2 Unix SMB/CIFS mplementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Jean François Micouleau 1998
5 Copyright (C) Gerald Carter 2001-2003
6 Copyright (C) Shahms King 2001
7 Copyright (C) Andrew Bartlett 2002-2003
8 Copyright (C) Stefan (metze) Metzmacher 2002
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 * persistent connections: if using NSS LDAP, many connections are made
28 * however, using only one within Samba would be nice
30 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
32 * Other LDAP based login attributes: accountExpires, etc.
33 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 * structures don't have fields for some of these attributes)
36 * SSL is done, but can't get the certificate based authentication to work
37 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
40 /* NOTE: this will NOT work against an Active Directory server
41 * due to the fact that the two password fields cannot be retrieved
42 * from a server; recommend using security = domain in this situation
49 #define DBGC_CLASS DBGC_PASSDB
55 * Work around versions of the LDAP client libs that don't have the OIDs
56 * defined, or have them defined under the old name.
57 * This functionality is really a factor of the server, not the client
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define "1.3.6.1.4.1.4203.1.11.1"
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
81 #define SAM_ACCOUNT struct sam_passwd
86 struct ldapsam_privates {
87 struct smbldap_state *smbldap_state;
94 const char *domain_name;
97 /* configuration items */
100 BOOL permit_non_unix_accounts;
102 uint32 low_allocated_user_rid;
103 uint32 high_allocated_user_rid;
105 uint32 low_allocated_group_rid;
106 uint32 high_allocated_group_rid;
110 /**********************************************************************
111 Free a LDAPMessage (one is stored on the SAM_ACCOUNT)
112 **********************************************************************/
114 static void private_data_free_fn(void **result)
116 ldap_memfree(*result);
120 /**********************************************************************
121 get the attribute name given a user schame version
122 **********************************************************************/
124 static const char* get_userattr_key2string( int schema_ver, int key )
126 switch ( schema_ver )
128 case SCHEMAVER_SAMBAACCOUNT:
129 return get_attr_key2string( attrib_map_v22, key );
131 case SCHEMAVER_SAMBASAMACCOUNT:
132 return get_attr_key2string( attrib_map_v30, key );
135 DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
141 /**********************************************************************
142 return the list of attribute names given a user schema version
143 **********************************************************************/
145 static char** get_userattr_list( int schema_ver )
147 switch ( schema_ver )
149 case SCHEMAVER_SAMBAACCOUNT:
150 return get_attr_list( attrib_map_v22 );
152 case SCHEMAVER_SAMBASAMACCOUNT:
153 return get_attr_list( attrib_map_v30 );
155 DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
161 /*******************************************************************
162 generate the LDAP search filter for the objectclass based on the
163 version of the schema we are using
164 ******************************************************************/
166 static const char* get_objclass_filter( int schema_ver )
168 static fstring objclass_filter;
172 case SCHEMAVER_SAMBAACCOUNT:
173 snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
175 case SCHEMAVER_SAMBASAMACCOUNT:
176 snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
179 DEBUG(0,("pdb_ldapsam: get_objclass_filter(): Invalid schema version specified!\n"));
183 return objclass_filter;
186 /*******************************************************************
187 run the search by name.
188 ******************************************************************/
189 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state,
191 LDAPMessage ** result, char **attr)
194 char *escape_user = escape_ldap_string_alloc(user);
197 return LDAP_NO_MEMORY;
201 * in the filter expression, replace %u with the real name
202 * so in ldap filter, %u MUST exist :-)
204 snprintf(filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(),
205 get_objclass_filter(ldap_state->schema_ver));
208 * have to use this here because $ is filtered out
213 all_string_sub(filter, "%u", escape_user, sizeof(pstring));
214 SAFE_FREE(escape_user);
216 return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
219 /*******************************************************************
220 run the search by rid.
221 ******************************************************************/
222 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
223 uint32 rid, LDAPMessage ** result,
229 snprintf(filter, sizeof(filter)-1, "(&(rid=%i)%s)", rid,
230 get_objclass_filter(ldap_state->schema_ver));
232 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
237 /*******************************************************************
238 run the search by SID.
239 ******************************************************************/
240 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
241 const DOM_SID *sid, LDAPMessage ** result,
248 snprintf(filter, sizeof(filter)-1, "(&(%s=%s)%s)",
249 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
250 sid_to_string(sid_string, sid),
251 get_objclass_filter(ldap_state->schema_ver));
253 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
258 /*******************************************************************
259 Delete complete object or objectclass and attrs from
260 object found in search_result depending on lp_ldap_delete_dn
261 ******************************************************************/
262 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
264 const char *objectclass,
269 LDAPMod **mods = NULL;
271 BerElement *ptr = NULL;
273 rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
276 DEBUG(0, ("Entry must exist exactly once!\n"));
277 return NT_STATUS_UNSUCCESSFUL;
280 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
281 dn = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
283 if (lp_ldap_delete_dn()) {
284 NTSTATUS ret = NT_STATUS_OK;
285 rc = smbldap_delete(ldap_state->smbldap_state, dn);
287 if (rc != LDAP_SUCCESS) {
288 DEBUG(0, ("Could not delete object %s\n", dn));
289 ret = NT_STATUS_UNSUCCESSFUL;
295 /* Ok, delete only the SAM attributes */
297 for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
299 name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr))
303 /* We are only allowed to delete the attributes that
306 for (attrib = attrs; *attrib != NULL; attrib++)
308 if (StrCaseCmp(*attrib, name) == 0) {
309 DEBUG(10, ("deleting attribute %s\n", name));
310 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL);
321 smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
323 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
324 ldap_mods_free(mods, True);
326 if (rc != LDAP_SUCCESS) {
327 char *ld_error = NULL;
328 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
331 DEBUG(0, ("could not delete attributes for %s, error: %s (%s)\n",
332 dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
335 return NT_STATUS_UNSUCCESSFUL;
342 /**********************************************************************
343 Add the sambaDomain to LDAP, so we don't have to search for this stuff
344 again. This is a once-add operation for now.
346 TODO: Add other attributes, and allow modification.
347 *********************************************************************/
348 static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
351 fstring algorithmic_rid_base_string;
353 LDAPMod **mods = NULL;
356 LDAPMessage *result = NULL;
360 slprintf (filter, sizeof (filter) - 1, "(&(%s=%s)(objectclass=%s))",
361 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
362 ldap_state->domain_name, LDAP_OBJ_DOMINFO);
364 attr_list = get_attr_list( dominfo_attr_list );
365 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
367 free_attr_list( attr_list );
369 if (rc != LDAP_SUCCESS) {
370 return NT_STATUS_UNSUCCESSFUL;
373 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
375 if (num_result > 1) {
376 DEBUG (0, ("More than domain with that name exists: bailing out!\n"));
377 ldap_msgfree(result);
378 return NT_STATUS_UNSUCCESSFUL;
381 /* Check if we need to add an entry */
382 DEBUG(3,("Adding new domain\n"));
383 ldap_op = LDAP_MOD_ADD;
385 snprintf(dn, sizeof(dn), "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
386 ldap_state->domain_name, lp_ldap_suffix());
388 /* Free original search */
389 ldap_msgfree(result);
391 /* make the changes - the entry *must* not already have samba attributes */
392 smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
393 ldap_state->domain_name);
395 /* If we don't have an entry, then ask secrets.tdb for what it thinks.
396 It may choose to make it up */
398 sid_to_string(sid_string, get_global_sam_sid());
399 smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), sid_string);
401 slprintf(algorithmic_rid_base_string, sizeof(algorithmic_rid_base_string) - 1, "%i", algorithmic_rid_base());
402 smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE),
403 algorithmic_rid_base_string);
404 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
409 rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
411 case LDAP_MOD_REPLACE:
412 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
415 DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
416 return NT_STATUS_INVALID_PARAMETER;
419 if (rc!=LDAP_SUCCESS) {
420 char *ld_error = NULL;
421 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
424 ("failed to %s domain dn= %s with: %s\n\t%s\n",
425 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
426 dn, ldap_err2string(rc),
427 ld_error?ld_error:"unknown"));
430 ldap_mods_free(mods, True);
431 return NT_STATUS_UNSUCCESSFUL;
434 DEBUG(2,("added: domain = %s in the LDAP database\n", ldap_state->domain_name));
435 ldap_mods_free(mods, True);
439 /**********************************************************************
440 Search for the domain info entry
441 *********************************************************************/
442 static NTSTATUS ldapsam_search_domain_info(struct ldapsam_privates *ldap_state,
443 LDAPMessage ** result, BOOL try_add)
445 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
451 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
453 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
454 ldap_state->domain_name);
456 DEBUG(2, ("Searching for:[%s]\n", filter));
459 attr_list = get_attr_list( dominfo_attr_list );
460 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
462 free_attr_list( attr_list );
464 if (rc != LDAP_SUCCESS) {
465 DEBUG(2,("Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
466 DEBUG(2,("Query was: %s, %s\n", lp_ldap_suffix(), filter));
467 } else if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, *result) < 1) {
468 DEBUG(3, ("Got no domain info entries for domain %s\n",
469 ldap_state->domain_name));
470 ldap_msgfree(*result);
472 if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state))) {
473 return ldapsam_search_domain_info(ldap_state, result, False);
475 DEBUG(0, ("Adding domain info failed with %s\n", nt_errstr(ret)));
478 } else if ((count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, *result)) > 1) {
479 DEBUG(0, ("Got too many (%d) domain info entries for domain %s\n",
480 count, ldap_state->domain_name));
481 ldap_msgfree(*result);
491 /**********************************************************************
492 Even if the sambaDomain attribute in LDAP tells us that this RID is
493 safe to use, always check before use.
494 *********************************************************************/
495 static BOOL sid_in_use(struct ldapsam_privates *ldap_state,
496 const DOM_SID *sid, int *error)
500 LDAPMessage *result = NULL;
503 char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL};
505 slprintf(filter, sizeof(filter)-1, "(%s=%s)", LDAP_ATTRIBUTE_SID, sid_to_string(sid_string, sid));
507 rc = smbldap_search_suffix(ldap_state->smbldap_state,
508 filter, sid_attr, &result);
510 if (rc != LDAP_SUCCESS) {
511 char *ld_error = NULL;
512 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
513 DEBUG(2, ("Failed to check if sid %s is alredy in use: %s\n",
514 sid_string, ld_error));
521 if ((count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result)) > 0) {
522 DEBUG(3, ("Sid %s already in use - trying next RID\n",
524 ldap_msgfree(result);
528 ldap_msgfree(result);
530 /* good, sid is not in use */
534 /**********************************************************************
535 Set the new nextRid attribute, and return one we can use.
537 This also checks that this RID is actually free - in case the admin
538 manually stole it :-).
539 *********************************************************************/
540 static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *rid, int rid_type)
542 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
544 LDAPMessage *domain_result = NULL;
545 LDAPMessage *entry = NULL;
547 LDAPMod **mods = NULL;
548 fstring old_rid_string;
549 fstring next_rid_string;
550 fstring algorithmic_rid_base_string;
554 char *ld_error = NULL;
556 if ( ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT ) {
557 DEBUG(0, ("Allocated RIDs require the %s objectclass used by 'ldapsam'\n",
558 LDAP_OBJ_SAMBASAMACCOUNT));
559 return NT_STATUS_UNSUCCESSFUL;
562 while (attempts < 10)
564 if (!NT_STATUS_IS_OK(ret = ldapsam_search_domain_info(ldap_state, &domain_result, True))) {
568 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, domain_result);
570 DEBUG(0, ("Could not get domain info entry\n"));
571 ldap_msgfree(domain_result);
575 if ((dn = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry)) == NULL) {
576 DEBUG(0, ("Could not get domain info DN\n"));
577 ldap_msgfree(domain_result);
581 /* yes, we keep 3 seperate counters, one for rids between 1000 (BASE_RID) and
582 algorithmic_rid_base. The other two are to avoid stomping on the
583 different sets of algorithmic RIDs */
585 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
586 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE),
587 algorithmic_rid_base_string))
590 alg_rid_base = (uint32)atol(algorithmic_rid_base_string);
592 alg_rid_base = algorithmic_rid_base();
593 /* Try to make the modification atomically by enforcing the
594 old value in the delete mod. */
595 slprintf(algorithmic_rid_base_string, sizeof(algorithmic_rid_base_string)-1, "%d", alg_rid_base);
596 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods,
597 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE),
598 algorithmic_rid_base_string);
603 if (alg_rid_base > BASE_RID) {
604 /* we have a non-default 'algorithmic rid base', so we have 'low' rids that we
605 can allocate to new users */
606 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
607 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_RID),
610 *rid = (uint32)atol(old_rid_string);
616 if (next_rid >= alg_rid_base) {
617 return NT_STATUS_UNSUCCESSFUL;
620 slprintf(next_rid_string, sizeof(next_rid_string)-1, "%d", next_rid);
622 /* Try to make the modification atomically by enforcing the
623 old value in the delete mod. */
624 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods,
625 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_RID),
629 if (!next_rid) { /* not got one already */
632 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
633 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID),
637 *rid = (uint32)atol(old_rid_string);
640 *rid = ldap_state->low_allocated_user_rid;
644 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
645 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
648 *rid = (uint32)atol(old_rid_string);
650 *rid = ldap_state->low_allocated_group_rid;
655 /* This is the core of the whole routine. If we had
656 scheme-style closures, there would be a *lot* less code
659 next_rid = *rid+RID_MULTIPLIER;
660 slprintf(next_rid_string, sizeof(next_rid_string)-1, "%d", next_rid);
664 if (next_rid > ldap_state->high_allocated_user_rid) {
665 return NT_STATUS_UNSUCCESSFUL;
668 /* Try to make the modification atomically by enforcing the
669 old value in the delete mod. */
670 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods,
671 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID),
676 if (next_rid > ldap_state->high_allocated_group_rid) {
677 return NT_STATUS_UNSUCCESSFUL;
680 /* Try to make the modification atomically by enforcing the
681 old value in the delete mod. */
682 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods,
683 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
689 if ((rc = ldap_modify_s(ldap_state->smbldap_state->ldap_struct, dn, mods)) == LDAP_SUCCESS) {
692 pstring domain_sid_string;
695 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, domain_result,
696 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID),
699 ldap_mods_free(mods, True);
701 ldap_msgfree(domain_result);
705 if (!string_to_sid(&dom_sid, domain_sid_string)) {
706 ldap_mods_free(mods, True);
708 ldap_msgfree(domain_result);
712 ldap_mods_free(mods, True);
715 ldap_msgfree(domain_result);
717 sid_copy(&sid, &dom_sid);
718 sid_append_rid(&sid, *rid);
720 /* check RID is not in use */
721 if (sid_in_use(ldap_state, &sid, &error)) {
732 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
733 DEBUG(2, ("Failed to modify rid: %s\n", ld_error ? ld_error : "(NULL"));
736 ldap_mods_free(mods, True);
742 ldap_msgfree(domain_result);
743 domain_result = NULL;
746 /* Sleep for a random timeout */
747 unsigned sleeptime = (sys_random()*sys_getpid()*attempts);
755 DEBUG(0, ("Failed to set new RID\n"));
759 /* New Interface is being implemented here */
761 /**********************************************************************
762 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
763 *********************************************************************/
764 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
765 SAM_ACCOUNT * sampass,
774 if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
775 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
779 for (values=ldap_values;*values;values++) {
780 if (strcasecmp(*values, LDAP_OBJ_POSIXACCOUNT ) == 0) {
785 if (!*values) { /*end of array, no posixAccount */
786 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
787 ldap_value_free(ldap_values);
790 ldap_value_free(ldap_values);
792 if ( !smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
793 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) )
798 if ( !smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
799 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
804 *gid = (gid_t)atol(temp);
806 pdb_set_unix_homedir(sampass, homedir, PDB_SET);
808 DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
814 /**********************************************************************
815 Initialize SAM_ACCOUNT from an LDAP query
816 (Based on init_sam_from_buffer in pdb_tdb.c)
817 *********************************************************************/
818 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
819 SAM_ACCOUNT * sampass,
826 pass_can_change_time,
827 pass_must_change_time;
840 uint8 smblmpwd[LM_HASH_LEN],
841 smbntpwd[NT_HASH_LEN];
842 uint16 acct_ctrl = 0,
845 uint8 hours[MAX_HOURS_LEN];
848 gid_t gid = getegid();
851 * do a little initialization
855 nt_username[0] = '\0';
859 logon_script[0] = '\0';
860 profile_path[0] = '\0';
862 munged_dial[0] = '\0';
863 workstations[0] = '\0';
866 if (sampass == NULL || ldap_state == NULL || entry == NULL) {
867 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
871 if (ldap_state->smbldap_state->ldap_struct == NULL) {
872 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
876 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
877 DEBUG(1, ("No uid attribute found for this user!\n"));
881 DEBUG(2, ("Entry found for user: %s\n", username));
883 pstrcpy(nt_username, username);
885 pstrcpy(domain, ldap_state->domain_name);
887 pdb_set_username(sampass, username, PDB_SET);
889 pdb_set_domain(sampass, domain, PDB_DEFAULT);
890 pdb_set_nt_username(sampass, nt_username, PDB_SET);
892 /* deal with different attributes between the schema first */
894 if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT )
896 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
897 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp))
899 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
902 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
903 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp))
905 pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
909 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
916 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
917 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp))
919 user_rid = (uint32)atol(temp);
920 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
923 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
924 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp))
926 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
930 group_rid = (uint32)atol(temp);
932 /* for some reason, we often have 0 as a primary group RID.
933 Make sure that we treat this just as a 'default' value */
936 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
938 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
942 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
943 DEBUG(1, ("no %s or %s attribute found for this user %s\n",
944 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
945 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
952 * If so configured, try and get the values from LDAP
955 if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid)))
957 if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT)
960 /* call the mapping code here */
961 if(pdb_getgrgid(&map, gid)) {
962 pdb_set_group_sid(sampass, &map.sid, PDB_SET);
965 pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
970 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
971 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp))
973 /* leave as default */
975 pass_last_set_time = (time_t) atol(temp);
976 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
979 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
980 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp))
982 /* leave as default */
984 logon_time = (time_t) atol(temp);
985 pdb_set_logon_time(sampass, logon_time, PDB_SET);
988 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
989 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp))
991 /* leave as default */
993 logoff_time = (time_t) atol(temp);
994 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
997 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
998 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp))
1000 /* leave as default */
1002 kickoff_time = (time_t) atol(temp);
1003 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
1006 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1007 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp))
1009 /* leave as default */
1011 pass_can_change_time = (time_t) atol(temp);
1012 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
1015 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1016 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp))
1018 /* leave as default */
1020 pass_must_change_time = (time_t) atol(temp);
1021 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
1024 /* recommend that 'gecos' and 'displayName' should refer to the same
1025 * attribute OID. userFullName depreciated, only used by Samba
1026 * primary rules of LDAP: don't make a new attribute when one is already defined
1027 * that fits your needs; using cn then displayName rather than 'userFullName'
1030 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1031 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname))
1033 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1034 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname))
1036 /* leave as default */
1038 pdb_set_fullname(sampass, fullname, PDB_SET);
1041 pdb_set_fullname(sampass, fullname, PDB_SET);
1044 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1045 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
1047 pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx,
1053 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
1056 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1057 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
1059 pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx,
1065 pdb_set_homedir(sampass, homedir, PDB_SET);
1068 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1069 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
1071 pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx,
1077 pdb_set_logon_script(sampass, logon_script, PDB_SET);
1080 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1081 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
1083 pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx,
1089 pdb_set_profile_path(sampass, profile_path, PDB_SET);
1092 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1093 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
1095 /* leave as default */
1097 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
1100 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
1101 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations))
1103 /* leave as default */;
1105 pdb_set_workstations(sampass, workstations, PDB_SET);
1108 /* FIXME: hours stuff should be cleaner */
1112 memset(hours, 0xff, hours_len);
1114 if (!smbldap_get_single_attribute (ldap_state->smbldap_state->ldap_struct, entry,
1115 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp))
1117 /* leave as default */
1119 pdb_gethexpwd(temp, smblmpwd);
1120 memset((char *)temp, '\0', strlen(temp)+1);
1121 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
1123 ZERO_STRUCT(smblmpwd);
1126 if (!smbldap_get_single_attribute (ldap_state->smbldap_state->ldap_struct, entry,
1127 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp))
1129 /* leave as default */
1131 pdb_gethexpwd(temp, smbntpwd);
1132 memset((char *)temp, '\0', strlen(temp)+1);
1133 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
1135 ZERO_STRUCT(smbntpwd);
1138 if (!smbldap_get_single_attribute (ldap_state->smbldap_state->ldap_struct, entry,
1139 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp))
1141 acct_ctrl |= ACB_NORMAL;
1143 acct_ctrl = pdb_decode_acct_ctrl(temp);
1146 acct_ctrl |= ACB_NORMAL;
1148 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
1151 pdb_set_hours_len(sampass, hours_len, PDB_SET);
1152 pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
1154 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
1156 /* pdb_set_unknown_3(sampass, unknown3, PDB_SET); */
1157 /* pdb_set_unknown_5(sampass, unknown5, PDB_SET); */
1158 /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
1160 pdb_set_hours(sampass, hours, PDB_SET);
1165 /**********************************************************************
1166 Initialize SAM_ACCOUNT from an LDAP query
1167 (Based on init_buffer_from_sam in pdb_tdb.c)
1168 *********************************************************************/
1169 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
1170 LDAPMessage *existing,
1171 LDAPMod *** mods, SAM_ACCOUNT * sampass,
1172 BOOL (*need_update)(const SAM_ACCOUNT *,
1178 if (mods == NULL || sampass == NULL) {
1179 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
1186 * took out adding "objectclass: sambaAccount"
1187 * do this on a per-mod basis
1189 if (need_update(sampass, PDB_USERNAME))
1190 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1191 "uid", pdb_get_username(sampass));
1193 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
1195 if (pdb_get_init_flags(sampass, PDB_USERSID) == PDB_DEFAULT) {
1196 if (ldap_state->permit_non_unix_accounts) {
1197 if (!NT_STATUS_IS_OK(ldapsam_next_rid(ldap_state, &rid, USER_RID_TYPE))) {
1198 DEBUG(0, ("NO user RID specified on account %s, and "
1199 "finding next available NUA RID failed, "
1201 pdb_get_username(sampass)));
1202 ldap_mods_free(*mods, True);
1206 DEBUG(0, ("NO user RID specified on account %s, "
1207 "cannot store!\n", pdb_get_username(sampass)));
1208 ldap_mods_free(*mods, True);
1212 /* now that we have figured out the RID, always store it, as
1213 the schema requires it (either as a SID or a RID) */
1215 if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) {
1216 DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n",
1217 pdb_get_username(sampass)));
1218 ldap_mods_free(*mods, True);
1223 /* only update the RID if we actually need to */
1224 if (need_update(sampass, PDB_USERSID))
1227 fstring dom_sid_string;
1228 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
1230 switch ( ldap_state->schema_ver )
1232 case SCHEMAVER_SAMBAACCOUNT:
1233 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
1234 DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1235 sid_to_string(sid_string, user_sid),
1236 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
1239 slprintf(temp, sizeof(temp) - 1, "%i", rid);
1240 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1241 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
1245 case SCHEMAVER_SAMBASAMACCOUNT:
1246 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1247 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1248 sid_to_string(sid_string, user_sid));
1252 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1257 /* we don't need to store the primary group RID - so leaving it
1258 'free' to hang off the unix primary group makes life easier */
1260 if (need_update(sampass, PDB_GROUPSID))
1263 fstring dom_sid_string;
1264 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
1266 switch ( ldap_state->schema_ver )
1268 case SCHEMAVER_SAMBAACCOUNT:
1269 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
1270 DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1271 sid_to_string(sid_string, group_sid),
1272 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
1276 slprintf(temp, sizeof(temp) - 1, "%i", rid);
1277 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1278 get_userattr_key2string(ldap_state->schema_ver,
1279 LDAP_ATTR_PRIMARY_GROUP_RID), temp);
1282 case SCHEMAVER_SAMBASAMACCOUNT:
1283 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1284 get_userattr_key2string(ldap_state->schema_ver,
1285 LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
1289 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1295 /* displayName, cn, and gecos should all be the same
1296 * most easily accomplished by giving them the same OID
1297 * gecos isn't set here b/c it should be handled by the
1299 * We change displayName only and fall back to cn if
1300 * it does not exist.
1303 if (need_update(sampass, PDB_FULLNAME))
1304 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1305 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
1306 pdb_get_fullname(sampass));
1308 if (need_update(sampass, PDB_ACCTDESC))
1309 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1310 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
1311 pdb_get_acct_desc(sampass));
1313 if (need_update(sampass, PDB_WORKSTATIONS))
1314 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1315 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
1316 pdb_get_workstations(sampass));
1318 if (need_update(sampass, PDB_SMBHOME))
1319 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1320 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
1321 pdb_get_homedir(sampass));
1323 if (need_update(sampass, PDB_DRIVE))
1324 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1325 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
1326 pdb_get_dir_drive(sampass));
1328 if (need_update(sampass, PDB_LOGONSCRIPT))
1329 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1330 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
1331 pdb_get_logon_script(sampass));
1333 if (need_update(sampass, PDB_PROFILE))
1334 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1335 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
1336 pdb_get_profile_path(sampass));
1338 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
1339 if (need_update(sampass, PDB_LOGONTIME))
1340 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1341 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1343 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
1344 if (need_update(sampass, PDB_LOGOFFTIME))
1345 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1346 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1348 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
1349 if (need_update(sampass, PDB_KICKOFFTIME))
1350 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1351 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1353 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
1354 if (need_update(sampass, PDB_CANCHANGETIME))
1355 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1356 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1358 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
1359 if (need_update(sampass, PDB_MUSTCHANGETIME))
1360 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1361 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
1363 if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1364 || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY))
1367 pdb_sethexpwd(temp, pdb_get_lanman_passwd(sampass),
1368 pdb_get_acct_ctrl(sampass));
1370 if (need_update(sampass, PDB_LMPASSWD))
1371 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1372 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1375 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass),
1376 pdb_get_acct_ctrl(sampass));
1378 if (need_update(sampass, PDB_NTPASSWD))
1379 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1380 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1383 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
1384 if (need_update(sampass, PDB_PASSLASTSET))
1385 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1386 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
1390 /* FIXME: Hours stuff goes in LDAP */
1392 if (need_update(sampass, PDB_ACCTCTRL))
1393 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1394 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1395 pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1402 /**********************************************************************
1403 Connect to LDAP server for password enumeration
1404 *********************************************************************/
1405 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
1407 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1412 snprintf( filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(),
1413 get_objclass_filter(ldap_state->schema_ver));
1414 all_string_sub(filter, "%u", "*", sizeof(pstring));
1416 attr_list = get_userattr_list(ldap_state->schema_ver);
1417 rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
1418 attr_list, &ldap_state->result);
1419 free_attr_list( attr_list );
1421 if (rc != LDAP_SUCCESS) {
1422 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
1423 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
1424 ldap_msgfree(ldap_state->result);
1425 ldap_state->result = NULL;
1426 return NT_STATUS_UNSUCCESSFUL;
1429 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1430 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
1431 ldap_state->result)));
1433 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
1434 ldap_state->result);
1435 ldap_state->index = 0;
1437 return NT_STATUS_OK;
1440 /**********************************************************************
1441 End enumeration of the LDAP password list
1442 *********************************************************************/
1443 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1445 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1446 if (ldap_state->result) {
1447 ldap_msgfree(ldap_state->result);
1448 ldap_state->result = NULL;
1452 /**********************************************************************
1453 Get the next entry in the LDAP password database
1454 *********************************************************************/
1455 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
1457 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1458 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1462 if (!ldap_state->entry)
1465 ldap_state->index++;
1466 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
1468 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
1472 return NT_STATUS_OK;
1475 /**********************************************************************
1476 Get SAM_ACCOUNT entry from LDAP by username
1477 *********************************************************************/
1478 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
1480 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1481 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1482 LDAPMessage *result;
1488 attr_list = get_userattr_list( ldap_state->schema_ver );
1489 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1490 free_attr_list( attr_list );
1492 if ( rc != LDAP_SUCCESS )
1493 return NT_STATUS_NO_SUCH_USER;
1495 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1499 ("Unable to locate user [%s] count=%d\n", sname,
1501 return NT_STATUS_NO_SUCH_USER;
1502 } else if (count > 1) {
1504 ("Duplicate entries for this user [%s] Failing. count=%d\n", sname,
1506 return NT_STATUS_NO_SUCH_USER;
1509 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1511 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1512 DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1513 ldap_msgfree(result);
1514 return NT_STATUS_NO_SUCH_USER;
1516 pdb_set_backend_private_data(user, result,
1517 private_data_free_fn,
1518 my_methods, PDB_CHANGED);
1521 ldap_msgfree(result);
1526 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1527 const DOM_SID *sid, LDAPMessage **result)
1533 switch ( ldap_state->schema_ver )
1535 case SCHEMAVER_SAMBASAMACCOUNT:
1536 attr_list = get_userattr_list(ldap_state->schema_ver);
1537 rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
1538 free_attr_list( attr_list );
1540 if ( rc != LDAP_SUCCESS )
1544 case SCHEMAVER_SAMBAACCOUNT:
1545 if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1549 attr_list = get_userattr_list(ldap_state->schema_ver);
1550 rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1551 free_attr_list( attr_list );
1553 if ( rc != LDAP_SUCCESS )
1560 /**********************************************************************
1561 Get SAM_ACCOUNT entry from LDAP by SID
1562 *********************************************************************/
1563 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
1565 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1566 LDAPMessage *result;
1572 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1574 if (rc != LDAP_SUCCESS)
1575 return NT_STATUS_NO_SUCH_USER;
1577 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1582 ("Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
1584 ldap_msgfree(result);
1585 return NT_STATUS_NO_SUCH_USER;
1590 ("More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
1592 ldap_msgfree(result);
1593 return NT_STATUS_NO_SUCH_USER;
1596 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1599 ldap_msgfree(result);
1600 return NT_STATUS_NO_SUCH_USER;
1603 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1604 DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1605 ldap_msgfree(result);
1606 return NT_STATUS_NO_SUCH_USER;
1609 pdb_set_backend_private_data(user, result,
1610 private_data_free_fn,
1611 my_methods, PDB_CHANGED);
1612 return NT_STATUS_OK;
1615 /********************************************************************
1616 Do the actual modification - also change a plaittext passord if
1618 **********************************************************************/
1620 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1621 SAM_ACCOUNT *newpwd, char *dn,
1622 LDAPMod **mods, int ldap_op,
1623 BOOL (*need_update)(const SAM_ACCOUNT *,
1626 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1629 if (!my_methods || !newpwd || !dn) {
1630 return NT_STATUS_INVALID_PARAMETER;
1634 DEBUG(5,("mods is empty: nothing to modify\n"));
1635 /* may be password change below however */
1640 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1643 rc = smbldap_add(ldap_state->smbldap_state,
1646 case LDAP_MOD_REPLACE:
1647 rc = smbldap_modify(ldap_state->smbldap_state,
1651 DEBUG(0,("Wrong LDAP operation type: %d!\n",
1653 return NT_STATUS_INVALID_PARAMETER;
1656 if (rc!=LDAP_SUCCESS) {
1657 char *ld_error = NULL;
1658 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1661 ("failed to %s user dn= %s with: %s\n\t%s\n",
1662 ldap_op == LDAP_MOD_ADD ? "add" : "modify",
1663 dn, ldap_err2string(rc),
1664 ld_error?ld_error:"unknown"));
1665 SAFE_FREE(ld_error);
1666 return NT_STATUS_UNSUCCESSFUL;
1670 if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1671 (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1672 need_update(newpwd, PDB_PLAINTEXT_PW) &&
1673 (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1677 struct berval *retdata;
1678 char *utf8_password;
1681 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1682 return NT_STATUS_NO_MEMORY;
1685 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1686 return NT_STATUS_NO_MEMORY;
1689 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1690 DEBUG(0,("ber_alloc_t returns NULL\n"));
1691 SAFE_FREE(utf8_password);
1692 return NT_STATUS_UNSUCCESSFUL;
1695 ber_printf (ber, "{");
1696 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1697 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1698 ber_printf (ber, "N}");
1700 if ((rc = ber_flatten (ber, &bv))<0) {
1701 DEBUG(0,("ber_flatten returns a value <0\n"));
1704 SAFE_FREE(utf8_password);
1705 return NT_STATUS_UNSUCCESSFUL;
1709 SAFE_FREE(utf8_password);
1712 if ((rc = smbldap_extended_operation(ldap_state->smbldap_state,
1713 LDAP_EXOP_MODIFY_PASSWD,
1714 bv, NULL, NULL, &retoid,
1715 &retdata)) != LDAP_SUCCESS) {
1716 DEBUG(0,("LDAP Password could not be changed for user %s: %s\n",
1717 pdb_get_username(newpwd),ldap_err2string(rc)));
1719 DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1720 #ifdef DEBUG_PASSWORD
1721 DEBUG(100,("LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1723 ber_bvfree(retdata);
1724 ber_memfree(retoid);
1728 return NT_STATUS_OK;
1731 /**********************************************************************
1732 Delete entry from LDAP for username
1733 *********************************************************************/
1734 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
1736 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1739 LDAPMessage *result;
1745 DEBUG(0, ("sam_acct was NULL!\n"));
1746 return NT_STATUS_INVALID_PARAMETER;
1749 sname = pdb_get_username(sam_acct);
1751 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
1753 attr_list= get_userattr_list( ldap_state->schema_ver );
1754 rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1756 if (rc != LDAP_SUCCESS) {
1757 free_attr_list( attr_list );
1758 return NT_STATUS_NO_SUCH_USER;
1761 switch ( ldap_state->schema_ver )
1763 case SCHEMAVER_SAMBASAMACCOUNT:
1764 fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
1767 case SCHEMAVER_SAMBAACCOUNT:
1768 fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
1771 fstrcpy( objclass, "UNKNOWN" );
1772 DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1776 ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
1777 ldap_msgfree(result);
1778 free_attr_list( attr_list );
1783 /**********************************************************************
1784 Helper function to determine for update_sam_account whether
1785 we need LDAP modification.
1786 *********************************************************************/
1787 static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
1788 enum pdb_elements element)
1790 return IS_SAM_CHANGED(sampass, element);
1793 /**********************************************************************
1795 *********************************************************************/
1796 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1798 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1799 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1802 LDAPMessage *result;
1807 result = pdb_get_backend_private_data(newpwd, my_methods);
1809 attr_list = get_userattr_list(ldap_state->schema_ver);
1810 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1811 free_attr_list( attr_list );
1812 if (rc != LDAP_SUCCESS) {
1813 return NT_STATUS_UNSUCCESSFUL;
1815 pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
1818 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1819 DEBUG(0, ("No user to modify!\n"));
1820 return NT_STATUS_UNSUCCESSFUL;
1823 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1824 dn = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1826 DEBUG(4, ("user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1828 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1829 element_is_changed)) {
1830 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1831 return NT_STATUS_UNSUCCESSFUL;
1835 DEBUG(4,("mods is empty: nothing to update for user: %s\n",
1836 pdb_get_username(newpwd)));
1837 ldap_mods_free(mods, True);
1838 return NT_STATUS_OK;
1841 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1842 ldap_mods_free(mods,True);
1844 if (!NT_STATUS_IS_OK(ret)) {
1845 char *ld_error = NULL;
1846 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1848 DEBUG(0,("failed to modify user with uid = %s, error: %s (%s)\n",
1849 pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
1850 SAFE_FREE(ld_error);
1854 DEBUG(2, ("successfully modified uid = %s in the LDAP database\n",
1855 pdb_get_username(newpwd)));
1856 return NT_STATUS_OK;
1859 /**********************************************************************
1860 Helper function to determine for update_sam_account whether
1861 we need LDAP modification.
1862 *********************************************************************/
1863 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
1864 enum pdb_elements element)
1866 return (IS_SAM_SET(sampass, element) ||
1867 IS_SAM_CHANGED(sampass, element));
1870 /**********************************************************************
1871 Add SAM_ACCOUNT to LDAP
1872 *********************************************************************/
1874 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1876 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1877 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1879 LDAPMessage *result = NULL;
1880 LDAPMessage *entry = NULL;
1882 LDAPMod **mods = NULL;
1887 const char *username = pdb_get_username(newpwd);
1888 const DOM_SID *sid = pdb_get_user_sid(newpwd);
1892 if (!username || !*username) {
1893 DEBUG(0, ("Cannot add user without a username!\n"));
1894 return NT_STATUS_INVALID_PARAMETER;
1897 /* free this list after the second search or in case we exit on failure */
1898 attr_list = get_userattr_list(ldap_state->schema_ver);
1900 rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
1902 if (rc != LDAP_SUCCESS) {
1903 free_attr_list( attr_list );
1904 return NT_STATUS_UNSUCCESSFUL;
1907 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1908 DEBUG(0,("User '%s' already in the base, with samba attributes\n",
1910 ldap_msgfree(result);
1911 free_attr_list( attr_list );
1912 return NT_STATUS_UNSUCCESSFUL;
1914 ldap_msgfree(result);
1917 if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
1918 rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1920 if (rc == LDAP_SUCCESS) {
1921 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1922 DEBUG(0,("SID '%s' already in the base, with samba attributes\n",
1923 sid_to_string(sid_string, sid)));
1924 free_attr_list( attr_list );
1925 return NT_STATUS_UNSUCCESSFUL;
1927 ldap_msgfree(result);
1931 /* does the entry already exist but without a samba attributes?
1932 we need to return the samba attributes here */
1934 escape_user = escape_ldap_string_alloc( username );
1935 pstrcpy( filter, lp_ldap_filter() );
1936 all_string_sub( filter, "%u", escape_user, sizeof(filter) );
1937 SAFE_FREE( escape_user );
1939 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1940 filter, attr_list, &result);
1941 if ( rc != LDAP_SUCCESS ) {
1942 free_attr_list( attr_list );
1943 return NT_STATUS_UNSUCCESSFUL;
1946 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1948 if (num_result > 1) {
1949 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
1950 free_attr_list( attr_list );
1951 ldap_msgfree(result);
1952 return NT_STATUS_UNSUCCESSFUL;
1955 /* Check if we need to update an existing entry */
1956 if (num_result == 1) {
1959 DEBUG(3,("User exists without samba attributes: adding them\n"));
1960 ldap_op = LDAP_MOD_REPLACE;
1961 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1962 tmp = ldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1963 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1966 } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
1968 /* There might be a SID for this account already - say an idmap entry */
1970 snprintf(filter, sizeof(filter)-1, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
1971 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1972 sid_to_string(sid_string, sid),
1973 LDAP_OBJ_IDMAP_ENTRY,
1974 LDAP_OBJ_SID_ENTRY);
1976 rc = smbldap_search_suffix(ldap_state->smbldap_state,
1977 filter, attr_list, &result);
1978 free_attr_list( attr_list );
1980 if ( rc != LDAP_SUCCESS ) {
1981 free_attr_list( attr_list );
1982 return NT_STATUS_UNSUCCESSFUL;
1985 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1987 if (num_result > 1) {
1988 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
1989 free_attr_list( attr_list );
1990 ldap_msgfree(result);
1991 return NT_STATUS_UNSUCCESSFUL;
1994 /* Check if we need to update an existing entry */
1995 if (num_result == 1) {
1998 DEBUG(3,("User exists without samba attributes: adding them\n"));
1999 ldap_op = LDAP_MOD_REPLACE;
2000 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2001 tmp = ldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
2002 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
2007 if (num_result == 0) {
2008 /* Check if we need to add an entry */
2009 DEBUG(3,("Adding new user\n"));
2010 ldap_op = LDAP_MOD_ADD;
2011 if (username[strlen(username)-1] == '$') {
2012 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
2014 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
2018 if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2019 element_is_set_or_changed)) {
2020 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2021 ldap_msgfree(result);
2022 return NT_STATUS_UNSUCCESSFUL;
2025 ldap_msgfree(result);
2028 DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2029 return NT_STATUS_UNSUCCESSFUL;
2031 switch ( ldap_state->schema_ver )
2033 case SCHEMAVER_SAMBAACCOUNT:
2034 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
2036 case SCHEMAVER_SAMBASAMACCOUNT:
2037 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2040 DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2044 ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
2045 if (!NT_STATUS_IS_OK(ret)) {
2046 DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
2047 pdb_get_username(newpwd),dn));
2048 ldap_mods_free(mods, True);
2052 DEBUG(2,("added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2053 ldap_mods_free(mods, True);
2055 return NT_STATUS_OK;
2058 /**********************************************************************
2059 *********************************************************************/
2061 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2063 LDAPMessage ** result)
2065 int scope = LDAP_SCOPE_SUBTREE;
2069 DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter));
2072 attr_list = get_attr_list(groupmap_attr_list);
2073 rc = smbldap_search(ldap_state->smbldap_state,
2074 lp_ldap_group_suffix (), scope,
2075 filter, attr_list, 0, result);
2076 free_attr_list( attr_list );
2078 if (rc != LDAP_SUCCESS) {
2079 char *ld_error = NULL;
2080 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2082 DEBUG(0, ("ldapsam_search_one_group: "
2083 "Problem during the LDAP search: LDAP error: %s (%s)",
2084 ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
2085 DEBUG(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
2086 lp_ldap_group_suffix(), filter));
2087 SAFE_FREE(ld_error);
2093 /**********************************************************************
2094 *********************************************************************/
2096 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
2097 GROUP_MAP *map, LDAPMessage *entry)
2101 if (ldap_state == NULL || map == NULL || entry == NULL ||
2102 ldap_state->smbldap_state->ldap_struct == NULL)
2104 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2108 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2109 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp))
2111 DEBUG(0, ("Mandatory attribute %s not found\n",
2112 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2115 DEBUG(2, ("Entry found for group: %s\n", temp));
2117 map->gid = (gid_t)atol(temp);
2119 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2120 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp))
2122 DEBUG(0, ("Mandatory attribute %s not found\n",
2123 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2126 string_to_sid(&map->sid, temp);
2128 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2129 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp))
2131 DEBUG(0, ("Mandatory attribute %s not found\n",
2132 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2135 map->sid_name_use = (uint32)atol(temp);
2137 if ((map->sid_name_use < SID_NAME_USER) ||
2138 (map->sid_name_use > SID_NAME_UNKNOWN)) {
2139 DEBUG(0, ("Unknown Group type: %d\n", map->sid_name_use));
2143 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2144 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp))
2147 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2148 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
2150 DEBUG(0, ("Attributes cn not found either "
2151 "for gidNumber(%i)\n",map->gid));
2155 fstrcpy(map->nt_name, temp);
2157 if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2158 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp))
2162 fstrcpy(map->comment, temp);
2167 /**********************************************************************
2168 *********************************************************************/
2170 static BOOL init_ldap_from_group(LDAP *ldap_struct,
2171 LDAPMessage *existing,
2173 const GROUP_MAP *map)
2177 if (mods == NULL || map == NULL) {
2178 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
2184 sid_to_string(tmp, &map->sid);
2185 smbldap_make_mod(ldap_struct, existing, mods,
2186 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
2187 snprintf(tmp, sizeof(tmp)-1, "%i", map->sid_name_use);
2188 smbldap_make_mod(ldap_struct, existing, mods,
2189 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
2191 smbldap_make_mod(ldap_struct, existing, mods,
2192 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
2193 smbldap_make_mod(ldap_struct, existing, mods,
2194 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
2199 /**********************************************************************
2200 *********************************************************************/
2202 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2206 struct ldapsam_privates *ldap_state =
2207 (struct ldapsam_privates *)methods->private_data;
2208 LDAPMessage *result;
2212 if (ldapsam_search_one_group(ldap_state, filter, &result)
2214 return NT_STATUS_NO_SUCH_GROUP;
2217 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2220 DEBUG(4, ("Did not find group\n"));
2221 return NT_STATUS_NO_SUCH_GROUP;
2225 DEBUG(1, ("Duplicate entries for filter %s: count=%d\n",
2227 return NT_STATUS_NO_SUCH_GROUP;
2230 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2233 ldap_msgfree(result);
2234 return NT_STATUS_UNSUCCESSFUL;
2237 if (!init_group_from_ldap(ldap_state, map, entry)) {
2238 DEBUG(1, ("init_group_from_ldap failed for group filter %s\n",
2240 ldap_msgfree(result);
2241 return NT_STATUS_NO_SUCH_GROUP;
2244 ldap_msgfree(result);
2245 return NT_STATUS_OK;
2248 /**********************************************************************
2249 *********************************************************************/
2251 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2256 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
2258 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2259 sid_string_static(&sid));
2261 return ldapsam_getgroup(methods, filter, map);
2264 /**********************************************************************
2265 *********************************************************************/
2267 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2272 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%d))",
2274 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2277 return ldapsam_getgroup(methods, filter, map);
2280 /**********************************************************************
2281 *********************************************************************/
2283 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2287 char *escape_name = escape_ldap_string_alloc(name);
2290 return NT_STATUS_NO_MEMORY;
2293 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2295 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2296 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
2298 SAFE_FREE(escape_name);
2300 return ldapsam_getgroup(methods, filter, map);
2303 /**********************************************************************
2304 *********************************************************************/
2306 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
2308 LDAPMessage **result)
2312 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%i))",
2313 LDAP_OBJ_POSIXGROUP,
2314 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2317 return ldapsam_search_one_group(ldap_state, filter, result);
2320 /**********************************************************************
2321 *********************************************************************/
2323 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
2326 struct ldapsam_privates *ldap_state =
2327 (struct ldapsam_privates *)methods->private_data;
2328 LDAPMessage *result = NULL;
2329 LDAPMod **mods = NULL;
2340 if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
2342 DEBUG(0, ("Group %i already exists in LDAP\n", map->gid));
2343 return NT_STATUS_UNSUCCESSFUL;
2346 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2347 if (rc != LDAP_SUCCESS) {
2348 return NT_STATUS_UNSUCCESSFUL;
2351 count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2354 return NT_STATUS_UNSUCCESSFUL;
2357 DEBUG(2, ("Group %i must exist exactly once in LDAP\n",
2359 ldap_msgfree(result);
2360 return NT_STATUS_UNSUCCESSFUL;
2363 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2364 tmp = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2368 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2369 result, &mods, map)) {
2370 DEBUG(0, ("init_ldap_from_group failed!\n"));
2371 ldap_mods_free(mods, True);
2372 ldap_msgfree(result);
2373 return NT_STATUS_UNSUCCESSFUL;
2376 ldap_msgfree(result);
2379 DEBUG(0, ("mods is empty\n"));
2380 return NT_STATUS_UNSUCCESSFUL;
2383 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
2385 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2386 ldap_mods_free(mods, True);
2388 if (rc != LDAP_SUCCESS) {
2389 char *ld_error = NULL;
2390 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2392 DEBUG(0, ("failed to add group %i error: %s (%s)\n", map->gid,
2393 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2394 SAFE_FREE(ld_error);
2395 return NT_STATUS_UNSUCCESSFUL;
2398 DEBUG(2, ("successfully modified group %i in LDAP\n", map->gid));
2399 return NT_STATUS_OK;
2402 /**********************************************************************
2403 *********************************************************************/
2405 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
2408 struct ldapsam_privates *ldap_state =
2409 (struct ldapsam_privates *)methods->private_data;
2412 LDAPMessage *result;
2416 rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2418 if (rc != LDAP_SUCCESS) {
2419 return NT_STATUS_UNSUCCESSFUL;
2422 if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
2423 DEBUG(0, ("No group to modify!\n"));
2424 ldap_msgfree(result);
2425 return NT_STATUS_UNSUCCESSFUL;
2428 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2429 dn = ldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2431 if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2432 result, &mods, map)) {
2433 DEBUG(0, ("init_ldap_from_group failed\n"));
2434 ldap_msgfree(result);
2435 return NT_STATUS_UNSUCCESSFUL;
2438 ldap_msgfree(result);
2441 DEBUG(4, ("mods is empty: nothing to do\n"));
2442 return NT_STATUS_UNSUCCESSFUL;
2445 rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2447 ldap_mods_free(mods, True);
2449 if (rc != LDAP_SUCCESS) {
2450 char *ld_error = NULL;
2451 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2453 DEBUG(0, ("failed to modify group %i error: %s (%s)\n", map->gid,
2454 ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2455 SAFE_FREE(ld_error);
2458 DEBUG(2, ("successfully modified group %i in LDAP\n", map->gid));
2459 return NT_STATUS_OK;
2462 /**********************************************************************
2463 *********************************************************************/
2465 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
2468 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
2469 pstring sidstring, filter;
2470 LDAPMessage *result;
2475 sid_to_string(sidstring, &sid);
2477 snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
2478 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
2480 rc = ldapsam_search_one_group(ldap_state, filter, &result);
2482 if (rc != LDAP_SUCCESS) {
2483 return NT_STATUS_NO_SUCH_GROUP;
2486 attr_list = get_attr_list( groupmap_attr_list_to_delete );
2487 ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
2488 free_attr_list ( attr_list );
2490 ldap_msgfree(result);
2495 /**********************************************************************
2496 *********************************************************************/
2498 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
2500 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2505 snprintf( filter, sizeof(filter)-1, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
2506 attr_list = get_attr_list( groupmap_attr_list );
2507 rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2508 LDAP_SCOPE_SUBTREE, filter,
2509 attr_list, 0, &ldap_state->result);
2510 free_attr_list( attr_list );
2512 if (rc != LDAP_SUCCESS) {
2513 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
2514 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
2515 ldap_msgfree(ldap_state->result);
2516 ldap_state->result = NULL;
2517 return NT_STATUS_UNSUCCESSFUL;
2520 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
2521 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2522 ldap_state->result)));
2524 ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2525 ldap_state->index = 0;
2527 return NT_STATUS_OK;
2530 /**********************************************************************
2531 *********************************************************************/
2533 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
2535 ldapsam_endsampwent(my_methods);
2538 /**********************************************************************
2539 *********************************************************************/
2541 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
2544 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2545 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2549 if (!ldap_state->entry)
2552 ldap_state->index++;
2553 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
2555 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
2559 return NT_STATUS_OK;
2562 /**********************************************************************
2563 *********************************************************************/
2565 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
2566 enum SID_NAME_USE sid_name_use,
2567 GROUP_MAP **rmap, int *num_entries,
2578 if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
2579 DEBUG(0, ("Unable to open passdb\n"));
2580 return NT_STATUS_ACCESS_DENIED;
2583 while (NT_STATUS_IS_OK(nt_status = ldapsam_getsamgrent(methods, &map))) {
2584 if (sid_name_use != SID_NAME_UNKNOWN &&
2585 sid_name_use != map.sid_name_use) {
2586 DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
2589 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
2590 DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
2594 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
2596 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
2598 return NT_STATUS_UNSUCCESSFUL;
2603 mapt[entries] = map;
2608 ldapsam_endsamgrent(methods);
2610 *num_entries = entries;
2612 return NT_STATUS_OK;
2615 /**********************************************************************
2617 *********************************************************************/
2619 static void free_private_data(void **vp)
2621 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
2623 smbldap_free_struct(&(*ldap_state)->smbldap_state);
2627 /* No need to free any further, as it is talloc()ed */
2630 /**********************************************************************
2631 Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
2632 *********************************************************************/
2634 static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
2635 const char *location)
2638 struct ldapsam_privates *ldap_state;
2640 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
2644 (*pdb_method)->name = "ldapsam";
2646 (*pdb_method)->setsampwent = ldapsam_setsampwent;
2647 (*pdb_method)->endsampwent = ldapsam_endsampwent;
2648 (*pdb_method)->getsampwent = ldapsam_getsampwent;
2649 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
2650 (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
2651 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
2652 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
2653 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
2655 (*pdb_method)->getgrsid = ldapsam_getgrsid;
2656 (*pdb_method)->getgrgid = ldapsam_getgrgid;
2657 (*pdb_method)->getgrnam = ldapsam_getgrnam;
2658 (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
2659 (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
2660 (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
2661 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
2663 /* TODO: Setup private data and free */
2665 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(*ldap_state));
2667 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
2668 return NT_STATUS_NO_MEMORY;
2671 if (!NT_STATUS_IS_OK(nt_status =
2672 smbldap_init(pdb_context->mem_ctx, location,
2673 &ldap_state->smbldap_state)));
2675 ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
2676 if (!ldap_state->domain_name) {
2677 return NT_STATUS_NO_MEMORY;
2680 (*pdb_method)->private_data = ldap_state;
2682 (*pdb_method)->free_private_data = free_private_data;
2684 return NT_STATUS_OK;
2687 /**********************************************************************
2688 Initialise the 'compat' mode for pdb_ldap
2689 *********************************************************************/
2691 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2694 struct ldapsam_privates *ldap_state;
2696 #ifdef WITH_LDAP_SAMCONFIG
2698 int ldap_port = lp_ldap_port();
2700 /* remap default port if not using SSL (ie clear or TLS) */
2701 if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
2705 location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
2707 return NT_STATUS_NO_MEMORY;
2712 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2716 (*pdb_method)->name = "ldapsam_compat";
2718 ldap_state = (*pdb_method)->private_data;
2719 ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
2721 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2723 return NT_STATUS_OK;
2726 /**********************************************************************
2727 Initialise the normal mode for pdb_ldap
2728 *********************************************************************/
2730 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
2733 struct ldapsam_privates *ldap_state;
2734 uint32 alg_rid_base;
2735 pstring alg_rid_base_string;
2736 uint32 low_idmap_uid, high_idmap_uid;
2737 uint32 low_idmap_gid, high_idmap_gid;
2738 LDAPMessage *result;
2740 DOM_SID ldap_domain_sid;
2741 DOM_SID secrets_domain_sid;
2742 pstring domain_sid_string;
2744 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
2748 (*pdb_method)->name = "ldapsam";
2750 ldap_state = (*pdb_method)->private_data;
2751 ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
2752 ldap_state->permit_non_unix_accounts = False;
2754 /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
2756 if (!NT_STATUS_IS_OK(nt_status = ldapsam_search_domain_info(ldap_state, &result, True))) {
2757 DEBUG(2, ("WARNING: Could not get domain info, nor add one to the domain\n"));
2758 DEBUGADD(2, ("Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs\n"));
2759 sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
2760 return NT_STATUS_OK;
2763 /* Given that the above might fail, everything below this must be optional */
2765 entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2767 DEBUG(0, ("Could not get domain info entry\n"));
2768 ldap_msgfree(result);
2769 return NT_STATUS_UNSUCCESSFUL;
2772 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2773 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
2777 string_to_sid(&ldap_domain_sid, domain_sid_string);
2778 found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid);
2779 if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) {
2780 /* reset secrets.tdb sid */
2781 secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid);
2783 sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
2786 if (smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
2787 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ALGORITHMIC_RID_BASE),
2788 alg_rid_base_string))
2790 alg_rid_base = (uint32)atol(alg_rid_base_string);
2791 if (alg_rid_base != algorithmic_rid_base()) {
2792 DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
2793 "database was initialised. Aborting. \n"));
2794 ldap_msgfree(result);
2795 return NT_STATUS_UNSUCCESSFUL;
2798 ldap_msgfree(result);
2800 /* check for non-unix account ranges */
2802 if (lp_idmap_uid(&low_idmap_uid, &high_idmap_uid)
2803 && lp_idmap_gid(&low_idmap_gid, &high_idmap_gid))
2805 DEBUG(2, ("Enabling non-unix account ranges\n"));
2807 ldap_state->permit_non_unix_accounts = True;
2809 ldap_state->low_allocated_user_rid = fallback_pdb_uid_to_user_rid(low_idmap_uid);
2810 ldap_state->high_allocated_user_rid = fallback_pdb_uid_to_user_rid(high_idmap_uid);
2811 ldap_state->low_allocated_group_rid = pdb_gid_to_group_rid(low_idmap_gid);
2812 ldap_state->high_allocated_group_rid = pdb_gid_to_group_rid(high_idmap_gid);
2815 return NT_STATUS_OK;
2818 NTSTATUS pdb_ldap_init(void)
2821 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
2824 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
2827 return NT_STATUS_OK;