2 Unix SMB/Netbios implementation.
4 ads (active directory) utility library
5 Copyright (C) Andrew Tridgell 2001
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* return a dn of the form "dc=AA,dc=BB,dc=CC" from a
27 realm of the form AA.BB.CC
31 return a string for an error from a ads routine
33 char *ads_errstr(int rc)
35 return ldap_err2string(rc);
39 this is a minimal interact function, just enough for SASL to talk
40 GSSAPI/kerberos to W2K
41 Error handling is a bit of a problem. I can't see how to get Cyrus-sasl
42 to give sensible errors
44 static int sasl_interact(LDAP *ld,unsigned flags,void *defaults,void *in)
46 sasl_interact_t *interact = in;
48 while (interact->id != SASL_CB_LIST_END) {
49 interact->result = strdup("");
50 interact->len = strlen(interact->result);
58 connect to the LDAP server
60 int ads_connect(ADS_STRUCT *ads)
62 int version = LDAP_VERSION3;
65 ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
69 ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
71 rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL,
80 do a general ADS search
82 int ads_search(ADS_STRUCT *ads, void **res,
87 return ldap_search_s(ads->ld, ads->bind_path,
88 LDAP_SCOPE_SUBTREE, exp, (char **)attrs, 0, (LDAPMessage **)res);
93 find a machine account given a hostname
95 int ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
100 /* the easiest way to find a machine account anywhere in the tree
101 is to look for hostname$ */
102 asprintf(&exp, "(samAccountName=%s$)", host);
103 ret = ads_search(ads, res, exp, NULL);
110 a convenient routine for adding a generic LDAP record
112 int ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ...)
119 #define MAX_MOD_VALUES 10
121 /* count the number of attributes */
122 va_start(ap, new_dn);
123 for (i=0; va_arg(ap, char *); i++) {
124 /* skip the values */
125 while (va_arg(ap, char *)) ;
129 mods = malloc(sizeof(LDAPMod *) * (i+1));
131 va_start(ap, new_dn);
132 for (i=0; (name=va_arg(ap, char *)); i++) {
135 values = (char **)malloc(sizeof(char *) * (MAX_MOD_VALUES+1));
136 for (j=0; (value=va_arg(ap, char *)) && j < MAX_MOD_VALUES; j++) {
140 mods[i] = malloc(sizeof(LDAPMod));
141 mods[i]->mod_type = name;
142 mods[i]->mod_op = LDAP_MOD_ADD;
143 mods[i]->mod_values = values;
148 ret = ldap_add_s(ads->ld, new_dn, mods);
150 for (i=0; mods[i]; i++) {
151 free(mods[i]->mod_values);
160 add a machine account to the ADS server
162 static int ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname)
165 char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
167 asprintf(&host_spn, "HOST/%s", hostname);
168 asprintf(&host_upn, "%s@%s", host_spn, ads->realm);
169 asprintf(&new_dn, "cn=%s,cn=Computers,%s", hostname, ads->bind_path);
170 asprintf(&samAccountName, "%s$", hostname);
171 asprintf(&controlstr, "%u",
172 UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
173 UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY);
175 ret = ads_gen_add(ads, new_dn,
176 "cn", hostname, NULL,
177 "sAMAccountName", samAccountName, NULL,
179 "top", "person", "organizationalPerson",
180 "user", "computer", NULL,
181 "userPrincipalName", host_upn, NULL,
182 "servicePrincipalName", host_spn, NULL,
183 "dNSHostName", hostname, NULL,
184 "userAccountControl", controlstr, NULL,
185 "operatingSystem", "Samba", NULL,
186 "operatingSystemVersion", VERSION, NULL,
192 free(samAccountName);
199 dump a binary result from ldap
201 static void dump_binary(const char *field, struct berval **values)
204 for (i=0; values[i]; i++) {
205 printf("%s: ", field);
206 for (j=0; j<values[i]->bv_len; j++) {
207 printf("%02X", (unsigned char)values[i]->bv_val[j]);
214 dump a string result from ldap
216 static void dump_string(const char *field, struct berval **values)
219 for (i=0; values[i]; i++) {
220 printf("%s: %s\n", field, values[i]->bv_val);
225 dump a record from LDAP on stdout
228 void ads_dump(ADS_STRUCT *ads, void *res)
235 void (*handler)(const char *, struct berval **);
237 {"objectGUID", dump_binary},
238 {"objectSid", dump_binary},
242 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
243 for (field = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &b);
245 field = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, b)) {
246 struct berval **values;
249 values = ldap_get_values_len(ads->ld, (LDAPMessage *)msg, field);
251 for (i=0; handlers[i].name; i++) {
252 if (StrCaseCmp(handlers[i].name, field) == 0) {
253 handlers[i].handler(field, values);
257 if (!handlers[i].name) {
258 dump_string(field, values);
260 ldap_value_free_len(values);
270 count how many replies are in a LDAPMessage
272 int ads_count_replies(ADS_STRUCT *ads, void *res)
274 return ldap_count_entries(ads->ld, (LDAPMessage *)res);
278 join a machine to a realm, creating the machine account
279 and setting the machine password
281 int ads_join_realm(ADS_STRUCT *ads, const char *hostname)
287 /* hostname must be lowercase */
288 host = strdup(hostname);
291 rc = ads_find_machine_acct(ads, (void **)&res, host);
292 if (rc == LDAP_SUCCESS && ads_count_replies(ads, res) == 1) {
293 DEBUG(0, ("Host account for %s already exists\n", host));
297 rc = ads_add_machine_acct(ads, host);
298 if (rc != LDAP_SUCCESS) {
299 DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(rc)));
303 rc = ads_find_machine_acct(ads, (void **)&res, host);
304 if (rc != LDAP_SUCCESS || ads_count_replies(ads, res) != 1) {
305 DEBUG(0, ("Host account test failed\n"));
306 /* hmmm, we need NTSTATUS */
316 delete a machine from the realm
318 int ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
322 char *hostnameDN, *host;
324 /* hostname must be lowercase */
325 host = strdup(hostname);
328 rc = ads_find_machine_acct(ads, &res, host);
329 if (rc != LDAP_SUCCESS || ads_count_replies(ads, res) != 1) {
330 DEBUG(0, ("Host account for %s does not exist.\n", host));
334 hostnameDN = ldap_get_dn(ads->ld, (LDAPMessage *)res);
335 rc = ldap_delete_s(ads->ld, hostnameDN);
336 ldap_memfree(hostnameDN);
337 if (rc != LDAP_SUCCESS) {
338 DEBUG(0, ("ldap_delete_s: %s\n", ads_errstr(rc)));
342 rc = ads_find_machine_acct(ads, &res, host);
343 if (rc == LDAP_SUCCESS && ads_count_replies(ads, res) == 1 ) {
344 DEBUG(0, ("Failed to remove host account.\n"));
345 /*hmmm, we need NTSTATUS */
355 NTSTATUS ads_set_machine_password(ADS_STRUCT *ads,
356 const char *hostname,
357 const char *password)
360 char *host = strdup(hostname);
362 ret = krb5_set_password(ads->kdc_server, host, ads->realm, password);
368 pull the first entry from a ADS result
370 void *ads_first_entry(ADS_STRUCT *ads, void *res)
372 return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
376 pull the next entry from a ADS result
378 void *ads_next_entry(ADS_STRUCT *ads, void *res)
380 return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
384 pull a single string from a ADS result
386 char *ads_pull_string(ADS_STRUCT *ads,
387 TALLOC_CTX *mem_ctx, void *msg, const char *field)
392 values = ldap_get_values(ads->ld, msg, field);
394 if (!values || !values[0]) return NULL;
396 ret = talloc_strdup(mem_ctx, values[0]);
397 ldap_value_free(values);
402 pull a single uint32 from a ADS result
404 BOOL ads_pull_uint32(ADS_STRUCT *ads,
405 void *msg, const char *field, uint32 *v)
409 values = ldap_get_values(ads->ld, msg, field);
411 if (!values || !values[0]) return False;
413 *v = atoi(values[0]);
414 ldap_value_free(values);
419 pull a single DOM_SID from a ADS result
421 BOOL ads_pull_sid(ADS_STRUCT *ads,
422 void *msg, const char *field, DOM_SID *sid)
424 struct berval **values;
427 values = ldap_get_values_len(ads->ld, msg, field);
429 if (!values || !values[0]) return False;
431 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
433 ldap_value_free_len(values);
438 /* find the update serial number - this is the core of the ldap cache */
439 BOOL ads_USN(ADS_STRUCT *ads, uint32 *usn)
441 const char *attrs[] = {"highestCommittedUSN", NULL};
445 rc = ldap_search_s(ads->ld, ads->bind_path,
446 LDAP_SCOPE_BASE, "(objectclass=*)", (char **)attrs, 0, (LDAPMessage **)&res);
447 if (rc || ads_count_replies(ads, res) != 1) return False;
448 return ads_pull_uint32(ads, res, "highestCommittedUSN", usn);