s3-talloc Change TALLOC_P() to talloc()
[nivanova/samba-autobuild/.git] / source3 / lib / smbldap.c
1 /* 
2    Unix SMB/CIFS implementation.
3    LDAP protocol helper functions for SAMBA
4    Copyright (C) Jean Fran├žois Micouleau       1998
5    Copyright (C) Gerald Carter                  2001-2003
6    Copyright (C) Shahms King                    2001
7    Copyright (C) Andrew Bartlett                2002-2003
8    Copyright (C) Stefan (metze) Metzmacher      2002-2003
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22
23 */
24
25 #include "includes.h"
26 #include "smbldap.h"
27 #include "secrets.h"
28 #include "../libcli/security/security.h"
29
30 /* Try not to hit the up or down server forever */
31
32 #define SMBLDAP_DONT_PING_TIME 10       /* ping only all 10 seconds */
33 #define SMBLDAP_NUM_RETRIES 8           /* retry only 8 times */
34
35 #define SMBLDAP_IDLE_TIME 150           /* After 2.5 minutes disconnect */
36
37
38 /* attributes used by Samba 2.2 */
39
40 ATTRIB_MAP_ENTRY attrib_map_v22[] = {
41         { LDAP_ATTR_UID,                "uid"           },
42         { LDAP_ATTR_UIDNUMBER,          LDAP_ATTRIBUTE_UIDNUMBER},
43         { LDAP_ATTR_GIDNUMBER,          LDAP_ATTRIBUTE_GIDNUMBER},
44         { LDAP_ATTR_UNIX_HOME,          "homeDirectory" },
45         { LDAP_ATTR_PWD_LAST_SET,       "pwdLastSet"    },
46         { LDAP_ATTR_PWD_CAN_CHANGE,     "pwdCanChange"  },
47         { LDAP_ATTR_PWD_MUST_CHANGE,    "pwdMustChange" },
48         { LDAP_ATTR_LOGON_TIME,         "logonTime"     },
49         { LDAP_ATTR_LOGOFF_TIME,        "logoffTime"    },
50         { LDAP_ATTR_KICKOFF_TIME,       "kickoffTime"   },
51         { LDAP_ATTR_CN,                 "cn"            },
52         { LDAP_ATTR_SN,                 "sn"            },
53         { LDAP_ATTR_DISPLAY_NAME,       "displayName"   },
54         { LDAP_ATTR_HOME_PATH,          "smbHome"       },
55         { LDAP_ATTR_HOME_DRIVE,         "homeDrive"     },
56         { LDAP_ATTR_LOGON_SCRIPT,       "scriptPath"    },
57         { LDAP_ATTR_PROFILE_PATH,       "profilePath"   },
58         { LDAP_ATTR_DESC,               "description"   },
59         { LDAP_ATTR_USER_WKS,           "userWorkstations"},
60         { LDAP_ATTR_USER_RID,           "rid"           },
61         { LDAP_ATTR_PRIMARY_GROUP_RID,  "primaryGroupID"},
62         { LDAP_ATTR_LMPW,               "lmPassword"    },
63         { LDAP_ATTR_NTPW,               "ntPassword"    },
64         { LDAP_ATTR_DOMAIN,             "domain"        },
65         { LDAP_ATTR_OBJCLASS,           "objectClass"   },
66         { LDAP_ATTR_ACB_INFO,           "acctFlags"     },
67         { LDAP_ATTR_MOD_TIMESTAMP,      "modifyTimestamp"       },
68         { LDAP_ATTR_LIST_END,           NULL            }
69 };
70
71 ATTRIB_MAP_ENTRY attrib_map_to_delete_v22[] = {
72         { LDAP_ATTR_PWD_LAST_SET,       "pwdLastSet"    },
73         { LDAP_ATTR_PWD_CAN_CHANGE,     "pwdCanChange"  },
74         { LDAP_ATTR_PWD_MUST_CHANGE,    "pwdMustChange" },
75         { LDAP_ATTR_LOGON_TIME,         "logonTime"     },
76         { LDAP_ATTR_LOGOFF_TIME,        "logoffTime"    },
77         { LDAP_ATTR_KICKOFF_TIME,       "kickoffTime"   },
78         { LDAP_ATTR_DISPLAY_NAME,       "displayName"   },
79         { LDAP_ATTR_HOME_PATH,          "smbHome"       },
80         { LDAP_ATTR_HOME_DRIVE,         "homeDrives"    },
81         { LDAP_ATTR_LOGON_SCRIPT,       "scriptPath"    },
82         { LDAP_ATTR_PROFILE_PATH,       "profilePath"   },
83         { LDAP_ATTR_USER_WKS,           "userWorkstations"},
84         { LDAP_ATTR_USER_RID,           "rid"           },
85         { LDAP_ATTR_PRIMARY_GROUP_RID,  "primaryGroupID"},
86         { LDAP_ATTR_LMPW,               "lmPassword"    },
87         { LDAP_ATTR_NTPW,               "ntPassword"    },
88         { LDAP_ATTR_DOMAIN,             "domain"        },
89         { LDAP_ATTR_ACB_INFO,           "acctFlags"     },
90         { LDAP_ATTR_LIST_END,           NULL            }
91 };
92
93 /* attributes used by Samba 3.0's sambaSamAccount */
94
95 ATTRIB_MAP_ENTRY attrib_map_v30[] = {
96         { LDAP_ATTR_UID,                "uid"                   },
97         { LDAP_ATTR_UIDNUMBER,          LDAP_ATTRIBUTE_UIDNUMBER},
98         { LDAP_ATTR_GIDNUMBER,          LDAP_ATTRIBUTE_GIDNUMBER},
99         { LDAP_ATTR_UNIX_HOME,          "homeDirectory"         },
100         { LDAP_ATTR_PWD_LAST_SET,       "sambaPwdLastSet"       },
101         { LDAP_ATTR_PWD_CAN_CHANGE,     "sambaPwdCanChange"     },
102         { LDAP_ATTR_PWD_MUST_CHANGE,    "sambaPwdMustChange"    },
103         { LDAP_ATTR_LOGON_TIME,         "sambaLogonTime"        },
104         { LDAP_ATTR_LOGOFF_TIME,        "sambaLogoffTime"       },
105         { LDAP_ATTR_KICKOFF_TIME,       "sambaKickoffTime"      },
106         { LDAP_ATTR_CN,                 "cn"                    },
107         { LDAP_ATTR_SN,                 "sn"                    },
108         { LDAP_ATTR_DISPLAY_NAME,       "displayName"           },
109         { LDAP_ATTR_HOME_DRIVE,         "sambaHomeDrive"        },
110         { LDAP_ATTR_HOME_PATH,          "sambaHomePath"         },
111         { LDAP_ATTR_LOGON_SCRIPT,       "sambaLogonScript"      },
112         { LDAP_ATTR_PROFILE_PATH,       "sambaProfilePath"      },
113         { LDAP_ATTR_DESC,               "description"           },
114         { LDAP_ATTR_USER_WKS,           "sambaUserWorkstations" },
115         { LDAP_ATTR_USER_SID,           LDAP_ATTRIBUTE_SID      },
116         { LDAP_ATTR_PRIMARY_GROUP_SID,  "sambaPrimaryGroupSID"  },
117         { LDAP_ATTR_LMPW,               "sambaLMPassword"       },
118         { LDAP_ATTR_NTPW,               "sambaNTPassword"       },
119         { LDAP_ATTR_DOMAIN,             "sambaDomainName"       },
120         { LDAP_ATTR_OBJCLASS,           "objectClass"           },
121         { LDAP_ATTR_ACB_INFO,           "sambaAcctFlags"        },
122         { LDAP_ATTR_MUNGED_DIAL,        "sambaMungedDial"       },
123         { LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
124         { LDAP_ATTR_BAD_PASSWORD_TIME,  "sambaBadPasswordTime"  },
125         { LDAP_ATTR_PWD_HISTORY,        "sambaPasswordHistory"  },
126         { LDAP_ATTR_MOD_TIMESTAMP,      "modifyTimestamp"       },
127         { LDAP_ATTR_LOGON_HOURS,        "sambaLogonHours"       },
128         { LDAP_ATTR_LIST_END,           NULL                    }
129 };
130
131 ATTRIB_MAP_ENTRY attrib_map_to_delete_v30[] = {
132         { LDAP_ATTR_PWD_LAST_SET,       "sambaPwdLastSet"       },
133         { LDAP_ATTR_PWD_CAN_CHANGE,     "sambaPwdCanChange"     },
134         { LDAP_ATTR_PWD_MUST_CHANGE,    "sambaPwdMustChange"    },
135         { LDAP_ATTR_LOGON_TIME,         "sambaLogonTime"        },
136         { LDAP_ATTR_LOGOFF_TIME,        "sambaLogoffTime"       },
137         { LDAP_ATTR_KICKOFF_TIME,       "sambaKickoffTime"      },
138         { LDAP_ATTR_DISPLAY_NAME,       "displayName"           },
139         { LDAP_ATTR_HOME_DRIVE,         "sambaHomeDrive"        },
140         { LDAP_ATTR_HOME_PATH,          "sambaHomePath"         },
141         { LDAP_ATTR_LOGON_SCRIPT,       "sambaLogonScript"      },
142         { LDAP_ATTR_PROFILE_PATH,       "sambaProfilePath"      },
143         { LDAP_ATTR_USER_WKS,           "sambaUserWorkstations" },
144         { LDAP_ATTR_USER_SID,           LDAP_ATTRIBUTE_SID      },
145         { LDAP_ATTR_PRIMARY_GROUP_SID,  "sambaPrimaryGroupSID"  },
146         { LDAP_ATTR_LMPW,               "sambaLMPassword"       },
147         { LDAP_ATTR_NTPW,               "sambaNTPassword"       },
148         { LDAP_ATTR_DOMAIN,             "sambaDomainName"       },
149         { LDAP_ATTR_ACB_INFO,           "sambaAcctFlags"        },
150         { LDAP_ATTR_MUNGED_DIAL,        "sambaMungedDial"       },
151         { LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
152         { LDAP_ATTR_BAD_PASSWORD_TIME,  "sambaBadPasswordTime"  },
153         { LDAP_ATTR_PWD_HISTORY,        "sambaPasswordHistory"  },
154         { LDAP_ATTR_LOGON_HOURS,        "sambaLogonHours"       },
155         { LDAP_ATTR_LIST_END,           NULL                    }
156 };
157
158 /* attributes used for allocating RIDs */
159
160 ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
161         { LDAP_ATTR_DOMAIN,             "sambaDomainName"       },
162         { LDAP_ATTR_NEXT_RID,           "sambaNextRid"          },
163         { LDAP_ATTR_NEXT_USERRID,       "sambaNextUserRid"      },
164         { LDAP_ATTR_NEXT_GROUPRID,      "sambaNextGroupRid"     },
165         { LDAP_ATTR_DOM_SID,            LDAP_ATTRIBUTE_SID      },
166         { LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
167         { LDAP_ATTR_OBJCLASS,           "objectClass"           },
168         { LDAP_ATTR_LIST_END,           NULL                    },
169 };
170
171 /* Samba 3.0 group mapping attributes */
172
173 ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
174         { LDAP_ATTR_GIDNUMBER,          LDAP_ATTRIBUTE_GIDNUMBER},
175         { LDAP_ATTR_GROUP_SID,          LDAP_ATTRIBUTE_SID      },
176         { LDAP_ATTR_GROUP_TYPE,         "sambaGroupType"        },
177         { LDAP_ATTR_SID_LIST,           "sambaSIDList"          },
178         { LDAP_ATTR_DESC,               "description"           },
179         { LDAP_ATTR_DISPLAY_NAME,       "displayName"           },
180         { LDAP_ATTR_CN,                 "cn"                    },
181         { LDAP_ATTR_OBJCLASS,           "objectClass"           },
182         { LDAP_ATTR_LIST_END,           NULL                    }       
183 };
184
185 ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
186         { LDAP_ATTR_GROUP_SID,          LDAP_ATTRIBUTE_SID      },
187         { LDAP_ATTR_GROUP_TYPE,         "sambaGroupType"        },
188         { LDAP_ATTR_DESC,               "description"           },
189         { LDAP_ATTR_DISPLAY_NAME,       "displayName"           },
190         { LDAP_ATTR_SID_LIST,           "sambaSIDList"          },
191         { LDAP_ATTR_LIST_END,           NULL                    }       
192 };
193
194 /* idmap_ldap sambaUnixIdPool */
195
196 ATTRIB_MAP_ENTRY idpool_attr_list[] = {
197         { LDAP_ATTR_UIDNUMBER,          LDAP_ATTRIBUTE_UIDNUMBER},
198         { LDAP_ATTR_GIDNUMBER,          LDAP_ATTRIBUTE_GIDNUMBER},
199         { LDAP_ATTR_OBJCLASS,           "objectClass"           },
200         { LDAP_ATTR_LIST_END,           NULL                    }       
201 };
202
203 ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
204         { LDAP_ATTR_SID,                LDAP_ATTRIBUTE_SID      },
205         { LDAP_ATTR_UIDNUMBER,          LDAP_ATTRIBUTE_UIDNUMBER},
206         { LDAP_ATTR_GIDNUMBER,          LDAP_ATTRIBUTE_GIDNUMBER},
207         { LDAP_ATTR_OBJCLASS,           "objectClass"           },
208         { LDAP_ATTR_LIST_END,           NULL                    }       
209 };
210
211 /**********************************************************************
212  perform a simple table lookup and return the attribute name 
213  **********************************************************************/
214  
215  const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
216 {
217         int i = 0;
218
219         while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
220                 if ( table[i].attrib == key )
221                         return table[i].name;
222                 i++;
223         }
224
225         return NULL;
226 }
227
228
229 /**********************************************************************
230  Return the list of attribute names from a mapping table
231  **********************************************************************/
232
233  const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
234 {
235         const char **names;
236         int i = 0;
237
238         while ( table[i].attrib != LDAP_ATTR_LIST_END )
239                 i++;
240         i++;
241
242         names = talloc_array( mem_ctx, const char*, i );
243         if ( !names ) {
244                 DEBUG(0,("get_attr_list: out of memory\n"));
245                 return NULL;
246         }
247
248         i = 0;
249         while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
250                 names[i] = talloc_strdup( names, table[i].name );
251                 i++;
252         }
253         names[i] = NULL;
254
255         return names;
256 }
257
258 /*******************************************************************
259  Search an attribute and return the first value found.
260 ******************************************************************/
261
262  bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
263                                     const char *attribute, char *value,
264                                     int max_len)
265 {
266         char **values;
267         size_t size = 0;
268
269         if ( !attribute )
270                 return False;
271
272         value[0] = '\0';
273
274         if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
275                 DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
276
277                 return False;
278         }
279
280         if (!convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, &size)) {
281                 DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n", 
282                           attribute, values[0]));
283                 ldap_value_free(values);
284                 return False;
285         }
286
287         ldap_value_free(values);
288 #ifdef DEBUG_PASSWORDS
289         DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
290 #endif  
291         return True;
292 }
293
294  char * smbldap_talloc_single_attribute(LDAP *ldap_struct, LDAPMessage *entry,
295                                         const char *attribute,
296                                         TALLOC_CTX *mem_ctx)
297 {
298         char **values;
299         char *result;
300         size_t converted_size;
301
302         if (attribute == NULL) {
303                 return NULL;
304         }
305
306         values = ldap_get_values(ldap_struct, entry, attribute);
307
308         if (values == NULL) {
309                 DEBUG(10, ("attribute %s does not exist\n", attribute));
310                 return NULL;
311         }
312
313         if (ldap_count_values(values) != 1) {
314                 DEBUG(10, ("attribute %s has %d values, expected only one\n",
315                            attribute, ldap_count_values(values)));
316                 ldap_value_free(values);
317                 return NULL;
318         }
319
320         if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
321                 DEBUG(10, ("pull_utf8_talloc failed\n"));
322                 ldap_value_free(values);
323                 return NULL;
324         }
325
326         ldap_value_free(values);
327
328 #ifdef DEBUG_PASSWORDS
329         DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
330                      attribute, result));
331 #endif  
332         return result;
333 }
334
335  char * smbldap_talloc_first_attribute(LDAP *ldap_struct, LDAPMessage *entry,
336                                        const char *attribute,
337                                        TALLOC_CTX *mem_ctx)
338 {
339         char **values;
340         char *result;
341         size_t converted_size;
342
343         if (attribute == NULL) {
344                 return NULL;
345         }
346
347         values = ldap_get_values(ldap_struct, entry, attribute);
348
349         if (values == NULL) {
350                 DEBUG(10, ("attribute %s does not exist\n", attribute));
351                 return NULL;
352         }
353
354         if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
355                 DEBUG(10, ("pull_utf8_talloc failed\n"));
356                 ldap_value_free(values);
357                 return NULL;
358         }
359
360         ldap_value_free(values);
361
362 #ifdef DEBUG_PASSWORDS
363         DEBUG (100, ("smbldap_get_first_attribute: [%s] = [%s]\n",
364                      attribute, result));
365 #endif
366         return result;
367 }
368
369  char * smbldap_talloc_smallest_attribute(LDAP *ldap_struct, LDAPMessage *entry,
370                                           const char *attribute,
371                                           TALLOC_CTX *mem_ctx)
372 {
373         char **values;
374         char *result;
375         size_t converted_size;
376         int i, num_values;
377
378         if (attribute == NULL) {
379                 return NULL;
380         }
381
382         values = ldap_get_values(ldap_struct, entry, attribute);
383
384         if (values == NULL) {
385                 DEBUG(10, ("attribute %s does not exist\n", attribute));
386                 return NULL;
387         }
388
389         if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
390                 DEBUG(10, ("pull_utf8_talloc failed\n"));
391                 ldap_value_free(values);
392                 return NULL;
393         }
394
395         num_values = ldap_count_values(values);
396
397         for (i=1; i<num_values; i++) {
398                 char *tmp;
399
400                 if (!pull_utf8_talloc(mem_ctx, &tmp, values[i],
401                                       &converted_size)) {
402                         DEBUG(10, ("pull_utf8_talloc failed\n"));
403                         TALLOC_FREE(result);
404                         ldap_value_free(values);
405                         return NULL;
406                 }
407
408                 if (strcasecmp_m(tmp, result) < 0) {
409                         TALLOC_FREE(result);
410                         result = tmp;
411                 } else {
412                         TALLOC_FREE(tmp);
413                 }
414         }
415
416         ldap_value_free(values);
417
418 #ifdef DEBUG_PASSWORDS
419         DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
420                      attribute, result));
421 #endif
422         return result;
423 }
424
425  bool smbldap_talloc_single_blob(TALLOC_CTX *mem_ctx, LDAP *ld,
426                                  LDAPMessage *msg, const char *attrib,
427                                  DATA_BLOB *blob)
428 {
429         struct berval **values;
430
431         values = ldap_get_values_len(ld, msg, attrib);
432         if (!values) {
433                 return false;
434         }
435
436         if (ldap_count_values_len(values) != 1) {
437                 DEBUG(10, ("Expected one value for %s, got %d\n", attrib,
438                            ldap_count_values_len(values)));
439                 return false;
440         }
441
442         *blob = data_blob_talloc(mem_ctx, values[0]->bv_val,
443                                  values[0]->bv_len);
444         ldap_value_free_len(values);
445
446         return (blob->data != NULL);
447 }
448
449  bool smbldap_pull_sid(LDAP *ld, LDAPMessage *msg, const char *attrib,
450                        struct dom_sid *sid)
451 {
452         DATA_BLOB blob;
453         bool ret;
454
455         if (!smbldap_talloc_single_blob(talloc_tos(), ld, msg, attrib,
456                                         &blob)) {
457                 return false;
458         }
459         ret = sid_parse((char *)blob.data, blob.length, sid);
460         TALLOC_FREE(blob.data);
461         return ret;
462 }
463
464  static int ldapmsg_destructor(LDAPMessage **result) {
465         ldap_msgfree(*result);
466         return 0;
467 }
468
469  void talloc_autofree_ldapmsg(TALLOC_CTX *mem_ctx, LDAPMessage *result)
470 {
471         LDAPMessage **handle;
472
473         if (result == NULL) {
474                 return;
475         }
476
477         handle = talloc(mem_ctx, LDAPMessage *);
478         SMB_ASSERT(handle != NULL);
479
480         *handle = result;
481         talloc_set_destructor(handle, ldapmsg_destructor);
482 }
483
484  static int ldapmod_destructor(LDAPMod ***mod) {
485         ldap_mods_free(*mod, True);
486         return 0;
487 }
488
489  void talloc_autofree_ldapmod(TALLOC_CTX *mem_ctx, LDAPMod **mod)
490 {
491         LDAPMod ***handle;
492
493         if (mod == NULL) {
494                 return;
495         }
496
497         handle = talloc(mem_ctx, LDAPMod **);
498         SMB_ASSERT(handle != NULL);
499
500         *handle = mod;
501         talloc_set_destructor(handle, ldapmod_destructor);
502 }
503
504 /************************************************************************
505  Routine to manage the LDAPMod structure array
506  manage memory used by the array, by each struct, and values
507  ***********************************************************************/
508
509 static void smbldap_set_mod_internal(LDAPMod *** modlist, int modop, const char *attribute, const char *value, const DATA_BLOB *blob)
510 {
511         LDAPMod **mods;
512         int i;
513         int j;
514
515         mods = *modlist;
516
517         /* sanity checks on the mod values */
518
519         if (attribute == NULL || *attribute == '\0') {
520                 return; 
521         }
522
523 #if 0   /* commented out after discussion with abartlet.  Do not reenable.
524            left here so other do not re-add similar code   --jerry */
525         if (value == NULL || *value == '\0')
526                 return;
527 #endif
528
529         if (mods == NULL) {
530                 mods = SMB_MALLOC_P(LDAPMod *);
531                 if (mods == NULL) {
532                         smb_panic("smbldap_set_mod: out of memory!");
533                         /* notreached. */
534                 }
535                 mods[0] = NULL;
536         }
537
538         for (i = 0; mods[i] != NULL; ++i) {
539                 if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
540                         break;
541         }
542
543         if (mods[i] == NULL) {
544                 mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
545                 if (mods == NULL) {
546                         smb_panic("smbldap_set_mod: out of memory!");
547                         /* notreached. */
548                 }
549                 mods[i] = SMB_MALLOC_P(LDAPMod);
550                 if (mods[i] == NULL) {
551                         smb_panic("smbldap_set_mod: out of memory!");
552                         /* notreached. */
553                 }
554                 mods[i]->mod_op = modop;
555                 mods[i]->mod_values = NULL;
556                 mods[i]->mod_type = SMB_STRDUP(attribute);
557                 mods[i + 1] = NULL;
558         }
559
560         if (blob && (modop & LDAP_MOD_BVALUES)) {
561                 j = 0;
562                 if (mods[i]->mod_bvalues != NULL) {
563                         for (; mods[i]->mod_bvalues[j] != NULL; j++);
564                 }
565                 mods[i]->mod_bvalues = SMB_REALLOC_ARRAY(mods[i]->mod_bvalues, struct berval *, j + 2);
566
567                 if (mods[i]->mod_bvalues == NULL) {
568                         smb_panic("smbldap_set_mod: out of memory!");
569                         /* notreached. */
570                 }
571
572                 mods[i]->mod_bvalues[j] = SMB_MALLOC_P(struct berval);
573                 SMB_ASSERT(mods[i]->mod_bvalues[j] != NULL);
574
575                 mods[i]->mod_bvalues[j]->bv_val = (char *)memdup(blob->data, blob->length);
576                 SMB_ASSERT(mods[i]->mod_bvalues[j]->bv_val != NULL);
577                 mods[i]->mod_bvalues[j]->bv_len = blob->length;
578
579                 mods[i]->mod_bvalues[j + 1] = NULL;
580         } else if (value != NULL) {
581                 char *utf8_value = NULL;
582                 size_t converted_size;
583
584                 j = 0;
585                 if (mods[i]->mod_values != NULL) {
586                         for (; mods[i]->mod_values[j] != NULL; j++);
587                 }
588                 mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
589
590                 if (mods[i]->mod_values == NULL) {
591                         smb_panic("smbldap_set_mod: out of memory!");
592                         /* notreached. */
593                 }
594
595                 if (!push_utf8_talloc(talloc_tos(), &utf8_value, value, &converted_size)) {
596                         smb_panic("smbldap_set_mod: String conversion failure!");
597                         /* notreached. */
598                 }
599
600                 mods[i]->mod_values[j] = SMB_STRDUP(utf8_value);
601                 TALLOC_FREE(utf8_value);
602                 SMB_ASSERT(mods[i]->mod_values[j] != NULL);
603
604                 mods[i]->mod_values[j + 1] = NULL;
605         }
606         *modlist = mods;
607 }
608
609  void smbldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
610 {
611         smbldap_set_mod_internal(modlist, modop, attribute, value, NULL);
612 }
613
614  void smbldap_set_mod_blob(LDAPMod *** modlist, int modop, const char *attribute, const DATA_BLOB *value)
615 {
616         smbldap_set_mod_internal(modlist, modop | LDAP_MOD_BVALUES, attribute, NULL, value);
617 }
618
619 /**********************************************************************
620   Set attribute to newval in LDAP, regardless of what value the
621   attribute had in LDAP before.
622 *********************************************************************/
623
624 static void smbldap_make_mod_internal(LDAP *ldap_struct, LDAPMessage *existing,
625                                       LDAPMod ***mods,
626                                       const char *attribute, int op,
627                                       const char *newval,
628                                       const DATA_BLOB *newblob)
629 {
630         char oldval[2048]; /* current largest allowed value is mungeddial */
631         bool existed;
632         DATA_BLOB oldblob = data_blob_null;
633
634         if (attribute == NULL) {
635                 /* This can actually happen for ldapsam_compat where we for
636                  * example don't have a password history */
637                 return;
638         }
639
640         if (existing != NULL) {
641                 if (op & LDAP_MOD_BVALUES) {
642                         existed = smbldap_talloc_single_blob(talloc_tos(), ldap_struct, existing, attribute, &oldblob);
643                 } else {
644                         existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
645                 }
646         } else {
647                 existed = False;
648                 *oldval = '\0';
649         }
650
651         if (existed) {
652                 bool equal = false;
653                 if (op & LDAP_MOD_BVALUES) {
654                         equal = (newblob && (data_blob_cmp(&oldblob, newblob) == 0));
655                 } else {
656                         /* all of our string attributes are case insensitive */
657                         equal = (newval && (strcasecmp_m(oldval, newval) == 0));
658                 }
659
660                 if (equal) {
661                         /* Believe it or not, but LDAP will deny a delete and
662                            an add at the same time if the values are the
663                            same... */
664                         DEBUG(10,("smbldap_make_mod: attribute |%s| not changed.\n", attribute));
665                         return;
666                 }
667
668                 /* There has been no value before, so don't delete it.
669                  * Here's a possible race: We might end up with
670                  * duplicate attributes */
671                 /* By deleting exactly the value we found in the entry this
672                  * should be race-free in the sense that the LDAP-Server will
673                  * deny the complete operation if somebody changed the
674                  * attribute behind our back. */
675                 /* This will also allow modifying single valued attributes 
676                  * in Novell NDS. In NDS you have to first remove attribute and then
677                  * you could add new value */
678
679                 if (op & LDAP_MOD_BVALUES) {
680                         DEBUG(10,("smbldap_make_mod: deleting attribute |%s| blob\n", attribute));
681                         smbldap_set_mod_blob(mods, LDAP_MOD_DELETE, attribute, &oldblob);
682                 } else {
683                         DEBUG(10,("smbldap_make_mod: deleting attribute |%s| values |%s|\n", attribute, oldval));
684                         smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
685                 }
686         }
687
688         /* Regardless of the real operation (add or modify)
689            we add the new value here. We rely on deleting
690            the old value, should it exist. */
691
692         if (op & LDAP_MOD_BVALUES) {
693                 if (newblob && newblob->length) {
694                         DEBUG(10,("smbldap_make_mod: adding attribute |%s| blob\n", attribute));
695                         smbldap_set_mod_blob(mods, LDAP_MOD_ADD, attribute, newblob);
696                 }
697         } else {
698                 if ((newval != NULL) && (strlen(newval) > 0)) {
699                         DEBUG(10,("smbldap_make_mod: adding attribute |%s| value |%s|\n", attribute, newval));
700                         smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
701                 }
702         }
703 }
704
705  void smbldap_make_mod(LDAP *ldap_struct, LDAPMessage *existing,
706                       LDAPMod ***mods,
707                       const char *attribute, const char *newval)
708 {
709         smbldap_make_mod_internal(ldap_struct, existing, mods, attribute,
710                                   0, newval, NULL);
711 }
712
713  void smbldap_make_mod_blob(LDAP *ldap_struct, LDAPMessage *existing,
714                             LDAPMod ***mods,
715                             const char *attribute, const DATA_BLOB *newblob)
716 {
717         smbldap_make_mod_internal(ldap_struct, existing, mods, attribute,
718                                   LDAP_MOD_BVALUES, NULL, newblob);
719 }
720
721 /**********************************************************************
722  Some varients of the LDAP rebind code do not pass in the third 'arg' 
723  pointer to a void*, so we try and work around it by assuming that the 
724  value of the 'LDAP *' pointer is the same as the one we had passed in
725  **********************************************************************/
726
727 struct smbldap_state_lookup {
728         LDAP *ld;
729         struct smbldap_state *smbldap_state;
730         struct smbldap_state_lookup *prev, *next;
731 };
732
733 static struct smbldap_state_lookup *smbldap_state_lookup_list;
734
735 static struct smbldap_state *smbldap_find_state(LDAP *ld) 
736 {
737         struct smbldap_state_lookup *t;
738
739         for (t = smbldap_state_lookup_list; t; t = t->next) {
740                 if (t->ld == ld) {
741                         return t->smbldap_state;
742                 }
743         }
744         return NULL;
745 }
746
747 static void smbldap_delete_state(struct smbldap_state *smbldap_state) 
748 {
749         struct smbldap_state_lookup *t;
750
751         for (t = smbldap_state_lookup_list; t; t = t->next) {
752                 if (t->smbldap_state == smbldap_state) {
753                         DLIST_REMOVE(smbldap_state_lookup_list, t);
754                         SAFE_FREE(t);
755                         return;
756                 }
757         }
758 }
759
760 static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) 
761 {
762         struct smbldap_state *tmp_ldap_state;
763         struct smbldap_state_lookup *t;
764
765         if ((tmp_ldap_state = smbldap_find_state(ld))) {
766                 SMB_ASSERT(tmp_ldap_state == smbldap_state);
767                 return;
768         }
769
770         t = SMB_XMALLOC_P(struct smbldap_state_lookup);
771         ZERO_STRUCTP(t);
772
773         DLIST_ADD_END(smbldap_state_lookup_list, t, struct smbldap_state_lookup *);
774         t->ld = ld;
775         t->smbldap_state = smbldap_state;
776 }
777
778 /********************************************************************
779  start TLS on an existing LDAP connection
780 *******************************************************************/
781
782 int smb_ldap_start_tls(LDAP *ldap_struct, int version)
783
784 #ifdef LDAP_OPT_X_TLS
785         int rc;
786 #endif
787
788         if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
789                 return LDAP_SUCCESS;
790         }
791
792 #ifdef LDAP_OPT_X_TLS
793         if (version != LDAP_VERSION3) {
794                 DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
795                 return LDAP_OPERATIONS_ERROR;
796         }
797
798         if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS)  {
799                 DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
800                          ldap_err2string(rc)));
801                 return rc;
802         }
803
804         DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
805         return LDAP_SUCCESS;
806 #else
807         DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
808         return LDAP_OPERATIONS_ERROR;
809 #endif
810 }
811
812 /********************************************************************
813  setup a connection to the LDAP server based on a uri
814 *******************************************************************/
815
816 static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
817 {
818         int rc;
819
820         DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
821
822 #ifdef HAVE_LDAP_INITIALIZE
823
824         rc = ldap_initialize(ldap_struct, uri);
825         if (rc) {
826                 DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
827                 return rc;
828         }
829
830         if (lp_ldap_follow_referral() != Auto) {
831                 rc = ldap_set_option(*ldap_struct, LDAP_OPT_REFERRALS,
832                      lp_ldap_follow_referral() ? LDAP_OPT_ON : LDAP_OPT_OFF);
833                 if (rc != LDAP_SUCCESS)
834                         DEBUG(0, ("Failed to set LDAP_OPT_REFERRALS: %s\n",
835                                 ldap_err2string(rc)));
836         }
837
838         return LDAP_SUCCESS;
839 #else 
840
841         /* Parse the string manually */
842
843         {
844                 int port = 0;
845                 fstring protocol;
846                 fstring host;
847                 SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
848
849
850                 /* skip leading "URL:" (if any) */
851                 if ( strnequal( uri, "URL:", 4 ) ) {
852                         uri += 4;
853                 }
854
855                 sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
856
857                 if (port == 0) {
858                         if (strequal(protocol, "ldap")) {
859                                 port = LDAP_PORT;
860                         } else if (strequal(protocol, "ldaps")) {
861                                 port = LDAPS_PORT;
862                         } else {
863                                 DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
864                         }
865                 }
866
867                 if ((*ldap_struct = ldap_init(host, port)) == NULL)     {
868                         DEBUG(0, ("ldap_init failed !\n"));
869                         return LDAP_OPERATIONS_ERROR;
870                 }
871
872                 if (strequal(protocol, "ldaps")) {
873 #ifdef LDAP_OPT_X_TLS
874                         int tls = LDAP_OPT_X_TLS_HARD;
875                         if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
876                         {
877                                 DEBUG(0, ("Failed to setup a TLS session\n"));
878                         }
879
880                         DEBUG(3,("LDAPS option set...!\n"));
881 #else
882                         DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
883                         return LDAP_OPERATIONS_ERROR;
884 #endif /* LDAP_OPT_X_TLS */
885                 }
886         }
887 #endif /* HAVE_LDAP_INITIALIZE */
888
889         /* now set connection timeout */
890 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
891         {
892                 int ct = lp_ldap_connection_timeout()*1000;
893                 rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
894                 if (rc != LDAP_SUCCESS) {
895                         DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
896                                 ct, ldap_err2string(rc)));
897                 }
898         }
899 #elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
900         {
901                 struct timeval ct;
902                 ct.tv_usec = 0;
903                 ct.tv_sec = lp_ldap_connection_timeout();
904                 rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
905                 if (rc != LDAP_SUCCESS) {
906                         DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
907                                 (int)ct.tv_sec, ldap_err2string(rc)));
908                 }
909         }
910 #endif
911
912         return LDAP_SUCCESS;
913 }
914
915 /********************************************************************
916  try to upgrade to Version 3 LDAP if not already, in either case return current
917  version 
918  *******************************************************************/
919
920 static int smb_ldap_upgrade_conn(LDAP *ldap_struct, int *new_version)
921 {
922         int version;
923         int rc;
924
925         /* assume the worst */
926         *new_version = LDAP_VERSION2;
927
928         rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
929         if (rc) {
930                 return rc;
931         }
932
933         if (version == LDAP_VERSION3) {
934                 *new_version = LDAP_VERSION3;
935                 return LDAP_SUCCESS;
936         }
937
938         /* try upgrade */
939         version = LDAP_VERSION3;
940         rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
941         if (rc) {
942                 return rc;
943         }
944
945         *new_version = LDAP_VERSION3;
946         return LDAP_SUCCESS;
947 }
948
949 /*******************************************************************
950  open a connection to the ldap server (just until the bind)
951  ******************************************************************/
952
953 int smb_ldap_setup_full_conn(LDAP **ldap_struct, const char *uri)
954 {
955         int rc, version;
956
957         rc = smb_ldap_setup_conn(ldap_struct, uri);
958         if (rc) {
959                 return rc;
960         }
961
962         rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
963         if (rc) {
964                 return rc;
965         }
966
967         rc = smb_ldap_start_tls(*ldap_struct, version);
968         if (rc) {
969                 return rc;
970         }
971
972         return LDAP_SUCCESS;
973 }
974
975 /*******************************************************************
976  open a connection to the ldap server.
977 ******************************************************************/
978 static int smbldap_open_connection (struct smbldap_state *ldap_state)
979
980 {
981         int rc = LDAP_SUCCESS;
982         int version;
983         int deref;
984         LDAP **ldap_struct = &ldap_state->ldap_struct;
985
986         rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
987         if (rc) {
988                 return rc;
989         }
990
991         /* Store the LDAP pointer in a lookup list */
992
993         smbldap_store_state(*ldap_struct, ldap_state);
994
995         /* Upgrade to LDAPv3 if possible */
996
997         rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
998         if (rc) {
999                 return rc;
1000         }
1001
1002         /* Start TLS if required */
1003
1004         rc = smb_ldap_start_tls(*ldap_struct, version);
1005         if (rc) {
1006                 return rc;
1007         }
1008
1009         /* Set alias dereferencing method */
1010         deref = lp_ldap_deref();
1011         if (deref != -1) {
1012                 if (ldap_set_option (*ldap_struct, LDAP_OPT_DEREF, &deref) != LDAP_OPT_SUCCESS) {
1013                         DEBUG(1,("smbldap_open_connection: Failed to set dereferencing method: %d\n", deref));
1014                 } else {
1015                         DEBUG(5,("Set dereferencing method: %d\n", deref));
1016                 }
1017         }
1018
1019         DEBUG(2, ("smbldap_open_connection: connection opened\n"));
1020         return rc;
1021 }
1022
1023 /*******************************************************************
1024  a rebind function for authenticated referrals
1025  This version takes a void* that we can shove useful stuff in :-)
1026 ******************************************************************/
1027 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1028 #else
1029 static int rebindproc_with_state  (LDAP * ld, char **whop, char **credp, 
1030                                    int *methodp, int freeit, void *arg)
1031 {
1032         struct smbldap_state *ldap_state = arg;
1033         struct timespec ts;
1034
1035         /** @TODO Should we be doing something to check what servers we rebind to?
1036             Could we get a referral to a machine that we don't want to give our
1037             username and password to? */
1038
1039         if (freeit) {
1040                 SAFE_FREE(*whop);
1041                 if (*credp) {
1042                         memset(*credp, '\0', strlen(*credp));
1043                 }
1044                 SAFE_FREE(*credp);
1045         } else {
1046                 DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n", 
1047                           ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
1048
1049                 if (ldap_state->anonymous) {
1050                         *whop = NULL;
1051                         *credp = NULL;
1052                 } else {
1053                         *whop = SMB_STRDUP(ldap_state->bind_dn);
1054                         if (!*whop) {
1055                                 return LDAP_NO_MEMORY;
1056                         }
1057                         *credp = SMB_STRDUP(ldap_state->bind_secret);
1058                         if (!*credp) {
1059                                 SAFE_FREE(*whop);
1060                                 return LDAP_NO_MEMORY;
1061                         }
1062                 }
1063                 *methodp = LDAP_AUTH_SIMPLE;
1064         }
1065
1066         clock_gettime_mono(&ts);
1067         ldap_state->last_rebind = convert_timespec_to_timeval(ts);
1068
1069         return 0;
1070 }
1071 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
1072
1073 /*******************************************************************
1074  a rebind function for authenticated referrals
1075  This version takes a void* that we can shove useful stuff in :-)
1076  and actually does the connection.
1077 ******************************************************************/
1078 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1079 static int rebindproc_connect_with_state (LDAP *ldap_struct, 
1080                                           LDAP_CONST char *url, 
1081                                           ber_tag_t request,
1082                                           ber_int_t msgid, void *arg)
1083 {
1084         struct smbldap_state *ldap_state =
1085                 (struct smbldap_state *)arg;
1086         int rc;
1087         struct timespec ts;
1088         int version;
1089
1090         DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n", 
1091                  url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
1092
1093         /* call START_TLS again (ldaps:// is handled by the OpenLDAP library
1094          * itself) before rebinding to another LDAP server to avoid to expose
1095          * our credentials. At least *try* to secure the connection - Guenther */
1096
1097         smb_ldap_upgrade_conn(ldap_struct, &version);
1098         smb_ldap_start_tls(ldap_struct, version);
1099
1100         /** @TODO Should we be doing something to check what servers we rebind to?
1101             Could we get a referral to a machine that we don't want to give our
1102             username and password to? */
1103
1104         rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1105
1106         /* only set the last rebind timestamp when we did rebind after a
1107          * non-read LDAP operation. That way we avoid the replication sleep
1108          * after a simple redirected search operation - Guenther */
1109
1110         switch (request) {
1111
1112                 case LDAP_REQ_MODIFY:
1113                 case LDAP_REQ_ADD:
1114                 case LDAP_REQ_DELETE:
1115                 case LDAP_REQ_MODDN:
1116                 case LDAP_REQ_EXTENDED:
1117                         DEBUG(10,("rebindproc_connect_with_state: "
1118                                 "setting last_rebind timestamp "
1119                                 "(req: 0x%02x)\n", (unsigned int)request));
1120                         clock_gettime_mono(&ts);
1121                         ldap_state->last_rebind = convert_timespec_to_timeval(ts);
1122                         break;
1123                 default:
1124                         ZERO_STRUCT(ldap_state->last_rebind);
1125                         break;
1126         }
1127
1128         return rc;
1129 }
1130 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
1131
1132 /*******************************************************************
1133  Add a rebind function for authenticated referrals
1134 ******************************************************************/
1135 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1136 #else
1137 # if LDAP_SET_REBIND_PROC_ARGS == 2
1138 static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
1139                        int *method, int freeit )
1140 {
1141         struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
1142
1143         return rebindproc_with_state(ldap_struct, whop, credp,
1144                                      method, freeit, ldap_state);
1145 }
1146 # endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
1147 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
1148
1149 /*******************************************************************
1150  a rebind function for authenticated referrals
1151  this also does the connection, but no void*.
1152 ******************************************************************/
1153 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1154 # if LDAP_SET_REBIND_PROC_ARGS == 2
1155 static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
1156                                ber_int_t msgid)
1157 {
1158         struct smbldap_state *ldap_state = smbldap_find_state(ld);
1159
1160         return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid, 
1161                                              ldap_state);
1162 }
1163 # endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
1164 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
1165
1166 /*******************************************************************
1167  connect to the ldap server under system privilege.
1168 ******************************************************************/
1169 static int smbldap_connect_system(struct smbldap_state *ldap_state, LDAP * ldap_struct)
1170 {
1171         int rc;
1172         int version;
1173
1174         if (!ldap_state->anonymous && !ldap_state->bind_dn) {
1175                 char *bind_dn = NULL;
1176                 char *bind_secret = NULL;
1177
1178                 /* get the default dn and password only if they are not set already */
1179                 if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
1180                         DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
1181                         return LDAP_INVALID_CREDENTIALS;
1182                 }
1183                 smbldap_set_creds(ldap_state, false, bind_dn, bind_secret);
1184                 SAFE_FREE(bind_dn);
1185                 memset(bind_secret, '\0', strlen(bind_secret));
1186                 SAFE_FREE(bind_secret);
1187         }
1188
1189         /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite 
1190            (OpenLDAP) doesnt' seem to support it */
1191
1192         DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
1193                   ldap_state->uri, ldap_state->bind_dn));
1194
1195 #ifdef HAVE_LDAP_SET_REBIND_PROC
1196 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1197 # if LDAP_SET_REBIND_PROC_ARGS == 2     
1198         ldap_set_rebind_proc(ldap_struct, &rebindproc_connect); 
1199 # endif
1200 # if LDAP_SET_REBIND_PROC_ARGS == 3     
1201         ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);  
1202 # endif
1203 #else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
1204 # if LDAP_SET_REBIND_PROC_ARGS == 2     
1205         ldap_set_rebind_proc(ldap_struct, &rebindproc); 
1206 # endif
1207 # if LDAP_SET_REBIND_PROC_ARGS == 3     
1208         ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);  
1209 # endif
1210 #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
1211 #endif
1212
1213         rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1214
1215         if (rc != LDAP_SUCCESS) {
1216                 char *ld_error = NULL;
1217                 ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1218                                 &ld_error);
1219                 DEBUG(ldap_state->num_failures ? 2 : 0,
1220                       ("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
1221                                ldap_state->uri,
1222                                ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
1223                                ldap_err2string(rc),
1224                                ld_error ? ld_error : "(unknown)"));
1225                 SAFE_FREE(ld_error);
1226                 ldap_state->num_failures++;
1227                 return rc;
1228         }
1229
1230         ldap_state->num_failures = 0;
1231         ldap_state->paged_results = False;
1232
1233         ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
1234
1235         if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
1236                 ldap_state->paged_results = True;
1237         }
1238
1239         DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
1240         DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n", 
1241                 ldap_state->paged_results ? "does" : "does not"));
1242         return rc;
1243 }
1244
1245 static void smbldap_idle_fn(struct event_context *event_ctx,
1246                             struct timed_event *te,
1247                             struct timeval now_abs,
1248                             void *private_data);
1249
1250 /**********************************************************************
1251  Connect to LDAP server (called before every ldap operation)
1252 *********************************************************************/
1253 static int smbldap_open(struct smbldap_state *ldap_state)
1254 {
1255         int rc, opt_rc;
1256         bool reopen = False;
1257         SMB_ASSERT(ldap_state);
1258
1259         if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time_mono(NULL))) {
1260
1261 #ifdef HAVE_UNIXSOCKET
1262                 struct sockaddr_un addr;
1263 #else
1264                 struct sockaddr addr;
1265 #endif
1266                 socklen_t len = sizeof(addr);
1267                 int sd;
1268
1269                 opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
1270                 if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
1271                         reopen = True;
1272
1273 #ifdef HAVE_UNIXSOCKET
1274                 if (opt_rc == 0 && addr.sun_family == AF_UNIX)
1275                         reopen = True;
1276 #endif
1277                 if (reopen) {
1278                         /* the other end has died. reopen. */
1279                         ldap_unbind(ldap_state->ldap_struct);
1280                         ldap_state->ldap_struct = NULL;
1281                         ldap_state->last_ping = (time_t)0;
1282                 } else {
1283                         ldap_state->last_ping = time_mono(NULL);
1284                 } 
1285         }
1286
1287         if (ldap_state->ldap_struct != NULL) {
1288                 DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
1289                 return LDAP_SUCCESS;
1290         }
1291
1292         if ((rc = smbldap_open_connection(ldap_state))) {
1293                 return rc;
1294         }
1295
1296         if ((rc = smbldap_connect_system(ldap_state, ldap_state->ldap_struct))) {
1297                 ldap_unbind(ldap_state->ldap_struct);
1298                 ldap_state->ldap_struct = NULL;
1299                 return rc;
1300         }
1301
1302
1303         ldap_state->last_ping = time_mono(NULL);
1304         ldap_state->pid = sys_getpid();
1305
1306         TALLOC_FREE(ldap_state->idle_event);
1307
1308         if (ldap_state->event_context != NULL) {
1309                 ldap_state->idle_event = event_add_timed(
1310                         ldap_state->event_context, NULL,
1311                         timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
1312                         smbldap_idle_fn, ldap_state);
1313         }
1314
1315         DEBUG(4,("The LDAP server is successfully connected\n"));
1316
1317         return LDAP_SUCCESS;
1318 }
1319
1320 /**********************************************************************
1321 Disconnect from LDAP server 
1322 *********************************************************************/
1323 static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
1324 {
1325         if (!ldap_state)
1326                 return NT_STATUS_INVALID_PARAMETER;
1327
1328         if (ldap_state->ldap_struct != NULL) {
1329                 ldap_unbind(ldap_state->ldap_struct);
1330                 ldap_state->ldap_struct = NULL;
1331         }
1332
1333         smbldap_delete_state(ldap_state);
1334
1335         DEBUG(5,("The connection to the LDAP server was closed\n"));
1336         /* maybe free the results here --metze */
1337
1338         return NT_STATUS_OK;
1339 }
1340
1341 static bool got_alarm;
1342
1343 static void (*old_handler)(int);
1344
1345 static void gotalarm_sig(int dummy)
1346 {
1347         got_alarm = True;
1348 }
1349
1350 static int another_ldap_try(struct smbldap_state *ldap_state, int *rc,
1351                             int *attempts, time_t endtime)
1352 {
1353         time_t now = time_mono(NULL);
1354         int open_rc = LDAP_SERVER_DOWN;
1355
1356         if (*rc != LDAP_SERVER_DOWN)
1357                 goto no_next;
1358
1359         if (now >= endtime) {
1360                 smbldap_close(ldap_state);
1361                 *rc = LDAP_TIMEOUT;
1362                 goto no_next;
1363         }
1364
1365         if (*attempts == 0) {
1366                 got_alarm = False;
1367                 old_handler = CatchSignal(SIGALRM, gotalarm_sig);
1368                 alarm(endtime - now);
1369
1370                 if (ldap_state->pid != sys_getpid())
1371                         smbldap_close(ldap_state);
1372         }
1373
1374         while (1) {
1375
1376                 if (*attempts != 0)
1377                         smb_msleep(1000);
1378
1379                 *attempts += 1;
1380
1381                 open_rc = smbldap_open(ldap_state);
1382
1383                 if (open_rc == LDAP_SUCCESS) {
1384                         ldap_state->last_use = now;
1385                         return True;
1386                 }
1387
1388                 if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
1389                         /* The fact that we are non-root or any other
1390                          * access-denied condition will not change in the next
1391                          * round of trying */
1392                         *rc = open_rc;
1393                         break;
1394                 }
1395
1396                 if (got_alarm) {
1397                         *rc = LDAP_TIMEOUT;
1398                         break;
1399                 }
1400
1401                 if (open_rc != LDAP_SUCCESS) {
1402                         DEBUG(1, ("Connection to LDAP server failed for the "
1403                                   "%d try!\n", *attempts));
1404                 }
1405         }
1406
1407  no_next:
1408         CatchSignal(SIGALRM, old_handler);
1409         alarm(0);
1410         ldap_state->last_use = now;
1411         return False;
1412 }
1413
1414 /*********************************************************************
1415  ********************************************************************/
1416
1417 static int smbldap_search_ext(struct smbldap_state *ldap_state,
1418                               const char *base, int scope, const char *filter, 
1419                               const char *attrs[], int attrsonly,
1420                               LDAPControl **sctrls, LDAPControl **cctrls, 
1421                               int sizelimit, LDAPMessage **res)
1422 {
1423         int             rc = LDAP_SERVER_DOWN;
1424         int             attempts = 0;
1425         char           *utf8_filter;
1426         time_t          endtime = time_mono(NULL)+lp_ldap_timeout();
1427         struct          timeval timeout;
1428         size_t          converted_size;
1429
1430         SMB_ASSERT(ldap_state);
1431
1432         DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
1433                  "scope => [%d]\n", base, filter, scope));
1434
1435         if (ldap_state->last_rebind.tv_sec > 0) {
1436                 struct timeval  tval;
1437                 struct timespec ts;
1438                 int64_t tdiff = 0;
1439                 int             sleep_time = 0;
1440
1441                 clock_gettime_mono(&ts);
1442                 tval = convert_timespec_to_timeval(ts);
1443
1444                 tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
1445                 tdiff /= 1000; /* Convert to milliseconds. */
1446
1447                 sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
1448                 sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
1449
1450                 if (sleep_time > 0) {
1451                         /* we wait for the LDAP replication */
1452                         DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
1453                                  "for LDAP replication.\n",sleep_time));
1454                         smb_msleep(sleep_time);
1455                         DEBUG(5,("smbldap_search_ext: go on!\n"));
1456                 }
1457                 ZERO_STRUCT(ldap_state->last_rebind);
1458         }
1459
1460         if (!push_utf8_talloc(talloc_tos(), &utf8_filter, filter, &converted_size)) {
1461                 return LDAP_NO_MEMORY;
1462         }
1463
1464         /* Setup timeout for the ldap_search_ext_s call - local and remote. */
1465         timeout.tv_sec = lp_ldap_timeout();
1466         timeout.tv_usec = 0;
1467
1468         /* Setup alarm timeout.... Do we need both of these ? JRA.
1469          * Yes, I think we do need both of these. The server timeout only
1470          * covers the case where the server's operation takes too long. It
1471          * does not cover the case where the request hangs on its way to the
1472          * server. The server side timeout is not strictly necessary, it's
1473          * just a bit more kind to the server. VL. */
1474
1475         got_alarm = 0;
1476         CatchSignal(SIGALRM, gotalarm_sig);
1477         alarm(lp_ldap_timeout());
1478         /* End setup timeout. */
1479
1480         while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1481                 rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope, 
1482                                        utf8_filter,
1483                                        discard_const_p(char *, attrs),
1484                                        attrsonly, sctrls, cctrls, &timeout,
1485                                        sizelimit, res);
1486                 if (rc != LDAP_SUCCESS) {
1487                         char *ld_error = NULL;
1488                         int ld_errno;
1489
1490                         ldap_get_option(ldap_state->ldap_struct,
1491                                         LDAP_OPT_ERROR_NUMBER, &ld_errno);
1492
1493                         ldap_get_option(ldap_state->ldap_struct,
1494                                         LDAP_OPT_ERROR_STRING, &ld_error);
1495                         DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
1496                                    "(%s)\n", base, ld_errno,
1497                                    ldap_err2string(rc),
1498                                    ld_error ? ld_error : "unknown"));
1499                         SAFE_FREE(ld_error);
1500
1501                         if (ld_errno == LDAP_SERVER_DOWN) {
1502                                 ldap_unbind(ldap_state->ldap_struct);
1503                                 ldap_state->ldap_struct = NULL;
1504                         }
1505                 }
1506         }
1507
1508         TALLOC_FREE(utf8_filter);
1509
1510         /* Teardown timeout. */
1511         CatchSignal(SIGALRM, SIG_IGN);
1512         alarm(0);
1513
1514         if (got_alarm != 0)
1515                 return LDAP_TIMELIMIT_EXCEEDED;
1516
1517         return rc;
1518 }
1519
1520 int smbldap_search(struct smbldap_state *ldap_state, 
1521                    const char *base, int scope, const char *filter, 
1522                    const char *attrs[], int attrsonly, 
1523                    LDAPMessage **res)
1524 {
1525         return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1526                                   attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
1527 }
1528
1529 int smbldap_search_paged(struct smbldap_state *ldap_state, 
1530                          const char *base, int scope, const char *filter, 
1531                          const char **attrs, int attrsonly, int pagesize,
1532                          LDAPMessage **res, void **cookie)
1533 {
1534         LDAPControl     pr;
1535         LDAPControl     **rcontrols;
1536         LDAPControl     *controls[2] = { NULL, NULL};
1537         BerElement      *cookie_be = NULL;
1538         struct berval   *cookie_bv = NULL;
1539         int             tmp = 0, i, rc;
1540         bool            critical = True;
1541
1542         *res = NULL;
1543
1544         DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
1545                  "scope => [%d], pagesize => [%d]\n",
1546                  base, filter, scope, pagesize));
1547
1548         cookie_be = ber_alloc_t(LBER_USE_DER);
1549         if (cookie_be == NULL) {
1550                 DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
1551                          "NULL\n"));
1552                 return LDAP_NO_MEMORY;
1553         }
1554
1555         /* construct cookie */
1556         if (*cookie != NULL) {
1557                 ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
1558                 ber_bvfree((struct berval *)*cookie); /* don't need it from last time */
1559                 *cookie = NULL;
1560         } else {
1561                 ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
1562         }
1563         ber_flatten(cookie_be, &cookie_bv);
1564
1565         pr.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID);
1566         pr.ldctl_iscritical = (char) critical;
1567         pr.ldctl_value.bv_len = cookie_bv->bv_len;
1568         pr.ldctl_value.bv_val = cookie_bv->bv_val;
1569
1570         controls[0] = &pr;
1571         controls[1] = NULL;
1572
1573         rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs, 
1574                                  0, controls, NULL, LDAP_NO_LIMIT, res);
1575
1576         ber_free(cookie_be, 1);
1577         ber_bvfree(cookie_bv);
1578
1579         if (rc != 0) {
1580                 DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
1581                          "failed with [%s]\n", filter, ldap_err2string(rc)));
1582                 goto done;
1583         }
1584
1585         DEBUG(3,("smbldap_search_paged: search was successful\n"));
1586
1587         rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL, 
1588                                NULL, NULL, &rcontrols,  0);
1589         if (rc != 0) {
1590                 DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
1591                          "with [%s]\n", ldap_err2string(rc)));
1592                 goto done;
1593         }
1594
1595         if (rcontrols == NULL)
1596                 goto done;
1597
1598         for (i=0; rcontrols[i]; i++) {
1599
1600                 if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
1601                         continue;
1602
1603                 cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1604                 ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
1605                 /* the berval is the cookie, but must be freed when it is all
1606                    done */
1607                 if (cookie_bv->bv_len)
1608                         *cookie=ber_bvdup(cookie_bv);
1609                 else
1610                         *cookie=NULL;
1611                 ber_bvfree(cookie_bv);
1612                 ber_free(cookie_be, 1);
1613                 break;
1614         }
1615         ldap_controls_free(rcontrols);
1616 done:   
1617         return rc;
1618 }
1619
1620 int smbldap_modify(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[])
1621 {
1622         int             rc = LDAP_SERVER_DOWN;
1623         int             attempts = 0;
1624         char           *utf8_dn;
1625         time_t          endtime = time_mono(NULL)+lp_ldap_timeout();
1626         size_t          converted_size;
1627
1628         SMB_ASSERT(ldap_state);
1629
1630         DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
1631
1632         if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1633                 return LDAP_NO_MEMORY;
1634         }
1635
1636         while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1637                 rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
1638                 if (rc != LDAP_SUCCESS) {
1639                         char *ld_error = NULL;
1640                         int ld_errno;
1641
1642                         ldap_get_option(ldap_state->ldap_struct,
1643                                         LDAP_OPT_ERROR_NUMBER, &ld_errno);
1644
1645                         ldap_get_option(ldap_state->ldap_struct,
1646                                         LDAP_OPT_ERROR_STRING, &ld_error);
1647                         DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
1648                                    "(%s)\n", dn, ld_errno,
1649                                    ldap_err2string(rc),
1650                                    ld_error ? ld_error : "unknown"));
1651                         SAFE_FREE(ld_error);
1652
1653                         if (ld_errno == LDAP_SERVER_DOWN) {
1654                                 ldap_unbind(ldap_state->ldap_struct);
1655                                 ldap_state->ldap_struct = NULL;
1656                         }
1657                 }
1658         }
1659
1660         TALLOC_FREE(utf8_dn);
1661         return rc;
1662 }
1663
1664 int smbldap_add(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[])
1665 {
1666         int             rc = LDAP_SERVER_DOWN;
1667         int             attempts = 0;
1668         char           *utf8_dn;
1669         time_t          endtime = time_mono(NULL)+lp_ldap_timeout();
1670         size_t          converted_size;
1671
1672         SMB_ASSERT(ldap_state);
1673
1674         DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
1675
1676         if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1677                 return LDAP_NO_MEMORY;
1678         }
1679
1680         while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1681                 rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
1682                 if (rc != LDAP_SUCCESS) {
1683                         char *ld_error = NULL;
1684                         int ld_errno;
1685
1686                         ldap_get_option(ldap_state->ldap_struct,
1687                                         LDAP_OPT_ERROR_NUMBER, &ld_errno);
1688
1689                         ldap_get_option(ldap_state->ldap_struct,
1690                                         LDAP_OPT_ERROR_STRING, &ld_error);
1691                         DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
1692                                    "(%s)\n", dn, ld_errno,
1693                                    ldap_err2string(rc),
1694                                    ld_error ? ld_error : "unknown"));
1695                         SAFE_FREE(ld_error);
1696
1697                         if (ld_errno == LDAP_SERVER_DOWN) {
1698                                 ldap_unbind(ldap_state->ldap_struct);
1699                                 ldap_state->ldap_struct = NULL;
1700                         }
1701                 }
1702         }
1703
1704         TALLOC_FREE(utf8_dn);
1705         return rc;
1706 }
1707
1708 int smbldap_delete(struct smbldap_state *ldap_state, const char *dn)
1709 {
1710         int             rc = LDAP_SERVER_DOWN;
1711         int             attempts = 0;
1712         char           *utf8_dn;
1713         time_t          endtime = time_mono(NULL)+lp_ldap_timeout();
1714         size_t          converted_size;
1715
1716         SMB_ASSERT(ldap_state);
1717
1718         DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
1719
1720         if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1721                 return LDAP_NO_MEMORY;
1722         }
1723
1724         while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1725                 rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
1726                 if (rc != LDAP_SUCCESS) {
1727                         char *ld_error = NULL;
1728                         int ld_errno;
1729
1730                         ldap_get_option(ldap_state->ldap_struct,
1731                                         LDAP_OPT_ERROR_NUMBER, &ld_errno);
1732
1733                         ldap_get_option(ldap_state->ldap_struct,
1734                                         LDAP_OPT_ERROR_STRING, &ld_error);
1735                         DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
1736                                    "(%s)\n", dn, ld_errno,
1737                                    ldap_err2string(rc),
1738                                    ld_error ? ld_error : "unknown"));
1739                         SAFE_FREE(ld_error);
1740
1741                         if (ld_errno == LDAP_SERVER_DOWN) {
1742                                 ldap_unbind(ldap_state->ldap_struct);
1743                                 ldap_state->ldap_struct = NULL;
1744                         }
1745                 }
1746         }
1747
1748         TALLOC_FREE(utf8_dn);
1749         return rc;
1750 }
1751
1752 int smbldap_extended_operation(struct smbldap_state *ldap_state, 
1753                                LDAP_CONST char *reqoid, struct berval *reqdata, 
1754                                LDAPControl **serverctrls, LDAPControl **clientctrls, 
1755                                char **retoidp, struct berval **retdatap)
1756 {
1757         int             rc = LDAP_SERVER_DOWN;
1758         int             attempts = 0;
1759         time_t          endtime = time_mono(NULL)+lp_ldap_timeout();
1760
1761         if (!ldap_state)
1762                 return (-1);
1763
1764         while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1765                 rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
1766                                                reqdata, serverctrls,
1767                                                clientctrls, retoidp, retdatap);
1768                 if (rc != LDAP_SUCCESS) {
1769                         char *ld_error = NULL;
1770                         int ld_errno;
1771
1772                         ldap_get_option(ldap_state->ldap_struct,
1773                                         LDAP_OPT_ERROR_NUMBER, &ld_errno);
1774
1775                         ldap_get_option(ldap_state->ldap_struct,
1776                                         LDAP_OPT_ERROR_STRING, &ld_error);
1777                         DEBUG(10, ("Extended operation failed with error: "
1778                                    "%d (%s) (%s)\n", ld_errno,
1779                                    ldap_err2string(rc),
1780                                    ld_error ? ld_error : "unknown"));
1781                         SAFE_FREE(ld_error);
1782
1783                         if (ld_errno == LDAP_SERVER_DOWN) {
1784                                 ldap_unbind(ldap_state->ldap_struct);
1785                                 ldap_state->ldap_struct = NULL;
1786                         }
1787                 }
1788         }
1789
1790         return rc;
1791 }
1792
1793 /*******************************************************************
1794  run the search by name.
1795 ******************************************************************/
1796 int smbldap_search_suffix (struct smbldap_state *ldap_state,
1797                            const char *filter, const char **search_attr,
1798                            LDAPMessage ** result)
1799 {
1800         return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
1801                               filter, search_attr, 0, result);
1802 }
1803
1804 static void smbldap_idle_fn(struct event_context *event_ctx,
1805                             struct timed_event *te,
1806                             struct timeval now_abs,
1807                             void *private_data)
1808 {
1809         struct smbldap_state *state = (struct smbldap_state *)private_data;
1810
1811         TALLOC_FREE(state->idle_event);
1812
1813         if (state->ldap_struct == NULL) {
1814                 DEBUG(10,("ldap connection not connected...\n"));
1815                 return;
1816         }
1817
1818         if ((state->last_use+SMBLDAP_IDLE_TIME) > time_mono(NULL)) {
1819                 DEBUG(10,("ldap connection not idle...\n"));
1820
1821                 /* this needs to be made monotonic clock aware inside tevent: */
1822                 state->idle_event = event_add_timed(
1823                         event_ctx, NULL,
1824                         timeval_add(&now_abs, SMBLDAP_IDLE_TIME, 0),
1825                         smbldap_idle_fn,
1826                         private_data);
1827                 return;
1828         }
1829
1830         DEBUG(7,("ldap connection idle...closing connection\n"));
1831         smbldap_close(state);
1832 }
1833
1834 /**********************************************************************
1835  Housekeeping
1836  *********************************************************************/
1837
1838 void smbldap_free_struct(struct smbldap_state **ldap_state) 
1839 {
1840         smbldap_close(*ldap_state);
1841
1842         if ((*ldap_state)->bind_secret) {
1843                 memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
1844         }
1845
1846         SAFE_FREE((*ldap_state)->bind_dn);
1847         SAFE_FREE((*ldap_state)->bind_secret);
1848
1849         TALLOC_FREE((*ldap_state)->idle_event);
1850
1851         *ldap_state = NULL;
1852
1853         /* No need to free any further, as it is talloc()ed */
1854 }
1855
1856
1857 /**********************************************************************
1858  Intitalise the 'general' ldap structures, on which ldap operations may be conducted
1859  *********************************************************************/
1860
1861 NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx, struct event_context *event_ctx,
1862                       const char *location,
1863                       struct smbldap_state **smbldap_state)
1864 {
1865         *smbldap_state = TALLOC_ZERO_P(mem_ctx, struct smbldap_state);
1866         if (!*smbldap_state) {
1867                 DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1868                 return NT_STATUS_NO_MEMORY;
1869         }
1870
1871         if (location) {
1872                 (*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
1873         } else {
1874                 (*smbldap_state)->uri = "ldap://localhost";
1875         }
1876
1877         (*smbldap_state)->event_context = event_ctx;
1878
1879         return NT_STATUS_OK;
1880 }
1881
1882  char *smbldap_talloc_dn(TALLOC_CTX *mem_ctx, LDAP *ld,
1883                          LDAPMessage *entry)
1884 {
1885         char *utf8_dn, *unix_dn;
1886         size_t converted_size;
1887
1888         utf8_dn = ldap_get_dn(ld, entry);
1889         if (!utf8_dn) {
1890                 DEBUG (5, ("smbldap_talloc_dn: ldap_get_dn failed\n"));
1891                 return NULL;
1892         }
1893         if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1894                 DEBUG (0, ("smbldap_talloc_dn: String conversion failure utf8 "
1895                            "[%s]\n", utf8_dn));
1896                 return NULL;
1897         }
1898         ldap_memfree(utf8_dn);
1899         return unix_dn;
1900 }
1901
1902 /*******************************************************************
1903  Check if root-dse has a certain Control or Extension
1904 ********************************************************************/
1905
1906 static bool smbldap_check_root_dse(LDAP *ld, const char **attrs, const char *value) 
1907 {
1908         LDAPMessage *msg = NULL;
1909         LDAPMessage *entry = NULL;
1910         char **values = NULL;
1911         int rc, num_result, num_values, i;
1912         bool result = False;
1913
1914         if (!attrs[0]) {
1915                 DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
1916                 return False;
1917         }
1918
1919         if (!strequal(attrs[0], "supportedExtension") && 
1920             !strequal(attrs[0], "supportedControl") && 
1921             !strequal(attrs[0], "namingContexts")) {
1922                 DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
1923                 return False;
1924         }
1925
1926         rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE, 
1927                            "(objectclass=*)", discard_const_p(char *, attrs), 0 , &msg);
1928
1929         if (rc != LDAP_SUCCESS) {
1930                 DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
1931                 return False;
1932         }
1933
1934         num_result = ldap_count_entries(ld, msg);
1935
1936         if (num_result != 1) {
1937                 DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
1938                 goto done;
1939         }
1940
1941         entry = ldap_first_entry(ld, msg);
1942
1943         if (entry == NULL) {
1944                 DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
1945                 goto done;
1946         }
1947
1948         values = ldap_get_values(ld, entry, attrs[0]);
1949
1950         if (values == NULL) {
1951                 DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
1952                 goto done;
1953         }
1954
1955         num_values = ldap_count_values(values);
1956
1957         if (num_values == 0) {
1958                 DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
1959                 goto done;
1960         }
1961
1962         for (i=0; i<num_values; i++) {
1963                 if (strcmp(values[i], value) == 0)
1964                         result = True;
1965         }
1966
1967
1968  done:
1969         if (values != NULL)
1970                 ldap_value_free(values);
1971         if (msg != NULL)
1972                 ldap_msgfree(msg);
1973
1974         return result;
1975
1976 }
1977
1978 /*******************************************************************
1979  Check if LDAP-Server supports a certain Control (OID in string format)
1980 ********************************************************************/
1981
1982 bool smbldap_has_control(LDAP *ld, const char *control)
1983 {
1984         const char *attrs[] = { "supportedControl", NULL };
1985         return smbldap_check_root_dse(ld, attrs, control);
1986 }
1987
1988 /*******************************************************************
1989  Check if LDAP-Server supports a certain Extension (OID in string format)
1990 ********************************************************************/
1991
1992 bool smbldap_has_extension(LDAP *ld, const char *extension)
1993 {
1994         const char *attrs[] = { "supportedExtension", NULL };
1995         return smbldap_check_root_dse(ld, attrs, extension);
1996 }
1997
1998 /*******************************************************************
1999  Check if LDAP-Server holds a given namingContext
2000 ********************************************************************/
2001
2002 bool smbldap_has_naming_context(LDAP *ld, const char *naming_context)
2003 {
2004         const char *attrs[] = { "namingContexts", NULL };
2005         return smbldap_check_root_dse(ld, attrs, naming_context);
2006 }
2007
2008 bool smbldap_set_creds(struct smbldap_state *ldap_state, bool anon, const char *dn, const char *secret)
2009 {
2010         ldap_state->anonymous = anon;
2011
2012         /* free any previously set credential */
2013
2014         SAFE_FREE(ldap_state->bind_dn);
2015         if (ldap_state->bind_secret) {
2016                 /* make sure secrets are zeroed out of memory */
2017                 memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
2018                 SAFE_FREE(ldap_state->bind_secret);
2019         }
2020
2021         if ( ! anon) {
2022                 ldap_state->bind_dn = SMB_STRDUP(dn);
2023                 ldap_state->bind_secret = SMB_STRDUP(secret);
2024         }
2025
2026         return True;
2027 }