2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #define LDAP_TRUST_CONTAINER "ou=system"
26 #define LDAP_ATTRIBUTE_CN "cn"
27 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
28 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
29 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
30 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
31 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
32 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
33 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
34 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
36 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
40 time_t *pass_last_set_time)
45 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
48 const struct dom_sid *sid)
53 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
59 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
62 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
63 LDAP_ATTRIBUTE_CN, domain,
64 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
67 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
69 return talloc_asprintf(talloc_tos(), "%s,%s",
70 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
73 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
75 const char *filter, LDAPMessage **entry)
79 LDAPMessage *result = NULL;
82 base_dn = trusted_domain_base_dn(ldap_state);
83 if (base_dn == NULL) {
87 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
88 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
92 talloc_autofree_ldapmsg(mem_ctx, result);
95 if (rc == LDAP_NO_SUCH_OBJECT) {
100 if (rc != LDAP_SUCCESS) {
104 num_result = ldap_count_entries(priv2ld(ldap_state), result);
106 if (num_result > 1) {
107 DEBUG(1, ("get_trusted_domain_int: more than one "
108 "%s object with filter '%s'?!\n",
109 LDAP_OBJ_TRUSTED_DOMAIN, filter));
113 if (num_result == 0) {
114 DEBUG(1, ("get_trusted_domain_int: no "
115 "%s object with filter '%s'.\n",
116 LDAP_OBJ_TRUSTED_DOMAIN, filter));
119 *entry = ldap_first_entry(priv2ld(ldap_state), result);
125 static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state,
132 filter = talloc_asprintf(talloc_tos(),
133 "(&(objectClass=%s)(|(%s=%s)(%s=%s)(cn=%s)))",
134 LDAP_OBJ_TRUSTED_DOMAIN,
135 LDAP_ATTRIBUTE_FLAT_NAME, domain,
136 LDAP_ATTRIBUTE_TRUST_PARTNER, domain, domain);
137 if (filter == NULL) {
141 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
144 static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state,
146 const char *sid, LDAPMessage **entry)
150 filter = talloc_asprintf(talloc_tos(), "(&(objectClass=%s)(%s=%s))",
151 LDAP_OBJ_TRUSTED_DOMAIN,
152 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, sid);
153 if (filter == NULL) {
157 return get_trusted_domain_int(ldap_state, mem_ctx, filter, entry);
160 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
169 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
172 DEBUG(9, ("Attribute %s not present.\n", attr));
177 l = strtoul(dummy, &endptr, 10);
180 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
189 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
190 struct ldapsam_privates *ldap_state,
191 LDAPMessage *entry, const char *attr,
197 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
200 DEBUG(9, ("Attribute %s not present.\n", attr));
203 blob = base64_decode_data_blob(dummy);
204 if (blob.length == 0) {
207 _blob->length = blob.length;
208 _blob->data = talloc_steal(mem_ctx, blob.data);
214 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
215 struct ldapsam_privates *ldap_state,
217 struct pdb_trusted_domain **_td)
221 struct pdb_trusted_domain *td;
227 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
232 /* All attributes are MAY */
234 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
235 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
238 DEBUG(9, ("Attribute %s not present.\n",
239 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
240 ZERO_STRUCT(td->security_identifier);
242 res = string_to_sid(&td->security_identifier, dummy);
249 get_data_blob_from_ldap_msg(td, ldap_state, entry,
250 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
251 &td->trust_auth_incoming);
253 get_data_blob_from_ldap_msg(td, ldap_state, entry,
254 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
255 &td->trust_auth_outgoing);
257 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
259 LDAP_ATTRIBUTE_FLAT_NAME,
261 if (td->netbios_name == NULL) {
262 DEBUG(9, ("Attribute %s not present.\n",
263 LDAP_ATTRIBUTE_FLAT_NAME));
266 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
268 LDAP_ATTRIBUTE_TRUST_PARTNER,
270 if (td->domain_name == NULL) {
271 DEBUG(9, ("Attribute %s not present.\n",
272 LDAP_ATTRIBUTE_TRUST_PARTNER));
275 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
276 LDAP_ATTRIBUTE_TRUST_DIRECTION,
277 &td->trust_direction);
282 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
283 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
284 &td->trust_attributes);
289 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
290 LDAP_ATTRIBUTE_TRUST_TYPE,
301 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
304 struct pdb_trusted_domain **td)
306 struct ldapsam_privates *ldap_state =
307 (struct ldapsam_privates *)methods->private_data;
308 LDAPMessage *entry = NULL;
310 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
312 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
314 return NT_STATUS_UNSUCCESSFUL;
317 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
319 return NT_STATUS_NO_SUCH_DOMAIN;
322 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
323 return NT_STATUS_UNSUCCESSFUL;
329 static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
332 struct pdb_trusted_domain **td)
334 struct ldapsam_privates *ldap_state =
335 (struct ldapsam_privates *)methods->private_data;
336 LDAPMessage *entry = NULL;
339 sid_str = sid_string_tos(sid);
341 DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n",
344 if (!get_trusted_domain_by_sid_int(ldap_state, talloc_tos(), sid_str,
346 return NT_STATUS_UNSUCCESSFUL;
349 DEBUG(5, ("ipasam_get_trusted_domain_by_sid: no trusted domain "
350 "with sid: %s\n", sid_str));
351 return NT_STATUS_NO_SUCH_DOMAIN;
354 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
355 return NT_STATUS_UNSUCCESSFUL;
361 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
362 LDAPMod ***mods, const char *attribute,
367 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
371 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
377 static bool smbldap_make_mod_blob(LDAP *ldap_struct, LDAPMessage *entry,
378 LDAPMod ***mods, const char *attribute,
383 dummy = base64_encode_data_blob(talloc_tos(), blob);
388 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
394 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
396 const struct pdb_trusted_domain *td)
398 struct ldapsam_privates *ldap_state =
399 (struct ldapsam_privates *)methods->private_data;
400 LDAPMessage *entry = NULL;
403 char *trusted_dn = NULL;
406 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
408 res = get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
411 return NT_STATUS_UNSUCCESSFUL;
415 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
416 LDAP_OBJ_TRUSTED_DOMAIN);
418 if (td->netbios_name != NULL) {
419 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
420 LDAP_ATTRIBUTE_FLAT_NAME,
424 if (td->domain_name != NULL) {
425 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
426 LDAP_ATTRIBUTE_TRUST_PARTNER,
430 if (!is_null_sid(&td->security_identifier)) {
431 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
432 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
433 sid_string_tos(&td->security_identifier));
436 if (td->trust_type != 0) {
437 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
438 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
441 return NT_STATUS_UNSUCCESSFUL;
445 if (td->trust_attributes != 0) {
446 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
448 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
449 td->trust_attributes);
451 return NT_STATUS_UNSUCCESSFUL;
455 if (td->trust_direction != 0) {
456 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
458 LDAP_ATTRIBUTE_TRUST_DIRECTION,
459 td->trust_direction);
461 return NT_STATUS_UNSUCCESSFUL;
465 if (td->trust_auth_outgoing.data != NULL) {
466 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
468 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
469 td->trust_auth_outgoing);
471 return NT_STATUS_UNSUCCESSFUL;
475 if (td->trust_auth_incoming.data != NULL) {
476 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
478 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
479 td->trust_auth_incoming);
481 return NT_STATUS_UNSUCCESSFUL;
485 talloc_autofree_ldapmod(talloc_tos(), mods);
487 trusted_dn = trusted_domain_dn(ldap_state, domain);
488 if (trusted_dn == NULL) {
489 return NT_STATUS_NO_MEMORY;
492 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
494 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
497 if (ret != LDAP_SUCCESS) {
498 DEBUG(1, ("error writing trusted domain data!\n"));
499 return NT_STATUS_UNSUCCESSFUL;
504 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
508 struct ldapsam_privates *ldap_state =
509 (struct ldapsam_privates *)methods->private_data;
510 LDAPMessage *entry = NULL;
513 if (!get_trusted_domain_by_name_int(ldap_state, talloc_tos(), domain,
515 return NT_STATUS_UNSUCCESSFUL;
519 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
521 return NT_STATUS_NO_SUCH_DOMAIN;
524 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
526 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
527 return NT_STATUS_NO_MEMORY;
530 ret = smbldap_delete(ldap_state->smbldap_state, dn);
531 if (ret != LDAP_SUCCESS) {
532 return NT_STATUS_UNSUCCESSFUL;
538 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
540 uint32_t *num_domains,
541 struct pdb_trusted_domain ***domains)
544 struct ldapsam_privates *ldap_state =
545 (struct ldapsam_privates *)methods->private_data;
546 char *base_dn = NULL;
548 int scope = LDAP_SCOPE_SUBTREE;
549 LDAPMessage *result = NULL;
550 LDAPMessage *entry = NULL;
552 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
553 LDAP_OBJ_TRUSTED_DOMAIN);
554 if (filter == NULL) {
555 return NT_STATUS_NO_MEMORY;
558 base_dn = trusted_domain_base_dn(ldap_state);
559 if (base_dn == NULL) {
561 return NT_STATUS_NO_MEMORY;
564 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
567 TALLOC_FREE(base_dn);
569 if (result != NULL) {
570 talloc_autofree_ldapmsg(mem_ctx, result);
573 if (rc == LDAP_NO_SUCH_OBJECT) {
579 if (rc != LDAP_SUCCESS) {
580 return NT_STATUS_UNSUCCESSFUL;
584 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct pdb_trusted_domain *, 1))) {
585 DEBUG(1, ("talloc failed\n"));
586 return NT_STATUS_NO_MEMORY;
589 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
591 entry = ldap_next_entry(priv2ld(ldap_state), entry))
593 struct pdb_trusted_domain *dom_info;
595 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
597 return NT_STATUS_UNSUCCESSFUL;
600 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
601 domains, num_domains);
603 if (*domains == NULL) {
604 DEBUG(1, ("talloc failed\n"));
605 return NT_STATUS_NO_MEMORY;
609 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
613 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
615 uint32_t *num_domains,
616 struct trustdom_info ***domains)
619 struct pdb_trusted_domain **td;
622 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
624 if (!NT_STATUS_IS_OK(status)) {
628 if (*num_domains == 0) {
632 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *,
634 DEBUG(1, ("talloc failed\n"));
635 return NT_STATUS_NO_MEMORY;
638 for (i = 0; i < *num_domains; i++) {
639 struct trustdom_info *dom_info;
641 dom_info = TALLOC_P(*domains, struct trustdom_info);
642 if (dom_info == NULL) {
643 DEBUG(1, ("talloc failed\n"));
644 return NT_STATUS_NO_MEMORY;
647 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
648 sid_copy(&dom_info->sid, &td[i]->security_identifier);
650 (*domains)[i] = dom_info;
656 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
658 struct ldapsam_privates *ldap_state;
660 NTSTATUS nt_status = pdb_init_ldapsam(pdb_method, location);
662 (*pdb_method)->name = "IPA_ldapsam";
664 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
665 ldap_state->is_ipa_ldap = true;
667 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
668 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
669 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
670 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
672 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
673 (*pdb_method)->get_trusted_domain_by_sid = ipasam_get_trusted_domain_by_sid;
674 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
675 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
676 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
681 NTSTATUS pdb_ipa_init(void)
685 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))