r16719: Automatically chase referrals, support LDAP fast bind exended operation
[gd/samba/.git] / examples / misc / adssearch.pl
1 #!/usr/bin/perl -w
2
3 # adssearch.pl  - query an Active Directory server and
4 #                 display objects in a human readable format
5 #
6 # Copyright (C) Guenther Deschner <gd@samba.org> 2003-2005
7 #
8 # TODO: add range retrieval
9 #       write sddl-converter, decode userParameters
10 #       chase referrals
11 #       apparently only win2k3 allows simple-binds with machine-accounts.
12 #       make sasl support independent from Authen::SASL::Cyrus v >0.11
13 use strict;
14
15 use Net::LDAP;
16 use Net::LDAP::Control;
17 use Net::LDAP::Constant qw(LDAP_REFERRAL);
18 use Convert::ASN1;
19 use Time::Local;
20 use POSIX qw(strftime);
21 use Getopt::Long;
22
23 my $have_sasl;
24 my $works_sasl;
25 my $pref_version;
26 BEGIN {
27         my $class = 'Authen::SASL';
28         $pref_version = "0.32";
29         if ( eval "require $class;" ) {
30                 $have_sasl = 1;
31         }
32         if ( eval "Net::LDAP->VERSION($pref_version);" ) {
33                 $works_sasl = 1;
34         }
35 }
36
37 # users may set defaults here
38 my $base        = "";
39 my $binddn      = "";
40 my $password    = "";
41 my $server      = "";
42 my $rebind_url;
43
44
45 my $tdbdump     = "/usr/bin/tdbdump";
46 my $testparm    = "/usr/bin/testparm";
47 my $net         = "/usr/bin/net";
48 my $dig         = "/usr/bin/dig";
49 my $nmblookup   = "/usr/bin/nmblookup";
50 my $secrets_tdb = "/etc/samba/secrets.tdb";
51 my $klist       = "/usr/bin/klist";
52 my $kinit       = "/usr/bin/kinit";
53 my $ads_h       = "/home/gd/ads.h";
54 my $workgroup   = "";
55 my $machine     = "";
56 my $realm       = "";
57
58 # parse input
59 my (
60         $opt_asq,
61         $opt_base, 
62         $opt_binddn,
63         $opt_debug,
64         $opt_display_extendeddn,
65         $opt_display_metadata,
66         $opt_display_raw,
67         $opt_domain_scope,
68         $opt_dump_rootdse,
69         $opt_dump_schema,
70         $opt_dump_wknguid,
71         $opt_fastbind,
72         $opt_help, 
73         $opt_host, 
74         $opt_machine,
75         $opt_notify, 
76         $opt_notify_nodiffs,
77         $opt_paging,
78         $opt_password,
79         $opt_port,
80         $opt_realm,
81         $opt_saslmech,
82         $opt_scope, 
83         $opt_simpleauth,
84         $opt_starttls,
85         $opt_user,
86         $opt_verbose,
87         $opt_workgroup,
88 );
89
90 GetOptions(
91         'asq=s'         => \$opt_asq,
92         'base|b=s'      => \$opt_base,
93         'D|DN=s'        => \$opt_binddn,
94         'debug=i'       => \$opt_debug,
95         'domain_scope'  => \$opt_domain_scope,
96         'extendeddn|e:i'        => \$opt_display_extendeddn,
97         'fastbind'      => \$opt_fastbind,
98         'help'          => \$opt_help,
99         'host|h=s'      => \$opt_host,
100         'machine|P'     => \$opt_machine,
101         'metadata|m'    => \$opt_display_metadata,
102         'nodiffs'       => \$opt_notify_nodiffs,
103         'notify|n'      => \$opt_notify,
104         'paging:i'      => \$opt_paging,
105         'password|w=s'  => \$opt_password,
106         'port=i'        => \$opt_port,
107         'rawdisplay'    => \$opt_display_raw,
108         'realm|R=s'     => \$opt_realm,
109         'rootDSE'       => \$opt_dump_rootdse,
110         'saslmech|Y=s'  => \$opt_saslmech,
111         'schema|c'      => \$opt_dump_schema,
112         'scope|s=s'     => \$opt_scope,
113         'simpleauth|x'  => \$opt_simpleauth,
114         'tls|Z'         => \$opt_starttls,
115         'user|U=s'      => \$opt_user,
116         'verbose|v'     => \$opt_verbose,
117         'wknguid'       => \$opt_dump_wknguid,
118         'workgroup|k=s' => \$opt_workgroup,
119         );
120
121
122 if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
123         usage();
124         exit 1;
125 }
126
127 if ($opt_fastbind && !$opt_simpleauth) {
128         printf("LDAP fast bind can only be performed with simple binds\n");
129         exit 1;
130 }
131
132 if ($opt_notify) {
133         $opt_paging = 0;
134 }
135
136 # get the query
137 my $query       = shift;
138 my @attrs       = @ARGV;
139
140 # some global vars
141 my $filter = "";
142 my ($dse, $uri);
143 my ($attr, $value);
144 my (@ctrls, @ctrls_s);
145 my ($ctl_paged, $cookie);
146 my ($page_count, $total_entry_count);
147 my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
148 my ($mesg, $usn);
149 my (%entry_store);
150 my $async_search;
151 my (%ads_atype, %ads_gtype, %ads_grouptype, %ads_uf);
152
153 # fixed values and vars
154 my $set         = "X";
155 my $unset       = "-";
156 my $tabsize     = "\t\t\t";
157
158 # get defaults
159 my $scope       = $opt_scope    || "sub"; 
160 my $port        = $opt_port;
161
162 my %ads_controls = (
163 "LDAP_SERVER_NOTIFICATION_OID"          => "1.2.840.113556.1.4.528",
164 "LDAP_SERVER_EXTENDED_DN_OID"           => "1.2.840.113556.1.4.529",
165 "LDAP_PAGED_RESULT_OID_STRING"          => "1.2.840.113556.1.4.319",
166 "LDAP_SERVER_SD_FLAGS_OID"              => "1.2.840.113556.1.4.801",
167 "LDAP_SERVER_SORT_OID"                  => "1.2.840.113556.1.4.473",
168 "LDAP_SERVER_RESP_SORT_OID"             => "1.2.840.113556.1.4.474",
169 "LDAP_CONTROL_VLVREQUEST"               => "2.16.840.1.113730.3.4.9",
170 "LDAP_CONTROL_VLVRESPONSE"              => "2.16.840.1.113730.3.4.10",
171 "LDAP_SERVER_RANGE_RETRIEVAL"           => "1.2.840.113556.1.4.802", #unsure
172 "LDAP_SERVER_SHOW_DELETED_OID"          => "1.2.840.113556.1.4.417",
173 "LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID"  => "1.2.840.113556.1.4.521",
174 "LDAP_SERVER_LAZY_COMMIT_OID"           => "1.2.840.113556.1.4.619",
175 "LDAP_SERVER_TREE_DELETE_OID"           => "1.2.840.113556.1.4.805",
176 "LDAP_SERVER_DIRSYNC_OID"               => "1.2.840.113556.1.4.841",
177 "LDAP_SERVER_VERIFY_NAME_OID"           => "1.2.840.113556.1.4.1338",
178 "LDAP_SERVER_DOMAIN_SCOPE_OID"          => "1.2.840.113556.1.4.1339",
179 "LDAP_SERVER_SEARCH_OPTIONS_OID"        => "1.2.840.113556.1.4.1340",
180 "LDAP_SERVER_PERMISSIVE_MODIFY_OID"     => "1.2.840.113556.1.4.1413",
181 "LDAP_SERVER_ASQ_OID"                   => "1.2.840.113556.1.4.1504",
182 "NONE (Get stats control)"              => "1.2.840.113556.1.4.970",
183 "LDAP_SERVER_QUOTA_CONTROL_OID"         => "1.2.840.113556.1.4.1852",
184 );
185
186 my %ads_capabilities = (
187 "LDAP_CAP_ACTIVE_DIRECTORY_OID"         => "1.2.840.113556.1.4.800",
188 "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID"     => "1.2.840.113556.1.4.1670",
189 "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
190 );
191
192 my %ads_extensions = (
193 "LDAP_START_TLS_OID"                    => "1.3.6.1.4.1.1466.20037",
194 "LDAP_TTL_EXTENDED_OP_OID"              => "1.3.6.1.4.1.1466.101.119.1",
195 "LDAP_SERVER_FAST_BIND_OID"             => "1.2.840.113556.1.4.1781", 
196 "NONE (TTL refresh extended op)"        => "1.3.6.1.4.1.1466.101.119.1",
197 );
198
199 my %ads_matching_rules = (
200 "LDAP_MATCHING_RULE_BIT_AND"            => "1.2.840.113556.1.4.803",
201 "LDAP_MATCHING_RULE_BIT_OR"             => "1.2.840.113556.1.4.804",
202 );
203
204 my %wknguids = (
205 "WELL_KNOWN_GUID_COMPUTERS"             => "AA312825768811D1ADED00C04FD8D5CD",
206 "WELL_KNOWN_GUID_DOMAIN_CONTROLLERS"    => "A361B2FFFFD211D1AA4B00C04FD7D83A",
207 "WELL_KNOWN_GUID_SYSTEM"                => "AB1D30F3768811D1ADED00C04FD8D5CD",
208 "WELL_KNOWN_GUID_USERS"                 => "A9D1CA15768811D1ADED00C04FD8D5CD",
209 );
210
211 my %ads_systemflags = (
212 "FLAG_DONT_REPLICATE"                   => 0x00000001,  # 1
213 "FLAG_REPLICATE_TO_GC"                  => 0x00000002,  # 2
214 "FLAG_ATTRIBUTE_CONSTRUCT"              => 0x00000004,  # 4
215 "FLAG_CATEGORY_1_OBJECT"                => 0x00000010,  # 16
216 "FLAG_DELETE_WITHOUT_TOMBSTONE"         => 0x02000000,  # 33554432
217 "FLAG_DOMAIN_DISALLOW_MOVE"             => 0x04000000,  # 67108864
218 "FLAG_DOMAIN_DISALLOW_RENAME"           => 0x08000000,  # 134217728
219 #"FLAG_CONFIG_CAN_MOVE_RESTRICTED"      => 0x10000000,  # 268435456     # only setable on creation
220 #"FLAG_CONFIG_CAN_MOVE"                 => 0x20000000,  # 536870912     # only setable on creation
221 #"FLAG_CONFIG_CAN_RENAME"               => 0x40000000,  # 1073741824    # only setable on creation
222 "FLAG_DISALLOW_DELETE"                  => 0x80000000,  # 2147483648
223 );
224
225 my %ads_mixed_domain = (
226 "NATIVE_LEVEL_DOMAIN"                   => 0,
227 "MIXED_LEVEL_DOMAIN"                    => 1,
228 );
229
230 my %ads_ds_func = (
231 "DS_BEHAVIOR_WIN2000"                   => 0,   # untested
232 "DS_BEHAVIOR_WIN2003"                   => 2,
233 );
234
235 my %ads_instance_type = (
236 "DS_INSTANCETYPE_IS_NC_HEAD"            => 0x1,
237 "IT_WRITE"                              => 0x4,
238 "IT_NC_ABOVE"                           => 0x8,
239 );
240
241 my %ads_uacc = (
242         "ACCOUNT_NEVER_EXPIRES"         => 0x000000, # 0 
243         "ACCOUNT_OK"                    => 0x800000, # 8388608
244         "ACCOUNT_LOCKED_OUT"            => 0x800010, # 8388624
245 );
246
247 my %ads_gpoptions = (
248         "GPOPTIONS_INHERIT"             => 0,
249         "GPOPTIONS_BLOCK_INHERITANCE"   => 1,
250 );
251
252 my %ads_gplink_opts = (
253         "GPLINK_OPT_NONE"               => 0,
254         "GPLINK_OPT_DISABLED"           => 1,
255         "GPLINK_OPT_ENFORCED"           => 2,
256 );
257
258 my %ads_gpflags = (
259         "GPFLAGS_ALL_ENABLED"                   => 0,
260         "GPFLAGS_USER_SETTINGS_DISABLED"        => 1,
261         "GPFLAGS_MACHINE_SETTINGS_DISABLED"     => 2,
262         "GPFLAGS_ALL_DISABLED"                  => 3,
263 );
264
265 my %ads_serverstate = (
266         "SERVER_ENABLED"                => 1,
267         "SERVER_DISABLED"               => 2,
268 );
269
270 my %ads_sdeffective = (
271         "OWNER_SECURITY_INFORMATION"    => 0x01,
272         "DACL_SECURITY_INFORMATION"     => 0x04,
273         "SACL_SECURITY_INFORMATION"     => 0x10,
274 );
275
276 my %ads_trustattrs = (
277         "TRUST_ATTRIBUTE_NON_TRANSITIVE"        => 1,
278         "TRUST_ATTRIBUTE_TREE_PARENT"           => 2,
279         "TRUST_ATTRIBUTE_TREE_ROOT"             => 3,
280         "TRUST_ATTRIBUTE_UPLEVEL_ONLY"          => 4,
281 );
282
283 my %ads_trustdirection = (
284         "TRUST_DIRECTION_INBOUND"               => 1,
285         "TRUST_DIRECTION_OUTBOUND"              => 2,
286         "TRUST_DIRECTION_BIDIRECTIONAL"         => 3,
287 );
288
289 my %ads_trusttype = (
290         "TRUST_TYPE_DOWNLEVEL"                  => 1,
291         "TRUST_TYPE_UPLEVEL"                    => 2,
292         "TRUST_TYPE_KERBEROS"                   => 3,
293         "TRUST_TYPE_DCE"                        => 4,
294 );
295
296 my %ads_pwdproperties = (
297         "DOMAIN_PASSWORD_COMPLEX"               => 1, 
298         "DOMAIN_PASSWORD_NO_ANON_CHANGE"        => 2, 
299         "DOMAIN_PASSWORD_NO_CLEAR_CHANGE"       => 4, 
300         "DOMAIN_LOCKOUT_ADMINS"                 => 8, 
301         "DOMAIN_PASSWORD_STORE_CLEARTEXT"       => 16, 
302         "DOMAIN_REFUSE_PASSWORD_CHANGE"         => 32,
303 );
304
305 my %ads_uascompat = (
306         "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS"   => 0,
307         "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT"     => 1,
308 );
309
310 my %ads_frstypes = (
311         "REPLICA_SET_SYSVOL"            => 2,   # unsure
312         "REPLICA_SET_DFS"               => 1,   # unsure
313         "REPLICA_SET_OTHER"             => 0,   # unsure
314 );
315
316 my %ads_gp_cse_extensions = (
317 "Administrative Templates Extension"    => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
318 "Disk Quotas"                           => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
319 "EFS Recovery"                          => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
320 "Folder Redirection"                    => "25537BA6-77A8-11D2-9B6C-0000F8080861",
321 "IP Security"                           => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
322 "Internet Explorer Maintenance"         => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
323 "QoS Packet Scheduler"                  => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
324 "Scripts"                               => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
325 "Security"                              => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
326 "Software Installation"                 => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
327 );
328
329 # guess work
330 my %ads_gpcextensions = (
331 "Administrative Templates"              => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
332 "Certificates"                          => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
333 "EFS recovery policy processing"        => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
334 "Folder Redirection policy processing"  => "25537BA6-77A8-11D2-9B6C-0000F8080861",
335 "Folder Redirection"                    => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
336 "Registry policy processing"            => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
337 "Remote Installation Services"          => "3060E8CE-7020-11D2-842D-00C04FA372D4",
338 "Security Settings"                     => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
339 "Security policy processing"            => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
340 "unknown"                               => "3060E8D0-7020-11D2-842D-00C04FA372D4",
341 "unknown2"                              => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
342 );
343
344 my %ads_gpo_default_guids = (
345 "Default Domain Policy"                 => "31B2F340-016D-11D2-945F-00C04FB984F9",
346 "Default Domain Controllers Policy"     => "6AC1786C-016F-11D2-945F-00C04fB984F9",
347 "mist"                                  => "61718096-3D3F-4398-8318-203A48976F9E",
348 );
349
350 my %munged_dial = (
351         "CtxCfgPresent"         => \&dump_int,
352         "CtxCfgFlags1"          => \&dump_int,
353         "CtxCallback"           => \&dump_string,
354         "CtxShadow"             => \&dump_string,
355         "CtxMaxConnectionTime"  => \&dump_int,
356         "CtxMaxDisconnectionTime"=> \&dump_int,
357         "CtxMaxIdleTime"        => \&dump_int,
358         "CtxKeyboardLayout"     => \&dump_int,
359         "CtxMinEncryptionLevel" => \&dump_int,
360         "CtxWorkDirectory"      => \&dump_string,
361         "CtxNWLogonServer"      => \&dump_string,
362         "CtxWFHomeDir"          => \&dump_string,
363         "CtxWFHomeDirDrive"     => \&dump_string,
364         "CtxWFProfilePath"      => \&dump_string,
365         "CtxInitialProgram"     => \&dump_string,
366         "CtxCallbackNumber"     => \&dump_string,
367 );
368
369 $SIG{__WARN__} = sub {
370         use Carp;
371         Carp::cluck (shift);
372 };
373
374 # parse ads.h
375 parse_ads_h();
376
377 # if there is data missing, we try to autodetect with samba-tools (if installed)
378 # this might fill up workgroup, machine, realm
379 get_samba_info();
380
381 # get a workgroup
382 $workgroup      = $workgroup || $opt_workgroup || "";
383
384 # get the server
385 $server         = process_servername($opt_host) || 
386                   detect_server($workgroup,$opt_realm) || 
387                   die "please define server to query with -h host\n";
388
389
390 # get the base
391 $base           = $opt_base || 
392                   get_base_from_rootdse($server,$dse);
393
394 # get the realm
395 $realm          = $opt_realm || 
396                   get_realm_from_rootdse($server,$dse);
397
398 # get sasl mechs
399 my @sasl_mechs  = get_sasl_mechs_from_rootdse($server,$dse);
400 my $sasl_mech   = "GSSAPI";
401 if ($opt_saslmech) {
402         $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
403 }
404
405 # set bind type
406 my $sasl_bind = 1 if (!$opt_simpleauth);
407
408 # get username
409 my $user        = check_user($opt_user) || $ENV{'USER'} || "";
410
411 # gen upn
412 my $upn         = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
413
414 # get binddn
415 $binddn         = $opt_binddn || $upn;
416
417 # get the password
418 $password       = $password || $opt_password;
419 if (!$password) {
420         $password = $opt_machine ? get_machine_password($workgroup) : get_password();
421 }
422
423 my %attr_handler = (
424         "Token-Groups-No-GC-Acceptable" => \&dump_sid,  #wrong name
425         "accountExpires"                => \&dump_nttime,
426         "badPasswordTime"               => \&dump_nttime,                       
427         "creationTime"                  => \&dump_nttime,
428         "currentTime"                   => \&dump_timestr,
429         "domainControllerFunctionality" => \&dump_ds_func,
430         "domainFunctionality"           => \&dump_ds_func,
431         "fRSReplicaSetGUID"             => \&dump_guid,
432         "fRSReplicaSetType"             => \&dump_frstype,
433         "fRSVersionGUID"                => \&dump_guid,
434         "flags"                         => \&dump_gpflags,      # fixme: possibly only on gpos!
435         "forceLogoff"                   => \&dump_nttime_abs,
436         "forestFunctionality"           => \&dump_ds_func,
437 #       "gPCMachineExtensionNames"      => \&dump_gpcextensions,
438 #       "gPCUserExtensionNames"         => \&dump_gpcextensions,
439         "gPLink"                        => \&dump_gplink,
440         "gPOptions"                     => \&dump_gpoptions,
441         "groupType"                     => \&dump_gtype,
442         "instanceType"                  => \&dump_instance_type,
443         "lastLogon"                     => \&dump_nttime,
444         "lastLogonTimestamp"            => \&dump_nttime,
445         "lockOutObservationWindow"      => \&dump_nttime_abs,
446         "lockoutDuration"               => \&dump_nttime_abs,
447         "lockoutTime"                   => \&dump_nttime,
448 #       "logonHours"                    => \&dump_logonhours,
449         "maxPwdAge"                     => \&dump_nttime_abs,
450         "minPwdAge"                     => \&dump_nttime_abs,
451         "modifyTimeStamp"               => \&dump_timestr,
452         "msDS-Behavior-Version"         => \&dump_ds_func,      #unsure
453         "msDS-User-Account-Control-Computed" => \&dump_uacc,
454         "mS-DS-CreatorSID"              => \&dump_sid,
455 #       "msRADIUSFramedIPAddress"       => \&dump_ipaddr,
456 #       "msRASSavedFramedIPAddress"     => \&dump_ipaddr,
457         "netbootGUID"                   => \&dump_guid,
458         "nTMixedDomain"                 => \&dump_mixed_domain,
459         "nTSecurityDescriptor"          => \&dump_secdesc,
460         "objectGUID"                    => \&dump_guid,
461         "objectSid"                     => \&dump_sid,
462         "pKT"                           => \&dump_pkt,
463         "pKTGuid"                       => \&dump_guid,
464         "pwdLastSet"                    => \&dump_nttime,
465         "pwdProperties"                 => \&dump_pwdproperties,
466         "sAMAccountType"                => \&dump_atype,
467         "sDRightsEffective"             => \&dump_sdeffective,
468         "securityIdentifier"            => \&dump_sid,
469         "serverState"                   => \&dump_serverstate,
470         "supportedCapabilities",        => \&dump_capabilities,
471         "supportedControl",             => \&dump_controls,
472         "supportedExtension",           => \&dump_extension,
473         "systemFlags"                   => \&dump_systemflags,
474         "tokenGroups",                  => \&dump_sid,
475         "tokenGroupsGlobalAndUniversal" => \&dump_sid,
476         "tokenGroupsNoGCAcceptable"     => \&dump_sid,
477         "trustAttributes"               => \&dump_trustattr,
478         "trustDirection"                => \&dump_trustdirection,
479         "trustType"                     => \&dump_trusttype,
480         "uASCompat"                     => \&dump_uascompat,
481         "userAccountControl"            => \&dump_uac,
482         "userCertificate"               => \&dump_cert,
483         "userFlags"                     => \&dump_uf,
484         "userParameters"                => \&dump_munged_dial,
485         "whenChanged"                   => \&dump_timestr,
486         "whenCreated"                   => \&dump_timestr,
487 #       "dSCorePropagationData"         => \&dump_timestr,
488 );
489
490
491
492 ################
493 # subfunctions #
494 ################
495
496 sub usage {
497         print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
498         print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
499         print "\t--base|-b [base]\n\t\tUse base [base]\n";
500         print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
501         print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n";
502         print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
503         print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
504         print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n";
505         print "\t--help\n\t\tDisplay help page\n";
506         print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
507         print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
508         print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
509         print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
510         print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
511         print "\t--paging [pagesize]\n\t\tUse paged results when searching\n";
512         print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
513         print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
514         print "\t--rawdisplay\n\t\tDo not interpret values\n";
515         print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
516         print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
517         print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
518         print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
519         print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
520         print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
521         print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
522         print "\t--user|-U [user]\n\t\tUse [user]\n";
523         print "\t--wknguid\n\t\tDisplay well known guids\n";
524         print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
525 }
526
527 sub write_ads_list {
528         my ($mod,$attr,$value) = @_;
529         my $ofh = select(STDOUT);
530         $~ = "ADS_LIST";
531         select($ofh);
532         write();
533
534 format ADS_LIST =
535 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
536 $mod, $attr, $value
537 .
538 }
539
540 sub write_ads {
541         my ($mod,$attr,$value) = @_;
542         my $ofh = select(STDOUT);
543         $~ = "ADS";
544         select($ofh);
545         write();
546
547 format ADS =
548 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
549 $mod, $attr, $value
550 ~~                              ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
551                                 $value
552 .
553 }
554
555 sub detect_server {
556
557         my $workgroup = shift;
558         my $realm = shift;
559         my $result;
560         my $found;
561
562         # try net cache (nbt records)
563         if ( -x $net && $workgroup ) {
564                 my $key = sprintf("NBT/%s#1C", uc($workgroup));
565                 chomp($result = `$net cache search $key 2>&1 /dev/null`);
566                 $result =~ s/^.*Value: //;
567                 $result =~ s/:.*//;
568                 return $result if $result;
569                 printf("%10s query failed for [%s]\n", "net cache", $key);
570         }
571
572         # try dns SRV entries
573         if ( -x $dig && $realm ) {
574                 my $key = sprintf("_ldap._tcp.%s", lc($realm));
575                 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
576                 $result =~ s/.* //g;
577                 $result =~ s/.$//g;
578                 return $result if $result;
579                 printf("%10s query failed for [%s]\n", "dns", $key);
580         }
581
582         # try netbios broadcast query
583         if ( -x $nmblookup && $workgroup ) {
584                 my $key = sprintf("%s#1C", uc($workgroup));
585                 my $pattern = sprintf("%s<1c>", uc($workgroup));
586                 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
587                 $result =~ s/\s.*//;
588                 return $result if $result;
589                 printf("%10s query failed for [%s]\n", "nmblookup", $key);
590         }
591
592         return "";
593 }
594
595 sub get_samba_info {
596
597         if (! -x $testparm) { return -1; }
598         
599         my $tmp;
600         open(TESTPARM, "$testparm -s -v 2> /dev/null |");
601         while (my $line = <TESTPARM>) {
602                 chomp($line);
603                 if ($line =~ /netbios name/) {
604                         ($tmp, $machine) = split(/=/, $line);
605                         $machine =~ s/\s+|\t+//g;
606                 }
607                 if ($line =~ /realm/) {
608                         ($tmp, $realm) = split(/=/, $line);
609                         $realm =~ s/\s+|\t+//g;
610                 }
611                 if ($line =~ /workgroup/) {
612                         ($tmp, $workgroup) = split(/=/, $line);
613                         $workgroup =~ s/\s+|\t+//g;
614                 }
615         }
616         close(TESTPARM);
617         return 0;
618 }
619
620 sub gen_upn {
621         my $machine = shift;
622         my $realm = shift;
623         if ($machine && $realm) {
624                 return sprintf("%s\@%s", lc($machine), uc($realm));
625         };
626         return undef;
627 }
628
629 sub get_password {
630         if (!$password && $opt_simpleauth && check_ticket($user)) {
631                 return prompt_password($user);
632         }
633         return "";
634 }
635
636 sub get_user {
637         my $user = shift || prompt_user();
638         return $user;
639 }
640
641 sub get_machine_password {
642
643         my $workgroup = shift || "";
644         $workgroup = uc($workgroup);
645
646         my ($found, $tmp);
647         -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
648         -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
649
650         # get machine-password
651         my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
652         open(SECRETS,"$tdbdump $secrets_tdb |");
653         while(my $line = <SECRETS>) {
654                 chomp($line);
655                 if ($found) {
656                         $line =~ s/\\00//;
657                         ($line,$password) = split(/"/, $line);
658                         last;
659                 }
660                 if ($line =~ /$key/) {
661                         $found = 1;
662                 }
663         }
664         close(SECRETS);
665
666         if ($found) {
667                 print "Successfully autodetected machine password for workgroup: $workgroup\n";
668                 return $password;
669         } else {
670                 warn "No machine password available for $workgroup\n";
671         }
672         return "";
673 }
674
675 sub prompt_password {
676
677         my $acct = shift || "";
678         if ($acct =~ /\%/) {
679                 ($acct, $password) = split(/\%/, $acct);
680                 return $password;
681         }
682         system "stty -echo";
683         print "Enter password for $acct:";
684         my $password = <STDIN>;
685         chomp($password);
686         print "\n";
687         system "stty echo";
688         return $password;
689 }
690
691 sub prompt_user {
692
693         print "Enter Username:";
694         my $user = <STDIN>;
695         chomp($user);
696         print "\n";
697         return $user;
698 }
699
700 sub check_ticket {
701         return 0;
702         # works only for heimdal
703         return system("$klist -t");
704 }
705
706 sub get_ticket {
707
708         my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
709
710         open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
711         printf  KRB5CONF "# autogenerated by $0\n";
712         printf  KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
713         printf  KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
714         close(KRB5CONF);
715
716         if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
717                 return -1;
718         }
719
720         return 0;
721 }
722
723 sub check_user {
724         my $acct = shift || "";
725         if ($acct =~ /\%/) {
726                 ($acct, $password) = split(/\%/, $acct);
727         }
728         return $acct;
729 }
730
731 sub check_root_dse($$$@) {
732
733         # bogus function??
734         my $server = shift || "";
735         $dse = shift || get_dse($server) || return -1;
736         my $attr = shift || die "unknown query";
737         my @array = @_;
738
739         my $dse_list = $dse->get_value($attr, asref => '1');
740         my @dse_array = @$dse_list;
741
742         foreach my $i (@array) {
743                 # we could use -> supported_control but this 
744                 # is only available in newer versions of perl-ldap
745 #               if ( ! $dse->supported_control( $i ) ) {
746                 if ( grep(/$i->type()/, @dse_array) ) { 
747                         printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type());
748                         return -1;
749                 }
750         }
751         return 0;
752 }
753
754 sub check_ctrls ($$@) {
755         my $server = shift;
756         my $dse = shift;
757         my @array = @_;
758         return check_root_dse($server, $dse, "supportedControl", @array);
759 }
760
761 sub check_exts ($$@) {
762         my $server = shift;
763         my $dse = shift;
764         my @array = @_;
765         return check_root_dse($server, $dse, "supportedExtension", @array);
766 }
767
768 sub get_base_from_rootdse {
769
770         my $server = shift || "";
771         $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
772         return $dse->get_value('defaultNamingContext');
773 }
774
775 sub get_realm_from_rootdse {
776
777         my $server = shift || "";
778         $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
779         my $service = $dse->get_value('ldapServiceName') || "";
780         if ($service) {
781                 my ($t,$realm) = split(/\@/, $service);
782                 return $realm;
783         } else {
784                 die "very odd: could not get realm";
785         }
786 }
787
788 sub get_sasl_mechs_from_rootdse {
789
790         my $server = shift || "";
791         $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
792         my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
793         return @$mechs;
794 }
795
796 sub get_dse {
797
798         my $server = shift || return undef;
799         $async_ldap_hd = shift || get_ldap_hd($server,1);
800         if (!$async_ldap_hd) {
801                 print "oh, no connection\n";
802                 return undef;
803         }
804         my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
805         if ($mesg->code) { die "failed to bind\n"; };
806         my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
807
808         return $dse;
809 }
810
811 sub process_servername {
812
813         my $name = shift || return "";
814         if ($name =~ /^ldaps:\/\//i ) {
815                 $name =~ s#^ldaps://##i;
816                 $uri = sprintf("%s://%s", "ldaps", $name);
817         } else {
818                 $name =~ s#^ldap://##i;
819                 $uri = sprintf("%s://%s", "ldap", $name);
820         }
821         return $name;
822 }
823
824 sub get_ldap_hd {
825
826         my $server = shift || return undef;
827         my $async = shift || "0";
828         my $hd;
829         die "uri unavailable" if (!$uri);
830         if ($uri =~ /^ldaps:\/\//i ) {
831                 $port = $port || 636;
832                 use Net::LDAPS;
833                 $hd = Net::LDAPS->new( $server, async => $async, port => $port ) || 
834                         die "host $server not available: $!";
835         } else {
836                 $port = $port || 389;
837                 $hd = Net::LDAP->new( $server, async => $async, port => $port ) || 
838                         die "host $server not available: $!";
839         }
840         $hd->debug($opt_debug);
841         if ($opt_starttls) {
842                 $hd->start_tls( verify => 'none' );
843         }
844
845         return $hd;
846 }
847
848 sub get_sasl_hd {
849
850         if (!$have_sasl) {
851                 print "no sasl support\n";
852                 return undef;
853         }
854
855         my $hd;
856         if ($sasl_mech && $sasl_mech eq "GSSAPI") {
857                 my $user = sprintf("%s\@%s", $user, uc($realm));
858                 if (check_ticket($user) != 0 && get_ticket($user) != 0) {
859                         print "Could not get Kerberos ticket for user [$user]\n";
860                         return undef;
861                 }
862
863                 $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
864                 my $conn = $hd->client_new("ldap", $server);
865                 
866                 if ($conn->code == -1) {
867                         printf "%s\n", $conn->error();
868                         return undef;
869                 };
870
871         } elsif ($sasl_mech) {
872
873                 # here comes generic sasl code
874                 $hd = Authen::SASL->new( mechanism => $sasl_mech, 
875                         callback  => { 
876                                 user => \&get_user, 
877                                 pass => \&get_password 
878                         } 
879                 ) || die "nope";
880         } else {
881                 $sasl_bind = 0;
882                 print "no supported SASL mechanism found (@sasl_mechs).\n";
883                 print "falling back to simple bind.\n";
884                 return undef;
885         }
886
887         return $hd;
888 }
889
890 sub check_sasl_mech {
891         my $mech_check = shift;
892         my $have_mech = 0;
893         foreach my $mech (@sasl_mechs) {
894                 $have_mech = 1 if ($mech eq uc($mech_check));
895         }
896         if (!$have_mech) {
897                 return -1;
898         }
899         return 0;
900 }
901
902
903 sub parse_ads_h {
904
905         -e "$ads_h" || die "cannot open samba3 ads.h ($ads_h): $!";
906         open(ADSH,"$ads_h");
907         while (my $line = <ADSH>) {
908                 chomp($line);
909                 if ($line =~ /#define.UF.*0x/) {
910                         my ($tmp, $name, $val) = split(/\s+/,$line);
911                         next if ($name =~ /UNUSED/);
912 #                       $ads_uf{$name} = sprintf("%d", hex $val);
913                         $ads_uf{$name} = hex $val;
914                 }
915                 if ($line =~ /#define.GROUP_TYPE.*0x/) {
916                         my ($tmp, $name, $val) = split(/\s+/,$line);
917                         $ads_grouptype{$name} = hex $val;
918                 }
919                 if ($line =~ /#define.ATYPE.*0x/) {
920                         my ($tmp, $name, $val) = split(/\s+/,$line);
921                         $ads_atype{$name} = 
922                                 (exists $ads_atype{$val}) ? $ads_atype{$val} : hex $val;
923                 }
924                 if ($line =~ /#define.GTYPE.*0x/) {
925                         my ($val, $i);
926                         my ($tmp, $name, @val) = split(/\s+/,$line);
927                         foreach my $tempval (@val) {
928                                 if ($tempval =~ /^0x/) {
929                                         $val = $tempval;
930                                         last;
931                                 }
932                         }
933                         next if (!$val);
934                         $ads_gtype{$name} = sprintf("%d", hex $val);
935                 }
936
937         }
938         close(ADSH);
939 }
940
941 sub store_result ($) {
942
943         my $entry = shift;
944         return if (!$entry);
945         $entry_store{$entry->dn} = $entry;
946 }
947
948 sub display_result_diff ($) {
949
950         my $entry_new = shift;
951         return if ( !$entry_new);
952
953         if ( !exists $entry_store{$entry_new->dn}) {
954                 print "can't display any differences yet. full dump...\n";
955                 display_entry_generic($entry_new);
956                 return;
957         }
958
959         my $entry_old = $entry_store{$entry_new->dn};
960
961         foreach my $attr (sort $entry_new->attributes) {
962                 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
963                         display_attr_generic("add:\t", $entry_new, $attr);
964                         next;
965                 }
966         }
967
968         foreach my $attr (sort $entry_old->attributes) {
969                 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
970                         display_attr_generic("del:\t", $entry_old, $attr);
971                         next;
972                 }
973
974                 # now check for all values if they have changed, display changes
975                 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
976
977                 $old_vals = $entry_old->get_value($attr, asref => 1);
978                 @old_vals = @$old_vals;
979                 $new_vals = $entry_new->get_value($attr, asref => 1);
980                 @new_vals = @$new_vals;
981
982                 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
983                         if ($old_vals[0] ne $new_vals[0]) {
984                                 display_attr_generic("old:\t", $entry_old, $attr);
985                                 display_attr_generic("new:\t", $entry_new, $attr);
986                         }
987                         next;
988                 }
989
990                 # handle multivalued diffs
991                 foreach my $val (@old_vals) { $old{$val} = "dummy"; };
992                 foreach my $val (@new_vals) { $new{$val} = "dummy"; };
993                 foreach my $val (sort keys %new) {
994                         if (!exists $old{$val}) {
995                                 display_value_generic("add:\t", $attr, $val);
996                         }
997                 }
998                 foreach my $val (sort keys %old) {
999                         if (!exists $new{$val}) {
1000                                 display_value_generic("del:\t", $attr, $val);
1001                         }
1002                 }
1003         }
1004         print "\n";
1005
1006 }
1007
1008 sub sid2string ($) {
1009
1010         # Fix from Michael James <michael@james.st>
1011         my $binary_sid = shift;
1012         my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
1013         my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
1014         return $sid_string;
1015                         
1016 }
1017
1018 sub string_to_guid {
1019         my $string = shift;
1020         return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
1021         
1022         return  pack("I", hex $1) . 
1023                 pack("S", hex $2) . 
1024                 pack("S", hex $3) . 
1025                 pack("C", hex $4) . 
1026                 pack("C", hex $5) .
1027                 pack("C", hex $6) . 
1028                 pack("C", hex $7) . 
1029                 pack("C", hex $8) . 
1030                 pack("C", hex $9) . 
1031                 pack("C", hex $10) . 
1032                 pack("C", hex $11);
1033
1034 #       print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
1035 }
1036                                                                
1037 sub bindstring_to_guid {
1038         my $str = shift;
1039         return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2", 
1040                 substr($str,0,2),
1041                 substr($str,2,2),
1042                 substr($str,4,2),
1043                 substr($str,6,2),
1044                 substr($str,8,2),
1045                 substr($str,10,2),
1046                 substr($str,12,2),
1047                 substr($str,14,2),
1048                 substr($str,16,2),
1049                 substr($str,18,2),
1050                 substr($str,20,2),
1051                 substr($str,22,2),
1052                 substr($str,24,2),
1053                 substr($str,26,2),
1054                 substr($str,28,2),
1055                 substr($str,30,2));
1056 }
1057
1058 sub guid_to_string {
1059         my $guid = shift;
1060         my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", 
1061                 unpack("I", $guid), 
1062                 unpack("S", substr($guid, 4, 2)), 
1063                 unpack("S", substr($guid, 6, 2)),
1064                 unpack("C", substr($guid, 8, 1)),
1065                 unpack("C", substr($guid, 9, 1)),
1066                 unpack("C", substr($guid, 10, 1)),
1067                 unpack("C", substr($guid, 11, 1)),
1068                 unpack("C", substr($guid, 12, 1)),
1069                 unpack("C", substr($guid, 13, 1)),
1070                 unpack("C", substr($guid, 14, 1)),
1071                 unpack("C", substr($guid, 15, 1)); 
1072         return lc($string);
1073 }
1074
1075 sub guid_to_bindstring {
1076         my $guid = shift;
1077         return unpack("H" . 2 * length($guid), $guid),
1078 }
1079
1080 sub dump_wknguid {
1081         print "Dumping Well known GUIDs:\n";
1082         foreach my $wknguid (keys %wknguids) {
1083
1084                 my $guid = bindstring_to_guid($wknguids{$wknguid});
1085                 my $str  = guid_to_string($guid);
1086                 my $back = guid_to_bindstring($guid);
1087
1088                 printf "wkguid:             %s\n", $wknguid;
1089                 printf "bind_string format: %s\n", $wknguids{$wknguid};
1090                 printf "string format:      %s\n", guid_to_string($guid);
1091                 printf "back to bind_string:%s\n", guid_to_bindstring($guid);
1092                                 
1093                 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
1094         }
1095 }
1096
1097 sub gen_bitmask_string_format($%) {
1098         my $mod = shift;
1099         my (%tmp) = @_;
1100         my @list;
1101         foreach my $key (sort keys %tmp) {
1102                 push(@list, sprintf("%s %s", $tmp{$key}, $key));
1103         }
1104         return join("\n$mod$tabsize",@list);
1105 }
1106
1107
1108 sub nt_to_unixtime ($) {
1109         # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
1110         my $t64 = shift;
1111         $t64 =~ s/(.+).{7,7}/$1/;
1112         $t64 -= 11644473600;
1113         return $t64;
1114 }
1115
1116 sub dump_equal {
1117         my $val = shift;
1118         my $mod = shift || die "no mod";
1119         my (%header) = @_;
1120         my %tmp;
1121         my $found = 0;
1122         foreach my $key (keys %header) {
1123                 if ($header{$key} eq $val) {
1124                         $tmp{"($val)"} = $key;
1125                         $found = 1;
1126                         last;
1127                 }
1128         }
1129         if (!$found) { $tmp{$val} = ""; };
1130         return gen_bitmask_string_format($mod,%tmp);
1131 }
1132
1133 sub dump_bitmask {
1134         my $op = shift || die "no op";
1135         my $val = shift; 
1136         my $mod = shift || die "no mod";
1137         my (%header) = @_;
1138         my %tmp;
1139         $tmp{""} = $val;
1140         foreach my $key (sort keys %header) {   # sort by val !
1141                 if ($op eq "&") {
1142                         $tmp{$key} = ( $val & $header{$key} ) ? $set:$unset; 
1143                 } elsif ($op eq "==") {
1144                         $tmp{$key} = ( $val == $header{$key} ) ? $set:$unset; 
1145                 } else {
1146                         print "unknown operator: $op\n";
1147                         return;
1148                 }
1149         }
1150         return gen_bitmask_string_format($mod,%tmp);
1151 }
1152
1153 sub dump_bitmask_and {
1154         return dump_bitmask("&",@_);
1155 }
1156
1157 sub dump_bitmask_equal {
1158         return dump_bitmask("==",@_);
1159 }
1160
1161 sub dump_uac {
1162         return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
1163 }
1164
1165 sub dump_uascompat {
1166         return dump_bitmask_equal(@_,%ads_uascompat);
1167 }
1168
1169 sub dump_gpoptions {
1170         return dump_bitmask_equal(@_,%ads_gpoptions);
1171 }
1172
1173 sub dump_gpflags {
1174         return dump_bitmask_equal(@_,%ads_gpflags);
1175 }
1176
1177 sub dump_uacc {
1178         return dump_bitmask_equal(@_,%ads_uacc); 
1179 }
1180
1181 sub dump_uf {
1182         return dump_bitmask_and(@_,%ads_uf);
1183 }
1184
1185 sub dump_gtype {
1186         my $ret = dump_bitmask_and(@_,%ads_grouptype);
1187         $ret .= "\n$tabsize\t";
1188         $ret .= dump_bitmask_equal(@_,%ads_gtype);
1189         return $ret;
1190 }
1191
1192 sub dump_atype {
1193         return dump_bitmask_equal(@_,%ads_atype);
1194 }
1195
1196 sub dump_controls {
1197         return dump_equal(@_,%ads_controls);
1198 }
1199
1200 sub dump_capabilities {
1201         return dump_equal(@_,%ads_capabilities);
1202 }
1203
1204 sub dump_extension {
1205         return dump_equal(@_,%ads_extensions);
1206 }
1207
1208 sub dump_systemflags {
1209         return dump_bitmask_and(@_,%ads_systemflags);
1210 }
1211
1212 sub dump_instance_type {
1213         return dump_bitmask_and(@_,%ads_instance_type);
1214 }
1215
1216 sub dump_ds_func {
1217         return dump_bitmask_equal(@_,%ads_ds_func);
1218 }
1219
1220 sub dump_serverstate {
1221         return dump_bitmask_equal(@_,%ads_serverstate);
1222 }
1223
1224 sub dump_sdeffective {
1225         return dump_bitmask_and(@_,%ads_sdeffective);
1226 }
1227
1228 sub dump_trustattr {
1229         return dump_bitmask_equal(@_,%ads_trustattrs);
1230 }
1231
1232 sub dump_trusttype {
1233         return dump_bitmask_equal(@_,%ads_trusttype);
1234 }
1235
1236 sub dump_trustdirection {
1237         return dump_bitmask_equal(@_,%ads_trustdirection);
1238 }
1239
1240 sub dump_pwdproperties {
1241         return dump_bitmask_and(@_,%ads_pwdproperties);
1242 }
1243
1244 sub dump_frstype {
1245         return dump_bitmask_equal(@_,%ads_frstypes)
1246 }
1247
1248 sub dump_mixed_domain {
1249         return dump_bitmask_equal(@_,%ads_mixed_domain);
1250 }
1251
1252 sub dump_sid {
1253         my $bin_sid = shift;
1254         return sid2string($bin_sid);
1255 }
1256
1257 sub dump_guid {
1258         my $guid = shift;
1259         return guid_to_string($guid);
1260 }
1261
1262 sub dump_secdesc {
1263         my $val = shift;
1264         return "FIXME: write sddl-converter!";
1265 }
1266
1267 sub dump_nttime {
1268         my $nttime = shift;
1269         if ($nttime == 0) {
1270                 return sprintf("%s (%s)", "never", $nttime);
1271         }
1272         my $localtime = localtime(nt_to_unixtime($nttime));
1273         return sprintf("%s (%s)", $localtime, $nttime);
1274 }
1275
1276 sub dump_nttime_abs {
1277         if ($_[0] == 9223372036854775807) {
1278                 return sprintf("%s (%s)", "now", $_[0]);
1279         }
1280         if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1281                 return sprintf("%s (%s)", "never", $_[0]);
1282         }
1283         # FIXME: actually *do* abs time !
1284         return dump_nttime($_[0]);
1285 }
1286
1287 sub dump_timestr {
1288         my $time = shift;
1289         if ($time eq "16010101000010.0Z") {
1290                 return sprintf("%s (%s)", "never", $time);
1291         }
1292         my ($year,$mon,$mday,$hour,$min,$sec,$zone) = 
1293                 unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1294         $mon -= 1;
1295         my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
1296         return sprintf("%s (%s)", $localtime, $time);
1297 }
1298
1299 sub dump_string {
1300         return $_[0];
1301 }
1302
1303 sub dump_int {
1304         return sprintf("%d", $_[0]);
1305 }
1306
1307 sub dump_munged_dial {
1308         my $dial = shift;
1309         return "FIXME! decode this";
1310 }
1311
1312 sub dump_cert {
1313  
1314         my $cert = shift;
1315         open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
1316         print OPENSSL $cert;
1317         close(OPENSSL);
1318         return "";
1319 }
1320
1321 sub dump_pkt {
1322         my $pkt = shift;
1323         return "not yet";
1324         printf("%s: ", $pkt);
1325         printf("%02X", $pkt);
1326         
1327 }
1328
1329 sub dump_gplink {
1330
1331         my $gplink = shift;
1332         my $gplink_mod = $gplink;
1333         my @links = split("\\]\\[", $gplink_mod);
1334         foreach my $link (@links) {
1335                 $link =~ s/^\[|\]$//g;
1336                 my ($ldap_link, $opt) = split(";", $link);
1337                 my @array = ( "$opt", "\t" );
1338                 printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
1339         }
1340         return $gplink;
1341 }
1342
1343 sub construct_filter {
1344
1345         my $tmp = shift;
1346
1347         if (!$tmp || $opt_notify) {
1348                 return "(objectclass=*)";
1349         }
1350
1351         if ($tmp && $tmp !~ /^.*\=/) {
1352                 return "(ANR=$tmp)";
1353         }
1354
1355         return $tmp;
1356         # (&(objectCategory=person)
1357         # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1358 }
1359
1360 sub construct_attrs {
1361         
1362         my @attrs = @_;
1363         
1364         if (!@attrs) {
1365                 push(@attrs,"*");
1366         }
1367
1368         if ($opt_notify) {
1369                 push(@attrs,"uSNChanged");
1370         }
1371
1372         if ($opt_display_metadata) {
1373                 push(@attrs,"msDS-ReplAttributeMetaData");
1374                 push(@attrs,"replPropertyMetaData");
1375         }
1376
1377         if ($opt_verbose) {
1378                 push(@attrs,"nTSecurityDescriptor");
1379                 push(@attrs,"msDS-KeyVersionNumber");
1380                 push(@attrs,"msDS-User-Account-Control-Computed");
1381                 push(@attrs,"modifyTimeStamp");
1382         }
1383
1384         return sort @attrs;
1385 }
1386
1387 sub print_header {
1388
1389         print "\n";
1390         printf "%10s: %s\n", "uri", $uri;
1391         printf "%10s: %s\n", "port", $port;
1392         printf "%10s: %s\n", "base", $base;
1393         printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
1394         printf "%10s: %s\n", "password", $password;
1395         printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
1396         printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1397         printf "%10s: %s\n", "filter", $filter;
1398         printf "%10s: %s\n", "scope", $scope;
1399         printf "%10s: %s\n", "attrs", join(", ", @attrs);
1400         printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1401         printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging);
1402         printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
1403         printf "\n";
1404 }
1405
1406 sub gen_controls {
1407
1408         # setup attribute-scoped query control
1409         my $asq_asn = Convert::ASN1->new;
1410         $asq_asn->prepare(
1411                 q<      asq ::= SEQUENCE {
1412                                 sourceAttribute   OCTET_STRING
1413                         }
1414                 >
1415         );
1416         my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
1417         my $ctl_asq = Net::LDAP::Control->new(
1418                 type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
1419                 critical => 'true',
1420                 value => $ctl_asq_val);
1421
1422
1423         # setup extended dn control
1424         my $asn_extended_dn = Convert::ASN1->new;
1425         $asn_extended_dn->prepare(
1426                 q<      ExtendedDn ::= SEQUENCE {
1427                                 mode     INTEGER
1428                         }
1429                 >
1430         );
1431
1432         # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val
1433         my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn);
1434         my $ctl_extended_dn = Net::LDAP::Control->new( 
1435                         type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1436                         critical => 'true',
1437                         value => $opt_display_extendeddn ? $ctl_extended_dn_val : "");
1438
1439         # setup notify control
1440         my $ctl_notification = Net::LDAP::Control->new( 
1441                 type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1442                 critical => 'true');
1443
1444
1445         # setup paging control
1446         $ctl_paged = Net::LDAP::Control->new( 
1447                 type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1448                 critical => 'true',
1449                 size => $opt_paging ? $opt_paging : 1000);
1450
1451         # setup domscope control
1452         my $ctl_domscope = Net::LDAP::Control->new( 
1453                 type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'},
1454                 critical => 'true',
1455                 value => "");
1456
1457         if (defined($opt_paging)) {
1458                 push(@ctrls, $ctl_paged);
1459                 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1460         }
1461
1462         if (defined($opt_display_extendeddn)) {
1463                 push(@ctrls, $ctl_extended_dn);
1464                 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1465         } 
1466         if ($opt_notify) {
1467                 push(@ctrls, $ctl_notification);
1468                 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1469         }
1470         
1471         if ($opt_asq) {
1472                 push(@ctrls, $ctl_asq);
1473                 push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
1474         }
1475
1476         if ($opt_domain_scope) {
1477                 push(@ctrls, $ctl_domscope);
1478                 push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID");
1479         }
1480
1481         return @ctrls;
1482 }
1483
1484 sub display_value_generic ($$$) {
1485
1486         my ($mod,$attr,$value) = @_;
1487         return unless (defined($value) and defined($attr));
1488
1489         if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1490                 $value = $attr_handler{$attr}($value,$mod);
1491                 write_ads_list($mod,$attr,$value);
1492                 return;
1493         }
1494         write_ads($mod,$attr,$value);
1495 }
1496
1497 sub display_attr_generic ($$$) {
1498
1499         my ($mod,$entry,$attr) = @_;
1500         return if (!$attr || !$entry);
1501
1502         my $ref = $entry->get_value($attr, asref => 1);
1503         my @values = @$ref;
1504
1505         foreach my $value ( sort @values) {
1506                 display_value_generic($mod,$attr,$value);
1507         }
1508 }
1509
1510 sub display_entry_generic ($) {
1511
1512         my $entry = shift;
1513         return if (!$entry);
1514
1515         foreach my $attr ( sort $entry->attributes) {
1516                 display_attr_generic("\t",$entry,$attr);        
1517         }
1518 }
1519
1520 sub display_ldap_err ($) {
1521
1522         my $msg = shift;
1523         print_header();
1524         my ($package, $filename, $line, $subroutine) = caller(0);
1525
1526         print "got error from ADS:\n";
1527         printf("%s(%d): ERROR (%s): %s\n", 
1528                 $subroutine, $line, $msg->code, $msg->error);
1529
1530 }
1531
1532 sub process_result {
1533
1534         my ($msg,$entry) = @_;
1535
1536         if (!defined($msg)) { 
1537                 return; 
1538         }
1539
1540         if ($msg->code) {
1541                 display_ldap_err($msg);
1542                 exit 1;
1543         }
1544
1545         if (!defined($entry)) {
1546                 return;
1547         }
1548
1549         if ($entry->isa('Net::LDAP::Reference')) {
1550                 foreach my $ref ($entry->references) {
1551                         print "\ngot Reference: [$ref]\n";
1552                 }
1553                 return;
1554         }
1555
1556         print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
1557
1558         display_entry_generic($entry);
1559 }
1560
1561 sub default_callback {
1562
1563         my ($res,$obj) = @_;
1564
1565         if ($res->code == LDAP_REFERRAL) {
1566                 return;
1567         }
1568
1569         if (!$opt_notify) {
1570                 return process_result($res,$obj);
1571         } 
1572 }
1573
1574 sub error_callback {
1575
1576         my ($msg,$entry) = @_;
1577
1578         if (!$msg) { 
1579                 return; 
1580         }
1581
1582         if ($msg->code) {
1583                 display_ldap_err($msg);
1584                 exit(1);
1585         }
1586         return;
1587 }
1588
1589 sub notify_callback {
1590
1591         my ($msg, $obj) = @_;
1592
1593         if (! defined($obj)) {
1594                 return;
1595         }
1596
1597         if ($obj->isa('Net::LDAP::Reference')) {
1598                 foreach my $ref ($obj->references) {
1599                         print "\ngot Reference: [$ref]\n";
1600                 }
1601                 return;
1602         }
1603
1604         while (1) {
1605
1606                 my $async_entry = $async_search->pop_entry;
1607
1608                 if (!$async_entry->dn) {
1609                         print "very weird. entry has no dn\n";
1610                         next;
1611                 }
1612         
1613                 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
1614
1615                 my $new_usn = $async_entry->get_value('uSNChanged');
1616                 if (!$new_usn) {
1617                         die "odd, no usnChanged attribute???";
1618                 }
1619                 if (!$usn || $new_usn > $usn) {
1620                         $usn = $new_usn;
1621                         if ($opt_notify_nodiffs) {
1622                                 display_entry_generic($async_entry);
1623                         } else {
1624                                 display_result_diff($async_entry);
1625                         }
1626                 } 
1627                 store_result($async_entry);
1628         }
1629 }
1630
1631 sub do_bind($$) {
1632
1633         my $async_ldap_hd = shift || return undef;
1634         my $sasl_bind = shift;
1635
1636         if ($sasl_bind) {
1637                 if (!$works_sasl) {
1638                         print "this version of Net::LDAP does not have proper SASL support.\n";
1639                         print "Need at least perl-ldap V. $pref_version\n";
1640                 }
1641                 $sasl_hd = get_sasl_hd();
1642                 if (!$sasl_hd) {
1643                         print "failed to create SASL handle\n";
1644                         return -1;
1645                 }
1646                 $mesg = $async_ldap_hd->bind( 
1647                         sasl => $sasl_hd, 
1648                         callback => \&error_callback 
1649                 ) || die "doesnt work"; 
1650         } else {
1651                 $sasl_mech = "";
1652                 $mesg = $async_ldap_hd->bind( 
1653                         $binddn, 
1654                         password => $password, 
1655                         callback => $opt_fastbind ? undef : \&error_callback
1656                 ) || die "doesnt work";
1657         };
1658         if ($mesg->code) { 
1659                 display_ldap_err($mesg) if (!$opt_fastbind);
1660                 return -1;
1661         }
1662         return 0;
1663 }
1664
1665 sub do_fast_bind() {
1666
1667         do_unbind();
1668
1669         my $hd = get_ldap_hd($server,1);
1670
1671         my $mesg = $hd->extension(
1672                 name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'});
1673         
1674         if ($mesg->code) { 
1675                 display_ldap_err($mesg);
1676                 return -1;
1677         }
1678
1679         my $ret = do_bind($hd, undef);
1680         $hd->unbind;
1681
1682         printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n", 
1683                 $ret == 0 ? "succeeded" : "failed");
1684
1685         return $ret;
1686 }
1687
1688 sub do_unbind() {
1689         if ($async_ldap_hd) {
1690                 $async_ldap_hd->unbind;
1691         }
1692         if ($sync_ldap_hd) {
1693                 $sync_ldap_hd->unbind;
1694         }
1695 }
1696
1697 ###############################################################################
1698
1699 sub main () {
1700
1701         if ($opt_fastbind) {
1702
1703                 if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) {
1704                         print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n";
1705                         exit 1;
1706                 }
1707
1708                 # fast bind can only bind, not search
1709                 exit do_fast_bind();
1710         }
1711
1712         $filter = construct_filter($query);
1713         @attrs  = construct_attrs(@attrs);
1714         @ctrls  = gen_controls();
1715
1716         if (check_ctrls($server,$dse,@ctrls) == -1) {
1717                 print "not all required LDAP Controls are supported by this server\n";
1718                 exit 1;
1719         }
1720
1721         if ($opt_dump_rootdse) {
1722                 print "Dumping Root-DSE:\n";
1723                 display_entry_generic($dse);
1724                 exit 0;
1725         }
1726
1727         if ($opt_dump_wknguid) {
1728                 dump_wknguid();
1729                 exit 0;
1730         }
1731
1732         if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1733                 exit 1;
1734         }
1735
1736         print_header();
1737
1738         if ($opt_dump_schema) {
1739                 print "Dumping Schema:\n";
1740                 my $ads_schema = $async_ldap_hd->schema;
1741                 $ads_schema->dump;
1742                 exit 0;
1743         }
1744
1745         while (1) {
1746
1747                 $async_search = $async_ldap_hd->search( 
1748                         base => $base, 
1749                         filter => $filter, 
1750                         attrs => [ @attrs ],
1751                         control => [ @ctrls ], 
1752                         callback => \&default_callback,
1753                         scope => $scope,
1754                                 ) || die "cannot search";
1755
1756                 if ($async_search->code == LDAP_REFERRAL) {
1757                         foreach my $ref ($async_search->referrals) {
1758                                 print "\ngot Referral: [$ref]\n";
1759                                 $async_ldap_hd->unbind();
1760                                 $async_ldap_hd = get_ldap_hd($ref, 1);
1761                                 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1762                                         $async_ldap_hd->unbind();
1763                                         next;
1764                                 }
1765                                 print "\nsuccessful rebind to: [$ref]\n";
1766                                 last;
1767                         }
1768                         next; # repeat the query
1769                 }
1770
1771                 if ($opt_notify) {
1772
1773                         print "Base [$base] is registered now for change-notify\n";
1774                         print "\nWaiting for change-notify...\n";
1775
1776                         my $sync_ldap_hd = get_ldap_hd($server,0);
1777                         if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
1778                                 exit 2;
1779                         }
1780
1781                         my $sync_search = $sync_ldap_hd->search( 
1782                                 base => $base, 
1783                                 filter => $filter, 
1784                                 attrs => [ @attrs ],
1785                                 callback => \&notify_callback,
1786                                 scope => $scope,
1787                                 ) || die "cannot search";
1788
1789                 }
1790
1791                 $total_entry_count += $async_search->count;
1792                 ++$page_count;
1793                 print "-" x 80 . "\n";
1794                 printf("Got %d Entries in Page %d \n\n", 
1795                         $async_search->count, $page_count);
1796                 my ($resp) = $async_search->control( 
1797                         $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1798                 last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1799         }
1800
1801         if ($async_search->entries == 0) {
1802                 print "No entries found with filter $filter\n";
1803         } else {
1804                 print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging);
1805         }
1806
1807         do_unbind()
1808 }
1809
1810 main();
1811
1812 exit 0;