2 Unix SMB/CIFS implementation.
3 LDAP protocol helper functions for SAMBA
4 Copyright (C) Gerald Carter 2001
5 Copyright (C) Shahms King 2001
6 Copyright (C) Jean François Micouleau 1998
7 Copyright (C) Andrew Bartlett 2002
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * persistent connections: if using NSS LDAP, many connections are made
30 * however, using only one within Samba would be nice
32 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
34 * Other LDAP based login attributes: accountExpires, etc.
35 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
36 * structures don't have fields for some of these attributes)
38 * SSL is done, but can't get the certificate based authentication to work
39 * against on my test platform (Linux 2.4, OpenLDAP 2.x)
42 /* NOTE: this will NOT work against an Active Directory server
43 * due to the fact that the two password fields cannot be retrieved
44 * from a server; recommend using security = domain in this situation
52 #define SAM_ACCOUNT struct sam_passwd
55 struct ldapsam_privates {
63 /* retrive-once info */
66 BOOL permit_non_unix_accounts;
72 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state);
74 /*******************************************************************
75 find the ldap password
76 ******************************************************************/
77 static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len)
86 if (*p == ',') *p = '/';
88 data=secrets_fetch(key, &size);
90 DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n"));
96 DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1));
100 memcpy(pw, data, size);
107 /*******************************************************************
108 open a connection to the ldap server.
109 ******************************************************************/
110 static BOOL ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
113 if (geteuid() != 0) {
114 DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root..\n"));
118 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
119 DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
121 if (ldap_initialize(ldap_struct, ldap_state->uri) != LDAP_SUCCESS) {
122 DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
127 /* Parse the string manually */
131 int tls = LDAP_OPT_X_TLS_HARD;
136 const char *p = ldap_state->uri;
137 SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
139 /* skip leading "URL:" (if any) */
140 if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
144 sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
147 if (strequal(protocol, "ldap")) {
149 } else if (strequal(protocol, "ldaps")) {
152 DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
156 if ((*ldap_struct = ldap_init(host, port)) == NULL) {
157 DEBUG(0, ("ldap_init failed !\n"));
161 /* Connect to older servers using SSL and V2 rather than Start TLS */
162 if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
164 if (version != LDAP_VERSION2)
166 version = LDAP_VERSION2;
167 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
171 if (strequal(protocol, "ldaps")) {
172 if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
173 if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
174 &version) == LDAP_OPT_SUCCESS)
176 if (version < LDAP_VERSION3)
178 version = LDAP_VERSION3;
179 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
183 if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
185 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
186 ldap_err2string(rc)));
189 DEBUG (2, ("StartTLS issued: using a TLS connection\n"));
192 if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
194 DEBUG(0, ("Failed to setup a TLS session\n"));
199 * No special needs to setup options prior to the LDAP
200 * bind (which should be called next via ldap_connect_system()
206 DEBUG(2, ("ldap_open_connection: connection opened\n"));
210 /*******************************************************************
211 connect to the ldap server under system privilege.
212 ******************************************************************/
213 static BOOL ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
216 static BOOL got_pw = False;
217 static pstring ldap_secret;
219 /* get the password if we don't have it already */
220 if (!got_pw && !(got_pw=fetch_ldapsam_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring))))
222 DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
223 lp_ldap_admin_dn()));
227 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
228 (OpenLDAP) doesnt' seem to support it */
230 DEBUG(10,("ldap_connect_system: Binding to ldap server as \"%s\"\n",
231 lp_ldap_admin_dn()));
233 if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(),
234 ldap_secret)) != LDAP_SUCCESS)
236 DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc)));
240 DEBUG(2, ("ldap_connect_system: successful connection to the LDAP server\n"));
244 /*******************************************************************
245 run the search by name.
246 ******************************************************************/
247 static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *filter, LDAPMessage ** result)
249 int scope = LDAP_SCOPE_SUBTREE;
252 DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
254 rc = ldap_search_s(ldap_struct, lp_ldap_suffix (), scope, filter, NULL, 0, result);
256 if (rc != LDAP_SUCCESS) {
257 DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n",
258 ldap_err2string (rc)));
259 DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
266 /*******************************************************************
267 run the search by name.
268 ******************************************************************/
269 static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *user,
270 LDAPMessage ** result)
275 * in the filter expression, replace %u with the real name
276 * so in ldap filter, %u MUST exist :-)
278 pstrcpy(filter, lp_ldap_filter());
281 * have to use this here because $ is filtered out
284 all_string_sub(filter, "%u", user, sizeof(pstring));
286 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
289 /*******************************************************************
290 run the search by uid.
291 ******************************************************************/
292 static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state,
293 LDAP * ldap_struct, int uid,
294 LDAPMessage ** result)
299 /* Get the username from the system and look that up in the LDAP */
301 if ((user = getpwuid_alloc(uid)) == NULL) {
302 DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
303 return LDAP_NO_SUCH_OBJECT;
306 pstrcpy(filter, lp_ldap_filter());
308 all_string_sub(filter, "%u", user->pw_name, sizeof(pstring));
312 return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
315 /*******************************************************************
316 run the search by rid.
317 ******************************************************************/
318 static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
319 LDAP * ldap_struct, uint32 rid,
320 LDAPMessage ** result)
325 /* check if the user rid exsists, if not, try searching on the uid */
327 snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
328 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, result);
330 if (rc != LDAP_SUCCESS)
331 rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct,
332 fallback_pdb_user_rid_to_uid(rid),
338 /*******************************************************************
339 search an attribute and return the first value found.
340 ******************************************************************/
341 static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
342 char *attribute, pstring value)
346 if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
348 DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
353 pstrcpy(value, values[0]);
354 ldap_value_free(values);
355 #ifdef DEBUG_PASSWORDS
356 DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
361 /************************************************************************
362 Routine to manage the LDAPMod structure array
363 manage memory used by the array, by each struct, and values
365 ************************************************************************/
366 static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
374 if (attribute == NULL || *attribute == '\0')
377 if (value == NULL || *value == '\0')
382 mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
385 DEBUG(0, ("make_a_mod: out of memory!\n"));
391 for (i = 0; mods[i] != NULL; ++i) {
392 if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
398 mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
401 DEBUG(0, ("make_a_mod: out of memory!\n"));
404 mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
407 DEBUG(0, ("make_a_mod: out of memory!\n"));
410 mods[i]->mod_op = modop;
411 mods[i]->mod_values = NULL;
412 mods[i]->mod_type = strdup(attribute);
419 if (mods[i]->mod_values != NULL) {
420 for (; mods[i]->mod_values[j] != NULL; j++);
422 mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
423 (j + 2) * sizeof (char *));
425 if (mods[i]->mod_values == NULL) {
426 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
429 mods[i]->mod_values[j] = strdup(value);
430 mods[i]->mod_values[j + 1] = NULL;
435 /* New Interface is being implemented here */
437 /**********************************************************************
438 Initialize SAM_ACCOUNT from an LDAP query
439 (Based on init_sam_from_buffer in pdb_tdb.c)
440 *********************************************************************/
441 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
442 SAM_ACCOUNT * sampass,
443 LDAP * ldap_struct, LDAPMessage * entry)
449 pass_can_change_time,
450 pass_must_change_time;
470 uint8 hours[MAX_HOURS_LEN];
473 gid_t gid = getegid();
477 * do a little initialization
481 nt_username[0] = '\0';
485 logon_script[0] = '\0';
486 profile_path[0] = '\0';
488 munged_dial[0] = '\0';
489 workstations[0] = '\0';
492 if (sampass == NULL || ldap_struct == NULL || entry == NULL) {
493 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
497 get_single_attribute(ldap_struct, entry, "uid", username);
498 DEBUG(2, ("Entry found for user: %s\n", username));
500 pstrcpy(nt_username, username);
502 pstrcpy(domain, lp_workgroup());
504 get_single_attribute(ldap_struct, entry, "rid", temp);
505 user_rid = (uint32)atol(temp);
506 if (!get_single_attribute(ldap_struct, entry, "primaryGroupID", temp)) {
509 group_rid = (uint32)atol(temp);
512 if ((ldap_state->permit_non_unix_accounts)
513 && (user_rid >= ldap_state->low_nua_rid)
514 && (user_rid <= ldap_state->high_nua_rid)) {
518 /* These values MAY be in LDAP, but they can also be retrieved through
519 * sys_getpw*() which is how we're doing it
522 pw = getpwnam_alloc(username);
524 DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a uid!\n", username));
530 pdb_set_unix_homedir(sampass, pw->pw_dir);
534 pdb_set_uid(sampass, uid);
535 pdb_set_gid(sampass, gid);
537 if (group_rid == 0) {
539 /* call the mapping code here */
540 if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
541 sid_peek_rid(&map.sid, &group_rid);
544 group_rid=pdb_gid_to_group_rid(gid);
549 if (!get_single_attribute(ldap_struct, entry, "pwdLastSet", temp)) {
550 /* leave as default */
552 pass_last_set_time = (time_t) atol(temp);
553 pdb_set_pass_last_set_time(sampass, pass_last_set_time);
556 if (!get_single_attribute(ldap_struct, entry, "logonTime", temp)) {
557 /* leave as default */
559 logon_time = (time_t) atol(temp);
560 pdb_set_logon_time(sampass, logon_time, True);
563 if (!get_single_attribute(ldap_struct, entry, "logoffTime", temp)) {
564 /* leave as default */
566 logoff_time = (time_t) atol(temp);
567 pdb_set_logoff_time(sampass, logoff_time, True);
570 if (!get_single_attribute(ldap_struct, entry, "kickoffTime", temp)) {
571 /* leave as default */
573 kickoff_time = (time_t) atol(temp);
574 pdb_set_kickoff_time(sampass, kickoff_time, True);
577 if (!get_single_attribute(ldap_struct, entry, "pwdCanChange", temp)) {
578 /* leave as default */
580 pass_can_change_time = (time_t) atol(temp);
581 pdb_set_pass_can_change_time(sampass, pass_can_change_time, True);
584 if (!get_single_attribute(ldap_struct, entry, "pwdMustChange", temp)) {
585 /* leave as default */
587 pass_must_change_time = (time_t) atol(temp);
588 pdb_set_pass_must_change_time(sampass, pass_must_change_time, True);
591 /* recommend that 'gecos' and 'displayName' should refer to the same
592 * attribute OID. userFullName depreciated, only used by Samba
593 * primary rules of LDAP: don't make a new attribute when one is already defined
594 * that fits your needs; using cn then displayName rather than 'userFullName'
597 if (!get_single_attribute(ldap_struct, entry, "cn", fullname)) {
598 if (!get_single_attribute(ldap_struct, entry, "displayName", fullname)) {
599 /* leave as default */
601 pdb_set_fullname(sampass, fullname);
604 pdb_set_fullname(sampass, fullname);
607 if (!get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive)) {
608 pdb_set_dir_drive(sampass, standard_sub_specified(sampass->mem_ctx,
614 pdb_set_dir_drive(sampass, dir_drive, True);
617 if (!get_single_attribute(ldap_struct, entry, "smbHome", homedir)) {
618 pdb_set_dir_drive(sampass, standard_sub_specified(sampass->mem_ctx,
624 pdb_set_homedir(sampass, homedir, True);
627 if (!get_single_attribute(ldap_struct, entry, "scriptPath", logon_script)) {
628 pdb_set_logon_script(sampass, standard_sub_specified(sampass->mem_ctx,
634 pdb_set_logon_script(sampass, logon_script, True);
637 if (!get_single_attribute(ldap_struct, entry, "profilePath", profile_path)) {
638 pdb_set_profile_path(sampass, standard_sub_specified(sampass->mem_ctx,
644 pdb_set_profile_path(sampass, profile_path, True);
647 if (!get_single_attribute(ldap_struct, entry, "description", acct_desc)) {
648 /* leave as default */
650 pdb_set_acct_desc(sampass, acct_desc);
653 if (!get_single_attribute(ldap_struct, entry, "userWorkstations", workstations)) {
654 /* leave as default */;
656 pdb_set_workstations(sampass, workstations);
659 /* FIXME: hours stuff should be cleaner */
663 memset(hours, 0xff, hours_len);
665 if (!get_single_attribute (ldap_struct, entry, "lmPassword", temp)) {
666 /* leave as default */
668 pdb_gethexpwd(temp, smblmpwd);
669 memset((char *)temp, '\0', sizeof(temp));
670 if (!pdb_set_lanman_passwd(sampass, smblmpwd))
674 if (!get_single_attribute (ldap_struct, entry, "ntPassword", temp)) {
675 /* leave as default */
677 pdb_gethexpwd(temp, smbntpwd);
678 memset((char *)temp, '\0', sizeof(temp));
679 if (!pdb_set_nt_passwd(sampass, smbntpwd))
683 if (!get_single_attribute (ldap_struct, entry, "acctFlags", temp)) {
684 acct_ctrl |= ACB_NORMAL;
686 acct_ctrl = pdb_decode_acct_ctrl(temp);
689 acct_ctrl |= ACB_NORMAL;
691 pdb_set_acct_ctrl(sampass, acct_ctrl);
694 pdb_set_hours_len(sampass, hours_len);
695 pdb_set_logon_divs(sampass, logon_divs);
697 pdb_set_user_rid(sampass, user_rid);
698 pdb_set_group_rid(sampass, group_rid);
700 pdb_set_username(sampass, username);
702 pdb_set_domain(sampass, domain);
703 pdb_set_nt_username(sampass, nt_username);
705 pdb_set_munged_dial(sampass, munged_dial);
707 /* pdb_set_unknown_3(sampass, unknown3); */
708 /* pdb_set_unknown_5(sampass, unknown5); */
709 /* pdb_set_unknown_6(sampass, unknown6); */
711 pdb_set_hours(sampass, hours);
716 /**********************************************************************
717 Initialize SAM_ACCOUNT from an LDAP query
718 (Based on init_buffer_from_sam in pdb_tdb.c)
719 *********************************************************************/
720 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
721 LDAPMod *** mods, int ldap_op,
722 const SAM_ACCOUNT * sampass)
727 if (mods == NULL || sampass == NULL) {
728 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
735 * took out adding "objectclass: sambaAccount"
736 * do this on a per-mod basis
739 make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass));
740 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
742 if ( pdb_get_user_rid(sampass) ) {
743 rid = pdb_get_user_rid(sampass);
744 } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) {
745 rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(sampass));
746 } else if (ldap_state->permit_non_unix_accounts) {
747 rid = ldapsam_get_next_available_nua_rid(ldap_state);
749 DEBUG(0, ("NO user RID specified on account %s, and findining next available NUA RID failed, cannot store!\n", pdb_get_username(sampass)));
753 DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
757 slprintf(temp, sizeof(temp) - 1, "%i", rid);
758 make_a_mod(mods, ldap_op, "rid", temp);
760 if ( pdb_get_group_rid(sampass) ) {
761 rid = pdb_get_group_rid(sampass);
762 } else if (IS_SAM_SET(sampass, FLAG_SAM_GID)) {
763 rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
764 } else if (ldap_state->permit_non_unix_accounts) {
765 rid = DOMAIN_GROUP_RID_USERS;
767 DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass)));
771 slprintf(temp, sizeof(temp) - 1, "%i", rid);
772 make_a_mod(mods, ldap_op, "primaryGroupID", temp);
774 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
775 make_a_mod(mods, ldap_op, "pwdLastSet", temp);
777 /* displayName, cn, and gecos should all be the same
778 * most easily accomplished by giving them the same OID
779 * gecos isn't set here b/c it should be handled by the
783 make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass));
784 make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass));
785 make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass));
786 make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass));
789 * Only updates fields which have been set (not defaults from smb.conf)
792 if (IS_SAM_SET(sampass, FLAG_SAM_SMBHOME))
793 make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass));
795 if (IS_SAM_SET(sampass, FLAG_SAM_DRIVE))
796 make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dirdrive(sampass));
798 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONSCRIPT))
799 make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass));
801 if (IS_SAM_SET(sampass, FLAG_SAM_PROFILE))
802 make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass));
804 if (IS_SAM_SET(sampass, FLAG_SAM_LOGONTIME)) {
805 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
806 make_a_mod(mods, ldap_op, "logonTime", temp);
809 if (IS_SAM_SET(sampass, FLAG_SAM_LOGOFFTIME)) {
810 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
811 make_a_mod(mods, ldap_op, "logoffTime", temp);
814 if (IS_SAM_SET(sampass, FLAG_SAM_KICKOFFTIME)) {
815 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
816 make_a_mod(mods, ldap_op, "kickoffTime", temp);
819 if (IS_SAM_SET(sampass, FLAG_SAM_CANCHANGETIME)) {
820 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
821 make_a_mod(mods, ldap_op, "pwdCanChange", temp);
824 if (IS_SAM_SET(sampass, FLAG_SAM_MUSTCHANGETIME)) {
825 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
826 make_a_mod(mods, ldap_op, "pwdMustChange", temp);
829 /* FIXME: Hours stuff goes in LDAP */
830 pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
831 make_a_mod (mods, ldap_op, "lmPassword", temp);
833 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
834 make_a_mod (mods, ldap_op, "ntPassword", temp);
836 make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
837 NEW_PW_FORMAT_SPACE_PADDED_LEN));
843 /**********************************************************************
844 Connect to LDAP server and find the next available RID.
845 *********************************************************************/
846 static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid, LDAP *ldap_struct)
849 uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
854 if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) {
858 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, final_rid, &result) != LDAP_SUCCESS) {
859 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid));
861 ldap_msgfree(result);
864 if (ldap_count_entries(ldap_struct, result) != 0)
866 DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid));
868 ldap_msgfree(result);
871 DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid));
875 /**********************************************************************
876 Extract the RID from an LDAP entry
877 *********************************************************************/
878 static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry, LDAP *ldap_struct) {
880 SAM_ACCOUNT *user = NULL;
881 if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
885 if (init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
886 rid = pdb_get_user_rid(user);
891 if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) {
898 /**********************************************************************
899 Connect to LDAP server and find the next available RID.
900 *********************************************************************/
901 static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state, LDAP *ldap_struct)
907 char *final_filter = NULL;
912 pstrcpy(filter, lp_ldap_filter());
913 all_string_sub(filter, "%u", "*", sizeof(pstring));
916 asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid);
918 final_filter = strdup(filter);
920 DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
922 rc = ldap_search_s(ldap_struct, lp_ldap_suffix(),
923 LDAP_SCOPE_SUBTREE, final_filter, NULL, 0,
926 if (rc != LDAP_SUCCESS)
929 DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc)));
930 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
933 ldap_msgfree(result);
938 count = ldap_count_entries(ldap_struct, result);
939 DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count));
942 DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc)));
943 DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter));
945 ldap_msgfree(result);
947 return ldap_state->low_nua_rid;
951 entry = ldap_first_entry(ldap_struct,result);
953 top_rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
955 while ((entry = ldap_next_entry(ldap_struct, entry))) {
957 rid = entry_to_user_rid(ldap_state, entry, ldap_struct);
963 ldap_msgfree(result);
967 /**********************************************************************
968 Connect to LDAP server and find the next available RID.
969 *********************************************************************/
970 static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) {
975 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
979 if (!ldapsam_connect_system(ldap_state, ldap_struct))
981 ldap_unbind(ldap_struct);
985 top_nua_rid = search_top_nua_rid(ldap_state, ldap_struct);
987 next_nua_rid = check_nua_rid_is_avail(ldap_state,
988 top_nua_rid, ldap_struct);
990 ldap_unbind(ldap_struct);
994 /**********************************************************************
995 Connect to LDAP server for password enumeration
996 *********************************************************************/
997 static BOOL ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
999 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1003 if (!ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))
1007 if (!ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))
1009 ldap_unbind(ldap_state->ldap_struct);
1013 pstrcpy(filter, lp_ldap_filter());
1014 all_string_sub(filter, "%u", "*", sizeof(pstring));
1016 rc = ldap_search_s(ldap_state->ldap_struct, lp_ldap_suffix(),
1017 LDAP_SCOPE_SUBTREE, filter, NULL, 0,
1018 &ldap_state->result);
1020 if (rc != LDAP_SUCCESS)
1022 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
1023 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
1024 ldap_msgfree(ldap_state->result);
1025 ldap_unbind(ldap_state->ldap_struct);
1026 ldap_state->ldap_struct = NULL;
1027 ldap_state->result = NULL;
1031 DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1032 ldap_count_entries(ldap_state->ldap_struct,
1033 ldap_state->result)));
1035 ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct,
1036 ldap_state->result);
1037 ldap_state->index = 0;
1042 /**********************************************************************
1043 End enumeration of the LDAP password list
1044 *********************************************************************/
1045 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1047 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1048 if (ldap_state->ldap_struct && ldap_state->result)
1050 ldap_msgfree(ldap_state->result);
1051 ldap_unbind(ldap_state->ldap_struct);
1052 ldap_state->ldap_struct = NULL;
1053 ldap_state->result = NULL;
1057 /**********************************************************************
1058 Get the next entry in the LDAP password database
1059 *********************************************************************/
1060 static BOOL ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT * user)
1062 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1066 if (!ldap_state->entry)
1069 ldap_state->index++;
1070 ret = init_sam_from_ldap(ldap_state, user, ldap_state->ldap_struct,
1073 ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct,
1081 /**********************************************************************
1082 Get SAM_ACCOUNT entry from LDAP by username
1083 *********************************************************************/
1084 static BOOL ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const char *sname)
1086 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1088 LDAPMessage *result;
1091 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1093 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1095 ldap_unbind(ldap_struct);
1098 if (ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result) != LDAP_SUCCESS)
1100 ldap_unbind(ldap_struct);
1103 if (ldap_count_entries(ldap_struct, result) < 1)
1106 ("We don't find this user [%s] count=%d\n", sname,
1107 ldap_count_entries(ldap_struct, result)));
1108 ldap_unbind(ldap_struct);
1111 entry = ldap_first_entry(ldap_struct, result);
1114 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1115 DEBUG(0,("ldapsam_getsampwnam: init_sam_from_ldap failed!\n"));
1116 ldap_msgfree(result);
1117 ldap_unbind(ldap_struct);
1120 ldap_msgfree(result);
1121 ldap_unbind(ldap_struct);
1126 ldap_msgfree(result);
1127 ldap_unbind(ldap_struct);
1132 /**********************************************************************
1133 Get SAM_ACCOUNT entry from LDAP by rid
1134 *********************************************************************/
1135 static BOOL ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, uint32 rid)
1137 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1139 LDAPMessage *result;
1142 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1145 if (!ldapsam_connect_system(ldap_state, ldap_struct))
1147 ldap_unbind(ldap_struct);
1150 if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, rid, &result) !=
1153 ldap_unbind(ldap_struct);
1157 if (ldap_count_entries(ldap_struct, result) < 1)
1160 ("We don't find this rid [%i] count=%d\n", rid,
1161 ldap_count_entries(ldap_struct, result)));
1162 ldap_unbind(ldap_struct);
1166 entry = ldap_first_entry(ldap_struct, result);
1169 if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) {
1170 DEBUG(0,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
1171 ldap_msgfree(result);
1172 ldap_unbind(ldap_struct);
1175 ldap_msgfree(result);
1176 ldap_unbind(ldap_struct);
1181 ldap_msgfree(result);
1182 ldap_unbind(ldap_struct);
1187 /**********************************************************************
1188 Delete entry from LDAP for username
1189 *********************************************************************/
1190 static BOOL ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
1192 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1198 LDAPMessage *result;
1201 DEBUG(0, ("sam_acct was NULL!\n"));
1205 sname = pdb_get_username(sam_acct);
1207 if (!ldapsam_open_connection(ldap_state, &ldap_struct))
1210 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
1212 if (!ldapsam_connect_system(ldap_state, ldap_struct)) {
1213 ldap_unbind (ldap_struct);
1214 DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname));
1218 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result);
1219 if (ldap_count_entries (ldap_struct, result) == 0) {
1220 DEBUG (0, ("User doesn't exit!\n"));
1221 ldap_msgfree (result);
1222 ldap_unbind (ldap_struct);
1226 entry = ldap_first_entry (ldap_struct, result);
1227 dn = ldap_get_dn (ldap_struct, entry);
1229 rc = ldap_delete_s (ldap_struct, dn);
1232 if (rc != LDAP_SUCCESS) {
1234 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1235 DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
1236 sname, ldap_err2string (rc), ld_error));
1238 ldap_unbind (ldap_struct);
1242 DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
1243 ldap_unbind (ldap_struct);
1247 /**********************************************************************
1249 *********************************************************************/
1250 static BOOL ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1252 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1256 LDAPMessage *result;
1260 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1263 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1265 ldap_unbind(ldap_struct);
1269 rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct,
1270 pdb_get_username(newpwd), &result);
1272 if (ldap_count_entries(ldap_struct, result) == 0)
1274 DEBUG(0, ("No user to modify!\n"));
1275 ldap_msgfree(result);
1276 ldap_unbind(ldap_struct);
1280 if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, newpwd)) {
1281 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1282 ldap_msgfree(result);
1283 ldap_unbind(ldap_struct);
1287 entry = ldap_first_entry(ldap_struct, result);
1288 dn = ldap_get_dn(ldap_struct, entry);
1290 rc = ldap_modify_s(ldap_struct, dn, mods);
1292 if (rc != LDAP_SUCCESS)
1295 ldap_get_option(ldap_struct, LDAP_OPT_ERROR_STRING,
1298 ("failed to modify user with uid = %s with: %s\n\t%s\n",
1299 pdb_get_username(newpwd), ldap_err2string(rc),
1302 ldap_unbind(ldap_struct);
1307 ("successfully modified uid = %s in the LDAP database\n",
1308 pdb_get_username(newpwd)));
1309 ldap_mods_free(mods, 1);
1310 ldap_unbind(ldap_struct);
1314 /**********************************************************************
1315 Add SAM_ACCOUNT to LDAP
1316 *********************************************************************/
1317 static BOOL ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1319 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1322 LDAP *ldap_struct = NULL;
1323 LDAPMessage *result = NULL;
1325 LDAPMod **mods = NULL;
1329 const char *username = pdb_get_username(newpwd);
1330 if (!username || !*username) {
1331 DEBUG(0, ("Cannot add user without a username!\n"));
1335 if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */
1340 if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */
1342 ldap_unbind(ldap_struct);
1346 rc = ldapsam_search_one_user_by_name (ldap_state, ldap_struct, username, &result);
1348 if (ldap_count_entries(ldap_struct, result) != 0)
1350 DEBUG(0,("User already in the base, with samba properties\n"));
1351 ldap_msgfree(result);
1352 ldap_unbind(ldap_struct);
1355 ldap_msgfree(result);
1357 slprintf (filter, sizeof (filter) - 1, "uid=%s", username);
1358 rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, &result);
1359 num_result = ldap_count_entries(ldap_struct, result);
1361 if (num_result > 1) {
1362 DEBUG (0, ("More than one user with that uid exists: bailing out!\n"));
1363 ldap_msgfree(result);
1367 /* Check if we need to update an existing entry */
1368 if (num_result == 1) {
1372 DEBUG(3,("User exists without samba properties: adding them\n"));
1373 ldap_op = LDAP_MOD_REPLACE;
1374 entry = ldap_first_entry (ldap_struct, result);
1375 tmp = ldap_get_dn (ldap_struct, entry);
1376 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1380 /* Check if we need to add an entry */
1381 DEBUG(3,("Adding new user\n"));
1382 ldap_op = LDAP_MOD_ADD;
1383 if (username[strlen(username)-1] == '$') {
1384 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
1386 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
1390 ldap_msgfree(result);
1392 if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, newpwd)) {
1393 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1394 ldap_mods_free(mods, 1);
1395 ldap_unbind(ldap_struct);
1398 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
1400 if (ldap_op == LDAP_MOD_REPLACE) {
1401 rc = ldap_modify_s(ldap_struct, dn, mods);
1404 rc = ldap_add_s(ldap_struct, dn, mods);
1407 if (rc != LDAP_SUCCESS)
1411 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1412 DEBUG(0,("failed to modify/add user with uid = %s (dn = %s) with: %s\n\t%s\n",
1413 pdb_get_username(newpwd), dn, ldap_err2string (rc), ld_error));
1415 ldap_mods_free(mods, 1);
1416 ldap_unbind(ldap_struct);
1420 DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
1421 ldap_mods_free(mods, 1);
1422 ldap_unbind(ldap_struct);
1426 static void free_private_data(void **vp)
1428 struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
1430 if ((*ldap_state)->ldap_struct) {
1431 ldap_unbind((*ldap_state)->ldap_struct);
1436 /* No need to free any further, as it is talloc()ed */
1439 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1442 struct ldapsam_privates *ldap_state;
1444 if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
1448 (*pdb_method)->name = "ldapsam";
1450 (*pdb_method)->setsampwent = ldapsam_setsampwent;
1451 (*pdb_method)->endsampwent = ldapsam_endsampwent;
1452 (*pdb_method)->getsampwent = ldapsam_getsampwent;
1453 (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
1454 (*pdb_method)->getsampwrid = ldapsam_getsampwrid;
1455 (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
1456 (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
1457 (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
1459 /* TODO: Setup private data and free */
1461 ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
1464 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1465 return NT_STATUS_NO_MEMORY;
1469 ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location);
1471 ldap_state->uri = "ldap://localhost";
1474 (*pdb_method)->private_data = ldap_state;
1476 (*pdb_method)->free_private_data = free_private_data;
1478 return NT_STATUS_OK;
1481 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1484 struct ldapsam_privates *ldap_state;
1485 uint32 low_nua_uid, high_nua_uid;
1487 if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
1491 (*pdb_method)->name = "ldapsam_nua";
1493 ldap_state = (*pdb_method)->private_data;
1495 ldap_state->permit_non_unix_accounts = True;
1497 if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) {
1498 DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n"));
1499 return NT_STATUS_UNSUCCESSFUL;
1502 ldap_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid);
1504 ldap_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid);
1506 return NT_STATUS_OK;
1512 NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1514 DEBUG(0, ("ldap not detected at configure time, ldapsam not availalble!\n"));
1515 return NT_STATUS_UNSUCCESSFUL;
1518 NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
1520 DEBUG(0, ("ldap not dectected at configure time, ldapsam_nua not available!\n"));
1521 return NT_STATUS_UNSUCCESSFUL;