2 Unix SMB/Netbios implementation.
4 ads (active directory) utility library
5 Copyright (C) Andrew Tridgell 2001
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* return a dn of the form "dc=AA,dc=BB,dc=CC" from a
27 realm of the form AA.BB.CC
31 return a string for an error from a ads routine
33 char *ads_errstr(int rc)
35 return ldap_err2string(rc);
39 this is a minimal interact function, just enough for SASL to talk
40 GSSAPI/kerberos to W2K
41 Error handling is a bit of a problem. I can't see how to get Cyrus-sasl
42 to give sensible errors
44 static int sasl_interact(LDAP *ld,unsigned flags,void *defaults,void *in)
46 sasl_interact_t *interact = in;
48 while (interact->id != SASL_CB_LIST_END) {
49 interact->result = strdup("");
50 interact->len = strlen(interact->result);
58 connect to the LDAP server
60 int ads_connect(ADS_STRUCT *ads)
62 int version = LDAP_VERSION3;
65 ads->last_attempt = time(NULL);
67 ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
69 return LDAP_SERVER_DOWN;
71 ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
74 /* the machine acct password might have changed */
75 ads->password = secrets_fetch_machine_password();
76 kerberos_kinit_password(ads);
79 rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL,
87 a wrapper around ldap_search_s that retries depending on the error code
88 this is supposed to catch dropped connections and auto-reconnect
90 int ads_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope, const char *exp,
91 const char **attrs, void **res)
93 struct timeval timeout;
98 time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
99 return LDAP_SERVER_DOWN;
104 timeout.tv_sec = ADS_SEARCH_TIMEOUT;
107 rc = ldap_search_ext_s(ads->ld, bind_path, scope, exp, attrs, 0, NULL, NULL,
108 &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
109 if (rc == 0) return rc;
112 if (*res) ads_msgfree(ads, *res);
114 DEBUG(1,("Reopening ads connection after error %s\n", ads_errstr(rc)));
116 /* we should unbind here, but that seems to trigger openldap bugs :(
117 ldap_unbind(ads->ld);
121 rc2 = ads_connect(ads);
123 DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", ads_errstr(rc)));
127 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(rc)));
132 do a general ADS search
134 int ads_search(ADS_STRUCT *ads, void **res,
138 return ads_search_retry(ads, ads->bind_path, LDAP_SCOPE_SUBTREE, exp, attrs, res);
142 do a search on a specific DistinguishedName
144 int ads_search_dn(ADS_STRUCT *ads, void **res,
148 return ads_search_retry(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res);
152 free up memory from a ads_search
154 void ads_msgfree(ADS_STRUCT *ads, void *msg)
161 find a machine account given a hostname
163 int ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
168 /* the easiest way to find a machine account anywhere in the tree
169 is to look for hostname$ */
170 asprintf(&exp, "(samAccountName=%s$)", host);
171 ret = ads_search(ads, res, exp, NULL);
178 a convenient routine for adding a generic LDAP record
180 int ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ...)
187 #define MAX_MOD_VALUES 10
189 /* count the number of attributes */
190 va_start(ap, new_dn);
191 for (i=0; va_arg(ap, char *); i++) {
192 /* skip the values */
193 while (va_arg(ap, char *)) ;
197 mods = malloc(sizeof(LDAPMod *) * (i+1));
199 va_start(ap, new_dn);
200 for (i=0; (name=va_arg(ap, char *)); i++) {
203 values = (char **)malloc(sizeof(char *) * (MAX_MOD_VALUES+1));
204 for (j=0; (value=va_arg(ap, char *)) && j < MAX_MOD_VALUES; j++) {
208 mods[i] = malloc(sizeof(LDAPMod));
209 mods[i]->mod_type = name;
210 mods[i]->mod_op = LDAP_MOD_ADD;
211 mods[i]->mod_values = values;
216 ret = ldap_add_s(ads->ld, new_dn, mods);
218 for (i=0; mods[i]; i++) {
219 free(mods[i]->mod_values);
228 add a machine account to the ADS server
230 static int ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname)
233 char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
235 asprintf(&host_spn, "HOST/%s", hostname);
236 asprintf(&host_upn, "%s@%s", host_spn, ads->realm);
237 asprintf(&new_dn, "cn=%s,cn=Computers,%s", hostname, ads->bind_path);
238 asprintf(&samAccountName, "%s$", hostname);
239 asprintf(&controlstr, "%u",
240 UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
241 UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY);
243 ret = ads_gen_add(ads, new_dn,
244 "cn", hostname, NULL,
245 "sAMAccountName", samAccountName, NULL,
247 "top", "person", "organizationalPerson",
248 "user", "computer", NULL,
249 "userPrincipalName", host_upn, NULL,
250 "servicePrincipalName", host_spn, NULL,
251 "dNSHostName", hostname, NULL,
252 "userAccountControl", controlstr, NULL,
253 "operatingSystem", "Samba", NULL,
254 "operatingSystemVersion", VERSION, NULL,
260 free(samAccountName);
267 dump a binary result from ldap
269 static void dump_binary(const char *field, struct berval **values)
272 for (i=0; values[i]; i++) {
273 printf("%s: ", field);
274 for (j=0; j<values[i]->bv_len; j++) {
275 printf("%02X", (unsigned char)values[i]->bv_val[j]);
282 dump a string result from ldap
284 static void dump_string(const char *field, struct berval **values)
287 for (i=0; values[i]; i++) {
288 printf("%s: %s\n", field, values[i]->bv_val);
293 dump a record from LDAP on stdout
296 void ads_dump(ADS_STRUCT *ads, void *res)
303 void (*handler)(const char *, struct berval **);
305 {"objectGUID", dump_binary},
306 {"objectSid", dump_binary},
310 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
311 for (field = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &b);
313 field = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, b)) {
314 struct berval **values;
317 values = ldap_get_values_len(ads->ld, (LDAPMessage *)msg, field);
319 for (i=0; handlers[i].name; i++) {
320 if (StrCaseCmp(handlers[i].name, field) == 0) {
321 handlers[i].handler(field, values);
325 if (!handlers[i].name) {
326 dump_string(field, values);
328 ldap_value_free_len(values);
338 count how many replies are in a LDAPMessage
340 int ads_count_replies(ADS_STRUCT *ads, void *res)
342 return ldap_count_entries(ads->ld, (LDAPMessage *)res);
346 join a machine to a realm, creating the machine account
347 and setting the machine password
349 int ads_join_realm(ADS_STRUCT *ads, const char *hostname)
355 /* hostname must be lowercase */
356 host = strdup(hostname);
359 rc = ads_find_machine_acct(ads, (void **)&res, host);
360 if (rc == LDAP_SUCCESS && ads_count_replies(ads, res) == 1) {
361 DEBUG(0, ("Host account for %s already exists\n", host));
365 rc = ads_add_machine_acct(ads, host);
366 if (rc != LDAP_SUCCESS) {
367 DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(rc)));
371 rc = ads_find_machine_acct(ads, (void **)&res, host);
372 if (rc != LDAP_SUCCESS || ads_count_replies(ads, res) != 1) {
373 DEBUG(0, ("Host account test failed\n"));
374 /* hmmm, we need NTSTATUS */
384 delete a machine from the realm
386 int ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
390 char *hostnameDN, *host;
392 /* hostname must be lowercase */
393 host = strdup(hostname);
396 rc = ads_find_machine_acct(ads, &res, host);
397 if (rc != LDAP_SUCCESS || ads_count_replies(ads, res) != 1) {
398 DEBUG(0, ("Host account for %s does not exist.\n", host));
402 hostnameDN = ldap_get_dn(ads->ld, (LDAPMessage *)res);
403 rc = ldap_delete_s(ads->ld, hostnameDN);
404 ldap_memfree(hostnameDN);
405 if (rc != LDAP_SUCCESS) {
406 DEBUG(0, ("ldap_delete_s: %s\n", ads_errstr(rc)));
410 rc = ads_find_machine_acct(ads, &res, host);
411 if (rc == LDAP_SUCCESS && ads_count_replies(ads, res) == 1 ) {
412 DEBUG(0, ("Failed to remove host account.\n"));
413 /*hmmm, we need NTSTATUS */
423 NTSTATUS ads_set_machine_password(ADS_STRUCT *ads,
424 const char *hostname,
425 const char *password)
428 char *host = strdup(hostname);
430 ret = krb5_set_password(ads->kdc_server, host, ads->realm, password);
437 return a RFC2254 binary string representation of a buffer
441 char *ads_binary_string(char *buf, int len)
445 const char *hex = "0123456789ABCDEF";
446 s = malloc(len * 3 + 1);
448 for (j=i=0;i<len;i++) {
450 s[j+1] = hex[((unsigned char)buf[i]) >> 4];
451 s[j+2] = hex[((unsigned char)buf[i]) & 0xF];
459 return the binary string representation of a DOM_SID
462 char *ads_sid_binstring(DOM_SID *sid)
465 int len = sid_size(sid);
467 if (!buf) return NULL;
468 sid_linearize(buf, len, sid);
469 s = ads_binary_string(buf, len);
475 pull the first entry from a ADS result
477 void *ads_first_entry(ADS_STRUCT *ads, void *res)
479 return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
483 pull the next entry from a ADS result
485 void *ads_next_entry(ADS_STRUCT *ads, void *res)
487 return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
491 pull a single string from a ADS result
493 char *ads_pull_string(ADS_STRUCT *ads,
494 TALLOC_CTX *mem_ctx, void *msg, const char *field)
499 values = ldap_get_values(ads->ld, msg, field);
500 if (!values) return NULL;
503 ret = talloc_strdup(mem_ctx, values[0]);
505 ldap_value_free(values);
510 pull a single uint32 from a ADS result
512 BOOL ads_pull_uint32(ADS_STRUCT *ads,
513 void *msg, const char *field, uint32 *v)
517 values = ldap_get_values(ads->ld, msg, field);
518 if (!values) return False;
520 ldap_value_free(values);
524 *v = atoi(values[0]);
525 ldap_value_free(values);
530 pull a single DOM_SID from a ADS result
532 BOOL ads_pull_sid(ADS_STRUCT *ads,
533 void *msg, const char *field, DOM_SID *sid)
535 struct berval **values;
538 values = ldap_get_values_len(ads->ld, msg, field);
540 if (!values) return False;
543 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
546 ldap_value_free_len(values);
551 pull an array of DOM_SIDs from a ADS result
552 return the count of SIDs pulled
554 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
555 void *msg, const char *field, DOM_SID **sids)
557 struct berval **values;
561 values = ldap_get_values_len(ads->ld, msg, field);
563 if (!values) return 0;
565 for (i=0; values[i]; i++) /* nop */ ;
567 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i);
570 for (i=0; values[i]; i++) {
571 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
575 ldap_value_free_len(values);
580 /* find the update serial number - this is the core of the ldap cache */
581 BOOL ads_USN(ADS_STRUCT *ads, uint32 *usn)
583 const char *attrs[] = {"highestCommittedUSN", NULL};
588 rc = ads_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
589 if (rc || ads_count_replies(ads, res) != 1) return False;
590 ret = ads_pull_uint32(ads, res, "highestCommittedUSN", usn);
591 ads_msgfree(ads, res);