2 Unix SMB/CIFS implementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Gerald Carter 2001
5 Copyright (C) Shahms King 2001
6 Copyright (C) Jean François Micouleau 1998
7 Copyright (C) Andrew Bartlett 2002
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * persistent connections: if using NSS LDAP, many connections are made
30 * however, using only one within Samba would be nice
32 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
34 * Other LDAP based login attributes: accountExpires, etc.
35 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
36 * structures don't have fields for some of these attributes)
38 * SSL is done, but can't get the certificate based authentication to work
39 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
42 /* NOTE: this will NOT work against an Active Directory server
43 * due to the fact that the two password fields cannot be retrieved
44 * from a server; recommend using security = domain in this situation
52 #define SAM_ACCOUNT struct sam_passwd
55 struct ldapsam_privates {
63 /* retrive-once info */
66 BOOL permit_non_unix_accounts;
72 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state);
74 /*******************************************************************
75 Converts NT user RID to a UNIX uid.
76 ********************************************************************/
78 static uid_t pdb_user_rid_to_uid(uint32 user_rid)
80 return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER);
83 /*******************************************************************
84 converts UNIX uid to an NT User RID.
85 ********************************************************************/
87 static uint32 pdb_uid_to_user_rid(uid_t uid)
89 return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE);
92 /*******************************************************************
93 find the ldap password
94 ******************************************************************/
95 static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len)
104 if (*p == ',') *p = '/';
106 data=secrets_fetch(key, &size);
108 DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n"));
114 DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1));
118 memcpy(pw, data, size);
125 /*******************************************************************
126 open a connection to the ldap server.
127 ******************************************************************/
128 static BOOL ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
131 if (geteuid() != 0) {
132 DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root..\n"));
136 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
137 DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
139 if (ldap_initialize(ldap_struct, ldap_state->uri) != LDAP_SUCCESS) {
140 DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
145 /* Parse the string manually */
149 int tls = LDAP_OPT_X_TLS_HARD;
154 const char *p = ldap_state->uri;
155 SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
157 /* skip leading "URL:" (if any) */
158 if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
162 sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
165 if (strequal(protocol, "ldap")) {
167 } else if (strequal(protocol, "ldaps")) {
170 DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
174 if ((*ldap_struct = ldap_init(host, port)) == NULL) {
175 DEBUG(0, ("ldap_init failed !\n"));
179 /* Connect to older servers using SSL and V2 rather than Start TLS */
180 if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
182 if (version != LDAP_VERSION2)
184 version = LDAP_VERSION2;
185 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
189 if (strequal(protocol, "ldaps")) {
190 if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
191 if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
192 &version) == LDAP_OPT_SUCCESS)
194 if (version < LDAP_VERSION3)
196 version = LDAP_VERSION3;
197 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
201 if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
203 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
204 ldap_err2string(rc)));
207 DEBUG (2, ("StartTLS issued: using a TLS connection\n"));
210 if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
212 DEBUG(0, ("Failed to setup a TLS session\n"));
217 * No special needs to setup options prior to the LDAP
218 * bind (which should be called next via ldap_connect_system()
224 DEBUG(2, ("ldap_open_connection: connection opened\n"));
228 /*******************************************************************
229 connect to the ldap server under system privilege.
230 ******************************************************************/
231 static BOOL ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
234 static BOOL got_pw = False;
235 static pstring ldap_secret;
237 /* get the password if we don't have it already */
238 if (!got_pw && !(got_pw=fetch_ldapsam_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring))))
240 DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
241 lp_ldap_admin_dn()));
245 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
246 (OpenLDAP) doesnt' seem to support it */
248 DEBUG(10,("ldap_connect_system: Binding to ldap server as \"%s\"\n",
249 lp_ldap_admin_dn()));
251 if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(),
252 ldap_secret)) != LDAP_SUCCESS)
254 DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc)));
258 DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
262 /*******************************************************************
263 run the search by name.
264 ******************************************************************/
265 static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *filter, LDAPMessage ** result)
267 int scope = LDAP_SCOPE_SUBTREE;
270 DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
272 rc = ldap_search_s(ldap_struct, lp_ldap_suffix (), scope, filter, NULL, 0, result);
274 if (rc != LDAP_SUCCESS) {
275 DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n",
276 ldap_err2string (rc)));
277 DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
284 /*******************************************************************
285 run the search by name.
286 ******************************************************************/
287 static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *user,
288 LDAPMessage ** result)
293 * in the filter expression, replace %u with the real name
294 * so in ldap filter, %u MUST exist :-)
296 pstrcpy(filter, lp_ldap_filter());
299 * have to use this here because $ is filtered out
302 all_string_sub(filter, "%u", user, sizeof(pstring));
304 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
307 /*******************************************************************
308 run the search by uid.
309 ******************************************************************/
310 static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state,
311 LDAP * ldap_struct, int uid,
312 LDAPMessage ** result)
317 /* Get the username from the system and look that up in the LDAP */
319 if ((user = getpwuid_alloc(uid)) == NULL) {
320 DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
321 return LDAP_NO_SUCH_OBJECT;
324 pstrcpy(filter, lp_ldap_filter());
326 all_string_sub(filter, "%u", user->pw_name, sizeof(pstring));
330 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
333 /*******************************************************************
334 run the search by rid.
335 ******************************************************************/
336 static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
337 LDAP * ldap_struct, uint32 rid,
338 LDAPMessage ** result)
343 /* check if the user rid exsists, if not, try searching on the uid */
345 snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
346 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
348 if (rc != LDAP_SUCCESS)
349 rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct,
350 pdb_user_rid_to_uid(rid),
356 /*******************************************************************
357 search an attribute and return the first value found.
358 ******************************************************************/
359 static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
360 char *attribute, char *value)
364 if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
366 DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
371 pstrcpy(value, values[0]);
372 ldap_value_free(values);
373 #ifdef DEBUG_PASSWORDS
374 DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
379 /************************************************************************
380 Routine to manage the LDAPMod structure array
381 manage memory used by the array, by each struct, and values
383 ************************************************************************/
384 static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
392 if (attribute == NULL || *attribute == '\0')
395 if (value == NULL || *value == '\0')
400 mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
403 DEBUG(0, ("make_a_mod: out of memory!\n"));
409 for (i = 0; mods[i] != NULL; ++i) {
410 if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
416 mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
419 DEBUG(0, ("make_a_mod: out of memory!\n"));
422 mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
425 DEBUG(0, ("make_a_mod: out of memory!\n"));
428 mods[i]->mod_op = modop;
429 mods[i]->mod_values = NULL;
430 mods[i]->mod_type = strdup(attribute);
437 if (mods[i]->mod_values != NULL) {
438 for (; mods[i]->mod_values[j] != NULL; j++);
440 mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
441 (j + 2) * sizeof (char *));
443 if (mods[i]->mod_values == NULL) {
444 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
447 mods[i]->mod_values[j] = strdup(value);
448 mods[i]->mod_values[j + 1] = NULL;
453 /* New Interface is being implemented here */
455 /**********************************************************************
456 Initialize SAM_ACCOUNT from an LDAP query
457 (Based on init_sam_from_buffer in pdb_tdb.c)
458 *********************************************************************/
459 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
460 SAM_ACCOUNT * sampass,
461 LDAP * ldap_struct, LDAPMessage * entry)
467 pass_can_change_time,
468 pass_must_change_time;
488 uint8 hours[MAX_HOURS_LEN];
491 gid_t gid = getegid();
495 * do a little initialization
499 nt_username[0] = '\0';
503 logon_script[0] = '\0';
504 profile_path[0] = '\0';
506 munged_dial[0] = '\0';
507 workstations[0] = '\0';
510 if (sampass == NULL || ldap_struct == NULL || entry == NULL) {
511 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
515 get_single_attribute(ldap_struct, entry, "uid", username);
516 DEBUG(2, ("Entry found for user: %s\n", username));
518 pstrcpy(nt_username, username);
520 pstrcpy(domain, lp_workgroup());
522 get_single_attribute(ldap_struct, entry, "rid", temp);
523 user_rid = (uint32)atol(temp);
524 if (!get_single_attribute(ldap_struct, entry, "primaryGroupID", temp)) {
527 group_rid = (uint32)atol(temp);
530 if ((ldap_state->permit_non_unix_accounts)
531 && (user_rid >= ldap_state->low_nua_rid)
532 && (user_rid <= ldap_state->high_nua_rid)) {
536 /* These values MAY be in LDAP, but they can also be retrieved through
537 * sys_getpw*() which is how we're doing it
540 pw = getpwnam_alloc(username);
542 DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a uid!\n", username));
550 pdb_set_uid(sampass, uid);
551 pdb_set_gid(sampass, gid);
553 if (group_rid == 0) {
555 /* call the mapping code here */
556 if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
557 sid_peek_rid(&map.sid, &group_rid);
560 group_rid=pdb_gid_to_group_rid(gid);
565 if (!get_single_attribute(ldap_struct, entry, "pwdLastSet", temp)) {
566 /* leave as default */
568 pass_last_set_time = (time_t) atol(temp);
569 pdb_set_pass_last_set_time(sampass, pass_last_set_time);
572 if (!get_single_attribute(ldap_struct, entry, "logonTime", temp)) {
573 /* leave as default */
575 logon_time = (time_t) atol(temp);
576 pdb_set_logon_time(sampass, logon_time, True);
579 if (!get_single_attribute(ldap_struct, entry, "logoffTime", temp)) {
580 /* leave as default */
582 logoff_time = (time_t) atol(temp);
583 pdb_set_logoff_time(sampass, logoff_time, True);
586 if (!get_single_attribute(ldap_struct, entry, "kickoffTime", temp)) {
587 /* leave as default */
589 kickoff_time = (time_t) atol(temp);
590 pdb_set_kickoff_time(sampass, kickoff_time, True);
593 if (!get_single_attribute(ldap_struct, entry, "pwdCanChange", temp)) {
594 /* leave as default */
596 pass_can_change_time = (time_t) atol(temp);
597 pdb_set_pass_can_change_time(sampass, pass_can_change_time, True);
600 if (!get_single_attribute(ldap_struct, entry, "pwdMustChange", temp)) {
601 /* leave as default */
603 pass_must_change_time = (time_t) atol(temp);
604 pdb_set_pass_must_change_time(sampass, pass_must_change_time, True);
607 /* recommend that 'gecos' and 'displayName' should refer to the same
608 * attribute OID. userFullName depreciated, only used by Samba
609 * primary rules of LDAP: don't make a new attribute when one is already defined
610 * that fits your needs; using cn then displayName rather than 'userFullName'
613 if (!get_single_attribute(ldap_struct, entry, "cn", fullname)) {
614 if (!get_single_attribute(ldap_struct, entry, "displayName", fullname)) {
615 /* leave as default */
617 pdb_set_fullname(sampass, fullname);
620 pdb_set_fullname(sampass, fullname);
623 if (!get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive)) {
624 pstrcpy(dir_drive, lp_logon_drive());
625 standard_sub_advanced(-1, username, "", gid, username, dir_drive);
626 DEBUG(5,("homeDrive fell back to %s\n",dir_drive));
627 pdb_set_dir_drive(sampass, dir_drive, False);
629 pdb_set_dir_drive(sampass, dir_drive, True);
632 if (!get_single_attribute(ldap_struct, entry, "smbHome", homedir)) {
633 pstrcpy(homedir, lp_logon_home());
634 standard_sub_advanced(-1, username, "", gid, username, homedir);
635 DEBUG(5,("smbHome fell back to %s\n",homedir));
636 pdb_set_homedir(sampass, homedir, False);
638 pdb_set_homedir(sampass, homedir, True);
641 if (!get_single_attribute(ldap_struct, entry, "scriptPath", logon_script)) {
642 pstrcpy(logon_script, lp_logon_script());
643 standard_sub_advanced(-1, username, "", gid, username, logon_script);
644 DEBUG(5,("scriptPath fell back to %s\n",logon_script));
645 pdb_set_logon_script(sampass, logon_script, False);
647 pdb_set_logon_script(sampass, logon_script, True);
650 if (!get_single_attribute(ldap_struct, entry, "profilePath", profile_path)) {
651 pstrcpy(profile_path, lp_logon_path());
652 standard_sub_advanced(-1, username, "", gid, username, profile_path);
653 DEBUG(5,("profilePath fell back to %s\n",profile_path));
654 pdb_set_profile_path(sampass, profile_path, False);
656 pdb_set_profile_path(sampass, profile_path, True);
659 if (!get_single_attribute(ldap_struct, entry, "description", acct_desc)) {
660 /* leave as default */
662 pdb_set_acct_desc(sampass, acct_desc);
665 if (!get_single_attribute(ldap_struct, entry, "userWorkstations", workstations)) {
666 /* leave as default */;
668 pdb_set_workstations(sampass, workstations);
671 /* FIXME: hours stuff should be cleaner */
675 memset(hours, 0xff, hours_len);
677 if (!get_single_attribute (ldap_struct, entry, "lmPassword", temp)) {
678 /* leave as default */
680 pdb_gethexpwd(temp, smblmpwd);
681 memset((char *)temp, '\0', sizeof(temp));
682 if (!pdb_set_lanman_passwd(sampass, smblmpwd))
686 if (!get_single_attribute (ldap_struct, entry, "ntPassword", temp)) {
687 /* leave as default */
689 pdb_gethexpwd(temp, smbntpwd);
690 memset((char *)temp, '\0', sizeof(temp));
691 if (!pdb_set_nt_passwd(sampass, smbntpwd))
695 if (!get_single_attribute (ldap_struct, entry, "acctFlags", temp)) {
696 acct_ctrl |= ACB_NORMAL;
698 acct_ctrl = pdb_decode_acct_ctrl(temp);
701 acct_ctrl |= ACB_NORMAL;
703 pdb_set_acct_ctrl(sampass, acct_ctrl);
706 pdb_set_hours_len(sampass, hours_len);
707 pdb_set_logon_divs(sampass, logon_divs);
709 pdb_set_user_rid(sampass, user_rid);
710 pdb_set_group_rid(sampass, group_rid);
712 pdb_set_username(sampass, username);
714 pdb_set_domain(sampass, domain);
715 pdb_set_nt_username(sampass, nt_username);
717 pdb_set_munged_dial(sampass, munged_dial);
719 /* pdb_set_unknown_3(sampass, unknown3); */
720 /* pdb_set_unknown_5(sampass, unknown5); */
721 /* pdb_set_unknown_6(sampass, unknown6); */
723 pdb_set_hours(sampass, hours);
728 /**********************************************************************
729 Initialize SAM_ACCOUNT from an LDAP query
730 (Based on init_buffer_from_sam in pdb_tdb.c)
731 *********************************************************************/
732 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
733 LDAPMod *** mods, int ldap_op,
734 const SAM_ACCOUNT * sampass)
739 if (mods == NULL || sampass == NULL) {
740 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
747 * took out adding "objectclass: sambaAccount"
748 * do this on a per-mod basis
751 make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass));
752 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
754 if ( pdb_get_user_rid(sampass) ) {
755 rid = pdb_get_user_rid(sampass);
756 } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) {
757 rid = pdb_uid_to_user_rid(pdb_get_uid(sampass));
758 } else if (ldap_state->permit_non_unix_accounts) {
759 rid = ldapsam_get_next_available_nua_rid(ldap_state);
761 DEBUG(0, ("NO user RID specified on account %s, and findining next available NUA RID failed, cannot store!\n", pdb_get_username(sampass)));
765 DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
769 slprintf(temp, sizeof(temp) - 1, "%i", rid);
770 make_a_mod(mods, ldap_op, "rid", temp);
772 if ( pdb_get_group_rid(sampass) ) {
773 rid = pdb_get_group_rid(sampass);
774 } else if (IS_SAM_SET(sampass, FLAG_SAM_GID)) {
775 rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
776 } else if (ldap_state->permit_non_unix_accounts) {
777 rid = DOMAIN_GROUP_RID_USERS;
779 DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
783 slprintf(temp, sizeof(temp) - 1, "%i", rid);
784 make_a_mod(mods, ldap_op, "primaryGroupID", temp);
786 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
787 make_a_mod(mods, ldap_op, "pwdLastSet", temp);
789 /* displayName, cn, and gecos should all be the same
790 * most easily accomplished by giving them the same OID
791 * gecos isn't set here b/c it should be handled by the
795 make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass));
796 make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass));
797 make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass));
798 make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass));
801 * Only updates fields which have been set (not defaults from smb.conf)
804 if (IS_SAM_SET(sampass, FLAG_SAM_SMBHOME))
805 make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass));
807 if (IS_SAM_SET(sampass, FLAG_SAM_DRIVE))
808 make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dirdrive(sampass));
810 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONSCRIPT))
811 make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass));
813 if (IS_SAM_SET(sampass, FLAG_SAM_PROFILE))
814 make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass));
816 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONTIME)) {
817 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
818 make_a_mod(mods, ldap_op, "logonTime", temp);
821 if (IS_SAM_SET(sampass, FLAG_SAM_LOGOFFTIME)) {
822 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
823 make_a_mod(mods, ldap_op, "logoffTime", temp);
826 if (IS_SAM_SET(sampass, FLAG_SAM_KICKOFFTIME)) {
827 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
828 make_a_mod(mods, ldap_op, "kickoffTime", temp);
831 if (IS_SAM_SET(sampass, FLAG_SAM_CANCHANGETIME)) {
832 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
833 make_a_mod(mods, ldap_op, "pwdCanChange", temp);
836 if (IS_SAM_SET(sampass, FLAG_SAM_MUSTCHANGETIME)) {
837 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
838 make_a_mod(mods, ldap_op, "pwdMustChange", temp);
841 /* FIXME: Hours stuff goes in LDAP */
842 pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
843 make_a_mod (mods, ldap_op, "lmPassword", temp);
845 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
846 make_a_mod (mods, ldap_op, "ntPassword", temp);
848 make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
849 NEW_PW_FORMAT_SPACE_PADDED_LEN));
855 /**********************************************************************
856 Connect to LDAP server and find the next available RID.
857 *********************************************************************/
858 static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid, LDAP *ldap_struct)
861 uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
866 if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) {
870 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, final_rid, &result) != LDAP_SUCCESS) {
871 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid));
873 ldap_msgfree(result);
876 if (ldap_count_entries(ldap_struct, result) != 0)
878 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid));
880 ldap_msgfree(result);
883 DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid));
887 /**********************************************************************
888 Extract the RID from an LDAP entry
889 *********************************************************************/
890 static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry, LDAP *ldap_struct) {
892 SAM_ACCOUNT *user = NULL;
893 if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
897 if (init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
898 rid = pdb_get_user_rid(user);
903 if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) {
910 /**********************************************************************
911 Connect to LDAP server and find the next available RID.
912 *********************************************************************/
913 static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state, LDAP *ldap_struct)
919 char *final_filter = NULL;
924 pstrcpy(filter, lp_ldap_filter());
925 all_string_sub(filter, "%u", "*", sizeof(pstring));
928 asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid);
930 final_filter = strdup(filter);
932 DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
934 rc = ldap_search_s(ldap_struct, lp_ldap_suffix(),
935 LDAP_SCOPE_SUBTREE, final_filter, NULL, 0,
938 if (rc != LDAP_SUCCESS)
941 DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
942 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
945 ldap_msgfree(result);
950 count = ldap_count_entries(ldap_struct, result);
951 DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count));
954 DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc)));
955 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
957 ldap_msgfree(result);
959 return ldap_state->low_nua_rid;
963 entry = ldap_first_entry(ldap_struct,result);
965 top_rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
967 while ((entry = ldap_next_entry(ldap_struct, entry))) {
969 rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
975 ldap_msgfree(result);
979 /**********************************************************************
980 Connect to LDAP server and find the next available RID.
981 *********************************************************************/
982 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) {
987 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
991 if (!ldapsam_connect_system(ldap_state, ldap_struct))
993 ldap_unbind(ldap_struct);
997 top_nua_rid = search_top_nua_rid(ldap_state, ldap_struct);
999 next_nua_rid = check_nua_rid_is_avail(ldap_state,
1000 top_nua_rid, ldap_struct);
1002 ldap_unbind(ldap_struct);
1003 return next_nua_rid;
1006 /**********************************************************************
1007 Connect to LDAP server for password enumeration
1008 *********************************************************************/
1009 static BOOL ldapsam_setsampwent(struct pdb_context *context, BOOL update)
1011 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1015 if (!ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))
1019 if (!ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))
1021 ldap_unbind(ldap_state->ldap_struct);
1025 pstrcpy(filter, lp_ldap_filter());
1026 all_string_sub(filter, "%u", "*", sizeof(pstring));
1028 rc = ldap_search_s(ldap_state->ldap_struct, lp_ldap_suffix(),
1029 LDAP_SCOPE_SUBTREE, filter, NULL, 0,
1030 &ldap_state->result);
1032 if (rc != LDAP_SUCCESS)
1034 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
1035 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
1036 ldap_msgfree(ldap_state->result);
1037 ldap_unbind(ldap_state->ldap_struct);
1038 ldap_state->ldap_struct = NULL;
1039 ldap_state->result = NULL;
1043 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1044 ldap_count_entries(ldap_state->ldap_struct,
1045 ldap_state->result)));
1047 ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
1048 ldap_state->result);
1049 ldap_state->index = 0;
1054 /**********************************************************************
1055 End enumeration of the LDAP password list
1056 *********************************************************************/
1057 static void ldapsam_endsampwent(struct pdb_context *context)
1059 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1060 if (ldap_state->ldap_struct && ldap_state->result)
1062 ldap_msgfree(ldap_state->result);
1063 ldap_unbind(ldap_state->ldap_struct);
1064 ldap_state->ldap_struct = NULL;
1065 ldap_state->result = NULL;
1069 /**********************************************************************
1070 Get the next entry in the LDAP password database
1071 *********************************************************************/
1072 static BOOL ldapsam_getsampwent(struct pdb_context *context, SAM_ACCOUNT * user)
1074 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1078 if (!ldap_state->entry)
1081 ldap_state->index++;
1082 ret = init_sam_from_ldap(ldap_state, user, ldap_state->ldap_struct,
1085 ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
1093 /**********************************************************************
1094 Get SAM_ACCOUNT entry from LDAP by username
1095 *********************************************************************/
1096 static BOOL ldapsam_getsampwnam(struct pdb_context *context, SAM_ACCOUNT * user, const char *sname)
1098 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1100 LDAPMessage *result;
1103 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1105 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1107 ldap_unbind(ldap_struct);
1110 if (ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result) != LDAP_SUCCESS)
1112 ldap_unbind(ldap_struct);
1115 if (ldap_count_entries(ldap_struct, result) < 1)
1118 ("We don't find this user [%s] count=%d\n", sname,
1119 ldap_count_entries(ldap_struct, result)));
1120 ldap_unbind(ldap_struct);
1123 entry = ldap_first_entry(ldap_struct, result);
1126 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1127 DEBUG(0,("ldapsam_getsampwnam: init_sam_from_ldap failed!\n"));
1128 ldap_msgfree(result);
1129 ldap_unbind(ldap_struct);
1132 ldap_msgfree(result);
1133 ldap_unbind(ldap_struct);
1138 ldap_msgfree(result);
1139 ldap_unbind(ldap_struct);
1144 /**********************************************************************
1145 Get SAM_ACCOUNT entry from LDAP by rid
1146 *********************************************************************/
1147 static BOOL ldapsam_getsampwrid(struct pdb_context *context, SAM_ACCOUNT * user, uint32 rid)
1149 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1151 LDAPMessage *result;
1154 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1157 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1159 ldap_unbind(ldap_struct);
1162 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, rid, &result) !=
1165 ldap_unbind(ldap_struct);
1169 if (ldap_count_entries(ldap_struct, result) < 1)
1172 ("We don't find this rid [%i] count=%d\n", rid,
1173 ldap_count_entries(ldap_struct, result)));
1174 ldap_unbind(ldap_struct);
1178 entry = ldap_first_entry(ldap_struct, result);
1181 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1182 DEBUG(0,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1183 ldap_msgfree(result);
1184 ldap_unbind(ldap_struct);
1187 ldap_msgfree(result);
1188 ldap_unbind(ldap_struct);
1193 ldap_msgfree(result);
1194 ldap_unbind(ldap_struct);
1199 /**********************************************************************
1200 Delete entry from LDAP for username
1201 *********************************************************************/
1202 static BOOL ldapsam_delete_sam_account(struct pdb_context *context, const SAM_ACCOUNT * sam_acct)
1204 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1210 LDAPMessage *result;
1213 DEBUG(0, ("sam_acct was NULL!\n"));
1217 sname = pdb_get_username(sam_acct);
1219 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1222 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
1224 if (!ldapsam_connect_system(ldap_state, ldap_struct)) {
1225 ldap_unbind (ldap_struct);
1226 DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname));
1230 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result);
1231 if (ldap_count_entries (ldap_struct, result) == 0) {
1232 DEBUG (0, ("User doesn't exit!\n"));
1233 ldap_msgfree (result);
1234 ldap_unbind (ldap_struct);
1238 entry = ldap_first_entry (ldap_struct, result);
1239 dn = ldap_get_dn (ldap_struct, entry);
1241 rc = ldap_delete_s (ldap_struct, dn);
1244 if (rc != LDAP_SUCCESS) {
1246 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1247 DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
1248 sname, ldap_err2string (rc), ld_error));
1250 ldap_unbind (ldap_struct);
1254 DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
1255 ldap_unbind (ldap_struct);
1259 /**********************************************************************
1261 *********************************************************************/
1262 static BOOL ldapsam_update_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd)
1264 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1268 LDAPMessage *result;
1272 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1275 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1277 ldap_unbind(ldap_struct);
1281 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct,
1282 pdb_get_username(newpwd), &result);
1284 if (ldap_count_entries(ldap_struct, result) == 0)
1286 DEBUG(0, ("No user to modify!\n"));
1287 ldap_msgfree(result);
1288 ldap_unbind(ldap_struct);
1292 if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, newpwd)) {
1293 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1294 ldap_msgfree(result);
1295 ldap_unbind(ldap_struct);
1299 entry = ldap_first_entry(ldap_struct, result);
1300 dn = ldap_get_dn(ldap_struct, entry);
1302 rc = ldap_modify_s(ldap_struct, dn, mods);
1304 if (rc != LDAP_SUCCESS)
1307 ldap_get_option(ldap_struct, LDAP_OPT_ERROR_STRING,
1310 ("failed to modify user with uid = %s with: %s\n\t%s\n",
1311 pdb_get_username(newpwd), ldap_err2string(rc),
1314 ldap_unbind(ldap_struct);
1319 ("successfully modified uid = %s in the LDAP database\n",
1320 pdb_get_username(newpwd)));
1321 ldap_mods_free(mods, 1);
1322 ldap_unbind(ldap_struct);
1326 /**********************************************************************
1327 Add SAM_ACCOUNT to LDAP
1328 *********************************************************************/
1329 static BOOL ldapsam_add_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd)
1331 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data;
1334 LDAP *ldap_struct = NULL;
1335 LDAPMessage *result = NULL;
1337 LDAPMod **mods = NULL;
1341 const char *username = pdb_get_username(newpwd);
1342 if (!username || !*username) {
1343 DEBUG(0, ("Cannot add user without a username!\n"));
1347 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1352 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1354 ldap_unbind(ldap_struct);
1358 rc = ldapsam_search_one_user_by_name (ldap_state, ldap_struct, username, &result);
1360 if (ldap_count_entries(ldap_struct, result) != 0)
1362 DEBUG(0,("User already in the base, with samba properties\n"));
1363 ldap_msgfree(result);
1364 ldap_unbind(ldap_struct);
1367 ldap_msgfree(result);
1369 slprintf (filter, sizeof (filter) - 1, "uid=%s", username);
1370 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, &result);
1371 num_result = ldap_count_entries(ldap_struct, result);
1373 if (num_result > 1) {
1374 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
1375 ldap_msgfree(result);
1379 /* Check if we need to update an existing entry */
1380 if (num_result == 1) {
1384 DEBUG(3,("User exists without samba properties: adding them\n"));
1385 ldap_op = LDAP_MOD_REPLACE;
1386 entry = ldap_first_entry (ldap_struct, result);
1387 tmp = ldap_get_dn (ldap_struct, entry);
1388 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1392 /* Check if we need to add an entry */
1393 DEBUG(3,("Adding new user\n"));
1394 ldap_op = LDAP_MOD_ADD;
1395 if (username[strlen(username)-1] == '$') {
1396 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
1398 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
1402 ldap_msgfree(result);
1404 if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, newpwd)) {
1405 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1406 ldap_mods_free(mods, 1);
1407 ldap_unbind(ldap_struct);
1410 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
1412 if (ldap_op == LDAP_MOD_REPLACE) {
1413 rc = ldap_modify_s(ldap_struct, dn, mods);
1416 rc = ldap_add_s(ldap_struct, dn, mods);
1419 if (rc != LDAP_SUCCESS)
1423 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1424 DEBUG(0,("failed to modify/add user with uid = %s (dn = %s) with: %s\n\t%s\n",
1425 pdb_get_username(newpwd), dn, ldap_err2string (rc), ld_error));
1427 ldap_mods_free(mods, 1);
1428 ldap_unbind(ldap_struct);
1432 DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
1433 ldap_mods_free(mods, 1);
1434 ldap_unbind(ldap_struct);
1438 static void free_private_data(void **vp)
1440 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
1442 if ((*ldap_state)->ldap_struct) {
1443 ldap_unbind((*ldap_state)->ldap_struct);
1448 /* No need to free any further, as it is talloc()ed */
1451 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1454 struct ldapsam_privates *ldap_state;
1456 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
1460 (*pdb_method)->name = "ldapsam";
1462 (*pdb_method)->setsampwent = ldapsam_setsampwent;
1463 (*pdb_method)->endsampwent = ldapsam_endsampwent;
1464 (*pdb_method)->getsampwent = ldapsam_getsampwent;
1465 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
1466 (*pdb_method)->getsampwrid = ldapsam_getsampwrid;
1467 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
1468 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
1469 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
1471 /* TODO: Setup private data and free */
1473 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
1476 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1477 return NT_STATUS_NO_MEMORY;
1481 ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
1483 ldap_state->uri = "ldap://localhost";
1486 (*pdb_method)->private_data = ldap_state;
1488 (*pdb_method)->free_private_data = free_private_data;
1490 return NT_STATUS_OK;
1493 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1496 struct ldapsam_privates *ldap_state;
1497 uint32 low_nua_uid, high_nua_uid;
1499 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
1503 (*pdb_method)->name = "ldapsam_nua";
1505 ldap_state = (*pdb_method)->private_data;
1507 ldap_state->permit_non_unix_accounts = True;
1509 if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
1510 DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n"));
1511 return NT_STATUS_UNSUCCESSFUL;
1514 ldap_state->low_nua_rid=pdb_uid_to_user_rid(low_nua_uid);
1516 ldap_state->high_nua_rid=pdb_uid_to_user_rid(high_nua_uid);
1518 return NT_STATUS_OK;
1524 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1526 DEBUG(0, ("ldapsam not compiled in!\n"));
1527 return NT_STATUS_UNSUCCESSFUL;
1530 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1532 DEBUG(0, ("ldapsam_nua not compiled in!\n"));
1533 return NT_STATUS_UNSUCCESSFUL;