2 Unix SMB/CIFS implementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Gerald Carter 2001
5 Copyright (C) Shahms King 2001
6 Copyright (C) Jean François Micouleau 1998
7 Copyright (C) Andrew Bartlett 2002
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * persistent connections: if using NSS LDAP, many connections are made
30 * however, using only one within Samba would be nice
32 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
34 * Other LDAP based login attributes: accountExpires, etc.
35 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
36 * structures don't have fields for some of these attributes)
38 * SSL is done, but can't get the certificate based authentication to work
39 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
42 /* NOTE: this will NOT work against an Active Directory server
43 * due to the fact that the two password fields cannot be retrieved
44 * from a server; recommend using security = domain in this situation
52 #define SAM_ACCOUNT struct sam_passwd
55 struct ldapsam_privates {
63 /* retrive-once info */
66 BOOL permit_non_unix_accounts;
72 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state);
74 /*******************************************************************
75 find the ldap password
76 ******************************************************************/
77 static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len)
86 if (*p == ',') *p = '/';
88 data=secrets_fetch(key, &size);
90 DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n"));
96 DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1));
100 memcpy(pw, data, size);
107 /*******************************************************************
108 open a connection to the ldap server.
109 ******************************************************************/
110 static BOOL ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
113 if (geteuid() != 0) {
114 DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root..\n"));
118 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
119 DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
121 if (ldap_initialize(ldap_struct, ldap_state->uri) != LDAP_SUCCESS) {
122 DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
127 /* Parse the string manually */
131 int tls = LDAP_OPT_X_TLS_HARD;
136 const char *p = ldap_state->uri;
137 SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
139 /* skip leading "URL:" (if any) */
140 if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
144 sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
147 if (strequal(protocol, "ldap")) {
149 } else if (strequal(protocol, "ldaps")) {
152 DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
156 if ((*ldap_struct = ldap_init(host, port)) == NULL) {
157 DEBUG(0, ("ldap_init failed !\n"));
161 /* Connect to older servers using SSL and V2 rather than Start TLS */
162 if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
164 if (version != LDAP_VERSION2)
166 version = LDAP_VERSION2;
167 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
171 if (strequal(protocol, "ldaps")) {
172 if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
173 if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
174 &version) == LDAP_OPT_SUCCESS)
176 if (version < LDAP_VERSION3)
178 version = LDAP_VERSION3;
179 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
183 if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
185 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
186 ldap_err2string(rc)));
189 DEBUG (2, ("StartTLS issued: using a TLS connection\n"));
192 if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
194 DEBUG(0, ("Failed to setup a TLS session\n"));
199 * No special needs to setup options prior to the LDAP
200 * bind (which should be called next via ldap_connect_system()
206 DEBUG(2, ("ldap_open_connection: connection opened\n"));
210 /*******************************************************************
211 connect to the ldap server under system privilege.
212 ******************************************************************/
213 static BOOL ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
216 static BOOL got_pw = False;
217 static pstring ldap_secret;
219 /* get the password if we don't have it already */
220 if (!got_pw && !(got_pw=fetch_ldapsam_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring))))
222 DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
223 lp_ldap_admin_dn()));
227 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
228 (OpenLDAP) doesnt' seem to support it */
230 DEBUG(10,("ldap_connect_system: Binding to ldap server as \"%s\"\n",
231 lp_ldap_admin_dn()));
233 if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(),
234 ldap_secret)) != LDAP_SUCCESS)
236 DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc)));
240 DEBUG(2, ("ldap_connect_system: successful connection to the LDAP server\n"));
244 /*******************************************************************
245 run the search by name.
246 ******************************************************************/
247 static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *filter, LDAPMessage ** result)
249 int scope = LDAP_SCOPE_SUBTREE;
252 DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
254 rc = ldap_search_s(ldap_struct, lp_ldap_suffix (), scope, filter, NULL, 0, result);
256 if (rc != LDAP_SUCCESS) {
257 DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n",
258 ldap_err2string (rc)));
259 DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
266 /*******************************************************************
267 run the search by name.
268 ******************************************************************/
269 static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *user,
270 LDAPMessage ** result)
275 * in the filter expression, replace %u with the real name
276 * so in ldap filter, %u MUST exist :-)
278 pstrcpy(filter, lp_ldap_filter());
281 * have to use this here because $ is filtered out
284 all_string_sub(filter, "%u", user, sizeof(pstring));
286 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
289 /*******************************************************************
290 run the search by uid.
291 ******************************************************************/
292 static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state,
293 LDAP * ldap_struct, int uid,
294 LDAPMessage ** result)
299 /* Get the username from the system and look that up in the LDAP */
301 if ((user = getpwuid_alloc(uid)) == NULL) {
302 DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
303 return LDAP_NO_SUCH_OBJECT;
306 pstrcpy(filter, lp_ldap_filter());
308 all_string_sub(filter, "%u", user->pw_name, sizeof(pstring));
312 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
315 /*******************************************************************
316 run the search by rid.
317 ******************************************************************/
318 static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
319 LDAP * ldap_struct, uint32 rid,
320 LDAPMessage ** result)
325 /* check if the user rid exsists, if not, try searching on the uid */
327 snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
328 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
330 if (rc != LDAP_SUCCESS)
331 rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct,
332 fallback_pdb_user_rid_to_uid(rid),
338 /*******************************************************************
339 search an attribute and return the first value found.
340 ******************************************************************/
341 static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
342 char *attribute, char *value)
346 if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
348 DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
353 pstrcpy(value, values[0]);
354 ldap_value_free(values);
355 #ifdef DEBUG_PASSWORDS
356 DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
361 /************************************************************************
362 Routine to manage the LDAPMod structure array
363 manage memory used by the array, by each struct, and values
365 ************************************************************************/
366 static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
374 if (attribute == NULL || *attribute == '\0')
377 if (value == NULL || *value == '\0')
382 mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
385 DEBUG(0, ("make_a_mod: out of memory!\n"));
391 for (i = 0; mods[i] != NULL; ++i) {
392 if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
398 mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
401 DEBUG(0, ("make_a_mod: out of memory!\n"));
404 mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
407 DEBUG(0, ("make_a_mod: out of memory!\n"));
410 mods[i]->mod_op = modop;
411 mods[i]->mod_values = NULL;
412 mods[i]->mod_type = strdup(attribute);
419 if (mods[i]->mod_values != NULL) {
420 for (; mods[i]->mod_values[j] != NULL; j++);
422 mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
423 (j + 2) * sizeof (char *));
425 if (mods[i]->mod_values == NULL) {
426 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
429 mods[i]->mod_values[j] = strdup(value);
430 mods[i]->mod_values[j + 1] = NULL;
435 /* New Interface is being implemented here */
437 /**********************************************************************
438 Initialize SAM_ACCOUNT from an LDAP query
439 (Based on init_sam_from_buffer in pdb_tdb.c)
440 *********************************************************************/
441 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
442 SAM_ACCOUNT * sampass,
443 LDAP * ldap_struct, LDAPMessage * entry)
449 pass_can_change_time,
450 pass_must_change_time;
470 uint8 hours[MAX_HOURS_LEN];
473 gid_t gid = getegid();
477 * do a little initialization
481 nt_username[0] = '\0';
485 logon_script[0] = '\0';
486 profile_path[0] = '\0';
488 munged_dial[0] = '\0';
489 workstations[0] = '\0';
492 if (sampass == NULL || ldap_struct == NULL || entry == NULL) {
493 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
497 get_single_attribute(ldap_struct, entry, "uid", username);
498 DEBUG(2, ("Entry found for user: %s\n", username));
500 pstrcpy(nt_username, username);
502 pstrcpy(domain, lp_workgroup());
504 get_single_attribute(ldap_struct, entry, "rid", temp);
505 user_rid = (uint32)atol(temp);
506 if (!get_single_attribute(ldap_struct, entry, "primaryGroupID", temp)) {
509 group_rid = (uint32)atol(temp);
512 if ((ldap_state->permit_non_unix_accounts)
513 && (user_rid >= ldap_state->low_nua_rid)
514 && (user_rid <= ldap_state->high_nua_rid)) {
518 /* These values MAY be in LDAP, but they can also be retrieved through
519 * sys_getpw*() which is how we're doing it
522 pw = getpwnam_alloc(username);
524 DEBUG (2,("init_sam_from_ldap: User [%s] does not have a uid!\n", username));
532 pdb_set_uid(sampass, uid);
533 pdb_set_gid(sampass, gid);
535 if (group_rid == 0) {
537 /* call the mapping code here */
538 if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
539 sid_peek_rid(&map.sid, &group_rid);
542 group_rid=pdb_gid_to_group_rid(gid);
547 if (!get_single_attribute(ldap_struct, entry, "pwdLastSet", temp)) {
548 /* leave as default */
550 pass_last_set_time = (time_t) atol(temp);
551 pdb_set_pass_last_set_time(sampass, pass_last_set_time);
554 if (!get_single_attribute(ldap_struct, entry, "logonTime", temp)) {
555 /* leave as default */
557 logon_time = (time_t) atol(temp);
558 pdb_set_logon_time(sampass, logon_time, True);
561 if (!get_single_attribute(ldap_struct, entry, "logoffTime", temp)) {
562 /* leave as default */
564 logoff_time = (time_t) atol(temp);
565 pdb_set_logoff_time(sampass, logoff_time, True);
568 if (!get_single_attribute(ldap_struct, entry, "kickoffTime", temp)) {
569 /* leave as default */
571 kickoff_time = (time_t) atol(temp);
572 pdb_set_kickoff_time(sampass, kickoff_time, True);
575 if (!get_single_attribute(ldap_struct, entry, "pwdCanChange", temp)) {
576 /* leave as default */
578 pass_can_change_time = (time_t) atol(temp);
579 pdb_set_pass_can_change_time(sampass, pass_can_change_time, True);
582 if (!get_single_attribute(ldap_struct, entry, "pwdMustChange", temp)) {
583 /* leave as default */
585 pass_must_change_time = (time_t) atol(temp);
586 pdb_set_pass_must_change_time(sampass, pass_must_change_time, True);
589 /* recommend that 'gecos' and 'displayName' should refer to the same
590 * attribute OID. userFullName depreciated, only used by Samba
591 * primary rules of LDAP: don't make a new attribute when one is already defined
592 * that fits your needs; using cn then displayName rather than 'userFullName'
595 if (!get_single_attribute(ldap_struct, entry, "cn", fullname)) {
596 if (!get_single_attribute(ldap_struct, entry, "displayName", fullname)) {
597 /* leave as default */
599 pdb_set_fullname(sampass, fullname);
602 pdb_set_fullname(sampass, fullname);
605 if (!get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive)) {
606 pstrcpy(dir_drive, lp_logon_drive());
607 standard_sub_advanced(-1, username, "", gid, username, dir_drive);
608 DEBUG(5,("homeDrive fell back to %s\n",dir_drive));
609 pdb_set_dir_drive(sampass, dir_drive, False);
611 pdb_set_dir_drive(sampass, dir_drive, True);
614 if (!get_single_attribute(ldap_struct, entry, "smbHome", homedir)) {
615 pstrcpy(homedir, lp_logon_home());
616 standard_sub_advanced(-1, username, "", gid, username, homedir);
617 DEBUG(5,("smbHome fell back to %s\n",homedir));
618 pdb_set_homedir(sampass, homedir, False);
620 pdb_set_homedir(sampass, homedir, True);
623 if (!get_single_attribute(ldap_struct, entry, "scriptPath", logon_script)) {
624 pstrcpy(logon_script, lp_logon_script());
625 standard_sub_advanced(-1, username, "", gid, username, logon_script);
626 DEBUG(5,("scriptPath fell back to %s\n",logon_script));
627 pdb_set_logon_script(sampass, logon_script, False);
629 pdb_set_logon_script(sampass, logon_script, True);
632 if (!get_single_attribute(ldap_struct, entry, "profilePath", profile_path)) {
633 pstrcpy(profile_path, lp_logon_path());
634 standard_sub_advanced(-1, username, "", gid, username, profile_path);
635 DEBUG(5,("profilePath fell back to %s\n",profile_path));
636 pdb_set_profile_path(sampass, profile_path, False);
638 pdb_set_profile_path(sampass, profile_path, True);
641 if (!get_single_attribute(ldap_struct, entry, "description", acct_desc)) {
642 /* leave as default */
644 pdb_set_acct_desc(sampass, acct_desc);
647 if (!get_single_attribute(ldap_struct, entry, "userWorkstations", workstations)) {
648 /* leave as default */;
650 pdb_set_workstations(sampass, workstations);
653 /* FIXME: hours stuff should be cleaner */
657 memset(hours, 0xff, hours_len);
659 if (!get_single_attribute (ldap_struct, entry, "lmPassword", temp)) {
660 /* leave as default */
662 pdb_gethexpwd(temp, smblmpwd);
663 memset((char *)temp, '\0', sizeof(temp));
664 if (!pdb_set_lanman_passwd(sampass, smblmpwd))
668 if (!get_single_attribute (ldap_struct, entry, "ntPassword", temp)) {
669 /* leave as default */
671 pdb_gethexpwd(temp, smbntpwd);
672 memset((char *)temp, '\0', sizeof(temp));
673 if (!pdb_set_nt_passwd(sampass, smbntpwd))
677 if (!get_single_attribute (ldap_struct, entry, "acctFlags", temp)) {
678 acct_ctrl |= ACB_NORMAL;
680 acct_ctrl = pdb_decode_acct_ctrl(temp);
683 acct_ctrl |= ACB_NORMAL;
685 pdb_set_acct_ctrl(sampass, acct_ctrl);
688 pdb_set_hours_len(sampass, hours_len);
689 pdb_set_logon_divs(sampass, logon_divs);
691 pdb_set_user_rid(sampass, user_rid);
692 pdb_set_group_rid(sampass, group_rid);
694 pdb_set_username(sampass, username);
696 pdb_set_domain(sampass, domain);
697 pdb_set_nt_username(sampass, nt_username);
699 pdb_set_munged_dial(sampass, munged_dial);
701 /* pdb_set_unknown_3(sampass, unknown3); */
702 /* pdb_set_unknown_5(sampass, unknown5); */
703 /* pdb_set_unknown_6(sampass, unknown6); */
705 pdb_set_hours(sampass, hours);
710 /**********************************************************************
711 Initialize SAM_ACCOUNT from an LDAP query
712 (Based on init_buffer_from_sam in pdb_tdb.c)
713 *********************************************************************/
714 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
715 LDAPMod *** mods, int ldap_op,
716 const SAM_ACCOUNT * sampass)
721 if (mods == NULL || sampass == NULL) {
722 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
729 * took out adding "objectclass: sambaAccount"
730 * do this on a per-mod basis
733 make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass));
734 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
736 if ( pdb_get_user_rid(sampass) ) {
737 rid = pdb_get_user_rid(sampass);
738 } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) {
739 rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(sampass));
740 } else if (ldap_state->permit_non_unix_accounts) {
741 rid = ldapsam_get_next_available_nua_rid(ldap_state);
743 DEBUG(0, ("NO user RID specified on account %s, and finding next available NUA RID failed, cannot store!\n", pdb_get_username(sampass)));
747 DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
751 slprintf(temp, sizeof(temp) - 1, "%i", rid);
752 make_a_mod(mods, ldap_op, "rid", temp);
754 if ( pdb_get_group_rid(sampass) ) {
755 rid = pdb_get_group_rid(sampass);
756 } else if (IS_SAM_SET(sampass, FLAG_SAM_GID)) {
757 rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
758 } else if (ldap_state->permit_non_unix_accounts) {
759 rid = DOMAIN_GROUP_RID_USERS;
761 DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
765 slprintf(temp, sizeof(temp) - 1, "%i", rid);
766 make_a_mod(mods, ldap_op, "primaryGroupID", temp);
768 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
769 make_a_mod(mods, ldap_op, "pwdLastSet", temp);
771 /* displayName, cn, and gecos should all be the same
772 * most easily accomplished by giving them the same OID
773 * gecos isn't set here b/c it should be handled by the
777 make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass));
778 make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass));
779 make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass));
780 make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass));
783 * Only updates fields which have been set (not defaults from smb.conf)
786 if (IS_SAM_SET(sampass, FLAG_SAM_SMBHOME))
787 make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass));
789 if (IS_SAM_SET(sampass, FLAG_SAM_DRIVE))
790 make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dirdrive(sampass));
792 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONSCRIPT))
793 make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass));
795 if (IS_SAM_SET(sampass, FLAG_SAM_PROFILE))
796 make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass));
798 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONTIME)) {
799 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
800 make_a_mod(mods, ldap_op, "logonTime", temp);
803 if (IS_SAM_SET(sampass, FLAG_SAM_LOGOFFTIME)) {
804 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
805 make_a_mod(mods, ldap_op, "logoffTime", temp);
808 if (IS_SAM_SET(sampass, FLAG_SAM_KICKOFFTIME)) {
809 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
810 make_a_mod(mods, ldap_op, "kickoffTime", temp);
813 if (IS_SAM_SET(sampass, FLAG_SAM_CANCHANGETIME)) {
814 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
815 make_a_mod(mods, ldap_op, "pwdCanChange", temp);
818 if (IS_SAM_SET(sampass, FLAG_SAM_MUSTCHANGETIME)) {
819 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
820 make_a_mod(mods, ldap_op, "pwdMustChange", temp);
823 /* FIXME: Hours stuff goes in LDAP */
824 pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
825 make_a_mod (mods, ldap_op, "lmPassword", temp);
827 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
828 make_a_mod (mods, ldap_op, "ntPassword", temp);
830 make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
831 NEW_PW_FORMAT_SPACE_PADDED_LEN));
837 /**********************************************************************
838 Connect to LDAP server and find the next available RID.
839 *********************************************************************/
840 static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid, LDAP *ldap_struct)
843 uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
848 if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) {
852 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, final_rid, &result) != LDAP_SUCCESS) {
853 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid));
855 ldap_msgfree(result);
858 if (ldap_count_entries(ldap_struct, result) != 0)
860 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid));
862 ldap_msgfree(result);
865 DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid));
869 /**********************************************************************
870 Extract the RID from an LDAP entry
871 *********************************************************************/
872 static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry, LDAP *ldap_struct) {
874 SAM_ACCOUNT *user = NULL;
875 if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
879 if (init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
880 rid = pdb_get_user_rid(user);
885 if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) {
892 /**********************************************************************
893 Connect to LDAP server and find the next available RID.
894 *********************************************************************/
895 static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state, LDAP *ldap_struct)
901 char *final_filter = NULL;
906 pstrcpy(filter, lp_ldap_filter());
907 all_string_sub(filter, "%u", "*", sizeof(pstring));
910 asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid);
912 final_filter = strdup(filter);
914 DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
916 rc = ldap_search_s(ldap_struct, lp_ldap_suffix(),
917 LDAP_SCOPE_SUBTREE, final_filter, NULL, 0,
920 if (rc != LDAP_SUCCESS)
923 DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
924 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
927 ldap_msgfree(result);
932 count = ldap_count_entries(ldap_struct, result);
933 DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count));
936 DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc)));
937 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
939 ldap_msgfree(result);
941 return ldap_state->low_nua_rid;
945 entry = ldap_first_entry(ldap_struct,result);
947 top_rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
949 while ((entry = ldap_next_entry(ldap_struct, entry))) {
951 rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
957 ldap_msgfree(result);
961 /**********************************************************************
962 Connect to LDAP server and find the next available RID.
963 *********************************************************************/
964 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) {
969 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
973 if (!ldapsam_connect_system(ldap_state, ldap_struct))
975 ldap_unbind(ldap_struct);
979 top_nua_rid = search_top_nua_rid(ldap_state, ldap_struct);
981 next_nua_rid = check_nua_rid_is_avail(ldap_state,
982 top_nua_rid, ldap_struct);
984 ldap_unbind(ldap_struct);
988 /**********************************************************************
989 Connect to LDAP server for password enumeration
990 *********************************************************************/
991 static BOOL ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
993 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
997 if (!ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))
1001 if (!ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))
1003 ldap_unbind(ldap_state->ldap_struct);
1007 pstrcpy(filter, lp_ldap_filter());
1008 all_string_sub(filter, "%u", "*", sizeof(pstring));
1010 rc = ldap_search_s(ldap_state->ldap_struct, lp_ldap_suffix(),
1011 LDAP_SCOPE_SUBTREE, filter, NULL, 0,
1012 &ldap_state->result);
1014 if (rc != LDAP_SUCCESS)
1016 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
1017 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
1018 ldap_msgfree(ldap_state->result);
1019 ldap_unbind(ldap_state->ldap_struct);
1020 ldap_state->ldap_struct = NULL;
1021 ldap_state->result = NULL;
1025 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1026 ldap_count_entries(ldap_state->ldap_struct,
1027 ldap_state->result)));
1029 ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
1030 ldap_state->result);
1031 ldap_state->index = 0;
1036 /**********************************************************************
1037 End enumeration of the LDAP password list
1038 *********************************************************************/
1039 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1041 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1042 if (ldap_state->ldap_struct && ldap_state->result)
1044 ldap_msgfree(ldap_state->result);
1045 ldap_unbind(ldap_state->ldap_struct);
1046 ldap_state->ldap_struct = NULL;
1047 ldap_state->result = NULL;
1051 /**********************************************************************
1052 Get the next entry in the LDAP password database
1053 *********************************************************************/
1054 static BOOL ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT * user)
1056 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1060 if (!ldap_state->entry)
1063 ldap_state->index++;
1064 ret = init_sam_from_ldap(ldap_state, user, ldap_state->ldap_struct,
1067 ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
1075 /**********************************************************************
1076 Get SAM_ACCOUNT entry from LDAP by username
1077 *********************************************************************/
1078 static BOOL ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const char *sname)
1080 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1082 LDAPMessage *result;
1085 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1087 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1089 ldap_unbind(ldap_struct);
1092 if (ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result) != LDAP_SUCCESS)
1094 ldap_unbind(ldap_struct);
1097 if (ldap_count_entries(ldap_struct, result) < 1)
1100 ("We didn't find the user [%s] count=%d\n", sname,
1101 ldap_count_entries(ldap_struct, result)));
1102 ldap_unbind(ldap_struct);
1105 entry = ldap_first_entry(ldap_struct, result);
1108 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1109 DEBUG(0,("ldapsam_getsampwnam: init_sam_from_ldap failed!\n"));
1110 ldap_msgfree(result);
1111 ldap_unbind(ldap_struct);
1114 ldap_msgfree(result);
1115 ldap_unbind(ldap_struct);
1120 ldap_msgfree(result);
1121 ldap_unbind(ldap_struct);
1126 /**********************************************************************
1127 Get SAM_ACCOUNT entry from LDAP by rid
1128 *********************************************************************/
1129 static BOOL ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, uint32 rid)
1131 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1133 LDAPMessage *result;
1136 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1139 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1141 ldap_unbind(ldap_struct);
1144 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, rid, &result) !=
1147 ldap_unbind(ldap_struct);
1151 if (ldap_count_entries(ldap_struct, result) < 1)
1154 ("We didn't find the rid [%i] count=%d\n", rid,
1155 ldap_count_entries(ldap_struct, result)));
1156 ldap_unbind(ldap_struct);
1160 entry = ldap_first_entry(ldap_struct, result);
1163 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1164 DEBUG(0,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1165 ldap_msgfree(result);
1166 ldap_unbind(ldap_struct);
1169 ldap_msgfree(result);
1170 ldap_unbind(ldap_struct);
1175 ldap_msgfree(result);
1176 ldap_unbind(ldap_struct);
1181 /**********************************************************************
1182 Delete entry from LDAP for username
1183 *********************************************************************/
1184 static BOOL ldapsam_delete_sam_account(struct pdb_methods *my_methods, const SAM_ACCOUNT * sam_acct)
1186 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1192 LDAPMessage *result;
1195 DEBUG(0, ("sam_acct was NULL!\n"));
1199 sname = pdb_get_username(sam_acct);
1201 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1204 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
1206 if (!ldapsam_connect_system(ldap_state, ldap_struct)) {
1207 ldap_unbind (ldap_struct);
1208 DEBUG(0, ("failed to delete user %s from the LDAP database.\n", sname));
1212 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result);
1213 if (ldap_count_entries (ldap_struct, result) == 0) {
1214 DEBUG (0, ("User doesn't exit!\n"));
1215 ldap_msgfree (result);
1216 ldap_unbind (ldap_struct);
1220 entry = ldap_first_entry (ldap_struct, result);
1221 dn = ldap_get_dn (ldap_struct, entry);
1223 rc = ldap_delete_s (ldap_struct, dn);
1226 if (rc != LDAP_SUCCESS) {
1228 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1229 DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
1230 sname, ldap_err2string (rc), ld_error));
1232 ldap_unbind (ldap_struct);
1236 DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
1237 ldap_unbind (ldap_struct);
1241 /**********************************************************************
1243 *********************************************************************/
1244 static BOOL ldapsam_update_sam_account(struct pdb_methods *my_methods, const SAM_ACCOUNT * newpwd)
1246 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1250 LDAPMessage *result;
1254 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1257 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1259 ldap_unbind(ldap_struct);
1263 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct,
1264 pdb_get_username(newpwd), &result);
1266 if (ldap_count_entries(ldap_struct, result) == 0)
1268 DEBUG(0, ("No user to modify!\n"));
1269 ldap_msgfree(result);
1270 ldap_unbind(ldap_struct);
1274 if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, newpwd)) {
1275 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1276 ldap_msgfree(result);
1277 ldap_unbind(ldap_struct);
1281 entry = ldap_first_entry(ldap_struct, result);
1282 dn = ldap_get_dn(ldap_struct, entry);
1284 rc = ldap_modify_s(ldap_struct, dn, mods);
1286 if (rc != LDAP_SUCCESS)
1289 ldap_get_option(ldap_struct, LDAP_OPT_ERROR_STRING,
1292 ("failed to modify user with uid = %s with: %s\n\t%s\n",
1293 pdb_get_username(newpwd), ldap_err2string(rc),
1296 ldap_unbind(ldap_struct);
1301 ("successfully modified uid = %s in the LDAP database\n",
1302 pdb_get_username(newpwd)));
1303 ldap_mods_free(mods, 1);
1304 ldap_unbind(ldap_struct);
1308 /**********************************************************************
1309 Add SAM_ACCOUNT to LDAP
1310 *********************************************************************/
1311 static BOOL ldapsam_add_sam_account(struct pdb_methods *my_methods, const SAM_ACCOUNT * newpwd)
1313 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1316 LDAP *ldap_struct = NULL;
1317 LDAPMessage *result = NULL;
1319 LDAPMod **mods = NULL;
1323 const char *username = pdb_get_username(newpwd);
1324 if (!username || !*username) {
1325 DEBUG(0, ("Cannot add user without a username!\n"));
1329 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1334 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1336 ldap_unbind(ldap_struct);
1340 rc = ldapsam_search_one_user_by_name (ldap_state, ldap_struct, username, &result);
1342 if (ldap_count_entries(ldap_struct, result) != 0)
1344 DEBUG(0,("User already in the base, with samba properties\n"));
1345 ldap_msgfree(result);
1346 ldap_unbind(ldap_struct);
1349 ldap_msgfree(result);
1351 slprintf (filter, sizeof (filter) - 1, "uid=%s", username);
1352 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, &result);
1353 num_result = ldap_count_entries(ldap_struct, result);
1355 if (num_result > 1) {
1356 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
1357 ldap_msgfree(result);
1361 /* Check if we need to update an existing entry */
1362 if (num_result == 1) {
1366 DEBUG(3,("User exists without samba properties: adding them\n"));
1367 ldap_op = LDAP_MOD_REPLACE;
1368 entry = ldap_first_entry (ldap_struct, result);
1369 tmp = ldap_get_dn (ldap_struct, entry);
1370 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1374 /* Check if we need to add an entry */
1375 DEBUG(3,("Adding new user\n"));
1376 ldap_op = LDAP_MOD_ADD;
1377 if (username[strlen(username)-1] == '$') {
1378 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
1380 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
1384 ldap_msgfree(result);
1386 if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, newpwd)) {
1387 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1388 ldap_mods_free(mods, 1);
1389 ldap_unbind(ldap_struct);
1392 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
1394 if (ldap_op == LDAP_MOD_REPLACE) {
1395 rc = ldap_modify_s(ldap_struct, dn, mods);
1398 rc = ldap_add_s(ldap_struct, dn, mods);
1401 if (rc != LDAP_SUCCESS)
1405 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1406 DEBUG(0,("failed to modify/add user with uid = %s (dn = %s) with: %s\n\t%s\n",
1407 pdb_get_username(newpwd), dn, ldap_err2string (rc), ld_error));
1409 ldap_mods_free(mods, 1);
1410 ldap_unbind(ldap_struct);
1414 DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
1415 ldap_mods_free(mods, 1);
1416 ldap_unbind(ldap_struct);
1420 static void free_private_data(void **vp)
1422 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
1424 if ((*ldap_state)->ldap_struct) {
1425 ldap_unbind((*ldap_state)->ldap_struct);
1430 /* No need to free any further, as it is talloc()ed */
1433 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1436 struct ldapsam_privates *ldap_state;
1438 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
1442 (*pdb_method)->name = "ldapsam";
1444 (*pdb_method)->setsampwent = ldapsam_setsampwent;
1445 (*pdb_method)->endsampwent = ldapsam_endsampwent;
1446 (*pdb_method)->getsampwent = ldapsam_getsampwent;
1447 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
1448 (*pdb_method)->getsampwrid = ldapsam_getsampwrid;
1449 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
1450 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
1451 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
1453 /* TODO: Setup private data and free */
1455 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
1458 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1459 return NT_STATUS_NO_MEMORY;
1463 ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
1465 ldap_state->uri = "ldap://localhost";
1468 (*pdb_method)->private_data = ldap_state;
1470 (*pdb_method)->free_private_data = free_private_data;
1472 return NT_STATUS_OK;
1475 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1478 struct ldapsam_privates *ldap_state;
1479 uint32 low_nua_uid, high_nua_uid;
1481 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
1485 (*pdb_method)->name = "ldapsam_nua";
1487 ldap_state = (*pdb_method)->private_data;
1489 ldap_state->permit_non_unix_accounts = True;
1491 if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
1492 DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n"));
1493 return NT_STATUS_UNSUCCESSFUL;
1496 ldap_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
1498 ldap_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
1500 return NT_STATUS_OK;
1506 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1508 DEBUG(0, ("ldap not detected at configure time, ldapsam not availalble!\n"));
1509 return NT_STATUS_UNSUCCESSFUL;
1512 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1514 DEBUG(0, ("ldap not dectected at configure time, ldapsam_nua not available!\n"));
1515 return NT_STATUS_UNSUCCESSFUL;