS implementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Gerald Carter 2001
5 Copyright (C) Shahms King 2001
6 Copyright (C) Jean François Micouleau 1998
7 Copyright (C) Andrew Bartlett 2002
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * persistent connections: if using NSS LDAP, many connections are made
30 * however, using only one within Samba would be nice
32 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
34 * Other LDAP based login attributes: accountExpires, etc.
35 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
36 * structures don't have fields for some of these attributes)
38 * SSL is done, but can't get the certificate based authentication to work
39 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
42 /* NOTE: this will NOT work against an Active Directory server
43 * due to the fact that the two password fields cannot be retrieved
44 * from a server; recommend using security = domain in this situation
52 #define SAM_ACCOUNT struct sam_passwd
55 struct ldapsam_privates {
63 /* retrive-once info */
66 BOOL permit_non_unix_accounts;
72 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state);
74 /*******************************************************************
75 find the ldap password
76 ******************************************************************/
77 static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len)
86 if (*p == ',') *p = '/';
88 data=secrets_fetch(key, &size);
90 DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n"));
96 DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1));
100 memcpy(pw, data, size);
107 /*******************************************************************
108 open a connection to the ldap server.
109 ******************************************************************/
110 static BOOL ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
113 if (geteuid() != 0) {
114 DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root..\n"));
118 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
119 DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
121 if (ldap_initialize(ldap_struct, ldap_state->uri) != LDAP_SUCCESS) {
122 DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
127 /* Parse the string manually */
131 int tls = LDAP_OPT_X_TLS_HARD;
136 const char *p = ldap_state->uri;
137 SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
139 /* skip leading "URL:" (if any) */
140 if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
144 sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
147 if (strequal(protocol, "ldap")) {
149 } else if (strequal(protocol, "ldaps")) {
152 DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
156 if ((*ldap_struct = ldap_init(host, port)) == NULL) {
157 DEBUG(0, ("ldap_init failed !\n"));
161 /* Connect to older servers using SSL and V2 rather than Start TLS */
162 if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
164 if (version != LDAP_VERSION2)
166 version = LDAP_VERSION2;
167 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
171 if (strequal(protocol, "ldaps")) {
172 if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
173 if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
174 &version) == LDAP_OPT_SUCCESS)
176 if (version < LDAP_VERSION3)
178 version = LDAP_VERSION3;
179 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
183 if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
185 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
186 ldap_err2string(rc)));
189 DEBUG (2, ("StartTLS issued: using a TLS connection\n"));
192 if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
194 DEBUG(0, ("Failed to setup a TLS session\n"));
199 * No special needs to setup options prior to the LDAP
200 * bind (which should be called next via ldap_connect_system()
206 DEBUG(2, ("ldap_open_connection: connection opened\n"));
210 /*******************************************************************
211 connect to the ldap server under system privilege.
212 ******************************************************************/
213 static BOOL ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
216 static BOOL got_pw = False;
217 static pstring ldap_secret;
219 /* get the password if we don't have it already */
220 if (!got_pw && !(got_pw=fetch_ldapsam_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring))))
222 DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
223 lp_ldap_admin_dn()));
227 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
228 (OpenLDAP) doesnt' seem to support it */
230 DEBUG(10,("ldap_connect_system: Binding to ldap server as \"%s\"\n",
231 lp_ldap_admin_dn()));
233 if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(),
234 ldap_secret)) != LDAP_SUCCESS)
236 DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc)));
240 DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
244 /*******************************************************************
245 run the search by name.
246 ******************************************************************/
247 static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *filter, LDAPMessage ** result)
249 int scope = LDAP_SCOPE_SUBTREE;
252 DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
254 rc = ldap_search_s(ldap_struct, lp_ldap_suffix (), scope, filter, NULL, 0, result);
256 if (rc != LDAP_SUCCESS) {
257 DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n",
258 ldap_err2string (rc)));
259 DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
266 /*******************************************************************
267 run the search by name.
268 ******************************************************************/
269 static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *user,
270 LDAPMessage ** result)
275 * in the filter expression, replace %u with the real name
276 * so in ldap filter, %u MUST exist :-)
278 pstrcpy(filter, lp_ldap_filter());
281 * have to use this here because $ is filtered out
284 all_string_sub(filter, "%u", user, sizeof(pstring));
286 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
289 /*******************************************************************
290 run the search by uid.
291 ******************************************************************/
292 static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state,
293 LDAP * ldap_struct, int uid,
294 LDAPMessage ** result)
299 /* Get the username from the system and look that up in the LDAP */
301 if ((user = getpwuid_alloc(uid)) == NULL) {
302 DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
303 return LDAP_NO_SUCH_OBJECT;
306 pstrcpy(filter, lp_ldap_filter());
308 all_string_sub(filter, "%u", user->pw_name, sizeof(pstring));
312 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
315 /*******************************************************************
316 run the search by rid.
317 ******************************************************************/
318 static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
319 LDAP * ldap_struct, uint32 rid,
320 LDAPMessage ** result)
325 /* check if the user rid exsists, if not, try searching on the uid */
327 snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
328 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
330 if (rc != LDAP_SUCCESS)
331 rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct,
332 pdb_user_rid_to_uid(rid),
338 /*******************************************************************
339 search an attribute and return the first value found.
340 ******************************************************************/
341 static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
342 char *attribute, char *value)
346 if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
348 DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
353 pstrcpy(value, values[0]);
354 ldap_value_free(values);
355 #ifdef DEBUG_PASSWORDS
356 DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
361 /************************************************************************
362 Routine to manage the LDAPMod structure array
363 manage memory used by the array, by each struct, and values
365 ************************************************************************/
366 static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
374 if (attribute == NULL || *attribute == '\0')
377 if (value == NULL || *value == '\0')
382 mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
385 DEBUG(0, ("make_a_mod: out of memory!\n"));
391 for (i = 0; mods[i] != NULL; ++i) {
392 if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
398 mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
401 DEBUG(0, ("make_a_mod: out of memory!\n"));
404 mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
407 DEBUG(0, ("make_a_mod: out of memory!\n"));
410 mods[i]->mod_op = modop;
411 mods[i]->mod_values = NULL;
412 mods[i]->mod_type = strdup(attribute);
419 if (mods[i]->mod_values != NULL) {
420 for (; mods[i]->mod_values[j] != NULL; j++);
422 mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
423 (j + 2) * sizeof (char *));
425 if (mods[i]->mod_values == NULL) {
426 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
429 mods[i]->mod_values[j] = strdup(value);
430 mods[i]->mod_values[j + 1] = NULL;
435 /* New Interface is being implemented here */
437 /**********************************************************************
438 Initialize SAM_ACCOUNT from an LDAP query
439 (Based on init_sam_from_buffer in pdb_tdb.c)
440 *********************************************************************/
441 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
442 SAM_ACCOUNT * sampass,
443 LDAP * ldap_struct, LDAPMessage * entry)
449 pass_can_change_time,
450 pass_must_change_time;
470 uint8 hours[MAX_HOURS_LEN];
473 gid_t gid = getegid();
477 * do a little initialization
481 nt_username[0] = '\0';
485 logon_script[0] = '\0';
486 profile_path[0] = '\0';
488 munged_dial[0] = '\0';
489 workstations[0] = '\0';
492 if (sampass == NULL || ldap_struct == NULL || entry == NULL) {
493 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
497 get_single_attribute(ldap_struct, entry, "uid", username);
498 DEBUG(2, ("Entry found for user: %s\n", username));
500 pstrcpy(nt_username, username);
502 pstrcpy(domain, lp_workgroup());
504 get_single_attribute(ldap_struct, entry, "rid", temp);
505 user_rid = (uint32)atol(temp);
506 if (!get_single_attribute(ldap_struct, entry, "primaryGroupID", temp)) {
509 group_rid = (uint32)atol(temp);
512 if ((ldap_state->permit_non_unix_accounts)
513 && (user_rid >= ldap_state->low_nua_rid)
514 && (user_rid <= ldap_state->high_nua_rid)) {
518 /* These values MAY be in LDAP, but they can also be retrieved through
519 * sys_getpw*() which is how we're doing it
522 pw = getpwnam_alloc(username);
524 DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a uid!\n", username));
532 pdb_set_uid(sampass, uid);
533 pdb_set_gid(sampass, gid);
535 if (group_rid == 0) {
537 /* call the mapping code here */
538 if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
539 sid_peek_rid(&map.sid, &group_rid);
542 group_rid=pdb_gid_to_group_rid(gid);
547 get_single_attribute(ldap_struct, entry, "pwdLastSet", temp);
548 pass_last_set_time = (time_t) atol(temp);
550 if (!get_single_attribute(ldap_struct, entry, "logonTime", temp)) {
551 logon_time = (time_t) atol(temp);
552 pdb_set_logon_time(sampass, logon_time, True);
555 if (!get_single_attribute(ldap_struct, entry, "logoffTime", temp)) {
556 logoff_time = (time_t) atol(temp);
557 pdb_set_logoff_time(sampass, logoff_time, True);
560 if (!get_single_attribute(ldap_struct, entry, "kickoffTime", temp)) {
561 kickoff_time = (time_t) atol(temp);
562 pdb_set_kickoff_time(sampass, kickoff_time, True);
565 if (!get_single_attribute(ldap_struct, entry, "pwdCanChange", temp)) {
566 pass_can_change_time = (time_t) atol(temp);
567 pdb_set_pass_can_change_time(sampass, pass_can_change_time, True);
570 if (!get_single_attribute(ldap_struct, entry, "pwdMustChange", temp)) {
571 pass_must_change_time = (time_t) atol(temp);
572 pdb_set_pass_must_change_time(sampass, pass_must_change_time, True);
575 /* recommend that 'gecos' and 'displayName' should refer to the same
576 * attribute OID. userFullName depreciated, only used by Samba
577 * primary rules of LDAP: don't make a new attribute when one is already defined
578 * that fits your needs; using cn then displayName rather than 'userFullName'
581 if (!get_single_attribute(ldap_struct, entry, "cn", fullname)) {
582 get_single_attribute(ldap_struct, entry, "displayName", fullname);
586 if (!get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive)) {
587 pstrcpy(dir_drive, lp_logon_drive());
588 standard_sub_advanced(-1, username, "", gid, username, dir_drive);
589 DEBUG(5,("homeDrive fell back to %s\n",dir_drive));
590 pdb_set_dir_drive(sampass, dir_drive, False);
593 pdb_set_dir_drive(sampass, dir_drive, True);
595 if (!get_single_attribute(ldap_struct, entry, "smbHome", homedir)) {
596 pstrcpy(homedir, lp_logon_home());
597 standard_sub_advanced(-1, username, "", gid, username, homedir);
598 DEBUG(5,("smbHome fell back to %s\n",homedir));
599 pdb_set_homedir(sampass, homedir, False);
602 pdb_set_homedir(sampass, homedir, True);
604 if (!get_single_attribute(ldap_struct, entry, "scriptPath", logon_script)) {
605 pstrcpy(logon_script, lp_logon_script());
606 standard_sub_advanced(-1, username, "", gid, username, logon_script);
607 DEBUG(5,("scriptPath fell back to %s\n",logon_script));
608 pdb_set_logon_script(sampass, logon_script, False);
611 pdb_set_logon_script(sampass, logon_script, True);
613 if (!get_single_attribute(ldap_struct, entry, "profilePath", profile_path)) {
614 pstrcpy(profile_path, lp_logon_path());
615 standard_sub_advanced(-1, username, "", gid, username, profile_path);
616 DEBUG(5,("profilePath fell back to %s\n",profile_path));
617 pdb_set_profile_path(sampass, profile_path, False);
620 pdb_set_profile_path(sampass, profile_path, True);
622 get_single_attribute(ldap_struct, entry, "description", acct_desc);
623 get_single_attribute(ldap_struct, entry, "userWorkstations", workstations);
624 /* FIXME: hours stuff should be cleaner */
628 memset(hours, 0xff, hours_len);
630 get_single_attribute (ldap_struct, entry, "lmPassword", temp);
631 pdb_gethexpwd(temp, smblmpwd);
632 memset((char *)temp, '\0', sizeof(temp));
633 get_single_attribute (ldap_struct, entry, "ntPassword", temp);
634 pdb_gethexpwd(temp, smbntpwd);
635 memset((char *)temp, '\0', sizeof(temp));
636 get_single_attribute (ldap_struct, entry, "acctFlags", temp);
637 acct_ctrl = pdb_decode_acct_ctrl(temp);
640 acct_ctrl |= ACB_NORMAL;
642 pdb_set_acct_ctrl(sampass, acct_ctrl);
643 pdb_set_pass_last_set_time(sampass, pass_last_set_time);
645 pdb_set_hours_len(sampass, hours_len);
646 pdb_set_logon_divs(sampass, logon_divs);
648 pdb_set_user_rid(sampass, user_rid);
649 pdb_set_group_rid(sampass, group_rid);
651 pdb_set_username(sampass, username);
653 pdb_set_domain(sampass, domain);
654 pdb_set_nt_username(sampass, nt_username);
656 pdb_set_fullname(sampass, fullname);
658 pdb_set_acct_desc(sampass, acct_desc);
659 pdb_set_workstations(sampass, workstations);
660 pdb_set_munged_dial(sampass, munged_dial);
662 if (!pdb_set_nt_passwd(sampass, smbntpwd))
664 if (!pdb_set_lanman_passwd(sampass, smblmpwd))
667 /* pdb_set_unknown_3(sampass, unknown3); */
668 /* pdb_set_unknown_5(sampass, unknown5); */
669 /* pdb_set_unknown_6(sampass, unknown6); */
671 pdb_set_hours(sampass, hours);
676 /**********************************************************************
677 Initialize SAM_ACCOUNT from an LDAP query
678 (Based on init_buffer_from_sam in pdb_tdb.c)
679 *********************************************************************/
680 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
681 LDAPMod *** mods, int ldap_op,
682 const SAM_ACCOUNT * sampass)
687 if (mods == NULL || sampass == NULL) {
688 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
695 * took out adding "objectclass: sambaAccount"
696 * do this on a per-mod basis
699 make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass));
700 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
702 if ( pdb_get_user_rid(sampass) ) {
703 rid = pdb_get_user_rid(sampass);
704 } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) {
705 rid = pdb_uid_to_user_rid(pdb_get_uid(sampass));
706 } else if (ldap_state->permit_non_unix_accounts) {
707 rid = ldapsam_get_next_available_nua_rid(ldap_state);
709 DEBUG(0, ("NO user RID specified on account %s, and findining next available NUA RID failed, cannot store!\n", pdb_get_username(sampass)));
713 DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
717 slprintf(temp, sizeof(temp) - 1, "%i", rid);
718 make_a_mod(mods, ldap_op, "rid", temp);
720 if ( pdb_get_group_rid(sampass) ) {
721 rid = pdb_get_group_rid(sampass);
722 } else if (IS_SAM_SET(sampass, FLAG_SAM_GID)) {
723 rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
724 } else if (ldap_state->permit_non_unix_accounts) {
725 rid = DOMAIN_GROUP_RID_USERS;
727 DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
731 slprintf(temp, sizeof(temp) - 1, "%i", rid);
732 make_a_mod(mods, ldap_op, "primaryGroupID", temp);
734 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
735 make_a_mod(mods, ldap_op, "pwdLastSet", temp);
737 /* displayName, cn, and gecos should all be the same
738 * most easily accomplished by giving them the same OID
739 * gecos isn't set here b/c it should be handled by the
743 make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass));
744 make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass));
745 make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass));
746 make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass));
749 * Only updates fields which have been set (not defaults from smb.conf)
752 if (IS_SAM_SET(sampass, FLAG_SAM_SMBHOME))
753 make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass));
755 if (IS_SAM_SET(sampass, FLAG_SAM_DRIVE))
756 make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dirdrive(sampass));
758 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONSCRIPT))
759 make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass));
761 if (IS_SAM_SET(sampass, FLAG_SAM_PROFILE))
762 make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass));
764 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONTIME)) {
765 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
766 make_a_mod(mods, ldap_op, "logonTime", temp);
769 if (IS_SAM_SET(sampass, FLAG_SAM_LOGOFFTIME)) {
770 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
771 make_a_mod(mods, ldap_op, "logoffTime", temp);
774 if (IS_SAM_SET(sampass, FLAG_SAM_KICKOFFTIME)) {
775 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
776 make_a_mod(mods, ldap_op, "kickoffTime", temp);
779 if (IS_SAM_SET(sampass, FLAG_SAM_CANCHANGETIME)) {
780 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
781 make_a_mod(mods, ldap_op, "pwdCanChange", temp);
784 if (IS_SAM_SET(sampass, FLAG_SAM_MUSTCHANGETIME)) {
785 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
786 make_a_mod(mods, ldap_op, "pwdMustChange", temp);
789 /* FIXME: Hours stuff goes in LDAP */
790 pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
791 make_a_mod (mods, ldap_op, "lmPassword", temp);
793 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
794 make_a_mod (mods, ldap_op, "ntPassword", temp);
796 make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
797 NEW_PW_FORMAT_SPACE_PADDED_LEN));
803 /**********************************************************************
804 Connect to LDAP server and find the next available RID.
805 *********************************************************************/
806 static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid, LDAP *ldap_struct)
809 uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
814 if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) {
818 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, final_rid, &result) != LDAP_SUCCESS) {
819 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid));
821 ldap_msgfree(result);
824 if (ldap_count_entries(ldap_struct, result) != 0)
826 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid));
828 ldap_msgfree(result);
831 DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid));
835 /**********************************************************************
836 Extract the RID from an LDAP entry
837 *********************************************************************/
838 static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry, LDAP *ldap_struct) {
840 SAM_ACCOUNT *user = NULL;
841 if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
845 if (init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
846 rid = pdb_get_user_rid(user);
851 if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) {
858 /**********************************************************************
859 Connect to LDAP server and find the next available RID.
860 *********************************************************************/
861 static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state, LDAP *ldap_struct)
867 char *final_filter = NULL;
872 pstrcpy(filter, lp_ldap_filter());
873 all_string_sub(filter, "%u", "*", sizeof(pstring));
876 asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid);
878 final_filter = strdup(filter);
880 DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
882 rc = ldap_search_s(ldap_struct, lp_ldap_suffix(),
883 LDAP_SCOPE_SUBTREE, final_filter, NULL, 0,
886 if (rc != LDAP_SUCCESS)
889 DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
890 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
893 ldap_msgfree(result);
898 count = ldap_count_entries(ldap_struct, result);
899 DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count));
902 DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc)));
903 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
905 ldap_msgfree(result);
907 return ldap_state->low_nua_rid;
911 entry = ldap_first_entry(ldap_struct,result);
913 top_rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
915 while ((entry = ldap_next_entry(ldap_struct, entry))) {
917 rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
923 ldap_msgfree(result);
927 /**********************************************************************
928 Connect to LDAP server and find the next available RID.
929 *********************************************************************/
930 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) {
935 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
939 if (!ldapsam_connect_system(ldap_state, ldap_struct))
941 ldap_unbind(ldap_struct);
945 top_nua_rid = search_top_nua_rid(ldap_state, ldap_struct);
947 next_nua_rid = check_nua_rid_is_avail(ldap_state,
948 top_nua_rid, ldap_struct);
950 ldap_unbind(ldap_struct);
954 /**********************************************************************
955 Connect to LDAP server for password enumeration
956 *********************************************************************/
957 static BOOL ldapsam_setsampwent(struct pdb_context *context, BOOL update)
959 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
963 if (!ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))
967 if (!ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))
969 ldap_unbind(ldap_state->ldap_struct);
973 pstrcpy(filter, lp_ldap_filter());
974 all_string_sub(filter, "%u", "*", sizeof(pstring));
976 rc = ldap_search_s(ldap_state->ldap_struct, lp_ldap_suffix(),
977 LDAP_SCOPE_SUBTREE, filter, NULL, 0,
978 &ldap_state->result);
980 if (rc != LDAP_SUCCESS)
982 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
983 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
984 ldap_msgfree(ldap_state->result);
985 ldap_unbind(ldap_state->ldap_struct);
986 ldap_state->ldap_struct = NULL;
987 ldap_state->result = NULL;
991 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
992 ldap_count_entries(ldap_state->ldap_struct,
993 ldap_state->result)));
995 ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
997 ldap_state->index = 0;
1002 /**********************************************************************
1003 End enumeration of the LDAP password list
1004 *********************************************************************/
1005 static void ldapsam_endsampwent(struct pdb_context *context)
1007 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1008 if (ldap_state->ldap_struct && ldap_state->result)
1010 ldap_msgfree(ldap_state->result);
1011 ldap_unbind(ldap_state->ldap_struct);
1012 ldap_state->ldap_struct = NULL;
1013 ldap_state->result = NULL;
1017 /**********************************************************************
1018 Get the next entry in the LDAP password database
1019 *********************************************************************/
1020 static BOOL ldapsam_getsampwent(struct pdb_context *context, SAM_ACCOUNT * user)
1022 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1026 if (!ldap_state->entry)
1029 ldap_state->index++;
1030 ret = init_sam_from_ldap(ldap_state, user, ldap_state->ldap_struct,
1033 ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
1041 /**********************************************************************
1042 Get SAM_ACCOUNT entry from LDAP by username
1043 *********************************************************************/
1044 static BOOL ldapsam_getsampwnam(struct pdb_context *context, SAM_ACCOUNT * user, const char *sname)
1046 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1048 LDAPMessage *result;
1051 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1053 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1055 ldap_unbind(ldap_struct);
1058 if (ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result) != LDAP_SUCCESS)
1060 ldap_unbind(ldap_struct);
1063 if (ldap_count_entries(ldap_struct, result) < 1)
1066 ("We don't find this user [%s] count=%d\n", sname,
1067 ldap_count_entries(ldap_struct, result)));
1068 ldap_unbind(ldap_struct);
1071 entry = ldap_first_entry(ldap_struct, result);
1074 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1075 DEBUG(0,("ldapsam_getsampwnam: init_sam_from_ldap failed!\n"));
1076 ldap_msgfree(result);
1077 ldap_unbind(ldap_struct);
1080 ldap_msgfree(result);
1081 ldap_unbind(ldap_struct);
1086 ldap_msgfree(result);
1087 ldap_unbind(ldap_struct);
1092 /**********************************************************************
1093 Get SAM_ACCOUNT entry from LDAP by rid
1094 *********************************************************************/
1095 static BOOL ldapsam_getsampwrid(struct pdb_context *context, SAM_ACCOUNT * user, uint32 rid)
1097 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1099 LDAPMessage *result;
1102 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1105 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1107 ldap_unbind(ldap_struct);
1110 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, rid, &result) !=
1113 ldap_unbind(ldap_struct);
1117 if (ldap_count_entries(ldap_struct, result) < 1)
1120 ("We don't find this rid [%i] count=%d\n", rid,
1121 ldap_count_entries(ldap_struct, result)));
1122 ldap_unbind(ldap_struct);
1126 entry = ldap_first_entry(ldap_struct, result);
1129 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1130 DEBUG(0,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1131 ldap_msgfree(result);
1132 ldap_unbind(ldap_struct);
1135 ldap_msgfree(result);
1136 ldap_unbind(ldap_struct);
1141 ldap_msgfree(result);
1142 ldap_unbind(ldap_struct);
1147 /**********************************************************************
1148 Delete entry from LDAP for username
1149 *********************************************************************/
1150 static BOOL ldapsam_delete_sam_account(struct pdb_context *context, const SAM_ACCOUNT * sam_acct)
1152 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1158 LDAPMessage *result;
1161 DEBUG(0, ("sam_acct was NULL!\n"));
1165 sname = pdb_get_username(sam_acct);
1167 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1170 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
1172 if (!ldapsam_connect_system(ldap_state, ldap_struct)) {
1173 ldap_unbind (ldap_struct);
1174 DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname));
1178 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result);
1179 if (ldap_count_entries (ldap_struct, result) == 0) {
1180 DEBUG (0, ("User doesn't exit!\n"));
1181 ldap_msgfree (result);
1182 ldap_unbind (ldap_struct);
1186 entry = ldap_first_entry (ldap_struct, result);
1187 dn = ldap_get_dn (ldap_struct, entry);
1189 rc = ldap_delete_s (ldap_struct, dn);
1192 if (rc != LDAP_SUCCESS) {
1194 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1195 DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
1196 sname, ldap_err2string (rc), ld_error));
1198 ldap_unbind (ldap_struct);
1202 DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
1203 ldap_unbind (ldap_struct);
1207 /**********************************************************************
1209 *********************************************************************/
1210 static BOOL ldapsam_update_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd)
1212 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1216 LDAPMessage *result;
1220 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1223 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1225 ldap_unbind(ldap_struct);
1229 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct,
1230 pdb_get_username(newpwd), &result);
1232 if (ldap_count_entries(ldap_struct, result) == 0)
1234 DEBUG(0, ("No user to modify!\n"));
1235 ldap_msgfree(result);
1236 ldap_unbind(ldap_struct);
1240 if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, newpwd)) {
1241 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1242 ldap_msgfree(result);
1243 ldap_unbind(ldap_struct);
1247 entry = ldap_first_entry(ldap_struct, result);
1248 dn = ldap_get_dn(ldap_struct, entry);
1250 rc = ldap_modify_s(ldap_struct, dn, mods);
1252 if (rc != LDAP_SUCCESS)
1255 ldap_get_option(ldap_struct, LDAP_OPT_ERROR_STRING,
1258 ("failed to modify user with uid = %s with: %s\n\t%s\n",
1259 pdb_get_username(newpwd), ldap_err2string(rc),
1262 ldap_unbind(ldap_struct);
1267 ("successfully modified uid = %s in the LDAP database\n",
1268 pdb_get_username(newpwd)));
1269 ldap_mods_free(mods, 1);
1270 ldap_unbind(ldap_struct);
1274 /**********************************************************************
1275 Add SAM_ACCOUNT to LDAP
1276 *********************************************************************/
1277 static BOOL ldapsam_add_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd)
1279 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1282 LDAP *ldap_struct = NULL;
1283 LDAPMessage *result = NULL;
1285 LDAPMod **mods = NULL;
1289 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1294 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1296 ldap_unbind(ldap_struct);
1300 rc = ldapsam_search_one_user_by_name (ldap_state, ldap_struct, pdb_get_username(newpwd), &result);
1302 if (ldap_count_entries(ldap_struct, result) != 0)
1304 DEBUG(0,("User already in the base, with samba properties\n"));
1305 ldap_msgfree(result);
1306 ldap_unbind(ldap_struct);
1309 ldap_msgfree(result);
1311 slprintf (filter, sizeof (filter) - 1, "uid=%s", pdb_get_username(newpwd));
1312 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, &result);
1313 num_result = ldap_count_entries(ldap_struct, result);
1315 if (num_result > 1) {
1316 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
1320 /* Check if we need to update an existing entry */
1321 if (num_result == 1) {
1325 DEBUG(3,("User exists without samba properties: adding them\n"));
1326 ldap_op = LDAP_MOD_REPLACE;
1327 entry = ldap_first_entry (ldap_struct, result);
1328 tmp = ldap_get_dn (ldap_struct, entry);
1329 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1333 /* Check if we need to add an entry */
1334 DEBUG(3,("Adding new user\n"));
1335 ldap_op = LDAP_MOD_ADD;
1336 if ( pdb_get_acct_ctrl( newpwd ) & ACB_WSTRUST ) {
1337 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_machine_suffix ());
1340 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_user_suffix ());
1344 ldap_msgfree(result);
1346 if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, newpwd)) {
1347 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1348 ldap_mods_free(mods, 1);
1349 ldap_unbind(ldap_struct);
1352 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
1354 if (ldap_op == LDAP_MOD_REPLACE) {
1355 rc = ldap_modify_s(ldap_struct, dn, mods);
1358 rc = ldap_add_s(ldap_struct, dn, mods);
1361 if (rc != LDAP_SUCCESS)
1365 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1366 DEBUG(0,("failed to modify/add user with uid = %s (dn = %s) with: %s\n\t%s\n",
1367 pdb_get_username(newpwd), dn, ldap_err2string (rc), ld_error));
1369 ldap_mods_free(mods, 1);
1370 ldap_unbind(ldap_struct);
1374 DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
1375 ldap_mods_free(mods, 1);
1376 ldap_unbind(ldap_struct);
1380 static void free_private_data(void **vp)
1382 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
1384 if ((*ldap_state)->ldap_struct) {
1385 ldap_unbind((*ldap_state)->ldap_struct);
1390 /* No need to free any further, as it is talloc()ed */
1393 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1396 struct ldapsam_privates *ldap_state;
1398 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
1402 (*pdb_method)->name = "ldapsam";
1404 (*pdb_method)->setsampwent = ldapsam_setsampwent;
1405 (*pdb_method)->endsampwent = ldapsam_endsampwent;
1406 (*pdb_method)->getsampwent = ldapsam_getsampwent;
1407 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
1408 (*pdb_method)->getsampwrid = ldapsam_getsampwrid;
1409 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
1410 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
1411 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
1413 /* TODO: Setup private data and free */
1415 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
1418 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1419 return NT_STATUS_NO_MEMORY;
1423 ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
1425 ldap_state->uri = "ldap://localhost";
1426 return NT_STATUS_INVALID_PARAMETER;
1429 (*pdb_method)->private_data = ldap_state;
1431 (*pdb_method)->free_private_data = free_private_data;
1433 return NT_STATUS_OK;
1436 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1439 struct ldapsam_privates *ldap_state;
1440 uint32 low_nua_uid, high_nua_uid;
1442 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
1446 (*pdb_method)->name = "ldapsam_nua";
1448 ldap_state = (*pdb_method)->private_data;
1450 ldap_state->permit_non_unix_accounts = True;
1452 if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
1453 DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n"));
1454 return NT_STATUS_UNSUCCESSFUL;
1457 ldap_state->low_nua_rid=pdb_uid_to_user_rid(low_nua_uid);
1459 ldap_state->high_nua_rid=pdb_uid_to_user_rid(high_nua_uid);
1461 return NT_STATUS_OK;
1467 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1469 DEBUG(0, ("ldapsam not compiled in!\n"));
1470 return NT_STATUS_UNSUCCESSFUL;
1473 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1475 DEBUG(0, ("ldapsam_nua not compiled in!\n"));
1476 return NT_STATUS_UNSUCCESSFUL;