725140ac600647d37496fb588589926ae4985163
[ira/wip.git] / examples / misc / adssearch.pl
1 #!/usr/bin/perl -w
2
3 # adssearch.pl  - query an Active Directory server and
4 #                 display objects in a human readable format
5 #
6 # Copyright (C) Guenther Deschner <gd@samba.org> 2003-2007
7 #
8 # TODO: add range retrieval
9 #       write sddl-converter, decode userParameters
10 #       apparently only win2k3 allows simple-binds with machine-accounts.
11 #       make sasl support independent from Authen::SASL::Cyrus v >0.11
12 use strict;
13
14 use Net::LDAP;
15 use Net::LDAP::Control;
16 use Net::LDAP::Constant qw(LDAP_REFERRAL);
17 use Convert::ASN1;
18 use Time::Local;
19 use POSIX qw(strftime);
20 use Getopt::Long;
21
22 my $have_sasl;
23 my $works_sasl;
24 my $pref_version;
25 BEGIN {
26         my $class = 'Authen::SASL';
27         $pref_version = "0.32";
28         if ( eval "require $class;" ) {
29                 $have_sasl = 1;
30         }
31         if ( eval "Net::LDAP->VERSION($pref_version);" ) {
32                 $works_sasl = 1;
33         }
34 }
35
36 # users may set defaults here
37 my $base        = "";
38 my $binddn      = "";
39 my $password    = "";
40 my $server      = "";
41 my $rebind_url;
42
43
44 my $tdbdump     = "/usr/bin/tdbdump";
45 my $testparm    = "/usr/bin/testparm";
46 my $net         = "/usr/bin/net";
47 my $dig         = "/usr/bin/dig";
48 my $nmblookup   = "/usr/bin/nmblookup";
49 my $secrets_tdb = "/etc/samba/secrets.tdb";
50 my $klist       = "/usr/bin/klist";
51 my $kinit       = "/usr/bin/kinit";
52 my $workgroup   = "";
53 my $machine     = "";
54 my $realm       = "";
55
56 # parse input
57 my (
58         $opt_asq,
59         $opt_base, 
60         $opt_binddn,
61         $opt_debug,
62         $opt_display_extendeddn,
63         $opt_display_metadata,
64         $opt_display_raw,
65         $opt_domain_scope,
66         $opt_dump_rootdse,
67         $opt_dump_schema,
68         $opt_dump_wknguid,
69         $opt_fastbind,
70         $opt_help, 
71         $opt_host, 
72         $opt_machine,
73         $opt_notify, 
74         $opt_notify_nodiffs,
75         $opt_paging,
76         $opt_password,
77         $opt_port,
78         $opt_realm,
79         $opt_saslmech,
80         $opt_scope, 
81         $opt_simpleauth,
82         $opt_starttls,
83         $opt_user,
84         $opt_verbose,
85         $opt_workgroup,
86 );
87
88 GetOptions(
89         'asq=s'         => \$opt_asq,
90         'base|b=s'      => \$opt_base,
91         'D|DN=s'        => \$opt_binddn,
92         'debug=i'       => \$opt_debug,
93         'domain_scope'  => \$opt_domain_scope,
94         'extendeddn|e:i'        => \$opt_display_extendeddn,
95         'fastbind'      => \$opt_fastbind,
96         'help'          => \$opt_help,
97         'host|h=s'      => \$opt_host,
98         'machine|P'     => \$opt_machine,
99         'metadata|m'    => \$opt_display_metadata,
100         'nodiffs'       => \$opt_notify_nodiffs,
101         'notify|n'      => \$opt_notify,
102         'paging:i'      => \$opt_paging,
103         'password|w=s'  => \$opt_password,
104         'port=i'        => \$opt_port,
105         'rawdisplay'    => \$opt_display_raw,
106         'realm|R=s'     => \$opt_realm,
107         'rootDSE'       => \$opt_dump_rootdse,
108         'saslmech|Y=s'  => \$opt_saslmech,
109         'schema|c'      => \$opt_dump_schema,
110         'scope|s=s'     => \$opt_scope,
111         'simpleauth|x'  => \$opt_simpleauth,
112         'tls|Z'         => \$opt_starttls,
113         'user|U=s'      => \$opt_user,
114         'verbose|v'     => \$opt_verbose,
115         'wknguid'       => \$opt_dump_wknguid,
116         'workgroup|k=s' => \$opt_workgroup,
117         );
118
119
120 if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
121         usage();
122         exit 1;
123 }
124
125 if ($opt_fastbind && !$opt_simpleauth) {
126         printf("LDAP fast bind can only be performed with simple binds\n");
127         exit 1;
128 }
129
130 if ($opt_notify) {
131         $opt_paging = undef;
132 }
133
134 # get the query
135 my $query       = shift;
136 my @attrs       = @ARGV;
137
138 # some global vars
139 my $filter = "";
140 my ($dse, $uri);
141 my ($attr, $value);
142 my (@ctrls, @ctrls_s);
143 my ($ctl_paged, $cookie);
144 my ($page_count, $total_entry_count);
145 my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
146 my ($mesg, $usn);
147 my (%entry_store);
148 my $async_search;
149
150 # fixed values and vars
151 my $set         = "X";
152 my $unset       = "-";
153 my $tabsize     = "\t\t\t";
154
155 # get defaults
156 my $scope       = $opt_scope    || "sub"; 
157 my $port        = $opt_port;
158
159 my %ads_controls = (
160 "LDAP_SERVER_NOTIFICATION_OID"          => "1.2.840.113556.1.4.528",
161 "LDAP_SERVER_EXTENDED_DN_OID"           => "1.2.840.113556.1.4.529",
162 "LDAP_PAGED_RESULT_OID_STRING"          => "1.2.840.113556.1.4.319",
163 "LDAP_SERVER_SD_FLAGS_OID"              => "1.2.840.113556.1.4.801",
164 "LDAP_SERVER_SORT_OID"                  => "1.2.840.113556.1.4.473",
165 "LDAP_SERVER_RESP_SORT_OID"             => "1.2.840.113556.1.4.474",
166 "LDAP_CONTROL_VLVREQUEST"               => "2.16.840.1.113730.3.4.9",
167 "LDAP_CONTROL_VLVRESPONSE"              => "2.16.840.1.113730.3.4.10",
168 "LDAP_SERVER_RANGE_RETRIEVAL"           => "1.2.840.113556.1.4.802", #unsure
169 "LDAP_SERVER_SHOW_DELETED_OID"          => "1.2.840.113556.1.4.417",
170 "LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID"  => "1.2.840.113556.1.4.521",
171 "LDAP_SERVER_LAZY_COMMIT_OID"           => "1.2.840.113556.1.4.619",
172 "LDAP_SERVER_TREE_DELETE_OID"           => "1.2.840.113556.1.4.805",
173 "LDAP_SERVER_DIRSYNC_OID"               => "1.2.840.113556.1.4.841",
174 "LDAP_SERVER_VERIFY_NAME_OID"           => "1.2.840.113556.1.4.1338",
175 "LDAP_SERVER_DOMAIN_SCOPE_OID"          => "1.2.840.113556.1.4.1339",
176 "LDAP_SERVER_SEARCH_OPTIONS_OID"        => "1.2.840.113556.1.4.1340",
177 "LDAP_SERVER_PERMISSIVE_MODIFY_OID"     => "1.2.840.113556.1.4.1413",
178 "LDAP_SERVER_ASQ_OID"                   => "1.2.840.113556.1.4.1504",
179 "NONE (Get stats control)"              => "1.2.840.113556.1.4.970",
180 "LDAP_SERVER_QUOTA_CONTROL_OID"         => "1.2.840.113556.1.4.1852",
181 "LDAP_SERVER_SHUTDOWN_NOTIFY_OID"       => "1.2.840.113556.1.4.1907",
182 );
183
184 my %ads_capabilities = (
185 "LDAP_CAP_ACTIVE_DIRECTORY_OID"         => "1.2.840.113556.1.4.800",
186 "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID"     => "1.2.840.113556.1.4.1670",
187 "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
188 );
189
190 my %ads_extensions = (
191 "LDAP_START_TLS_OID"                    => "1.3.6.1.4.1.1466.20037",
192 "LDAP_TTL_EXTENDED_OP_OID"              => "1.3.6.1.4.1.1466.101.119.1",
193 "LDAP_SERVER_FAST_BIND_OID"             => "1.2.840.113556.1.4.1781", 
194 "NONE (TTL refresh extended op)"        => "1.3.6.1.4.1.1466.101.119.1",
195 );
196
197 my %ads_matching_rules = (
198 "LDAP_MATCHING_RULE_BIT_AND"            => "1.2.840.113556.1.4.803",
199 "LDAP_MATCHING_RULE_BIT_OR"             => "1.2.840.113556.1.4.804",
200 );
201
202 my %wknguids = (
203 "WELL_KNOWN_GUID_COMPUTERS"             => "AA312825768811D1ADED00C04FD8D5CD",
204 "WELL_KNOWN_GUID_DOMAIN_CONTROLLERS"    => "A361B2FFFFD211D1AA4B00C04FD7D83A",
205 "WELL_KNOWN_GUID_SYSTEM"                => "AB1D30F3768811D1ADED00C04FD8D5CD",
206 "WELL_KNOWN_GUID_USERS"                 => "A9D1CA15768811D1ADED00C04FD8D5CD",
207 );
208
209 my %ads_systemflags = (
210 "FLAG_DONT_REPLICATE"                   => 0x00000001,  # 1
211 "FLAG_REPLICATE_TO_GC"                  => 0x00000002,  # 2
212 "FLAG_ATTRIBUTE_CONSTRUCT"              => 0x00000004,  # 4
213 "FLAG_CATEGORY_1_OBJECT"                => 0x00000010,  # 16
214 "FLAG_DELETE_WITHOUT_TOMBSTONE"         => 0x02000000,  # 33554432
215 "FLAG_DOMAIN_DISALLOW_MOVE"             => 0x04000000,  # 67108864
216 "FLAG_DOMAIN_DISALLOW_RENAME"           => 0x08000000,  # 134217728
217 #"FLAG_CONFIG_CAN_MOVE_RESTRICTED"      => 0x10000000,  # 268435456     # only setable on creation
218 #"FLAG_CONFIG_CAN_MOVE"                 => 0x20000000,  # 536870912     # only setable on creation
219 #"FLAG_CONFIG_CAN_RENAME"               => 0x40000000,  # 1073741824    # only setable on creation
220 "FLAG_DISALLOW_DELETE"                  => 0x80000000,  # 2147483648
221 );
222
223 my %ads_mixed_domain = (
224 "NATIVE_LEVEL_DOMAIN"                   => 0,
225 "MIXED_LEVEL_DOMAIN"                    => 1,
226 );
227
228 my %ads_ds_func = (
229 "DS_BEHAVIOR_WIN2000"                   => 0,   # untested
230 "DS_BEHAVIOR_WIN2003"                   => 2,
231 );
232
233 my %ads_instance_type = (
234 "DS_INSTANCETYPE_IS_NC_HEAD"            => 0x1,
235 "IT_WRITE"                              => 0x4,
236 "IT_NC_ABOVE"                           => 0x8,
237 );
238
239 my %ads_uacc = (
240         "ACCOUNT_NEVER_EXPIRES"         => 0x000000, # 0 
241         "ACCOUNT_OK"                    => 0x800000, # 8388608
242         "ACCOUNT_LOCKED_OUT"            => 0x800010, # 8388624
243 );
244
245 my %ads_gpoptions = (
246         "GPOPTIONS_INHERIT"             => 0,
247         "GPOPTIONS_BLOCK_INHERITANCE"   => 1,
248 );
249
250 my %ads_gplink_opts = (
251         "GPLINK_OPT_NONE"               => 0,
252         "GPLINK_OPT_DISABLED"           => 1,
253         "GPLINK_OPT_ENFORCED"           => 2,
254 );
255
256 my %ads_gpflags = (
257         "GPFLAGS_ALL_ENABLED"                   => 0,
258         "GPFLAGS_USER_SETTINGS_DISABLED"        => 1,
259         "GPFLAGS_MACHINE_SETTINGS_DISABLED"     => 2,
260         "GPFLAGS_ALL_DISABLED"                  => 3,
261 );
262
263 my %ads_serverstate = (
264         "SERVER_ENABLED"                => 1,
265         "SERVER_DISABLED"               => 2,
266 );
267
268 my %ads_sdeffective = (
269         "OWNER_SECURITY_INFORMATION"    => 0x01,
270         "DACL_SECURITY_INFORMATION"     => 0x04,
271         "SACL_SECURITY_INFORMATION"     => 0x10,
272 );
273
274 my %ads_trustattrs = (
275         "TRUST_ATTRIBUTE_NON_TRANSITIVE"        => 1,
276         "TRUST_ATTRIBUTE_TREE_PARENT"           => 2,
277         "TRUST_ATTRIBUTE_TREE_ROOT"             => 3,
278         "TRUST_ATTRIBUTE_UPLEVEL_ONLY"          => 4,
279 );
280
281 my %ads_trustdirection = (
282         "TRUST_DIRECTION_INBOUND"               => 1,
283         "TRUST_DIRECTION_OUTBOUND"              => 2,
284         "TRUST_DIRECTION_BIDIRECTIONAL"         => 3,
285 );
286
287 my %ads_trusttype = (
288         "TRUST_TYPE_DOWNLEVEL"                  => 1,
289         "TRUST_TYPE_UPLEVEL"                    => 2,
290         "TRUST_TYPE_KERBEROS"                   => 3,
291         "TRUST_TYPE_DCE"                        => 4,
292 );
293
294 my %ads_pwdproperties = (
295         "DOMAIN_PASSWORD_COMPLEX"               => 1, 
296         "DOMAIN_PASSWORD_NO_ANON_CHANGE"        => 2, 
297         "DOMAIN_PASSWORD_NO_CLEAR_CHANGE"       => 4, 
298         "DOMAIN_LOCKOUT_ADMINS"                 => 8, 
299         "DOMAIN_PASSWORD_STORE_CLEARTEXT"       => 16, 
300         "DOMAIN_REFUSE_PASSWORD_CHANGE"         => 32,
301 );
302
303 my %ads_uascompat = (
304         "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS"   => 0,
305         "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT"     => 1,
306 );
307
308 my %ads_frstypes = (
309         "REPLICA_SET_SYSVOL"            => 2,   # unsure
310         "REPLICA_SET_DFS"               => 1,   # unsure
311         "REPLICA_SET_OTHER"             => 0,   # unsure
312 );
313
314 my %ads_gp_cse_extensions = (
315 "Administrative Templates Extension"    => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
316 "Disk Quotas"                           => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
317 "EFS Recovery"                          => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
318 "Folder Redirection"                    => "25537BA6-77A8-11D2-9B6C-0000F8080861",
319 "IP Security"                           => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
320 "Internet Explorer Maintenance"         => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
321 "QoS Packet Scheduler"                  => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
322 "Scripts"                               => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
323 "Security"                              => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
324 "Software Installation"                 => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
325 );
326
327 # guess work
328 my %ads_gpcextensions = (
329 "Administrative Templates"              => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
330 "Certificates"                          => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
331 "EFS recovery policy processing"        => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
332 "Folder Redirection policy processing"  => "25537BA6-77A8-11D2-9B6C-0000F8080861",
333 "Folder Redirection"                    => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
334 "Registry policy processing"            => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
335 "Remote Installation Services"          => "3060E8CE-7020-11D2-842D-00C04FA372D4",
336 "Security Settings"                     => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
337 "Security policy processing"            => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
338 "unknown"                               => "3060E8D0-7020-11D2-842D-00C04FA372D4",
339 "unknown2"                              => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
340 );
341
342 my %ads_gpo_default_guids = (
343 "Default Domain Policy"                 => "31B2F340-016D-11D2-945F-00C04FB984F9",
344 "Default Domain Controllers Policy"     => "6AC1786C-016F-11D2-945F-00C04fB984F9",
345 "mist"                                  => "61718096-3D3F-4398-8318-203A48976F9E",
346 );
347
348 my %ads_uf = (
349         "UF_SCRIPT"                             => 0x00000001,
350         "UF_ACCOUNTDISABLE"                     => 0x00000002,
351 #       "UF_UNUSED_1"                           => 0x00000004,
352         "UF_HOMEDIR_REQUIRED"                   => 0x00000008,
353         "UF_LOCKOUT"                            => 0x00000010,
354         "UF_PASSWD_NOTREQD"                     => 0x00000020,
355         "UF_PASSWD_CANT_CHANGE"                 => 0x00000040,
356         "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED"    => 0x00000080,
357         "UF_TEMP_DUPLICATE_ACCOUNT"             => 0x00000100,
358         "UF_NORMAL_ACCOUNT"                     => 0x00000200,
359 #       "UF_UNUSED_2"                           => 0x00000400,
360         "UF_INTERDOMAIN_TRUST_ACCOUNT"          => 0x00000800,
361         "UF_WORKSTATION_TRUST_ACCOUNT"          => 0x00001000,
362         "UF_SERVER_TRUST_ACCOUNT"               => 0x00002000,
363 #       "UF_UNUSED_3"                           => 0x00004000,
364 #       "UF_UNUSED_4"                           => 0x00008000,
365         "UF_DONT_EXPIRE_PASSWD"                 => 0x00010000,
366         "UF_MNS_LOGON_ACCOUNT"                  => 0x00020000,
367         "UF_SMARTCARD_REQUIRED"                 => 0x00040000,
368         "UF_TRUSTED_FOR_DELEGATION"             => 0x00080000,
369         "UF_NOT_DELEGATED"                      => 0x00100000,
370         "UF_USE_DES_KEY_ONLY"                   => 0x00200000,
371         "UF_DONT_REQUIRE_PREAUTH"               => 0x00400000,
372         "UF_PASSWORD_EXPIRED"                   => 0x00800000,
373         "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" => 0x01000000,
374         "UF_NO_AUTH_DATA_REQUIRED"              => 0x02000000,
375 #       "UF_UNUSED_8"                           => 0x04000000,
376 #       "UF_UNUSED_9"                           => 0x08000000,
377 #       "UF_UNUSED_10"                          => 0x10000000,
378 #       "UF_UNUSED_11"                          => 0x20000000,
379 #       "UF_UNUSED_12"                          => 0x40000000,
380 #       "UF_UNUSED_13"                          => 0x80000000,
381 );
382
383 my %ads_grouptype = (
384         "GROUP_TYPE_BUILTIN_LOCAL_GROUP"        => 0x00000001,
385         "GROUP_TYPE_ACCOUNT_GROUP"              => 0x00000002,
386         "GROUP_TYPE_RESOURCE_GROUP"             => 0x00000004,
387         "GROUP_TYPE_UNIVERSAL_GROUP"            => 0x00000008,
388         "GROUP_TYPE_APP_BASIC_GROUP"            => 0x00000010,
389         "GROUP_TYPE_APP_QUERY_GROUP"            => 0x00000020,
390         "GROUP_TYPE_SECURITY_ENABLED"           => 0x80000000,
391 );
392
393 my %ads_atype = (
394         "ATYPE_NORMAL_ACCOUNT"                  => 0x30000000,
395         "ATYPE_WORKSTATION_TRUST"               => 0x30000001,
396         "ATYPE_INTERDOMAIN_TRUST"               => 0x30000002,
397         "ATYPE_SECURITY_GLOBAL_GROUP"           => 0x10000000,
398         "ATYPE_DISTRIBUTION_GLOBAL_GROUP"       => 0x10000001,
399         "ATYPE_DISTRIBUTION_UNIVERSAL_GROUP"    => 0x10000001, # ATYPE_DISTRIBUTION_GLOBAL_GROUP
400         "ATYPE_SECURITY_LOCAL_GROUP"            => 0x20000000,
401         "ATYPE_DISTRIBUTION_LOCAL_GROUP"        => 0x20000001,
402         "ATYPE_ACCOUNT"                         => 0x30000000, # ATYPE_NORMAL_ACCOUNT
403         "ATYPE_GLOBAL_GROUP"                    => 0x10000000, # ATYPE_SECURITY_GLOBAL_GROUP
404         "ATYPE_LOCAL_GROUP"                     => 0x20000000, # ATYPE_SECURITY_LOCAL_GROUP
405 );
406
407 my %ads_gtype = (
408         "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP"    => 0x80000005,
409         "GTYPE_SECURITY_DOMAIN_LOCAL_GROUP"     => 0x80000004,
410         "GTYPE_SECURITY_GLOBAL_GROUP"           => 0x80000002,
411         "GTYPE_SECURITY_UNIVERSAL_GROUP"        => 0x80000008,
412         "GTYPE_DISTRIBUTION_GLOBAL_GROUP"       => 0x00000002,
413         "GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP" => 0x00000004,
414         "GTYPE_DISTRIBUTION_UNIVERSAL_GROUP"    => 0x00000008,
415 );
416
417 my %munged_dial = (
418         "CtxCfgPresent"         => \&dump_int,
419         "CtxCfgFlags1"          => \&dump_int,
420         "CtxCallback"           => \&dump_string,
421         "CtxShadow"             => \&dump_string,
422         "CtxMaxConnectionTime"  => \&dump_int,
423         "CtxMaxDisconnectionTime"=> \&dump_int,
424         "CtxMaxIdleTime"        => \&dump_int,
425         "CtxKeyboardLayout"     => \&dump_int,
426         "CtxMinEncryptionLevel" => \&dump_int,
427         "CtxWorkDirectory"      => \&dump_string,
428         "CtxNWLogonServer"      => \&dump_string,
429         "CtxWFHomeDir"          => \&dump_string,
430         "CtxWFHomeDirDrive"     => \&dump_string,
431         "CtxWFProfilePath"      => \&dump_string,
432         "CtxInitialProgram"     => \&dump_string,
433         "CtxCallbackNumber"     => \&dump_string,
434 );
435
436 $SIG{__WARN__} = sub {
437         use Carp;
438         Carp::cluck (shift);
439 };
440
441 # if there is data missing, we try to autodetect with samba-tools (if installed)
442 # this might fill up workgroup, machine, realm
443 get_samba_info();
444
445 # get a workgroup
446 $workgroup      = $workgroup || $opt_workgroup || "";
447
448 # get the server
449 $server         = process_servername($opt_host) || 
450                   detect_server($workgroup,$opt_realm) || 
451                   die "please define server to query with -h host\n";
452
453
454 # get the base
455 $base           = defined($opt_base)? $opt_base : "" || 
456                   get_base_from_rootdse($server,$dse);
457
458 # get the realm
459 $realm          = $opt_realm || 
460                   get_realm_from_rootdse($server,$dse);
461
462 # get sasl mechs
463 my @sasl_mechs  = get_sasl_mechs_from_rootdse($server,$dse);
464 my $sasl_mech   = "GSSAPI";
465 if ($opt_saslmech) {
466         $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
467 }
468
469 # set bind type
470 my $sasl_bind = 1 if (!$opt_simpleauth);
471
472 # get username
473 my $user        = check_user($opt_user) || $ENV{'USER'} || "";
474
475 # gen upn
476 my $upn         = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
477
478 # get binddn
479 $binddn         = $opt_binddn || $upn;
480
481 # get the password
482 $password       = $password || $opt_password;
483 if (!$password) {
484         $password = $opt_machine ? get_machine_password($workgroup) : get_password();
485 }
486
487 my %attr_handler = (
488         "Token-Groups-No-GC-Acceptable" => \&dump_sid,  #wrong name
489         "accountExpires"                => \&dump_nttime,
490         "badPasswordTime"               => \&dump_nttime,                       
491         "creationTime"                  => \&dump_nttime,
492         "currentTime"                   => \&dump_timestr,
493         "domainControllerFunctionality" => \&dump_ds_func,
494         "domainFunctionality"           => \&dump_ds_func,
495         "fRSReplicaSetGUID"             => \&dump_guid,
496         "fRSReplicaSetType"             => \&dump_frstype,
497         "fRSVersionGUID"                => \&dump_guid,
498         "flags"                         => \&dump_gpflags,      # fixme: possibly only on gpos!
499         "forceLogoff"                   => \&dump_nttime_abs,
500         "forestFunctionality"           => \&dump_ds_func,
501 #       "gPCMachineExtensionNames"      => \&dump_gpcextensions,
502 #       "gPCUserExtensionNames"         => \&dump_gpcextensions,
503         "gPLink"                        => \&dump_gplink,
504         "gPOptions"                     => \&dump_gpoptions,
505         "groupType"                     => \&dump_gtype,
506         "instanceType"                  => \&dump_instance_type,
507         "lastLogon"                     => \&dump_nttime,
508         "lastLogonTimestamp"            => \&dump_nttime,
509         "lockOutObservationWindow"      => \&dump_nttime_abs,
510         "lockoutDuration"               => \&dump_nttime_abs,
511         "lockoutTime"                   => \&dump_nttime,
512 #       "logonHours"                    => \&dump_logonhours,
513         "maxPwdAge"                     => \&dump_nttime_abs,
514         "minPwdAge"                     => \&dump_nttime_abs,
515         "modifyTimeStamp"               => \&dump_timestr,
516         "msDS-Behavior-Version"         => \&dump_ds_func,      #unsure
517         "msDS-User-Account-Control-Computed" => \&dump_uacc,
518         "mS-DS-CreatorSID"              => \&dump_sid,
519 #       "msRADIUSFramedIPAddress"       => \&dump_ipaddr,
520 #       "msRASSavedFramedIPAddress"     => \&dump_ipaddr,
521         "netbootGUID"                   => \&dump_guid,
522         "nTMixedDomain"                 => \&dump_mixed_domain,
523         "nTSecurityDescriptor"          => \&dump_secdesc,
524         "objectGUID"                    => \&dump_guid,
525         "objectSid"                     => \&dump_sid,
526         "pKT"                           => \&dump_pkt,
527         "pKTGuid"                       => \&dump_guid,
528         "pwdLastSet"                    => \&dump_nttime,
529         "pwdProperties"                 => \&dump_pwdproperties,
530         "sAMAccountType"                => \&dump_atype,
531         "sDRightsEffective"             => \&dump_sdeffective,
532         "securityIdentifier"            => \&dump_sid,
533         "serverState"                   => \&dump_serverstate,
534         "supportedCapabilities",        => \&dump_capabilities,
535         "supportedControl",             => \&dump_controls,
536         "supportedExtension",           => \&dump_extension,
537         "systemFlags"                   => \&dump_systemflags,
538         "tokenGroups",                  => \&dump_sid,
539         "tokenGroupsGlobalAndUniversal" => \&dump_sid,
540         "tokenGroupsNoGCAcceptable"     => \&dump_sid,
541         "trustAttributes"               => \&dump_trustattr,
542         "trustDirection"                => \&dump_trustdirection,
543         "trustType"                     => \&dump_trusttype,
544         "uASCompat"                     => \&dump_uascompat,
545         "userAccountControl"            => \&dump_uac,
546         "userCertificate"               => \&dump_cert,
547         "userFlags"                     => \&dump_uf,
548         "userParameters"                => \&dump_munged_dial,
549         "whenChanged"                   => \&dump_timestr,
550         "whenCreated"                   => \&dump_timestr,
551 #       "dSCorePropagationData"         => \&dump_timestr,
552 );
553
554
555
556 ################
557 # subfunctions #
558 ################
559
560 sub usage {
561         print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
562         print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
563         print "\t--base|-b [base]\n\t\tUse base [base]\n";
564         print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
565         print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n";
566         print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
567         print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
568         print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n";
569         print "\t--help\n\t\tDisplay help page\n";
570         print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
571         print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
572         print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
573         print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
574         print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
575         print "\t--paging [pagesize]\n\t\tUse paged results when searching\n";
576         print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
577         print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
578         print "\t--rawdisplay\n\t\tDo not interpret values\n";
579         print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
580         print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
581         print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
582         print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
583         print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
584         print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
585         print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
586         print "\t--user|-U [user]\n\t\tUse [user]\n";
587         print "\t--wknguid\n\t\tDisplay well known guids\n";
588         print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
589 }
590
591 sub write_ads_list {
592         my ($mod,$attr,$value) = @_;
593         my $ofh = select(STDOUT);
594         $~ = "ADS_LIST";
595         select($ofh);
596         write();
597
598 format ADS_LIST =
599 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
600 $mod, $attr, $value
601 .
602 }
603
604 sub write_ads {
605         my ($mod,$attr,$value) = @_;
606         my $ofh = select(STDOUT);
607         $~ = "ADS";
608         select($ofh);
609         write();
610
611 format ADS =
612 @<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
613 $mod, $attr, $value
614 ~~                              ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
615                                 $value
616 .
617 }
618
619 sub detect_server {
620
621         my $workgroup = shift;
622         my $realm = shift;
623         my $result;
624         my $found;
625
626         # try net cache (nbt records)
627         if ( -x $net && $workgroup ) {
628                 my $key = sprintf("NBT/%s#1C", uc($workgroup));
629                 chomp($result = `$net cache search $key 2>&1 /dev/null`);
630                 $result =~ s/^.*Value: //;
631                 $result =~ s/:.*//;
632                 return $result if $result;
633                 printf("%10s query failed for [%s]\n", "net cache", $key);
634         }
635
636         # try dns SRV entries
637         if ( -x $dig && $realm ) {
638                 my $key = sprintf("_ldap._tcp.%s", lc($realm));
639                 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
640                 $result =~ s/.* //g;
641                 $result =~ s/.$//g;
642                 return $result if $result;
643                 printf("%10s query failed for [%s]\n", "dns", $key);
644         }
645
646         # try netbios broadcast query
647         if ( -x $nmblookup && $workgroup ) {
648                 my $key = sprintf("%s#1C", uc($workgroup));
649                 my $pattern = sprintf("%s<1c>", uc($workgroup));
650                 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
651                 $result =~ s/\s.*//;
652                 return $result if $result;
653                 printf("%10s query failed for [%s]\n", "nmblookup", $key);
654         }
655
656         return "";
657 }
658
659 sub get_samba_info {
660
661         if (! -x $testparm) { return -1; }
662         
663         my $tmp;
664         open(TESTPARM, "$testparm -s -v 2> /dev/null |");
665         while (my $line = <TESTPARM>) {
666                 chomp($line);
667                 if ($line =~ /netbios name/) {
668                         ($tmp, $machine) = split(/=/, $line);
669                         $machine =~ s/\s+|\t+//g;
670                 }
671                 if ($line =~ /realm/) {
672                         ($tmp, $realm) = split(/=/, $line);
673                         $realm =~ s/\s+|\t+//g;
674                 }
675                 if ($line =~ /workgroup/) {
676                         ($tmp, $workgroup) = split(/=/, $line);
677                         $workgroup =~ s/\s+|\t+//g;
678                 }
679         }
680         close(TESTPARM);
681         return 0;
682 }
683
684 sub gen_upn {
685         my $machine = shift;
686         my $realm = shift;
687         if ($machine && $realm) {
688                 return sprintf("%s\@%s", lc($machine), uc($realm));
689         };
690         return undef;
691 }
692
693 sub get_password {
694         if (!$password && $opt_simpleauth && check_ticket($user)) {
695                 return prompt_password($user);
696         }
697         return "";
698 }
699
700 sub get_user {
701         my $user = shift || prompt_user();
702         return $user;
703 }
704
705 sub get_machine_password {
706
707         my $workgroup = shift || "";
708         $workgroup = uc($workgroup);
709
710         my ($found, $tmp);
711         -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
712         -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
713
714         # get machine-password
715         my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
716         open(SECRETS,"$tdbdump $secrets_tdb |");
717         while(my $line = <SECRETS>) {
718                 chomp($line);
719                 if ($found) {
720                         $line =~ s/\\00//;
721                         ($line,$password) = split(/"/, $line);
722                         last;
723                 }
724                 if ($line =~ /$key/) {
725                         $found = 1;
726                 }
727         }
728         close(SECRETS);
729
730         if ($found) {
731                 print "Successfully autodetected machine password for workgroup: $workgroup\n";
732                 return $password;
733         } else {
734                 warn "No machine password available for $workgroup\n";
735         }
736         return "";
737 }
738
739 sub prompt_password {
740
741         my $acct = shift || "";
742         if ($acct =~ /\%/) {
743                 ($acct, $password) = split(/\%/, $acct);
744                 return $password;
745         }
746         system "stty -echo";
747         print "Enter password for $acct:";
748         my $password = <STDIN>;
749         chomp($password);
750         print "\n";
751         system "stty echo";
752         return $password;
753 }
754
755 sub prompt_user {
756
757         print "Enter Username:";
758         my $user = <STDIN>;
759         chomp($user);
760         print "\n";
761         return $user;
762 }
763
764 sub check_ticket {
765         return 0;
766         # works only for heimdal
767         return system("$klist -t");
768 }
769
770 sub get_ticket {
771
772         my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
773
774         open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
775         printf  KRB5CONF "# autogenerated by $0\n";
776         printf  KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
777         printf  KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
778         close(KRB5CONF);
779
780         if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
781                 return -1;
782         }
783
784         return 0;
785 }
786
787 sub check_user {
788         my $acct = shift || "";
789         if ($acct =~ /\%/) {
790                 ($acct, $password) = split(/\%/, $acct);
791         }
792         return $acct;
793 }
794
795 sub check_root_dse($$$@) {
796
797         # bogus function??
798         my $server = shift || "";
799         $dse = shift || get_dse($server) || return -1;
800         my $attr = shift || die "unknown query";
801         my @array = @_;
802
803         my $dse_list = $dse->get_value($attr, asref => '1');
804         my @dse_array = @$dse_list;
805
806         foreach my $i (@array) {
807                 # we could use -> supported_control but this 
808                 # is only available in newer versions of perl-ldap
809 #               if ( ! $dse->supported_control( $i ) ) {
810                 if ( grep(/$i->type()/, @dse_array) ) { 
811                         printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type());
812                         return -1;
813                 }
814         }
815         return 0;
816 }
817
818 sub check_ctrls ($$@) {
819         my $server = shift;
820         my $dse = shift;
821         my @array = @_;
822         return check_root_dse($server, $dse, "supportedControl", @array);
823 }
824
825 sub check_exts ($$@) {
826         my $server = shift;
827         my $dse = shift;
828         my @array = @_;
829         return check_root_dse($server, $dse, "supportedExtension", @array);
830 }
831
832 sub get_base_from_rootdse {
833
834         my $server = shift || "";
835         $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
836         return $dse->get_value('defaultNamingContext');
837 }
838
839 sub get_realm_from_rootdse {
840
841         my $server = shift || "";
842         $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
843         my $service = $dse->get_value('ldapServiceName') || "";
844         if ($service) {
845                 my ($t,$realm) = split(/\@/, $service);
846                 return $realm;
847         } else {
848                 die "very odd: could not get realm";
849         }
850 }
851
852 sub get_sasl_mechs_from_rootdse {
853
854         my $server = shift || "";
855         $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
856         my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
857         return @$mechs;
858 }
859
860 sub get_dse {
861
862         my $server = shift || return undef;
863         $async_ldap_hd = shift || get_ldap_hd($server,1);
864         if (!$async_ldap_hd) {
865                 print "oh, no connection\n";
866                 return undef;
867         }
868         my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
869         if ($mesg->code) { die "failed to bind\n"; };
870         my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
871
872         return $dse;
873 }
874
875 sub process_servername {
876
877         my $name = shift || return "";
878         if ($name =~ /^ldaps:\/\//i ) {
879                 $name =~ s#^ldaps://##i;
880                 $uri = sprintf("%s://%s", "ldaps", $name);
881         } else {
882                 $name =~ s#^ldap://##i;
883                 $uri = sprintf("%s://%s", "ldap", $name);
884         }
885         return $name;
886 }
887
888 sub get_ldap_hd {
889
890         my $server = shift || return undef;
891         my $async = shift || "0";
892         my $hd;
893         die "uri unavailable" if (!$uri);
894         if ($uri =~ /^ldaps:\/\//i ) {
895                 $port = $port || 636;
896                 use Net::LDAPS;
897                 $hd = Net::LDAPS->new( $server, async => $async, port => $port ) || 
898                         die "host $server not available: $!";
899         } else {
900                 $port = $port || 389;
901                 $hd = Net::LDAP->new( $server, async => $async, port => $port ) || 
902                         die "host $server not available: $!";
903         }
904         $hd->debug($opt_debug);
905         if ($opt_starttls) {
906                 $hd->start_tls( verify => 'none' );
907         }
908
909         return $hd;
910 }
911
912 sub get_sasl_hd {
913
914         if (!$have_sasl) {
915                 print "no sasl support\n";
916                 return undef;
917         }
918
919         my $hd;
920         if ($sasl_mech && $sasl_mech eq "GSSAPI") {
921                 my $user = sprintf("%s\@%s", $user, uc($realm));
922                 if (check_ticket($user) != 0 && get_ticket($user) != 0) {
923                         print "Could not get Kerberos ticket for user [$user]\n";
924                         return undef;
925                 }
926
927                 $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
928                 my $conn = $hd->client_new("ldap", $server);
929                 
930                 if ($conn->code == -1) {
931                         printf "%s\n", $conn->error();
932                         return undef;
933                 };
934
935         } elsif ($sasl_mech) {
936
937                 # here comes generic sasl code
938                 $hd = Authen::SASL->new( mechanism => $sasl_mech, 
939                         callback  => { 
940                                 user => \&get_user, 
941                                 pass => \&get_password 
942                         } 
943                 ) || die "nope";
944         } else {
945                 $sasl_bind = 0;
946                 print "no supported SASL mechanism found (@sasl_mechs).\n";
947                 print "falling back to simple bind.\n";
948                 return undef;
949         }
950
951         return $hd;
952 }
953
954 sub check_sasl_mech {
955         my $mech_check = shift;
956         my $have_mech = 0;
957         foreach my $mech (@sasl_mechs) {
958                 $have_mech = 1 if ($mech eq uc($mech_check));
959         }
960         if (!$have_mech) {
961                 return -1;
962         }
963         return 0;
964 }
965
966 sub store_result ($) {
967
968         my $entry = shift;
969         return if (!$entry);
970         $entry_store{$entry->dn} = $entry;
971 }
972
973 sub display_result_diff ($) {
974
975         my $entry_new = shift;
976         return if ( !$entry_new);
977
978         if ( !exists $entry_store{$entry_new->dn}) {
979                 print "can't display any differences yet. full dump...\n";
980                 display_entry_generic($entry_new);
981                 return;
982         }
983
984         my $entry_old = $entry_store{$entry_new->dn};
985
986         foreach my $attr (sort $entry_new->attributes) {
987                 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
988                         display_attr_generic("add:\t", $entry_new, $attr);
989                         next;
990                 }
991         }
992
993         foreach my $attr (sort $entry_old->attributes) {
994                 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
995                         display_attr_generic("del:\t", $entry_old, $attr);
996                         next;
997                 }
998
999                 # now check for all values if they have changed, display changes
1000                 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
1001
1002                 $old_vals = $entry_old->get_value($attr, asref => 1);
1003                 @old_vals = @$old_vals;
1004                 $new_vals = $entry_new->get_value($attr, asref => 1);
1005                 @new_vals = @$new_vals;
1006
1007                 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
1008                         if ($old_vals[0] ne $new_vals[0]) {
1009                                 display_attr_generic("old:\t", $entry_old, $attr);
1010                                 display_attr_generic("new:\t", $entry_new, $attr);
1011                         }
1012                         next;
1013                 }
1014
1015                 # handle multivalued diffs
1016                 foreach my $val (@old_vals) { $old{$val} = "dummy"; };
1017                 foreach my $val (@new_vals) { $new{$val} = "dummy"; };
1018                 foreach my $val (sort keys %new) {
1019                         if (!exists $old{$val}) {
1020                                 display_value_generic("add:\t", $attr, $val);
1021                         }
1022                 }
1023                 foreach my $val (sort keys %old) {
1024                         if (!exists $new{$val}) {
1025                                 display_value_generic("del:\t", $attr, $val);
1026                         }
1027                 }
1028         }
1029         print "\n";
1030
1031 }
1032
1033 sub sid2string ($) {
1034
1035         # Fix from Michael James <michael@james.st>
1036         my $binary_sid = shift;
1037         my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
1038         my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
1039         return $sid_string;
1040                         
1041 }
1042
1043 sub string_to_guid {
1044         my $string = shift;
1045         return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
1046         
1047         return  pack("I", hex $1) . 
1048                 pack("S", hex $2) . 
1049                 pack("S", hex $3) . 
1050                 pack("C", hex $4) . 
1051                 pack("C", hex $5) .
1052                 pack("C", hex $6) . 
1053                 pack("C", hex $7) . 
1054                 pack("C", hex $8) . 
1055                 pack("C", hex $9) . 
1056                 pack("C", hex $10) . 
1057                 pack("C", hex $11);
1058
1059 #       print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
1060 }
1061                                                                
1062 sub bindstring_to_guid {
1063         my $str = shift;
1064         return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2", 
1065                 substr($str,0,2),
1066                 substr($str,2,2),
1067                 substr($str,4,2),
1068                 substr($str,6,2),
1069                 substr($str,8,2),
1070                 substr($str,10,2),
1071                 substr($str,12,2),
1072                 substr($str,14,2),
1073                 substr($str,16,2),
1074                 substr($str,18,2),
1075                 substr($str,20,2),
1076                 substr($str,22,2),
1077                 substr($str,24,2),
1078                 substr($str,26,2),
1079                 substr($str,28,2),
1080                 substr($str,30,2));
1081 }
1082
1083 sub guid_to_string {
1084         my $guid = shift;
1085         my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", 
1086                 unpack("I", $guid), 
1087                 unpack("S", substr($guid, 4, 2)), 
1088                 unpack("S", substr($guid, 6, 2)),
1089                 unpack("C", substr($guid, 8, 1)),
1090                 unpack("C", substr($guid, 9, 1)),
1091                 unpack("C", substr($guid, 10, 1)),
1092                 unpack("C", substr($guid, 11, 1)),
1093                 unpack("C", substr($guid, 12, 1)),
1094                 unpack("C", substr($guid, 13, 1)),
1095                 unpack("C", substr($guid, 14, 1)),
1096                 unpack("C", substr($guid, 15, 1)); 
1097         return lc($string);
1098 }
1099
1100 sub guid_to_bindstring {
1101         my $guid = shift;
1102         return unpack("H" . 2 * length($guid), $guid),
1103 }
1104
1105 sub dump_wknguid {
1106         print "Dumping Well known GUIDs:\n";
1107         foreach my $wknguid (keys %wknguids) {
1108
1109                 my $guid = bindstring_to_guid($wknguids{$wknguid});
1110                 my $str  = guid_to_string($guid);
1111                 my $back = guid_to_bindstring($guid);
1112
1113                 printf "wkguid:             %s\n", $wknguid;
1114                 printf "bind_string format: %s\n", $wknguids{$wknguid};
1115                 printf "string format:      %s\n", guid_to_string($guid);
1116                 printf "back to bind_string:%s\n", guid_to_bindstring($guid);
1117                                 
1118                 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
1119         }
1120 }
1121
1122 sub gen_bitmask_string_format($%) {
1123         my $mod = shift;
1124         my (%tmp) = @_;
1125         my @list;
1126         foreach my $key (sort keys %tmp) {
1127                 push(@list, sprintf("%s %s", $tmp{$key}, $key));
1128         }
1129         return join("\n$mod$tabsize",@list);
1130 }
1131
1132
1133 sub nt_to_unixtime ($) {
1134         # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
1135         my $t64 = shift;
1136         $t64 =~ s/(.+).{7,7}/$1/;
1137         $t64 -= 11644473600;
1138         return $t64;
1139 }
1140
1141 sub dump_equal {
1142         my $val = shift;
1143         my $mod = shift || die "no mod";
1144         my (%header) = @_;
1145         my %tmp;
1146         my $found = 0;
1147         foreach my $key (keys %header) {
1148                 if ($header{$key} eq $val) {
1149                         $tmp{"($val)"} = $key;
1150                         $found = 1;
1151                         last;
1152                 }
1153         }
1154         if (!$found) { $tmp{$val} = ""; };
1155         return gen_bitmask_string_format($mod,%tmp);
1156 }
1157
1158 sub dump_bitmask {
1159         my $op = shift || die "no op";
1160         my $val = shift; 
1161         my $mod = shift || die "no mod";
1162         my (%header) = @_;
1163         my %tmp;
1164         $tmp{""} = sprintf("%s (0x%08x)", $val, $val);
1165         foreach my $key (sort keys %header) {   # sort by val !
1166                 my $val_hex = sprintf("0x%08x", $header{$key});
1167                 if ($op eq "&") {
1168                         $tmp{"$key ($val_hex)"} = ( $val & $header{$key} ) ? $set:$unset; 
1169                 } elsif ($op eq "==") {
1170                         $tmp{"$key ($val_hex)"} = ( $val == $header{$key} ) ? $set:$unset; 
1171                 } else {
1172                         print "unknown operator: $op\n";
1173                         return;
1174                 }
1175         }
1176         return gen_bitmask_string_format($mod,%tmp);
1177 }
1178
1179 sub dump_bitmask_and {
1180         return dump_bitmask("&",@_);
1181 }
1182
1183 sub dump_bitmask_equal {
1184         return dump_bitmask("==",@_);
1185 }
1186
1187 sub dump_uac {
1188         return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
1189 }
1190
1191 sub dump_uascompat {
1192         return dump_bitmask_equal(@_,%ads_uascompat);
1193 }
1194
1195 sub dump_gpoptions {
1196         return dump_bitmask_equal(@_,%ads_gpoptions);
1197 }
1198
1199 sub dump_gpflags {
1200         return dump_bitmask_equal(@_,%ads_gpflags);
1201 }
1202
1203 sub dump_uacc {
1204         return dump_bitmask_equal(@_,%ads_uacc); 
1205 }
1206
1207 sub dump_uf {
1208         return dump_bitmask_and(@_,%ads_uf);
1209 }
1210
1211 sub dump_gtype {
1212         my $ret = dump_bitmask_and(@_,%ads_grouptype);
1213         $ret .= "\n$tabsize\t";
1214         $ret .= dump_bitmask_equal(@_,%ads_gtype);
1215         return $ret;
1216 }
1217
1218 sub dump_atype {
1219         return dump_bitmask_equal(@_,%ads_atype);
1220 }
1221
1222 sub dump_controls {
1223         return dump_equal(@_,%ads_controls);
1224 }
1225
1226 sub dump_capabilities {
1227         return dump_equal(@_,%ads_capabilities);
1228 }
1229
1230 sub dump_extension {
1231         return dump_equal(@_,%ads_extensions);
1232 }
1233
1234 sub dump_systemflags {
1235         return dump_bitmask_and(@_,%ads_systemflags);
1236 }
1237
1238 sub dump_instance_type {
1239         return dump_bitmask_and(@_,%ads_instance_type);
1240 }
1241
1242 sub dump_ds_func {
1243         return dump_bitmask_equal(@_,%ads_ds_func);
1244 }
1245
1246 sub dump_serverstate {
1247         return dump_bitmask_equal(@_,%ads_serverstate);
1248 }
1249
1250 sub dump_sdeffective {
1251         return dump_bitmask_and(@_,%ads_sdeffective);
1252 }
1253
1254 sub dump_trustattr {
1255         return dump_bitmask_equal(@_,%ads_trustattrs);
1256 }
1257
1258 sub dump_trusttype {
1259         return dump_bitmask_equal(@_,%ads_trusttype);
1260 }
1261
1262 sub dump_trustdirection {
1263         return dump_bitmask_equal(@_,%ads_trustdirection);
1264 }
1265
1266 sub dump_pwdproperties {
1267         return dump_bitmask_and(@_,%ads_pwdproperties);
1268 }
1269
1270 sub dump_frstype {
1271         return dump_bitmask_equal(@_,%ads_frstypes)
1272 }
1273
1274 sub dump_mixed_domain {
1275         return dump_bitmask_equal(@_,%ads_mixed_domain);
1276 }
1277
1278 sub dump_sid {
1279         my $bin_sid = shift;
1280         return sid2string($bin_sid);
1281 }
1282
1283 sub dump_guid {
1284         my $guid = shift;
1285         return guid_to_string($guid);
1286 }
1287
1288 sub dump_secdesc {
1289         my $val = shift;
1290         return "FIXME: write sddl-converter!";
1291 }
1292
1293 sub dump_nttime {
1294         my $nttime = shift;
1295         if ($nttime == 0) {
1296                 return sprintf("%s (%s)", "never", $nttime);
1297         }
1298         my $localtime = localtime(nt_to_unixtime($nttime));
1299         return sprintf("%s (%s)", $localtime, $nttime);
1300 }
1301
1302 sub dump_nttime_abs {
1303         if ($_[0] == 9223372036854775807) {
1304                 return sprintf("%s (%s)", "now", $_[0]);
1305         }
1306         if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1307                 return sprintf("%s (%s)", "never", $_[0]);
1308         }
1309         # FIXME: actually *do* abs time !
1310         return dump_nttime($_[0]);
1311 }
1312
1313 sub dump_timestr {
1314         my $time = shift;
1315         if ($time eq "16010101000010.0Z") {
1316                 return sprintf("%s (%s)", "never", $time);
1317         }
1318         my ($year,$mon,$mday,$hour,$min,$sec,$zone) = 
1319                 unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1320         $mon -= 1;
1321         my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
1322         return sprintf("%s (%s)", $localtime, $time);
1323 }
1324
1325 sub dump_string {
1326         return $_[0];
1327 }
1328
1329 sub dump_int {
1330         return sprintf("%d", $_[0]);
1331 }
1332
1333 sub dump_munged_dial {
1334         my $dial = shift;
1335         return "FIXME! decode this";
1336 }
1337
1338 sub dump_cert {
1339  
1340         my $cert = shift;
1341         open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
1342         print OPENSSL $cert;
1343         close(OPENSSL);
1344         return "";
1345 }
1346
1347 sub dump_pkt {
1348         my $pkt = shift;
1349         return "not yet";
1350         printf("%s: ", $pkt);
1351         printf("%02X", $pkt);
1352         
1353 }
1354
1355 sub dump_gplink {
1356
1357         my $gplink = shift;
1358         my $gplink_mod = $gplink;
1359         my @links = split("\\]\\[", $gplink_mod);
1360         foreach my $link (@links) {
1361                 $link =~ s/^\[|\]$//g;
1362                 my ($ldap_link, $opt) = split(";", $link);
1363                 my @array = ( "$opt", "\t" );
1364                 printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
1365         }
1366         return $gplink;
1367 }
1368
1369 sub construct_filter {
1370
1371         my $tmp = shift;
1372
1373         if (!$tmp || $opt_notify) {
1374                 return "(objectclass=*)";
1375         }
1376
1377         if ($tmp && $tmp !~ /^.*\=/) {
1378                 return "(ANR=$tmp)";
1379         }
1380
1381         return $tmp;
1382         # (&(objectCategory=person)
1383         # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1384 }
1385
1386 sub construct_attrs {
1387         
1388         my @attrs = @_;
1389         
1390         if (!@attrs) {
1391                 push(@attrs,"*");
1392         }
1393
1394         if ($opt_notify) {
1395                 push(@attrs,"uSNChanged");
1396         }
1397
1398         if ($opt_display_metadata) {
1399                 push(@attrs,"msDS-ReplAttributeMetaData");
1400                 push(@attrs,"replPropertyMetaData");
1401         }
1402
1403         if ($opt_verbose) {
1404                 push(@attrs,"nTSecurityDescriptor");
1405                 push(@attrs,"msDS-KeyVersionNumber");
1406                 push(@attrs,"msDS-User-Account-Control-Computed");
1407                 push(@attrs,"modifyTimeStamp");
1408         }
1409
1410         return sort @attrs;
1411 }
1412
1413 sub print_header {
1414
1415         print "\n";
1416         printf "%10s: %s\n", "uri", $uri;
1417         printf "%10s: %s\n", "port", $port;
1418         printf "%10s: %s\n", "base", $base;
1419         printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
1420         printf "%10s: %s\n", "password", $password;
1421         printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
1422         printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1423         printf "%10s: %s\n", "filter", $filter;
1424         printf "%10s: %s\n", "scope", $scope;
1425         printf "%10s: %s\n", "attrs", join(", ", @attrs);
1426         printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1427         printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging);
1428         printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
1429         printf "\n";
1430 }
1431
1432 sub gen_controls {
1433
1434         # setup attribute-scoped query control
1435         my $asq_asn = Convert::ASN1->new;
1436         $asq_asn->prepare(
1437                 q<      asq ::= SEQUENCE {
1438                                 sourceAttribute   OCTET_STRING
1439                         }
1440                 >
1441         );
1442         my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
1443         my $ctl_asq = Net::LDAP::Control->new(
1444                 type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
1445                 critical => 'true',
1446                 value => $ctl_asq_val);
1447
1448
1449         # setup extended dn control
1450         my $asn_extended_dn = Convert::ASN1->new;
1451         $asn_extended_dn->prepare(
1452                 q<      ExtendedDn ::= SEQUENCE {
1453                                 mode     INTEGER
1454                         }
1455                 >
1456         );
1457
1458         # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val
1459         my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn);
1460         my $ctl_extended_dn = Net::LDAP::Control->new( 
1461                         type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1462                         critical => 'true',
1463                         value => $opt_display_extendeddn ? $ctl_extended_dn_val : "");
1464
1465         # setup notify control
1466         my $ctl_notification = Net::LDAP::Control->new( 
1467                 type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1468                 critical => 'true');
1469
1470
1471         # setup paging control
1472         $ctl_paged = Net::LDAP::Control->new( 
1473                 type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1474                 critical => 'true',
1475                 size => $opt_paging ? $opt_paging : 1000);
1476
1477         # setup domscope control
1478         my $ctl_domscope = Net::LDAP::Control->new( 
1479                 type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'},
1480                 critical => 'true',
1481                 value => "");
1482
1483         if (defined($opt_paging)) {
1484                 push(@ctrls, $ctl_paged);
1485                 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1486         }
1487
1488         if (defined($opt_display_extendeddn)) {
1489                 push(@ctrls, $ctl_extended_dn);
1490                 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1491         } 
1492         if ($opt_notify) {
1493                 push(@ctrls, $ctl_notification);
1494                 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1495         }
1496         
1497         if ($opt_asq) {
1498                 push(@ctrls, $ctl_asq);
1499                 push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
1500         }
1501
1502         if ($opt_domain_scope) {
1503                 push(@ctrls, $ctl_domscope);
1504                 push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID");
1505         }
1506
1507         return @ctrls;
1508 }
1509
1510 sub display_value_generic ($$$) {
1511
1512         my ($mod,$attr,$value) = @_;
1513         return unless (defined($value) and defined($attr));
1514
1515         if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1516                 $value = $attr_handler{$attr}($value,$mod);
1517                 write_ads_list($mod,$attr,$value);
1518                 return;
1519         }
1520         write_ads($mod,$attr,$value);
1521 }
1522
1523 sub display_attr_generic ($$$) {
1524
1525         my ($mod,$entry,$attr) = @_;
1526         return if (!$attr || !$entry);
1527
1528         my $ref = $entry->get_value($attr, asref => 1);
1529         my @values = @$ref;
1530
1531         foreach my $value ( sort @values) {
1532                 display_value_generic($mod,$attr,$value);
1533         }
1534 }
1535
1536 sub display_entry_generic ($) {
1537
1538         my $entry = shift;
1539         return if (!$entry);
1540
1541         foreach my $attr ( sort $entry->attributes) {
1542                 display_attr_generic("\t",$entry,$attr);        
1543         }
1544 }
1545
1546 sub display_ldap_err ($) {
1547
1548         my $msg = shift;
1549         print_header();
1550         my ($package, $filename, $line, $subroutine) = caller(0);
1551
1552         print "got error from ADS:\n";
1553         printf("%s(%d): ERROR (%s): %s\n", 
1554                 $subroutine, $line, $msg->code, $msg->error);
1555
1556 }
1557
1558 sub process_result {
1559
1560         my ($msg,$entry) = @_;
1561
1562         if (!defined($msg)) { 
1563                 return; 
1564         }
1565
1566         if ($msg->code) {
1567                 display_ldap_err($msg);
1568                 exit 1;
1569         }
1570
1571         if (!defined($entry)) {
1572                 return;
1573         }
1574
1575         if ($entry->isa('Net::LDAP::Reference')) {
1576                 foreach my $ref ($entry->references) {
1577                         print "\ngot Reference: [$ref]\n";
1578                 }
1579                 return;
1580         }
1581
1582         print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
1583
1584         display_entry_generic($entry);
1585 }
1586
1587 sub default_callback {
1588
1589         my ($res,$obj) = @_;
1590
1591         if (!$opt_notify && $res->code == LDAP_REFERRAL) {
1592                 return;
1593         }
1594
1595         if (!$opt_notify) {
1596                 return process_result($res,$obj);
1597         } 
1598 }
1599
1600 sub error_callback {
1601
1602         my ($msg,$entry) = @_;
1603
1604         if (!$msg) { 
1605                 return; 
1606         }
1607
1608         if ($msg->code) {
1609                 display_ldap_err($msg);
1610                 exit(1);
1611         }
1612         return;
1613 }
1614
1615 sub notify_callback {
1616
1617         my ($msg, $obj) = @_;
1618
1619         if (! defined($obj)) {
1620                 return;
1621         }
1622
1623         if ($obj->isa('Net::LDAP::Reference')) {
1624                 foreach my $ref ($obj->references) {
1625                         print "\ngot Reference: [$ref]\n";
1626                 }
1627                 return;
1628         }
1629
1630         while (1) {
1631
1632                 my $async_entry = $async_search->pop_entry;
1633
1634                 if (!$async_entry->dn) {
1635                         print "very weird. entry has no dn\n";
1636                         next;
1637                 }
1638         
1639                 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
1640
1641                 my $new_usn = $async_entry->get_value('uSNChanged');
1642                 if (!$new_usn) {
1643                         die "odd, no usnChanged attribute???";
1644                 }
1645                 if (!$usn || $new_usn > $usn) {
1646                         $usn = $new_usn;
1647                         if ($opt_notify_nodiffs) {
1648                                 display_entry_generic($async_entry);
1649                         } else {
1650                                 display_result_diff($async_entry);
1651                         }
1652                 } 
1653                 store_result($async_entry);
1654         }
1655 }
1656
1657 sub do_bind($$) {
1658
1659         my $async_ldap_hd = shift || return undef;
1660         my $sasl_bind = shift;
1661
1662         if ($sasl_bind) {
1663                 if (!$works_sasl) {
1664                         print "this version of Net::LDAP does not have proper SASL support.\n";
1665                         print "Need at least perl-ldap V. $pref_version\n";
1666                 }
1667                 $sasl_hd = get_sasl_hd();
1668                 if (!$sasl_hd) {
1669                         print "failed to create SASL handle\n";
1670                         return -1;
1671                 }
1672                 $mesg = $async_ldap_hd->bind( 
1673                         sasl => $sasl_hd, 
1674                         callback => \&error_callback 
1675                 ) || die "doesnt work"; 
1676         } else {
1677                 $sasl_mech = "";
1678                 $mesg = $async_ldap_hd->bind( 
1679                         $binddn, 
1680                         password => $password, 
1681                         callback => $opt_fastbind ? undef : \&error_callback
1682                 ) || die "doesnt work";
1683         };
1684         if ($mesg->code) { 
1685                 display_ldap_err($mesg) if (!$opt_fastbind);
1686                 return -1;
1687         }
1688         return 0;
1689 }
1690
1691 sub do_fast_bind() {
1692
1693         do_unbind();
1694
1695         my $hd = get_ldap_hd($server,1);
1696
1697         my $mesg = $hd->extension(
1698                 name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'});
1699         
1700         if ($mesg->code) { 
1701                 display_ldap_err($mesg);
1702                 return -1;
1703         }
1704
1705         my $ret = do_bind($hd, undef);
1706         $hd->unbind;
1707
1708         printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n", 
1709                 $ret == 0 ? "succeeded" : "failed");
1710
1711         return $ret;
1712 }
1713
1714 sub do_unbind() {
1715         if ($async_ldap_hd) {
1716                 $async_ldap_hd->unbind;
1717         }
1718         if ($sync_ldap_hd) {
1719                 $sync_ldap_hd->unbind;
1720         }
1721 }
1722
1723 ###############################################################################
1724
1725 sub main () {
1726
1727         if ($opt_fastbind) {
1728
1729                 if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) {
1730                         print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n";
1731                         exit 1;
1732                 }
1733
1734                 # fast bind can only bind, not search
1735                 exit do_fast_bind();
1736         }
1737
1738         $filter = construct_filter($query);
1739         @attrs  = construct_attrs(@attrs);
1740         @ctrls  = gen_controls();
1741
1742         if (check_ctrls($server,$dse,@ctrls) == -1) {
1743                 print "not all required LDAP Controls are supported by this server\n";
1744                 exit 1;
1745         }
1746
1747         if ($opt_dump_rootdse) {
1748                 print "Dumping Root-DSE:\n";
1749                 display_entry_generic($dse);
1750                 exit 0;
1751         }
1752
1753         if ($opt_dump_wknguid) {
1754                 dump_wknguid();
1755                 exit 0;
1756         }
1757
1758         if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1759                 exit 1;
1760         }
1761
1762         print_header();
1763
1764         if ($opt_dump_schema) {
1765                 print "Dumping Schema:\n";
1766                 my $ads_schema = $async_ldap_hd->schema;
1767                 $ads_schema->dump;
1768                 exit 0;
1769         }
1770
1771         while (1) {
1772
1773                 $async_search = $async_ldap_hd->search( 
1774                         base => $base, 
1775                         filter => $filter, 
1776                         attrs => [ @attrs ],
1777                         control => [ @ctrls ], 
1778                         callback => \&default_callback,
1779                         scope => $scope,
1780                                 ) || die "cannot search";
1781
1782                 if (!$opt_notify && ($async_search->code == LDAP_REFERRAL)) {
1783                         foreach my $ref ($async_search->referrals) {
1784                                 print "\ngot Referral: [$ref]\n";
1785                                 my ($prot, $host, $base) = split(/\/+/, $ref);
1786                                 $async_ldap_hd->unbind();
1787                                 $async_ldap_hd = get_ldap_hd($host, 1);
1788                                 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1789                                         $async_ldap_hd->unbind();
1790                                         next;
1791                                 }
1792                                 print "\nsuccessful rebind to: [$ref]\n";
1793                                 last;
1794                         }
1795                         next; # repeat the query
1796                 }
1797
1798                 if ($opt_notify) {
1799
1800                         print "Base [$base] is registered now for change-notify\n";
1801                         print "\nWaiting for change-notify...\n";
1802
1803                         my $sync_ldap_hd = get_ldap_hd($server,0);
1804                         if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
1805                                 exit 2;
1806                         }
1807
1808                         my $sync_search = $sync_ldap_hd->search( 
1809                                 base => $base, 
1810                                 filter => $filter, 
1811                                 attrs => [ @attrs ],
1812                                 callback => \&notify_callback,
1813                                 scope => $scope,
1814                                 ) || die "cannot search";
1815
1816                 }
1817
1818                 $total_entry_count += $async_search->count;
1819                 ++$page_count;
1820                 print "-" x 80 . "\n";
1821                 printf("Got %d Entries in Page %d \n\n", 
1822                         $async_search->count, $page_count);
1823                 my ($resp) = $async_search->control( 
1824                         $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1825                 last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1826         }
1827
1828         if ($async_search->entries == 0) {
1829                 print "No entries found with filter $filter\n";
1830         } else {
1831                 print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging);
1832         }
1833
1834         do_unbind()
1835 }
1836
1837 main();
1838
1839 exit 0;