r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
[tprouty/samba.git] / source / passdb / pdb_ldap.c
1 /* 
2    Unix SMB/CIFS mplementation.
3    LDAP protocol helper functions for SAMBA
4    Copyright (C) Jean Fran├žois Micouleau        1998
5    Copyright (C) Gerald Carter                  2001-2003
6    Copyright (C) Shahms King                    2001
7    Copyright (C) Andrew Bartlett                2002-2003
8    Copyright (C) Stefan (metze) Metzmacher      2002-2003
9     
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 2 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program; if not, write to the Free Software
22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23    
24 */
25
26 /* TODO:
27 *  persistent connections: if using NSS LDAP, many connections are made
28 *      however, using only one within Samba would be nice
29 *  
30 *  Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31 *
32 *  Other LDAP based login attributes: accountExpires, etc.
33 *  (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
34 *  structures don't have fields for some of these attributes)
35 *
36 *  SSL is done, but can't get the certificate based authentication to work
37 *  against on my test platform (Linux 2.4, OpenLDAP 2.x)
38 */
39
40 /* NOTE: this will NOT work against an Active Directory server
41 *  due to the fact that the two password fields cannot be retrieved
42 *  from a server; recommend using security = domain in this situation
43 *  and/or winbind
44 */
45
46 #include "includes.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_PASSDB
50
51 #include <lber.h>
52 #include <ldap.h>
53
54 /*
55  * Work around versions of the LDAP client libs that don't have the OIDs
56  * defined, or have them defined under the old name.  
57  * This functionality is really a factor of the server, not the client 
58  *
59  */
60
61 #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62 #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63 #elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64 #define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
65 #endif
66
67 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70 #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID        ((ber_tag_t) 0x80U)
71 #endif
72
73 #if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75 #elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76 #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW       ((ber_tag_t) 0x82U)
77 #endif
78
79
80 #ifndef SAM_ACCOUNT
81 #define SAM_ACCOUNT struct sam_passwd
82 #endif
83
84 #include "smbldap.h"
85
86 struct ldapsam_privates {
87         struct smbldap_state *smbldap_state;
88
89         /* Former statics */
90         LDAPMessage *result;
91         LDAPMessage *entry;
92         int index;
93         
94         const char *domain_name;
95         DOM_SID domain_sid;
96         
97         /* configuration items */
98         int schema_ver;
99 };
100
101 /**********************************************************************
102  Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
103  **********************************************************************/
104  
105 static void private_data_free_fn(void **result) 
106 {
107         ldap_msgfree(*result);
108         *result = NULL;
109 }
110
111 /**********************************************************************
112  Get the attribute name given a user schame version.
113  **********************************************************************/
114  
115 static const char* get_userattr_key2string( int schema_ver, int key )
116 {
117         switch ( schema_ver ) {
118                 case SCHEMAVER_SAMBAACCOUNT:
119                         return get_attr_key2string( attrib_map_v22, key );
120                         
121                 case SCHEMAVER_SAMBASAMACCOUNT:
122                         return get_attr_key2string( attrib_map_v30, key );
123                         
124                 default:
125                         DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
126                         break;
127         }
128         return NULL;
129 }
130
131 /**********************************************************************
132  Return the list of attribute names given a user schema version.
133 **********************************************************************/
134
135 static char** get_userattr_list( int schema_ver )
136 {
137         switch ( schema_ver ) {
138                 case SCHEMAVER_SAMBAACCOUNT:
139                         return get_attr_list( attrib_map_v22 );
140                         
141                 case SCHEMAVER_SAMBASAMACCOUNT:
142                         return get_attr_list( attrib_map_v30 );
143                 default:
144                         DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
145                         break;
146         }
147         
148         return NULL;
149 }
150
151 /**************************************************************************
152  Return the list of attribute names to delete given a user schema version.
153 **************************************************************************/
154
155 static char** get_userattr_delete_list( int schema_ver )
156 {
157         switch ( schema_ver ) {
158                 case SCHEMAVER_SAMBAACCOUNT:
159                         return get_attr_list( attrib_map_to_delete_v22 );
160                         
161                 case SCHEMAVER_SAMBASAMACCOUNT:
162                         return get_attr_list( attrib_map_to_delete_v30 );
163                 default:
164                         DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
165                         break;
166         }
167         
168         return NULL;
169 }
170
171
172 /*******************************************************************
173  Generate the LDAP search filter for the objectclass based on the 
174  version of the schema we are using.
175 ******************************************************************/
176
177 static const char* get_objclass_filter( int schema_ver )
178 {
179         static fstring objclass_filter;
180         
181         switch( schema_ver ) {
182                 case SCHEMAVER_SAMBAACCOUNT:
183                         fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
184                         break;
185                 case SCHEMAVER_SAMBASAMACCOUNT:
186                         fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
187                         break;
188                 default:
189                         DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
190                         break;
191         }
192         
193         return objclass_filter; 
194 }
195
196 /*******************************************************************
197  Run the search by name.
198 ******************************************************************/
199
200 static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, 
201                                           const char *user,
202                                           LDAPMessage ** result, char **attr)
203 {
204         pstring filter;
205         char *escape_user = escape_ldap_string_alloc(user);
206
207         if (!escape_user) {
208                 return LDAP_NO_MEMORY;
209         }
210
211         /*
212          * in the filter expression, replace %u with the real name
213          * so in ldap filter, %u MUST exist :-)
214          */
215         pstr_sprintf(filter, "(&%s%s)", lp_ldap_filter(), 
216                 get_objclass_filter(ldap_state->schema_ver));
217
218         /* 
219          * have to use this here because $ is filtered out
220            * in pstring_sub
221          */
222         
223
224         all_string_sub(filter, "%u", escape_user, sizeof(pstring));
225         SAFE_FREE(escape_user);
226
227         return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
228 }
229
230 /*******************************************************************
231  Run the search by rid.
232 ******************************************************************/
233
234 static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state, 
235                                          uint32 rid, LDAPMessage ** result, 
236                                          char **attr)
237 {
238         pstring filter;
239         int rc;
240
241         pstr_sprintf(filter, "(&(rid=%i)%s)", rid, 
242                 get_objclass_filter(ldap_state->schema_ver));
243         
244         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
245         
246         return rc;
247 }
248
249 /*******************************************************************
250  Run the search by SID.
251 ******************************************************************/
252
253 static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state, 
254                                          const DOM_SID *sid, LDAPMessage ** result, 
255                                          char **attr)
256 {
257         pstring filter;
258         int rc;
259         fstring sid_string;
260
261         pstr_sprintf(filter, "(&(%s=%s)%s)", 
262                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
263                 sid_to_string(sid_string, sid), 
264                 get_objclass_filter(ldap_state->schema_ver));
265                 
266         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
267         
268         return rc;
269 }
270
271 /*******************************************************************
272  Delete complete object or objectclass and attrs from
273  object found in search_result depending on lp_ldap_delete_dn
274 ******************************************************************/
275
276 static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
277                                      LDAPMessage *result,
278                                      const char *objectclass,
279                                      char **attrs)
280 {
281         int rc;
282         LDAPMessage *entry = NULL;
283         LDAPMod **mods = NULL;
284         char *name, *dn;
285         BerElement *ptr = NULL;
286
287         rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
288
289         if (rc != 1) {
290                 DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
291                 return NT_STATUS_UNSUCCESSFUL;
292         }
293
294         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
295         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
296         if (!dn) {
297                 return NT_STATUS_UNSUCCESSFUL;
298         }
299
300         if (lp_ldap_delete_dn()) {
301                 NTSTATUS ret = NT_STATUS_OK;
302                 rc = smbldap_delete(ldap_state->smbldap_state, dn);
303
304                 if (rc != LDAP_SUCCESS) {
305                         DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn));
306                         ret = NT_STATUS_UNSUCCESSFUL;
307                 }
308                 SAFE_FREE(dn);
309                 return ret;
310         }
311
312         /* Ok, delete only the SAM attributes */
313         
314         for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
315              name != NULL;
316              name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr)) {
317                 char **attrib;
318
319                 /* We are only allowed to delete the attributes that
320                    really exist. */
321
322                 for (attrib = attrs; *attrib != NULL; attrib++) {
323                         /* Don't delete LDAP_ATTR_MOD_TIMESTAMP attribute. */
324                         if (strequal(*attrib, get_userattr_key2string(ldap_state->schema_ver,
325                                                 LDAP_ATTR_MOD_TIMESTAMP))) {
326                                 continue;
327                         }
328                         if (strequal(*attrib, name)) {
329                                 DEBUG(10, ("ldapsam_delete_entry: deleting "
330                                            "attribute %s\n", name));
331                                 smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
332                                                 NULL);
333                         }
334                 }
335
336                 ldap_memfree(name);
337         }
338         
339         if (ptr != NULL) {
340                 ber_free(ptr, 0);
341         }
342         
343         smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
344
345         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
346         ldap_mods_free(mods, True);
347
348         if (rc != LDAP_SUCCESS) {
349                 char *ld_error = NULL;
350                 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
351                                 &ld_error);
352                 
353                 DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
354                           dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
355                 SAFE_FREE(ld_error);
356                 SAFE_FREE(dn);
357                 return NT_STATUS_UNSUCCESSFUL;
358         }
359
360         SAFE_FREE(dn);
361         return NT_STATUS_OK;
362 }
363                   
364 /* New Interface is being implemented here */
365
366 #if 0   /* JERRY - not uesed anymore */
367
368 /**********************************************************************
369 Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
370 *********************************************************************/
371 static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, 
372                                 SAM_ACCOUNT * sampass,
373                                 LDAPMessage * entry,
374                                 gid_t *gid)
375 {
376         pstring  homedir;
377         pstring  temp;
378         char **ldap_values;
379         char **values;
380
381         if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
382                 DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
383                 return False;
384         }
385
386         for (values=ldap_values;*values;values++) {
387                 if (strequal(*values, LDAP_OBJ_POSIXACCOUNT )) {
388                         break;
389                 }
390         }
391         
392         if (!*values) { /*end of array, no posixAccount */
393                 DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
394                 ldap_value_free(ldap_values);
395                 return False;
396         }
397         ldap_value_free(ldap_values);
398
399         if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
400                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) ) 
401         {
402                 return False;
403         }
404         
405         if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
406                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
407         {
408                 return False;
409         }
410         
411         *gid = (gid_t)atol(temp);
412
413         pdb_set_unix_homedir(sampass, homedir, PDB_SET);
414         
415         DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
416         
417         return True;
418 }
419
420 #endif
421
422 static time_t ldapsam_get_entry_timestamp(
423         struct ldapsam_privates *ldap_state,
424         LDAPMessage * entry)
425 {
426         pstring temp;   
427         struct tm tm;
428
429         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
430                         get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
431                         temp))
432                 return (time_t) 0;
433
434         strptime(temp, "%Y%m%d%H%M%SZ", &tm);
435         tzset();
436         return timegm(&tm);
437 }
438
439 /**********************************************************************
440  Initialize SAM_ACCOUNT from an LDAP query.
441  (Based on init_sam_from_buffer in pdb_tdb.c)
442 *********************************************************************/
443
444 static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, 
445                                 SAM_ACCOUNT * sampass,
446                                 LDAPMessage * entry)
447 {
448         time_t  logon_time,
449                         logoff_time,
450                         kickoff_time,
451                         pass_last_set_time, 
452                         pass_can_change_time, 
453                         pass_must_change_time,
454                         ldap_entry_time,
455                         bad_password_time;
456         pstring         username, 
457                         domain,
458                         nt_username,
459                         fullname,
460                         homedir,
461                         dir_drive,
462                         logon_script,
463                         profile_path,
464                         acct_desc,
465                         workstations;
466         char            munged_dial[2048];
467         uint32          user_rid; 
468         uint8           smblmpwd[LM_HASH_LEN],
469                         smbntpwd[NT_HASH_LEN];
470         uint16          acct_ctrl = 0, 
471                         logon_divs;
472         uint16          bad_password_count = 0, 
473                         logon_count = 0;
474         uint32 hours_len;
475         uint8           hours[MAX_HOURS_LEN];
476         pstring temp;
477         LOGIN_CACHE     *cache_entry = NULL;
478         int pwHistLen;
479
480         /*
481          * do a little initialization
482          */
483         username[0]     = '\0';
484         domain[0]       = '\0';
485         nt_username[0]  = '\0';
486         fullname[0]     = '\0';
487         homedir[0]      = '\0';
488         dir_drive[0]    = '\0';
489         logon_script[0] = '\0';
490         profile_path[0] = '\0';
491         acct_desc[0]    = '\0';
492         munged_dial[0]  = '\0';
493         workstations[0] = '\0';
494          
495
496         if (sampass == NULL || ldap_state == NULL || entry == NULL) {
497                 DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
498                 return False;
499         }
500
501         if (ldap_state->smbldap_state->ldap_struct == NULL) {
502                 DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
503                 return False;
504         }
505         
506         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
507                 DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
508                 return False;
509         }
510
511         DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
512
513         pstrcpy(nt_username, username);
514
515         pstrcpy(domain, ldap_state->domain_name);
516         
517         pdb_set_username(sampass, username, PDB_SET);
518
519         pdb_set_domain(sampass, domain, PDB_DEFAULT);
520         pdb_set_nt_username(sampass, nt_username, PDB_SET);
521
522         /* deal with different attributes between the schema first */
523         
524         if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
525                 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
526                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
527                         pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
528                 }
529                 
530                 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
531                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) {
532                         pdb_set_group_sid_from_string(sampass, temp, PDB_SET);                  
533                 } else {
534                         pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
535                 }
536         } else {
537                 if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
538                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
539                         user_rid = (uint32)atol(temp);
540                         pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
541                 }
542                 
543                 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
544                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) {
545                         pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
546                 } else {
547                         uint32 group_rid;
548                         
549                         group_rid = (uint32)atol(temp);
550                         
551                         /* for some reason, we often have 0 as a primary group RID.
552                            Make sure that we treat this just as a 'default' value */
553                            
554                         if ( group_rid > 0 )
555                                 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
556                         else
557                                 pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
558                 }
559         }
560
561         if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
562                 DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n", 
563                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
564                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
565                         username));
566                 return False;
567         }
568
569         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
570                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
571                 /* leave as default */
572         } else {
573                 pass_last_set_time = (time_t) atol(temp);
574                 pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
575         }
576
577         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
578                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
579                 /* leave as default */
580         } else {
581                 logon_time = (time_t) atol(temp);
582                 pdb_set_logon_time(sampass, logon_time, PDB_SET);
583         }
584
585         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
586                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
587                 /* leave as default */
588         } else {
589                 logoff_time = (time_t) atol(temp);
590                 pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
591         }
592
593         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
594                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
595                 /* leave as default */
596         } else {
597                 kickoff_time = (time_t) atol(temp);
598                 pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
599         }
600
601         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
602                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
603                 /* leave as default */
604         } else {
605                 pass_can_change_time = (time_t) atol(temp);
606                 pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
607         }
608
609         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
610                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {    
611                 /* leave as default */
612         } else {
613                 pass_must_change_time = (time_t) atol(temp);
614                 pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
615         }
616
617         /* recommend that 'gecos' and 'displayName' should refer to the same
618          * attribute OID.  userFullName depreciated, only used by Samba
619          * primary rules of LDAP: don't make a new attribute when one is already defined
620          * that fits your needs; using cn then displayName rather than 'userFullName'
621          */
622
623         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
624                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
625                 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
626                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
627                         /* leave as default */
628                 } else {
629                         pdb_set_fullname(sampass, fullname, PDB_SET);
630                 }
631         } else {
632                 pdb_set_fullname(sampass, fullname, PDB_SET);
633         }
634
635         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
636                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive)) 
637         {
638                 pdb_set_dir_drive( sampass, 
639                         talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
640                         PDB_DEFAULT );
641         } else {
642                 pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
643         }
644
645         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
646                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir)) 
647         {
648                 pdb_set_homedir( sampass, 
649                         talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
650                         PDB_DEFAULT );
651         } else {
652                 pdb_set_homedir(sampass, homedir, PDB_SET);
653         }
654
655         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
656                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script)) 
657         {
658                 pdb_set_logon_script( sampass, 
659                         talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()), 
660                         PDB_DEFAULT );
661         } else {
662                 pdb_set_logon_script(sampass, logon_script, PDB_SET);
663         }
664
665         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
666                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path)) 
667         {
668                 pdb_set_profile_path( sampass, 
669                         talloc_sub_basic( sampass->mem_ctx, username, lp_logon_path()),
670                         PDB_DEFAULT );
671         } else {
672                 pdb_set_profile_path(sampass, profile_path, PDB_SET);
673         }
674
675         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
676                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc)) 
677         {
678                 /* leave as default */
679         } else {
680                 pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
681         }
682
683         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
684                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
685                 /* leave as default */;
686         } else {
687                 pdb_set_workstations(sampass, workstations, PDB_SET);
688         }
689
690         if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry, 
691                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
692                 /* leave as default */;
693         } else {
694                 pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
695         }
696         
697         /* FIXME: hours stuff should be cleaner */
698         
699         logon_divs = 168;
700         hours_len = 21;
701         memset(hours, 0xff, hours_len);
702
703         if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry, 
704                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
705                 /* leave as default */
706         } else {
707                 pdb_gethexpwd(temp, smblmpwd);
708                 memset((char *)temp, '\0', strlen(temp)+1);
709                 if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
710                         return False;
711                 ZERO_STRUCT(smblmpwd);
712         }
713
714         if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
715                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
716                 /* leave as default */
717         } else {
718                 pdb_gethexpwd(temp, smbntpwd);
719                 memset((char *)temp, '\0', strlen(temp)+1);
720                 if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
721                         return False;
722                 ZERO_STRUCT(smbntpwd);
723         }
724
725         account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
726         if (pwHistLen > 0){
727                 uint8 *pwhist = NULL;
728                 int i;
729
730                 /* We can only store (sizeof(pstring)-1)/64 password history entries. */
731                 pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/64));
732
733                 if ((pwhist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN)) == NULL){
734                         DEBUG(0, ("init_sam_from_ldap: malloc failed!\n"));
735                         return False;
736                 }
737                 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
738
739                 if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry, 
740                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), temp)) {
741                         /* leave as default - zeros */
742                 } else {
743                         BOOL hex_failed = False;
744                         for (i = 0; i < pwHistLen; i++){
745                                 /* Get the 16 byte salt. */
746                                 if (!pdb_gethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
747                                         hex_failed = True;
748                                         break;
749                                 }
750                                 /* Get the 16 byte MD5 hash of salt+passwd. */
751                                 if (!pdb_gethexpwd(&temp[(i*64)+32],
752                                                 &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN])) {
753                                         hex_failed = True;
754                                         break;
755                                 }
756                         }
757                         if (hex_failed) {
758                                 DEBUG(0,("init_sam_from_ldap: Failed to get password history for user %s\n",
759                                         username));
760                                 memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
761                         }
762                 }
763                 if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
764                         SAFE_FREE(pwhist);
765                         return False;
766                 }
767                 SAFE_FREE(pwhist);
768         }
769
770         if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
771                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
772                 acct_ctrl |= ACB_NORMAL;
773         } else {
774                 acct_ctrl = pdb_decode_acct_ctrl(temp);
775
776                 if (acct_ctrl == 0)
777                         acct_ctrl |= ACB_NORMAL;
778
779                 pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
780         }
781
782         pdb_set_hours_len(sampass, hours_len, PDB_SET);
783         pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
784
785 /*      pdb_set_munged_dial(sampass, munged_dial, PDB_SET); */
786         
787         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
788                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
789                         /* leave as default */
790         } else {
791                 bad_password_count = (uint32) atol(temp);
792                 pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
793         }
794
795         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
796                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
797                 /* leave as default */
798         } else {
799                 bad_password_time = (time_t) atol(temp);
800                 pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
801         }
802
803
804         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
805                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
806                         /* leave as default */
807         } else {
808                 logon_count = (uint32) atol(temp);
809                 pdb_set_logon_count(sampass, logon_count, PDB_SET);
810         }
811
812         /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
813
814         if(!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
815                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_HOURS), temp)) {
816                         /* leave as default */
817         } else {
818                 pdb_gethexhours(temp, hours);
819                 memset((char *)temp, '\0', strlen(temp) +1);
820                 pdb_set_hours(sampass, hours, PDB_SET);
821                 ZERO_STRUCT(hours);
822         }
823
824         /* check the timestamp of the cache vs ldap entry */
825         if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state, 
826                                                             entry)))
827                 return True;
828
829         /* see if we have newer updates */
830         if (!(cache_entry = login_cache_read(sampass))) {
831                 DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
832                            (unsigned int)pdb_get_bad_password_count(sampass),
833                            (unsigned int)pdb_get_bad_password_time(sampass)));
834                 return True;
835         }
836
837         DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n", 
838                   (unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp, 
839                   (unsigned int)cache_entry->bad_password_time));
840
841         if (ldap_entry_time > cache_entry->entry_timestamp) {
842                 /* cache is older than directory , so
843                    we need to delete the entry but allow the 
844                    fields to be written out */
845                 login_cache_delentry(sampass);
846         } else {
847                 /* read cache in */
848                 pdb_set_acct_ctrl(sampass, 
849                                   pdb_get_acct_ctrl(sampass) | 
850                                   (cache_entry->acct_ctrl & ACB_AUTOLOCK),
851                                   PDB_SET);
852                 pdb_set_bad_password_count(sampass, 
853                                            cache_entry->bad_password_count, 
854                                            PDB_SET);
855                 pdb_set_bad_password_time(sampass, 
856                                           cache_entry->bad_password_time, 
857                                           PDB_SET);
858         }
859
860         SAFE_FREE(cache_entry);
861         return True;
862 }
863
864 /**********************************************************************
865  Initialize the ldap db from a SAM_ACCOUNT. Called on update.
866  (Based on init_buffer_from_sam in pdb_tdb.c)
867 *********************************************************************/
868
869 static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, 
870                                 LDAPMessage *existing,
871                                 LDAPMod *** mods, SAM_ACCOUNT * sampass,
872                                 BOOL (*need_update)(const SAM_ACCOUNT *,
873                                                     enum pdb_elements))
874 {
875         pstring temp;
876         uint32 rid;
877
878         if (mods == NULL || sampass == NULL) {
879                 DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
880                 return False;
881         }
882
883         *mods = NULL;
884
885         /* 
886          * took out adding "objectclass: sambaAccount"
887          * do this on a per-mod basis
888          */
889         if (need_update(sampass, PDB_USERNAME))
890                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, 
891                               "uid", pdb_get_username(sampass));
892
893         DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
894
895         /* only update the RID if we actually need to */
896         if (need_update(sampass, PDB_USERSID)) {
897                 fstring sid_string;
898                 fstring dom_sid_string;
899                 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
900                 
901                 switch ( ldap_state->schema_ver ) {
902                         case SCHEMAVER_SAMBAACCOUNT:
903                                 if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
904                                         DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", 
905                                                 sid_to_string(sid_string, user_sid), 
906                                                 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
907                                         return False;
908                                 }
909                                 slprintf(temp, sizeof(temp) - 1, "%i", rid);
910                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
911                                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), 
912                                         temp);
913                                 break;
914                                 
915                         case SCHEMAVER_SAMBASAMACCOUNT:
916                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
917                                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
918                                         sid_to_string(sid_string, user_sid));                                 
919                                 break;
920                                 
921                         default:
922                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
923                                 break;
924                 }               
925         }
926
927         /* we don't need to store the primary group RID - so leaving it
928            'free' to hang off the unix primary group makes life easier */
929
930         if (need_update(sampass, PDB_GROUPSID)) {
931                 fstring sid_string;
932                 fstring dom_sid_string;
933                 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
934                 
935                 switch ( ldap_state->schema_ver ) {
936                         case SCHEMAVER_SAMBAACCOUNT:
937                                 if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
938                                         DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
939                                                 sid_to_string(sid_string, group_sid),
940                                                 sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
941                                         return False;
942                                 }
943
944                                 slprintf(temp, sizeof(temp) - 1, "%i", rid);
945                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
946                                         get_userattr_key2string(ldap_state->schema_ver, 
947                                         LDAP_ATTR_PRIMARY_GROUP_RID), temp);
948                                 break;
949                                 
950                         case SCHEMAVER_SAMBASAMACCOUNT:
951                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
952                                         get_userattr_key2string(ldap_state->schema_ver, 
953                                         LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
954                                 break;
955                                 
956                         default:
957                                 DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
958                                 break;
959                 }
960                 
961         }
962         
963         /* displayName, cn, and gecos should all be the same
964          *  most easily accomplished by giving them the same OID
965          *  gecos isn't set here b/c it should be handled by the 
966          *  add-user script
967          *  We change displayName only and fall back to cn if
968          *  it does not exist.
969          */
970
971         if (need_update(sampass, PDB_FULLNAME))
972                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
973                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), 
974                         pdb_get_fullname(sampass));
975
976         if (need_update(sampass, PDB_ACCTDESC))
977                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
978                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), 
979                         pdb_get_acct_desc(sampass));
980
981         if (need_update(sampass, PDB_WORKSTATIONS))
982                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
983                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), 
984                         pdb_get_workstations(sampass));
985         
986         if (need_update(sampass, PDB_MUNGEDDIAL))
987                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
988                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), 
989                         pdb_get_munged_dial(sampass));
990         
991         if (need_update(sampass, PDB_SMBHOME))
992                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
993                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), 
994                         pdb_get_homedir(sampass));
995                         
996         if (need_update(sampass, PDB_DRIVE))
997                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
998                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), 
999                         pdb_get_dir_drive(sampass));
1000
1001         if (need_update(sampass, PDB_LOGONSCRIPT))
1002                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1003                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), 
1004                         pdb_get_logon_script(sampass));
1005
1006         if (need_update(sampass, PDB_PROFILE))
1007                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1008                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), 
1009                         pdb_get_profile_path(sampass));
1010
1011         slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
1012         if (need_update(sampass, PDB_LOGONTIME))
1013                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1014                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1015
1016         slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
1017         if (need_update(sampass, PDB_LOGOFFTIME))
1018                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1019                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1020
1021         slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
1022         if (need_update(sampass, PDB_KICKOFFTIME))
1023                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1024                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1025
1026         slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
1027         if (need_update(sampass, PDB_CANCHANGETIME))
1028                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1029                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1030
1031         slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
1032         if (need_update(sampass, PDB_MUSTCHANGETIME))
1033                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1034                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
1035
1036
1037         if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
1038                         || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1039
1040                 if (need_update(sampass, PDB_LMPASSWD)) {
1041                         const uchar *lm_pw =  pdb_get_lanman_passwd(sampass);
1042                         if (lm_pw) {
1043                                 pdb_sethexpwd(temp, lm_pw,
1044                                               pdb_get_acct_ctrl(sampass));
1045                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1046                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1047                                                  temp);
1048                         } else {
1049                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1050                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), 
1051                                                  NULL);
1052                         }
1053                 }
1054                 if (need_update(sampass, PDB_NTPASSWD)) {
1055                         const uchar *nt_pw =  pdb_get_nt_passwd(sampass);
1056                         if (nt_pw) {
1057                                 pdb_sethexpwd(temp, nt_pw,
1058                                               pdb_get_acct_ctrl(sampass));
1059                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1060                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1061                                                  temp);
1062                         } else {
1063                                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1064                                                  get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), 
1065                                                  NULL);
1066                         }
1067                 }
1068
1069                 if (need_update(sampass, PDB_PWHISTORY)) {
1070                         int pwHistLen = 0;
1071                         account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
1072                         if (pwHistLen == 0) {
1073                                 /* Remove any password history from the LDAP store. */
1074                                 memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
1075                                 temp[64] = '\0';
1076                         } else {
1077                                 int i, currHistLen = 0;
1078                                 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1079                                 if (pwhist != NULL) {
1080                                         /* We can only store (sizeof(pstring)-1)/64 password history entries. */
1081                                         pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/64));
1082                                         for (i=0; i< pwHistLen && i < currHistLen; i++) {
1083                                                 /* Store the salt. */
1084                                                 pdb_sethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
1085                                                 /* Followed by the md5 hash of salt + md4 hash */
1086                                                 pdb_sethexpwd(&temp[(i*64)+32],
1087                                                         &pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1088                                                 DEBUG(100, ("temp=%s\n", temp));
1089                                         }
1090                                 } 
1091                         }
1092                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1093                                          get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY), 
1094                                          temp);
1095                 }
1096
1097                 if (need_update(sampass, PDB_PASSLASTSET)) {
1098                         slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
1099                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1100                                 get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), 
1101                                 temp);
1102                 }
1103         }
1104
1105         if (need_update(sampass, PDB_HOURS)) {
1106                 const char *hours = pdb_get_hours(sampass);
1107                 if (hours) {
1108                         pdb_sethexhours(temp, hours);
1109                         smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
1110                                 existing,
1111                                 mods,
1112                                 get_userattr_key2string(ldap_state->schema_ver,
1113                                                 LDAP_ATTR_LOGON_HOURS),
1114                                 temp);
1115                 }
1116         }
1117
1118         if (need_update(sampass, PDB_ACCTCTRL))
1119                 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1120                         get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), 
1121                         pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1122
1123         /* password lockout cache: 
1124            - If we are now autolocking or clearing, we write to ldap
1125            - If we are clearing, we delete the cache entry
1126            - If the count is > 0, we update the cache
1127
1128            This even means when autolocking, we cache, just in case the
1129            update doesn't work, and we have to cache the autolock flag */
1130
1131         if (need_update(sampass, PDB_BAD_PASSWORD_COUNT))  /* &&
1132             need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1133                 uint16 badcount = pdb_get_bad_password_count(sampass);
1134                 time_t badtime = pdb_get_bad_password_time(sampass);
1135                 uint32 pol;
1136                 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1137
1138                 DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1139                         (unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1140
1141                 if ((badcount >= pol) || (badcount == 0)) {
1142                         DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1143                                 (unsigned int)badcount, (unsigned int)badtime));
1144                         slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
1145                         smbldap_make_mod(
1146                                 ldap_state->smbldap_state->ldap_struct,
1147                                 existing, mods, 
1148                                 get_userattr_key2string(
1149                                         ldap_state->schema_ver, 
1150                                         LDAP_ATTR_BAD_PASSWORD_COUNT),
1151                                 temp);
1152
1153                         slprintf (temp, sizeof (temp) - 1, "%li", badtime);
1154                         smbldap_make_mod(
1155                                 ldap_state->smbldap_state->ldap_struct, 
1156                                 existing, mods,
1157                                 get_userattr_key2string(
1158                                         ldap_state->schema_ver, 
1159                                         LDAP_ATTR_BAD_PASSWORD_TIME), 
1160                                 temp);
1161                 }
1162                 if (badcount == 0) {
1163                         DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1164                         login_cache_delentry(sampass);
1165                 } else {
1166                         LOGIN_CACHE cache_entry;
1167
1168                         cache_entry.entry_timestamp = time(NULL);
1169                         cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1170                         cache_entry.bad_password_count = badcount;
1171                         cache_entry.bad_password_time = badtime;
1172
1173                         DEBUG(7, ("Updating bad password count and time in login cache\n"));
1174                         login_cache_write(sampass, cache_entry);
1175                 }
1176         }
1177
1178         return True;
1179 }
1180
1181 /**********************************************************************
1182  Connect to LDAP server for password enumeration.
1183 *********************************************************************/
1184
1185 static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
1186 {
1187         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1188         int rc;
1189         pstring filter;
1190         char **attr_list;
1191
1192         pstr_sprintf( filter, "(&%s%s)", lp_ldap_filter(), 
1193                 get_objclass_filter(ldap_state->schema_ver));
1194         all_string_sub(filter, "%u", "*", sizeof(pstring));
1195
1196         attr_list = get_userattr_list(ldap_state->schema_ver);
1197         rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, 
1198                                    attr_list, &ldap_state->result);
1199         free_attr_list( attr_list );
1200
1201         if (rc != LDAP_SUCCESS) {
1202                 DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
1203                 DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", lp_ldap_suffix(), filter));
1204                 ldap_msgfree(ldap_state->result);
1205                 ldap_state->result = NULL;
1206                 return NT_STATUS_UNSUCCESSFUL;
1207         }
1208
1209         DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
1210                 ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
1211                 ldap_state->result)));
1212
1213         ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
1214                                  ldap_state->result);
1215         ldap_state->index = 0;
1216
1217         return NT_STATUS_OK;
1218 }
1219
1220 /**********************************************************************
1221  End enumeration of the LDAP password list.
1222 *********************************************************************/
1223
1224 static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1225 {
1226         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1227         if (ldap_state->result) {
1228                 ldap_msgfree(ldap_state->result);
1229                 ldap_state->result = NULL;
1230         }
1231 }
1232
1233 /**********************************************************************
1234 Get the next entry in the LDAP password database.
1235 *********************************************************************/
1236
1237 static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
1238 {
1239         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1240         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1241         BOOL bret = False;
1242
1243         while (!bret) {
1244                 if (!ldap_state->entry)
1245                         return ret;
1246                 
1247                 ldap_state->index++;
1248                 bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
1249                 
1250                 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
1251                                             ldap_state->entry); 
1252         }
1253
1254         return NT_STATUS_OK;
1255 }
1256
1257 static void append_attr(char ***attr_list, const char *new_attr)
1258 {
1259         int i;
1260
1261         if (new_attr == NULL) {
1262                 return;
1263         }
1264
1265         for (i=0; (*attr_list)[i] != NULL; i++) {
1266                 ;
1267         }
1268
1269         (*attr_list) = SMB_REALLOC_ARRAY((*attr_list), char *,  i+2);
1270         SMB_ASSERT((*attr_list) != NULL);
1271         (*attr_list)[i] = SMB_STRDUP(new_attr);
1272         (*attr_list)[i+1] = NULL;
1273 }
1274
1275 /**********************************************************************
1276 Get SAM_ACCOUNT entry from LDAP by username.
1277 *********************************************************************/
1278
1279 static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
1280 {
1281         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1282         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1283         LDAPMessage *result = NULL;
1284         LDAPMessage *entry = NULL;
1285         int count;
1286         char ** attr_list;
1287         int rc;
1288         
1289         attr_list = get_userattr_list( ldap_state->schema_ver );
1290         append_attr(&attr_list, get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP));
1291         rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1292         free_attr_list( attr_list );
1293
1294         if ( rc != LDAP_SUCCESS ) 
1295                 return NT_STATUS_NO_SUCH_USER;
1296         
1297         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1298         
1299         if (count < 1) {
1300                 DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1301                 ldap_msgfree(result);
1302                 return NT_STATUS_NO_SUCH_USER;
1303         } else if (count > 1) {
1304                 DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1305                 ldap_msgfree(result);
1306                 return NT_STATUS_NO_SUCH_USER;
1307         }
1308
1309         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1310         if (entry) {
1311                 if (!init_sam_from_ldap(ldap_state, user, entry)) {
1312                         DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1313                         ldap_msgfree(result);
1314                         return NT_STATUS_NO_SUCH_USER;
1315                 }
1316                 pdb_set_backend_private_data(user, result, 
1317                                              private_data_free_fn, 
1318                                              my_methods, PDB_CHANGED);
1319                 ret = NT_STATUS_OK;
1320         } else {
1321                 ldap_msgfree(result);
1322         }
1323         return ret;
1324 }
1325
1326 static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state, 
1327                                    const DOM_SID *sid, LDAPMessage **result) 
1328 {
1329         int rc = -1;
1330         char ** attr_list;
1331         uint32 rid;
1332
1333         switch ( ldap_state->schema_ver ) {
1334                 case SCHEMAVER_SAMBASAMACCOUNT:
1335                         attr_list = get_userattr_list(ldap_state->schema_ver);
1336                         append_attr(&attr_list, get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP));
1337                         rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
1338                         free_attr_list( attr_list );
1339
1340                         if ( rc != LDAP_SUCCESS ) 
1341                                 return rc;
1342                         break;
1343                         
1344                 case SCHEMAVER_SAMBAACCOUNT:
1345                         if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1346                                 return rc;
1347                         }
1348                 
1349                         attr_list = get_userattr_list(ldap_state->schema_ver);
1350                         rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1351                         free_attr_list( attr_list );
1352
1353                         if ( rc != LDAP_SUCCESS ) 
1354                                 return rc;
1355                         break;
1356         }
1357         return rc;
1358 }
1359
1360 /**********************************************************************
1361  Get SAM_ACCOUNT entry from LDAP by SID.
1362 *********************************************************************/
1363
1364 static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
1365 {
1366         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1367         LDAPMessage *result = NULL;
1368         LDAPMessage *entry = NULL;
1369         int count;
1370         int rc;
1371         fstring sid_string;
1372
1373         rc = ldapsam_get_ldap_user_by_sid(ldap_state, 
1374                                           sid, &result); 
1375         if (rc != LDAP_SUCCESS)
1376                 return NT_STATUS_NO_SUCH_USER;
1377
1378         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1379         
1380         if (count < 1) {
1381                 DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
1382                        count));
1383                 ldap_msgfree(result);
1384                 return NT_STATUS_NO_SUCH_USER;
1385         }  else if (count > 1) {
1386                 DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
1387                        count));
1388                 ldap_msgfree(result);
1389                 return NT_STATUS_NO_SUCH_USER;
1390         }
1391
1392         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1393         if (!entry) {
1394                 ldap_msgfree(result);
1395                 return NT_STATUS_NO_SUCH_USER;
1396         }
1397
1398         if (!init_sam_from_ldap(ldap_state, user, entry)) {
1399                 DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1400                 ldap_msgfree(result);
1401                 return NT_STATUS_NO_SUCH_USER;
1402         }
1403
1404         pdb_set_backend_private_data(user, result, 
1405                                      private_data_free_fn, 
1406                                      my_methods, PDB_CHANGED);
1407         return NT_STATUS_OK;
1408 }       
1409
1410 static BOOL ldapsam_can_pwchange_exop(struct smbldap_state *ldap_state)
1411 {
1412         LDAPMessage *msg = NULL;
1413         LDAPMessage *entry = NULL;
1414         char **values = NULL;
1415         char *attrs[] = { "supportedExtension", NULL };
1416         int rc, num_result, num_values, i;
1417         BOOL result = False;
1418
1419         rc = smbldap_search(ldap_state, "", LDAP_SCOPE_BASE, "(objectclass=*)",
1420                             attrs, 0, &msg);
1421
1422         if (rc != LDAP_SUCCESS) {
1423                 DEBUG(3, ("Could not search rootDSE\n"));
1424                 return False;
1425         }
1426
1427         num_result = ldap_count_entries(ldap_state->ldap_struct, msg);
1428
1429         if (num_result != 1) {
1430                 DEBUG(3, ("Expected one rootDSE, got %d\n", num_result));
1431                 goto done;
1432         }
1433
1434         entry = ldap_first_entry(ldap_state->ldap_struct, msg);
1435
1436         if (entry == NULL) {
1437                 DEBUG(3, ("Could not retrieve rootDSE\n"));
1438                 goto done;
1439         }
1440
1441         values = ldap_get_values(ldap_state->ldap_struct, entry,
1442                                  "supportedExtension");
1443
1444         if (values == NULL) {
1445                 DEBUG(9, ("LDAP Server does not support any extensions\n"));
1446                 goto done;
1447         }
1448
1449         num_values = ldap_count_values(values);
1450
1451         if (num_values == 0) {
1452                 DEBUG(9, ("LDAP Server does not support any extensions\n"));
1453                 goto done;
1454         }
1455
1456         for (i=0; i<num_values; i++) {
1457                 if (strcmp(values[i], LDAP_EXOP_MODIFY_PASSWD) == 0)
1458                         result = True;
1459         }
1460
1461  done:
1462         if (values != NULL)
1463                 ldap_value_free(values);
1464         if (msg != NULL)
1465                 ldap_msgfree(msg);
1466
1467         return result;
1468 }
1469
1470 /********************************************************************
1471  Do the actual modification - also change a plaintext passord if 
1472  it it set.
1473 **********************************************************************/
1474
1475 static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, 
1476                                      SAM_ACCOUNT *newpwd, char *dn,
1477                                      LDAPMod **mods, int ldap_op, 
1478                                      BOOL (*need_update)(const SAM_ACCOUNT *, enum pdb_elements))
1479 {
1480         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1481         int rc;
1482         
1483         if (!my_methods || !newpwd || !dn) {
1484                 return NT_STATUS_INVALID_PARAMETER;
1485         }
1486         
1487         if (!mods) {
1488                 DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1489                 /* may be password change below however */
1490         } else {
1491                 switch(ldap_op) {
1492                         case LDAP_MOD_ADD: 
1493                                 smbldap_set_mod(&mods, LDAP_MOD_ADD, 
1494                                                 "objectclass", 
1495                                                 LDAP_OBJ_ACCOUNT);
1496                                 rc = smbldap_add(ldap_state->smbldap_state, 
1497                                                  dn, mods);
1498                                 break;
1499                         case LDAP_MOD_REPLACE: 
1500                                 rc = smbldap_modify(ldap_state->smbldap_state, 
1501                                                     dn ,mods);
1502                                 break;
1503                         default:        
1504                                 DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n", 
1505                                          ldap_op));
1506                                 return NT_STATUS_INVALID_PARAMETER;
1507                 }
1508                 
1509                 if (rc!=LDAP_SUCCESS) {
1510                         char *ld_error = NULL;
1511                         ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1512                                         &ld_error);
1513                         DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
1514                                ldap_op == LDAP_MOD_ADD ? "add" : "modify",
1515                                dn, ldap_err2string(rc),
1516                                ld_error?ld_error:"unknown"));
1517                         SAFE_FREE(ld_error);
1518                         return NT_STATUS_UNSUCCESSFUL;
1519                 }  
1520         }
1521         
1522         if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
1523                         (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1524                         need_update(newpwd, PDB_PLAINTEXT_PW) &&
1525                         (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1526                 BerElement *ber;
1527                 struct berval *bv;
1528                 char *retoid;
1529                 struct berval *retdata;
1530                 char *utf8_password;
1531                 char *utf8_dn;
1532
1533                 if (!ldapsam_can_pwchange_exop(ldap_state->smbldap_state)) {
1534                         DEBUG(2, ("ldap password change requested, but LDAP "
1535                                   "server does not support it -- ignoring\n"));
1536                         return NT_STATUS_OK;
1537                 }
1538
1539                 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1540                         return NT_STATUS_NO_MEMORY;
1541                 }
1542
1543                 if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1544                         return NT_STATUS_NO_MEMORY;
1545                 }
1546
1547                 if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1548                         DEBUG(0,("ber_alloc_t returns NULL\n"));
1549                         SAFE_FREE(utf8_password);
1550                         return NT_STATUS_UNSUCCESSFUL;
1551                 }
1552
1553                 ber_printf (ber, "{");
1554                 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
1555                 ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
1556                 ber_printf (ber, "N}");
1557
1558                 if ((rc = ber_flatten (ber, &bv))<0) {
1559                         DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1560                         ber_free(ber,1);
1561                         SAFE_FREE(utf8_dn);
1562                         SAFE_FREE(utf8_password);
1563                         return NT_STATUS_UNSUCCESSFUL;
1564                 }
1565                 
1566                 SAFE_FREE(utf8_dn);
1567                 SAFE_FREE(utf8_password);
1568                 ber_free(ber, 1);
1569
1570                 if ((rc = smbldap_extended_operation(ldap_state->smbldap_state, 
1571                                                      LDAP_EXOP_MODIFY_PASSWD,
1572                                                      bv, NULL, NULL, &retoid, 
1573                                                      &retdata)) != LDAP_SUCCESS) {
1574                         char *ld_error = NULL;
1575
1576                         if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1577                                 DEBUG(3, ("Could not set userPassword "
1578                                           "attribute due to an objectClass "
1579                                           "violation -- ignoring\n"));
1580                                 ber_bvfree(bv);
1581                                 return NT_STATUS_OK;
1582                         }
1583
1584                         ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1585                                         &ld_error);
1586                         DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1587                                 pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1588                         SAFE_FREE(ld_error);
1589                         ber_bvfree(bv);
1590                         return NT_STATUS_UNSUCCESSFUL;
1591                 } else {
1592                         DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1593 #ifdef DEBUG_PASSWORD
1594                         DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1595 #endif    
1596                         ber_bvfree(retdata);
1597                         ber_memfree(retoid);
1598                 }
1599                 ber_bvfree(bv);
1600         }
1601         return NT_STATUS_OK;
1602 }
1603
1604 /**********************************************************************
1605  Delete entry from LDAP for username.
1606 *********************************************************************/
1607
1608 static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
1609 {
1610         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1611         const char *sname;
1612         int rc;
1613         LDAPMessage *result = NULL;
1614         NTSTATUS ret;
1615         char **attr_list;
1616         fstring objclass;
1617
1618         if (!sam_acct) {
1619                 DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1620                 return NT_STATUS_INVALID_PARAMETER;
1621         }
1622
1623         sname = pdb_get_username(sam_acct);
1624
1625         DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname));
1626
1627         attr_list= get_userattr_delete_list( ldap_state->schema_ver );
1628         rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
1629
1630         if (rc != LDAP_SUCCESS)  {
1631                 free_attr_list( attr_list );
1632                 return NT_STATUS_NO_SUCH_USER;
1633         }
1634         
1635         switch ( ldap_state->schema_ver ) {
1636                 case SCHEMAVER_SAMBASAMACCOUNT:
1637                         fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
1638                         break;
1639                         
1640                 case SCHEMAVER_SAMBAACCOUNT:
1641                         fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
1642                         break;
1643                 default:
1644                         fstrcpy( objclass, "UNKNOWN" );
1645                         DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
1646                                 break;
1647         }
1648
1649         ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
1650         ldap_msgfree(result);
1651         free_attr_list( attr_list );
1652
1653         return ret;
1654 }
1655
1656 /**********************************************************************
1657  Helper function to determine for update_sam_account whether
1658  we need LDAP modification.
1659 *********************************************************************/
1660
1661 static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
1662                                enum pdb_elements element)
1663 {
1664         return IS_SAM_CHANGED(sampass, element);
1665 }
1666
1667 /**********************************************************************
1668  Update SAM_ACCOUNT.
1669 *********************************************************************/
1670
1671 static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1672 {
1673         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1674         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1675         int rc = 0;
1676         char *dn;
1677         LDAPMessage *result = NULL;
1678         LDAPMessage *entry = NULL;
1679         LDAPMod **mods = NULL;
1680         char **attr_list;
1681
1682         result = pdb_get_backend_private_data(newpwd, my_methods);
1683         if (!result) {
1684                 attr_list = get_userattr_list(ldap_state->schema_ver);
1685                 rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1686                 free_attr_list( attr_list );
1687                 if (rc != LDAP_SUCCESS) {
1688                         return NT_STATUS_UNSUCCESSFUL;
1689                 }
1690                 pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
1691         }
1692
1693         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1694                 DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1695                 return NT_STATUS_UNSUCCESSFUL;
1696         }
1697
1698         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1699         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1700         if (!dn) {
1701                 return NT_STATUS_UNSUCCESSFUL;
1702         }
1703
1704         DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1705
1706         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1707                                 element_is_changed)) {
1708                 DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1709                 SAFE_FREE(dn);
1710                 if (mods != NULL)
1711                         ldap_mods_free(mods,True);
1712                 return NT_STATUS_UNSUCCESSFUL;
1713         }
1714         
1715         if (mods == NULL) {
1716                 DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1717                          pdb_get_username(newpwd)));
1718                 SAFE_FREE(dn);
1719                 return NT_STATUS_OK;
1720         }
1721         
1722         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1723         ldap_mods_free(mods,True);
1724         SAFE_FREE(dn);
1725
1726         if (!NT_STATUS_IS_OK(ret)) {
1727                 char *ld_error = NULL;
1728                 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1729                                 &ld_error);
1730                 DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
1731                          pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
1732                 SAFE_FREE(ld_error);
1733                 return ret;
1734         }
1735
1736         DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1737                   pdb_get_username(newpwd)));
1738         return NT_STATUS_OK;
1739 }
1740
1741 /**********************************************************************
1742  Helper function to determine for update_sam_account whether
1743  we need LDAP modification.
1744  *********************************************************************/
1745
1746 static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
1747                                       enum pdb_elements element)
1748 {
1749         return (IS_SAM_SET(sampass, element) ||
1750                 IS_SAM_CHANGED(sampass, element));
1751 }
1752
1753 /**********************************************************************
1754  Add SAM_ACCOUNT to LDAP.
1755 *********************************************************************/
1756
1757 static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
1758 {
1759         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1760         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
1761         int rc;
1762         LDAPMessage     *result = NULL;
1763         LDAPMessage     *entry  = NULL;
1764         pstring         dn;
1765         LDAPMod         **mods = NULL;
1766         int             ldap_op = LDAP_MOD_REPLACE;
1767         uint32          num_result;
1768         char            **attr_list;
1769         char            *escape_user;
1770         const char      *username = pdb_get_username(newpwd);
1771         const DOM_SID   *sid = pdb_get_user_sid(newpwd);
1772         pstring         filter;
1773         fstring         sid_string;
1774
1775         if (!username || !*username) {
1776                 DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
1777                 return NT_STATUS_INVALID_PARAMETER;
1778         }
1779
1780         /* free this list after the second search or in case we exit on failure */
1781         attr_list = get_userattr_list(ldap_state->schema_ver);
1782
1783         rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
1784
1785         if (rc != LDAP_SUCCESS) {
1786                 free_attr_list( attr_list );
1787                 return NT_STATUS_UNSUCCESSFUL;
1788         }
1789
1790         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1791                 DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n", 
1792                          username));
1793                 ldap_msgfree(result);
1794                 free_attr_list( attr_list );
1795                 return NT_STATUS_UNSUCCESSFUL;
1796         }
1797         ldap_msgfree(result);
1798         result = NULL;
1799
1800         if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
1801                 rc = ldapsam_get_ldap_user_by_sid(ldap_state, 
1802                                                   sid, &result); 
1803                 if (rc == LDAP_SUCCESS) {
1804                         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
1805                                 DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n", 
1806                                          sid_to_string(sid_string, sid)));
1807                                 free_attr_list( attr_list );
1808                                 ldap_msgfree(result);
1809                                 return NT_STATUS_UNSUCCESSFUL;
1810                         }
1811                         ldap_msgfree(result);
1812                 }
1813         }
1814
1815         /* does the entry already exist but without a samba attributes?
1816            we need to return the samba attributes here */
1817            
1818         escape_user = escape_ldap_string_alloc( username );
1819         pstrcpy( filter, lp_ldap_filter() );
1820         all_string_sub( filter, "%u", escape_user, sizeof(filter) );
1821         SAFE_FREE( escape_user );
1822
1823         rc = smbldap_search_suffix(ldap_state->smbldap_state, 
1824                                    filter, attr_list, &result);
1825         if ( rc != LDAP_SUCCESS ) {
1826                 free_attr_list( attr_list );
1827                 return NT_STATUS_UNSUCCESSFUL;
1828         }
1829
1830         num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1831         
1832         if (num_result > 1) {
1833                 DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1834                 free_attr_list( attr_list );
1835                 ldap_msgfree(result);
1836                 return NT_STATUS_UNSUCCESSFUL;
1837         }
1838         
1839         /* Check if we need to update an existing entry */
1840         if (num_result == 1) {
1841                 char *tmp;
1842                 
1843                 DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1844                 ldap_op = LDAP_MOD_REPLACE;
1845                 entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1846                 tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1847                 if (!tmp) {
1848                         free_attr_list( attr_list );
1849                         ldap_msgfree(result);
1850                         return NT_STATUS_UNSUCCESSFUL;
1851                 }
1852                 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1853                 SAFE_FREE(tmp);
1854
1855         } else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
1856
1857                 /* There might be a SID for this account already - say an idmap entry */
1858
1859                 pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))", 
1860                          get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1861                          sid_to_string(sid_string, sid),
1862                          LDAP_OBJ_IDMAP_ENTRY,
1863                          LDAP_OBJ_SID_ENTRY);
1864                 
1865                 /* free old result before doing a new search */
1866                 if (result != NULL) {
1867                         ldap_msgfree(result);
1868                         result = NULL;
1869                 }
1870                 rc = smbldap_search_suffix(ldap_state->smbldap_state, 
1871                                            filter, attr_list, &result);
1872                         
1873                 if ( rc != LDAP_SUCCESS ) {
1874                         free_attr_list( attr_list );
1875                         return NT_STATUS_UNSUCCESSFUL;
1876                 }
1877                 
1878                 num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1879                 
1880                 if (num_result > 1) {
1881                         DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
1882                         free_attr_list( attr_list );
1883                         ldap_msgfree(result);
1884                         return NT_STATUS_UNSUCCESSFUL;
1885                 }
1886                 
1887                 /* Check if we need to update an existing entry */
1888                 if (num_result == 1) {
1889                         char *tmp;
1890                         
1891                         DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
1892                         ldap_op = LDAP_MOD_REPLACE;
1893                         entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
1894                         tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
1895                         if (!tmp) {
1896                                 free_attr_list( attr_list );
1897                                 ldap_msgfree(result);
1898                                 return NT_STATUS_UNSUCCESSFUL;
1899                         }
1900                         slprintf (dn, sizeof (dn) - 1, "%s", tmp);
1901                         SAFE_FREE(tmp);
1902                 }
1903         }
1904         
1905         free_attr_list( attr_list );
1906
1907         if (num_result == 0) {
1908                 /* Check if we need to add an entry */
1909                 DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
1910                 ldap_op = LDAP_MOD_ADD;
1911                 if (username[strlen(username)-1] == '$') {
1912                         slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
1913                 } else {
1914                         slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
1915                 }
1916         }
1917
1918         if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1919                                 element_is_set_or_changed)) {
1920                 DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
1921                 ldap_msgfree(result);
1922                 if (mods != NULL)
1923                         ldap_mods_free(mods,True);
1924                 return NT_STATUS_UNSUCCESSFUL;          
1925         }
1926         
1927         ldap_msgfree(result);
1928
1929         if (mods == NULL) {
1930                 DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
1931                 return NT_STATUS_UNSUCCESSFUL;
1932         }
1933         switch ( ldap_state->schema_ver ) {
1934                 case SCHEMAVER_SAMBAACCOUNT:
1935                         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
1936                         break;
1937                 case SCHEMAVER_SAMBASAMACCOUNT:
1938                         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
1939                         break;
1940                 default:
1941                         DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
1942                         break;
1943         }
1944
1945         ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
1946         if (!NT_STATUS_IS_OK(ret)) {
1947                 DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
1948                          pdb_get_username(newpwd),dn));
1949                 ldap_mods_free(mods, True);
1950                 return ret;
1951         }
1952
1953         DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
1954         ldap_mods_free(mods, True);
1955         
1956         return NT_STATUS_OK;
1957 }
1958
1959 /**********************************************************************
1960  *********************************************************************/
1961
1962 static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
1963                                      const char *filter,
1964                                      LDAPMessage ** result)
1965 {
1966         int scope = LDAP_SCOPE_SUBTREE;
1967         int rc;
1968         char **attr_list;
1969
1970         attr_list = get_attr_list(groupmap_attr_list);
1971         rc = smbldap_search(ldap_state->smbldap_state, 
1972                             lp_ldap_group_suffix (), scope,
1973                             filter, attr_list, 0, result);
1974         free_attr_list( attr_list );
1975
1976         if (rc != LDAP_SUCCESS) {
1977                 char *ld_error = NULL;
1978                 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1979                                 &ld_error);
1980                 DEBUG(0, ("ldapsam_search_one_group: "
1981                           "Problem during the LDAP search: LDAP error: %s (%s)\n",
1982                           ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
1983                 DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
1984                           lp_ldap_group_suffix(), filter));
1985                 SAFE_FREE(ld_error);
1986         }
1987
1988         return rc;
1989 }
1990
1991 /**********************************************************************
1992  *********************************************************************/
1993
1994 static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
1995                                  GROUP_MAP *map, LDAPMessage *entry)
1996 {
1997         pstring temp;
1998
1999         if (ldap_state == NULL || map == NULL || entry == NULL ||
2000                         ldap_state->smbldap_state->ldap_struct == NULL) {
2001                 DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2002                 return False;
2003         }
2004
2005         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
2006                         get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
2007                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n", 
2008                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2009                 return False;
2010         }
2011         DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2012
2013         map->gid = (gid_t)atol(temp);
2014
2015         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
2016                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
2017                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2018                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2019                 return False;
2020         }
2021         
2022         if (!string_to_sid(&map->sid, temp)) {
2023                 DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2024                 return False;
2025         }
2026
2027         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
2028                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
2029                 DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2030                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2031                 return False;
2032         }
2033         map->sid_name_use = (enum SID_NAME_USE)atol(temp);
2034
2035         if ((map->sid_name_use < SID_NAME_USER) ||
2036                         (map->sid_name_use > SID_NAME_UNKNOWN)) {
2037                 DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2038                 return False;
2039         }
2040
2041         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
2042                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
2043                 temp[0] = '\0';
2044                 if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
2045                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp)) 
2046                 {
2047                         DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2048 for gidNumber(%lu)\n",(unsigned long)map->gid));
2049                         return False;
2050                 }
2051         }
2052         fstrcpy(map->nt_name, temp);
2053
2054         if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, 
2055                         get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
2056                 temp[0] = '\0';
2057         }
2058         fstrcpy(map->comment, temp);
2059
2060         return True;
2061 }
2062
2063 /**********************************************************************
2064  *********************************************************************/
2065
2066 static BOOL init_ldap_from_group(LDAP *ldap_struct,
2067                                  LDAPMessage *existing,
2068                                  LDAPMod ***mods,
2069                                  const GROUP_MAP *map)
2070 {
2071         pstring tmp;
2072
2073         if (mods == NULL || map == NULL) {
2074                 DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
2075                 return False;
2076         }
2077
2078         *mods = NULL;
2079
2080         sid_to_string(tmp, &map->sid);
2081
2082         smbldap_make_mod(ldap_struct, existing, mods, 
2083                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
2084         pstr_sprintf(tmp, "%i", map->sid_name_use);
2085         smbldap_make_mod(ldap_struct, existing, mods, 
2086                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
2087
2088         smbldap_make_mod(ldap_struct, existing, mods, 
2089                 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
2090         smbldap_make_mod(ldap_struct, existing, mods, 
2091                 get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
2092
2093         return True;
2094 }
2095
2096 /**********************************************************************
2097  *********************************************************************/
2098
2099 static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2100                                  const char *filter,
2101                                  GROUP_MAP *map)
2102 {
2103         struct ldapsam_privates *ldap_state =
2104                 (struct ldapsam_privates *)methods->private_data;
2105         LDAPMessage *result = NULL;
2106         LDAPMessage *entry = NULL;
2107         int count;
2108
2109         if (ldapsam_search_one_group(ldap_state, filter, &result)
2110             != LDAP_SUCCESS) {
2111                 return NT_STATUS_NO_SUCH_GROUP;
2112         }
2113
2114         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2115
2116         if (count < 1) {
2117                 DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
2118                 ldap_msgfree(result);
2119                 return NT_STATUS_NO_SUCH_GROUP;
2120         }
2121
2122         if (count > 1) {
2123                 DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
2124                           filter, count));
2125                 ldap_msgfree(result);
2126                 return NT_STATUS_NO_SUCH_GROUP;
2127         }
2128
2129         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2130
2131         if (!entry) {
2132                 ldap_msgfree(result);
2133                 return NT_STATUS_UNSUCCESSFUL;
2134         }
2135
2136         if (!init_group_from_ldap(ldap_state, map, entry)) {
2137                 DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
2138                           filter));
2139                 ldap_msgfree(result);
2140                 return NT_STATUS_NO_SUCH_GROUP;
2141         }
2142
2143         ldap_msgfree(result);
2144         return NT_STATUS_OK;
2145 }
2146
2147 /**********************************************************************
2148  *********************************************************************/
2149
2150 static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
2151                                  DOM_SID sid)
2152 {
2153         pstring filter;
2154
2155         pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
2156                 LDAP_OBJ_GROUPMAP, 
2157                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2158                 sid_string_static(&sid));
2159
2160         return ldapsam_getgroup(methods, filter, map);
2161 }
2162
2163 /**********************************************************************
2164  *********************************************************************/
2165
2166 static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
2167                                  gid_t gid)
2168 {
2169         pstring filter;
2170
2171         pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
2172                 LDAP_OBJ_GROUPMAP,
2173                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2174                 (unsigned long)gid);
2175
2176         return ldapsam_getgroup(methods, filter, map);
2177 }
2178
2179 /**********************************************************************
2180  *********************************************************************/
2181
2182 static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
2183                                  const char *name)
2184 {
2185         pstring filter;
2186         char *escape_name = escape_ldap_string_alloc(name);
2187
2188         if (!escape_name) {
2189                 return NT_STATUS_NO_MEMORY;
2190         }
2191
2192         pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
2193                 LDAP_OBJ_GROUPMAP,
2194                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2195                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
2196
2197         SAFE_FREE(escape_name);
2198
2199         return ldapsam_getgroup(methods, filter, map);
2200 }
2201
2202 static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2203                                                const char *username,
2204                                                gid_t primary_gid,
2205                                                DOM_SID **sids, gid_t **gids,
2206                                                int *num_groups)
2207 {
2208         struct ldapsam_privates *ldap_state =
2209                 (struct ldapsam_privates *)methods->private_data;
2210         struct smbldap_state *conn = ldap_state->smbldap_state;
2211         pstring filter;
2212         char *attrs[] = { "gidNumber", "sambaSID", NULL };
2213         char *escape_name;
2214         int rc;
2215         LDAPMessage *msg = NULL;
2216         LDAPMessage *entry;
2217         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2218         int num_sids, num_gids;
2219         extern DOM_SID global_sid_NULL;
2220
2221         if (!lp_parm_bool(-1, "ldapsam", "trusted", False))
2222                 return pdb_default_enum_group_memberships(methods, username,
2223                                                           primary_gid, sids,
2224                                                           gids, num_groups);
2225
2226         *sids = NULL;
2227         num_sids = 0;
2228
2229         escape_name = escape_ldap_string_alloc(username);
2230
2231         if (escape_name == NULL)
2232                 return NT_STATUS_NO_MEMORY;
2233
2234         pstr_sprintf(filter, "(&(objectClass=posixGroup)"
2235                      "(|(memberUid=%s)(gidNumber=%d)))",
2236                      username, primary_gid);
2237
2238         rc = smbldap_search(conn, lp_ldap_group_suffix(),
2239                             LDAP_SCOPE_SUBTREE, filter, attrs, 0, &msg);
2240
2241         if (rc != LDAP_SUCCESS)
2242                 goto done;
2243
2244         num_gids = 0;
2245         *gids = NULL;
2246
2247         num_sids = 0;
2248         *sids = NULL;
2249
2250         /* We need to add the primary group as the first gid/sid */
2251
2252         add_gid_to_array_unique(primary_gid, gids, &num_gids);
2253
2254         /* This sid will be replaced later */
2255
2256         add_sid_to_array_unique(&global_sid_NULL, sids, &num_sids);
2257
2258         for (entry = ldap_first_entry(conn->ldap_struct, msg);
2259              entry != NULL;
2260              entry = ldap_next_entry(conn->ldap_struct, entry))
2261         {
2262                 fstring str;
2263                 DOM_SID sid;
2264                 gid_t gid;
2265                 char *end;
2266
2267                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2268                                                   entry, "sambaSID",
2269                                                   str, sizeof(str)-1))
2270                         goto done;
2271
2272                 if (!string_to_sid(&sid, str))
2273                         goto done;
2274
2275                 if (!smbldap_get_single_attribute(conn->ldap_struct,
2276                                                   entry, "gidNumber",
2277                                                   str, sizeof(str)-1))
2278                         goto done;
2279
2280                 gid = strtoul(str, &end, 10);
2281
2282                 if (PTR_DIFF(end, str) != strlen(str))
2283                         goto done;
2284
2285                 if (gid == primary_gid) {
2286                         sid_copy(&(*sids)[0], &sid);
2287                 } else {
2288                         add_gid_to_array_unique(gid, gids, &num_gids);
2289                         add_sid_to_array_unique(&sid, sids, &num_sids);
2290                 }
2291         }
2292
2293         if (sid_compare(&global_sid_NULL, &(*sids)[0]) == 0) {
2294                 DEBUG(3, ("primary group not found\n"));
2295                 goto done;
2296         }
2297
2298         *num_groups = num_sids;
2299
2300         result = NT_STATUS_OK;
2301
2302  done:
2303
2304         SAFE_FREE(escape_name);
2305         if (msg != NULL)
2306                 ldap_msgfree(msg);
2307
2308         return result;
2309 }
2310
2311 /**********************************************************************
2312  *********************************************************************/
2313
2314 static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
2315                                            gid_t gid,
2316                                            LDAPMessage **result)
2317 {
2318         pstring filter;
2319
2320         pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%lu))", 
2321                 LDAP_OBJ_POSIXGROUP, LDAP_OBJ_IDMAP_ENTRY,
2322                 get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2323                 (unsigned long)gid);
2324
2325         return ldapsam_search_one_group(ldap_state, filter, result);
2326 }
2327
2328 /**********************************************************************
2329  *********************************************************************/
2330
2331 static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
2332                                                 GROUP_MAP *map)
2333 {
2334         struct ldapsam_privates *ldap_state =
2335                 (struct ldapsam_privates *)methods->private_data;
2336         LDAPMessage *result = NULL;
2337         LDAPMod **mods = NULL;
2338         int count;
2339
2340         char *tmp;
2341         pstring dn;
2342         LDAPMessage *entry;
2343
2344         GROUP_MAP dummy;
2345
2346         int rc;
2347
2348         if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
2349                                              map->gid))) {
2350                 DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map->gid));
2351                 return NT_STATUS_UNSUCCESSFUL;
2352         }
2353
2354         rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2355         if (rc != LDAP_SUCCESS) {
2356                 ldap_msgfree(result);
2357                 return NT_STATUS_UNSUCCESSFUL;
2358         }
2359
2360         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2361
2362         if ( count == 0 ) {
2363                 /* There's no posixGroup account, let's try to find an
2364                  * appropriate idmap entry for aliases */
2365
2366                 pstring suffix;
2367                 pstring filter;
2368                 char **attr_list;
2369
2370                 ldap_msgfree(result);
2371
2372                 pstrcpy( suffix, lp_ldap_idmap_suffix() );
2373                 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%u))",
2374                              LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_GIDNUMBER,
2375                              map->gid);
2376                 
2377                 attr_list = get_attr_list( sidmap_attr_list );
2378                 rc = smbldap_search(ldap_state->smbldap_state, suffix,
2379                                     LDAP_SCOPE_SUBTREE, filter, attr_list,
2380                                     0, &result);
2381
2382                 free_attr_list(attr_list);
2383
2384                 if (rc != LDAP_SUCCESS) {
2385                         DEBUG(3,("Failure looking up entry (%s)\n",
2386                                  ldap_err2string(rc) ));
2387                         ldap_msgfree(result);
2388                         return NT_STATUS_UNSUCCESSFUL;
2389                 }
2390         }
2391                            
2392         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2393         if ( count == 0 ) {
2394                 ldap_msgfree(result);
2395                 return NT_STATUS_UNSUCCESSFUL;
2396         }
2397
2398         if (count > 1) {
2399                 DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
2400                           (unsigned long)map->gid));
2401                 ldap_msgfree(result);
2402                 return NT_STATUS_UNSUCCESSFUL;
2403         }
2404
2405         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2406         tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2407         if (!tmp) {
2408                 ldap_msgfree(result);
2409                 return NT_STATUS_UNSUCCESSFUL;
2410         }
2411         pstrcpy(dn, tmp);
2412         SAFE_FREE(tmp);
2413
2414         if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2415                                   result, &mods, map)) {
2416                 DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
2417                 ldap_mods_free(mods, True);
2418                 ldap_msgfree(result);
2419                 return NT_STATUS_UNSUCCESSFUL;
2420         }
2421
2422         ldap_msgfree(result);
2423
2424         if (mods == NULL) {
2425                 DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
2426                 return NT_STATUS_UNSUCCESSFUL;
2427         }
2428
2429         smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
2430
2431         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2432         ldap_mods_free(mods, True);
2433
2434         if (rc != LDAP_SUCCESS) {
2435                 char *ld_error = NULL;
2436                 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2437                                 &ld_error);
2438                 DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map->gid, 
2439                           ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2440                 SAFE_FREE(ld_error);
2441                 return NT_STATUS_UNSUCCESSFUL;
2442         }
2443
2444         DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2445         return NT_STATUS_OK;
2446 }
2447
2448 /**********************************************************************
2449  *********************************************************************/
2450
2451 static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
2452                                                    GROUP_MAP *map)
2453 {
2454         struct ldapsam_privates *ldap_state =
2455                 (struct ldapsam_privates *)methods->private_data;
2456         int rc;
2457         char *dn = NULL;
2458         LDAPMessage *result = NULL;
2459         LDAPMessage *entry = NULL;
2460         LDAPMod **mods = NULL;
2461
2462         rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
2463
2464         if (rc != LDAP_SUCCESS) {
2465                 return NT_STATUS_UNSUCCESSFUL;
2466         }
2467
2468         if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
2469                 DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
2470                 ldap_msgfree(result);
2471                 return NT_STATUS_UNSUCCESSFUL;
2472         }
2473
2474         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
2475
2476         if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
2477                                   result, &mods, map)) {
2478                 DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
2479                 ldap_msgfree(result);
2480                 if (mods != NULL)
2481                         ldap_mods_free(mods,True);
2482                 return NT_STATUS_UNSUCCESSFUL;
2483         }
2484
2485         if (mods == NULL) {
2486                 DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
2487                 ldap_msgfree(result);
2488                 return NT_STATUS_OK;
2489         }
2490
2491         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2492         if (!dn) {
2493                 ldap_msgfree(result);
2494                 return NT_STATUS_UNSUCCESSFUL;
2495         }
2496         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2497         SAFE_FREE(dn);
2498
2499         ldap_mods_free(mods, True);
2500         ldap_msgfree(result);
2501
2502         if (rc != LDAP_SUCCESS) {
2503                 char *ld_error = NULL;
2504                 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
2505                                 &ld_error);
2506                 DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map->gid, 
2507                           ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
2508                 SAFE_FREE(ld_error);
2509                 return NT_STATUS_UNSUCCESSFUL;
2510         }
2511
2512         DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
2513         return NT_STATUS_OK;
2514 }
2515
2516 /**********************************************************************
2517  *********************************************************************/
2518
2519 static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
2520                                                    DOM_SID sid)
2521 {
2522         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
2523         pstring sidstring, filter;
2524         LDAPMessage *result = NULL;
2525         int rc;
2526         NTSTATUS ret;
2527         char **attr_list;
2528
2529         sid_to_string(sidstring, &sid);
2530         
2531         pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))", 
2532                 LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
2533
2534         rc = ldapsam_search_one_group(ldap_state, filter, &result);
2535
2536         if (rc != LDAP_SUCCESS) {
2537                 return NT_STATUS_NO_SUCH_GROUP;
2538         }
2539
2540         attr_list = get_attr_list( groupmap_attr_list_to_delete );
2541         ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
2542         free_attr_list ( attr_list );
2543
2544         ldap_msgfree(result);
2545
2546         return ret;
2547 }
2548
2549 /**********************************************************************
2550  *********************************************************************/
2551
2552 static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
2553 {
2554         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2555         fstring filter;
2556         int rc;
2557         char **attr_list;
2558
2559         pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
2560         attr_list = get_attr_list( groupmap_attr_list );
2561         rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2562                             LDAP_SCOPE_SUBTREE, filter,
2563                             attr_list, 0, &ldap_state->result);
2564         free_attr_list( attr_list );
2565
2566         if (rc != LDAP_SUCCESS) {
2567                 DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc)));
2568                 DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
2569                 ldap_msgfree(ldap_state->result);
2570                 ldap_state->result = NULL;
2571                 return NT_STATUS_UNSUCCESSFUL;
2572         }
2573
2574         DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
2575                   ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2576                                      ldap_state->result)));
2577
2578         ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
2579         ldap_state->index = 0;
2580
2581         return NT_STATUS_OK;
2582 }
2583
2584 /**********************************************************************
2585  *********************************************************************/
2586
2587 static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
2588 {
2589         ldapsam_endsampwent(my_methods);
2590 }
2591
2592 /**********************************************************************
2593  *********************************************************************/
2594
2595 static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
2596                                     GROUP_MAP *map)
2597 {
2598         NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2599         struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
2600         BOOL bret = False;
2601
2602         while (!bret) {
2603                 if (!ldap_state->entry)
2604                         return ret;
2605                 
2606                 ldap_state->index++;
2607                 bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
2608                 
2609                 ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
2610                                             ldap_state->entry); 
2611         }
2612
2613         return NT_STATUS_OK;
2614 }
2615
2616 /**********************************************************************
2617  *********************************************************************/
2618
2619 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
2620                                            enum SID_NAME_USE sid_name_use,
2621                                            GROUP_MAP **rmap, int *num_entries,
2622                                            BOOL unix_only)
2623 {
2624         GROUP_MAP map;
2625         GROUP_MAP *mapt;
2626         int entries = 0;
2627
2628         *num_entries = 0;
2629         *rmap = NULL;
2630
2631         if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
2632                 DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
2633                 return NT_STATUS_ACCESS_DENIED;
2634         }
2635
2636         while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
2637                 if (sid_name_use != SID_NAME_UNKNOWN &&
2638                     sid_name_use != map.sid_name_use) {
2639                         DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
2640                         continue;
2641                 }
2642                 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
2643                         DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map.nt_name));
2644                         continue;
2645                 }
2646
2647                 mapt=SMB_REALLOC_ARRAY((*rmap), GROUP_MAP, entries+1);
2648                 if (!mapt) {
2649                         DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
2650                         SAFE_FREE(*rmap);
2651                         return NT_STATUS_UNSUCCESSFUL;
2652                 }
2653                 else
2654                         (*rmap) = mapt;
2655
2656                 mapt[entries] = map;
2657
2658                 entries += 1;
2659
2660         }
2661         ldapsam_endsamgrent(methods);
2662
2663         *num_entries = entries;
2664
2665         return NT_STATUS_OK;
2666 }
2667
2668 static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
2669                                         const DOM_SID *alias,
2670                                         const DOM_SID *member,
2671                                         int modop)
2672 {
2673         struct ldapsam_privates *ldap_state =
2674                 (struct ldapsam_privates *)methods->private_data;
2675         char *dn;
2676         LDAPMessage *result = NULL;
2677         LDAPMessage *entry = NULL;
2678         int count;
2679         LDAPMod **mods = NULL;
2680         int rc;
2681
2682         pstring filter;
2683
2684         pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
2685                      LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY,
2686                      get_attr_key2string(groupmap_attr_list,
2687                                          LDAP_ATTR_GROUP_SID),
2688                      sid_string_static(alias));
2689
2690         if (ldapsam_search_one_group(ldap_state, filter,
2691                                      &result) != LDAP_SUCCESS)
2692                 return NT_STATUS_NO_SUCH_ALIAS;
2693
2694         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2695                                    result);
2696
2697         if (count < 1) {
2698                 DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
2699                 ldap_msgfree(result);
2700                 return NT_STATUS_NO_SUCH_ALIAS;
2701         }
2702
2703         if (count > 1) {
2704                 DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for filter %s: "
2705                           "count=%d\n", filter, count));
2706                 ldap_msgfree(result);
2707                 return NT_STATUS_NO_SUCH_ALIAS;
2708         }
2709
2710         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
2711                                  result);
2712
2713         if (!entry) {
2714                 ldap_msgfree(result);
2715                 return NT_STATUS_UNSUCCESSFUL;
2716         }
2717
2718         dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2719         if (!dn) {
2720                 ldap_msgfree(result);
2721                 return NT_STATUS_UNSUCCESSFUL;
2722         }
2723
2724         smbldap_set_mod(&mods, modop,
2725                         get_attr_key2string(groupmap_attr_list,
2726                                             LDAP_ATTR_SID_LIST),
2727                         sid_string_static(member));
2728
2729         rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
2730
2731         ldap_mods_free(mods, True);
2732         ldap_msgfree(result);
2733
2734         if (rc != LDAP_SUCCESS) {
2735                 char *ld_error = NULL;
2736                 ldap_get_option(ldap_state->smbldap_state->ldap_struct,
2737                                 LDAP_OPT_ERROR_STRING,&ld_error);
2738                 
2739                 DEBUG(0, ("ldapsam_modify_aliasmem: Could not modify alias "
2740                           "for %s, error: %s (%s)\n", dn, ldap_err2string(rc),
2741                           ld_error?ld_error:"unknown"));
2742                 SAFE_FREE(ld_error);
2743                 SAFE_FREE(dn);
2744                 return NT_STATUS_UNSUCCESSFUL;
2745         }
2746
2747         SAFE_FREE(dn);
2748
2749         return NT_STATUS_OK;
2750 }
2751
2752 static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
2753                                      const DOM_SID *alias,
2754                                      const DOM_SID *member)
2755 {
2756         return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
2757 }
2758
2759 static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
2760                                      const DOM_SID *alias,
2761                                      const DOM_SID *member)
2762 {
2763         return ldapsam_modify_aliasmem(methods, alias, member,
2764                                        LDAP_MOD_DELETE);
2765 }
2766
2767 static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
2768                                       const DOM_SID *alias, DOM_SID **members,
2769                                       int *num_members)
2770 {
2771         struct ldapsam_privates *ldap_state =
2772                 (struct ldapsam_privates *)methods->private_data;
2773         LDAPMessage *result = NULL;
2774         LDAPMessage *entry = NULL;
2775         int count;
2776         char **values;
2777         int i;
2778         pstring filter;
2779
2780         *members = NULL;
2781         *num_members = 0;
2782
2783         pstr_sprintf(filter, "(&(|(objectClass=%s)(objectclass=%s))(%s=%s))",
2784                      LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY,
2785                      get_attr_key2string(groupmap_attr_list,
2786                                          LDAP_ATTR_GROUP_SID),
2787                      sid_string_static(alias));
2788
2789         if (ldapsam_search_one_group(ldap_state, filter,
2790                                      &result) != LDAP_SUCCESS)
2791                 return NT_STATUS_NO_SUCH_ALIAS;
2792
2793         count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
2794                                    result);
2795
2796         if (count < 1) {
2797                 DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
2798                 ldap_msgfree(result);
2799                 return NT_STATUS_NO_SUCH_ALIAS;
2800         }
2801
2802         if (count > 1) {
2803                 DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for filter %s: "
2804                           "count=%d\n", filter, count));
2805                 ldap_msgfree(result);
2806                 return NT_STATUS_NO_SUCH_ALIAS;
2807         }
2808
2809         entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
2810                                  result);
2811
2812         if (!entry) {
2813                 ldap_msgfree(result);
2814                 return NT_STATUS_UNSUCCESSFUL;
2815         }
2816
2817         values = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
2818                                  entry,
2819                                  get_attr_key2string(groupmap_attr_list,
2820                                                      LDAP_ATTR_SID_LIST));
2821
2822         if (values == NULL) {
2823                 ldap_msgfree(result);
2824                 return NT_STATUS_OK;
2825         }
2826
2827         count = ldap_count_values(values);
2828
2829         for (i=0; i<count; i++) {
2830                 DOM_SID member;
2831
2832                 if (!string_to_sid(&member, values[i]))
2833                         continue;
2834
2835                 add_sid_to_array(&member, members, num_members);
2836         }
2837
2838         ldap_value_free(values);
2839         ldap_msgfree(result);
2840
2841         return NT_STATUS_OK;
2842 }
2843
2844 static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
2845                                           const DOM_SID *members,
2846                                           int num_members,
2847                                           DOM_SID **aliases, int *num_aliases)
2848 {
2849         struct ldapsam_privates *ldap_state =
2850                 (struct ldapsam_privates *)methods->private_data;
2851         LDAP *ldap_struct;
2852
2853         char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
2854
2855         LDAPMessage *result = NULL;
2856         LDAPMessage *entry = NULL;
2857         int i;
2858         int rc;
2859         char *filter;
2860         TALLOC_CTX *mem_ctx;
2861
2862         mem_ctx = talloc_init("ldapsam_alias_memberships");
2863
2864         if (mem_ctx == NULL)
2865                 return NT_STATUS_NO_MEMORY;
2866
2867         /* This query could be further optimized by adding a
2868            (&(sambaSID=<domain-sid>*)) so that only those aliases that are
2869            asked for in the getuseraliases are returned. */        
2870
2871         filter = talloc_asprintf(mem_ctx,
2872                                  "(&(|(objectclass=%s)(objectclass=%s))(|",
2873                                  LDAP_OBJ_GROUPMAP, LDAP_OBJ_IDMAP_ENTRY);
2874
2875         for (i=0; i<num_members; i++)
2876                 filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)",
2877                                          filter,
2878                                          sid_string_static(&members[i]));
2879
2880         filter = talloc_asprintf(mem_ctx, "%s))", filter);
2881
2882         rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
2883                             LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2884
2885         talloc_destroy(mem_ctx);
2886
2887         if (rc != LDAP_SUCCESS)
2888                 return NT_STATUS_UNSUCCESSFUL;
2889
2890         *aliases = NULL;
2891         *num_aliases = 0;
2892
2893         ldap_struct = ldap_state->smbldap_state->ldap_struct;
2894
2895         for (entry = ldap_first_entry(ldap_struct, result);
2896              entry != NULL;
2897              entry = ldap_next_entry(ldap_struct, entry))
2898         {
2899                 fstring sid_str;
2900                 DOM_SID sid;
2901
2902                 if (!smbldap_get_single_attribute(ldap_struct, entry,
2903                                                   LDAP_ATTRIBUTE_SID,
2904                                                   sid_str,
2905                                                   sizeof(sid_str)-1))
2906                         continue;
2907
2908                 if (!string_to_sid(&sid, sid_str))
2909                         continue;
2910
2911                 add_sid_to_array_unique(&sid, aliases, num_aliases);
2912         }
2913
2914         ldap_msgfree(result);
2915         return NT_STATUS_OK;
2916 }
2917
2918 /**********************************************************************
2919  Housekeeping
2920  *********************************************************************/
2921
2922 static void free_private_data(void **vp) 
2923 {
2924         struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
2925
2926         smbldap_free_struct(&(*ldap_state)->smbldap_state);
2927
2928         if ((*ldap_state)->result != NULL) {
2929                 ldap_msgfree((*ldap_state)->result);
2930                 (*ldap_state)->result = NULL;
2931         }
2932
2933         *ldap_state = NULL;
2934
2935         /* No need to free any further, as it is talloc()ed */
2936 }
2937
2938 /**********************************************************************
2939  Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
2940  *********************************************************************/
2941
2942 static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, 
2943                                         const char *location)
2944 {
2945         NTSTATUS nt_status;
2946         struct ldapsam_privates *ldap_state;
2947
2948         if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
2949                 return nt_status;
2950         }
2951
2952         (*pdb_method)->name = "ldapsam";
2953
2954         (*pdb_method)->setsampwent = ldapsam_setsampwent;
2955         (*pdb_method)->endsampwent = ldapsam_endsampwent;
2956         (*pdb_method)->getsampwent = ldapsam_getsampwent;
2957         (*pdb_method)->getsampwnam = ldapsam_getsampwnam;
2958         (*pdb_method)->getsampwsid = ldapsam_getsampwsid;
2959         (*pdb_method)->add_sam_account = ldapsam_add_sam_account;
2960         (*pdb_method)->update_sam_account = ldapsam_update_sam_account;
2961         (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
2962
2963         (*pdb_method)->getgrsid = ldapsam_getgrsid;
2964         (*pdb_method)->getgrgid = ldapsam_getgrgid;
2965         (*pdb_method)->getgrnam = ldapsam_getgrnam;
2966         (*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
2967         (*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
2968         (*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
2969         (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
2970         (*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships;
2971
2972         /* TODO: Setup private data and free */
2973
2974         ldap_state = TALLOC_ZERO_P(pdb_context->mem_ctx, struct ldapsam_privates);
2975         if (!ldap_state) {
2976                 DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
2977                 return NT_STATUS_NO_MEMORY;
2978         }
2979
2980         if (!NT_STATUS_IS_OK(nt_status = 
2981                              smbldap_init(pdb_context->mem_ctx, location, 
2982                                           &ldap_state->smbldap_state)));
2983
2984         ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
2985         if (!ldap_state->domain_name) {
2986                 return NT_STATUS_NO_MEMORY;
2987         }
2988
2989         (*pdb_method)->private_data = ldap_state;
2990
2991         (*pdb_method)->free_private_data = free_private_data;
2992
2993         return NT_STATUS_OK;
2994 }
2995
2996 /**********************************************************************
2997  Initialise the 'compat' mode for pdb_ldap
2998  *********************************************************************/
2999
3000 static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
3001 {
3002         NTSTATUS nt_status;
3003         struct ldapsam_privates *ldap_state;
3004
3005 #ifdef WITH_LDAP_SAMCONFIG
3006         if (!location) {
3007                 int ldap_port = lp_ldap_port();
3008                         
3009                 /* remap default port if not using SSL (ie clear or TLS) */
3010                 if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
3011                         ldap_port = 389;
3012                 }
3013
3014                 location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
3015                 if (!location) {
3016                         return NT_STATUS_NO_MEMORY;
3017                 }
3018         }
3019 #endif
3020
3021         if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
3022                 return nt_status;
3023         }
3024
3025         (*pdb_method)->name = "ldapsam_compat";
3026
3027         ldap_state = (*pdb_method)->private_data;
3028         ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
3029
3030         sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
3031
3032         return NT_STATUS_OK;
3033 }
3034
3035 /**********************************************************************
3036  Initialise the normal mode for pdb_ldap
3037  *********************************************************************/
3038
3039 static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
3040 {
3041         NTSTATUS nt_status;
3042         struct ldapsam_privates *ldap_state;
3043         uint32 alg_rid_base;
3044         pstring alg_rid_base_string;
3045         LDAPMessage *result = NULL;
3046         LDAPMessage *entry = NULL;
3047         DOM_SID ldap_domain_sid;
3048         DOM_SID secrets_domain_sid;
3049         pstring domain_sid_string;
3050
3051         if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
3052                 return nt_status;
3053         }
3054
3055         (*pdb_method)->name = "ldapsam";
3056
3057         (*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
3058         (*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
3059         (*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
3060         (*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
3061
3062         ldap_state = (*pdb_method)->private_data;
3063         ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
3064
3065         /* Try to setup the Domain Name, Domain SID, algorithmic rid base */
3066         
3067         nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result, 
3068                                                ldap_state->domain_name, True);