Context Navigation

source: branches/samba-3.0/source/libads/ldap.c@ 1031

Visit:

Last change on this file since 1031 was 312, checked in by Herwig Bauernfeind, 16 years ago
Update 3.0 to final 3.0.36 (source)
File size: 84.1 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	ads (active directory) utility library
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Remus Koos 2001
6	Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7	Copyright (C) Guenther Deschner 2005
8	Copyright (C) Gerald Carter 2006
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 2 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program; if not, write to the Free Software
22	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23	*/
24
25	#include "includes.h"
26
27	#ifdef HAVE_LDAP
28
29	/**
30	* @file ldap.c
31	* @brief basic ldap client-side routines for ads server communications
32	*
33	* The routines contained here should do the necessary ldap calls for
34	* ads setups.
35	*
36	* Important note: attribute names passed into ads_ routines must
37	* already be in UTF-8 format. We do not convert them because in almost
38	* all cases, they are just ascii (which is represented with the same
39	* codepoints in UTF-8). This may have to change at some point
40	**/
41
42
43	#define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
44
45	static SIG_ATOMIC_T gotalarm;
46
47	/***************************************************************
48	Signal function to tell us we timed out.
49	****************************************************************/
50
51	static void gotalarm_sig(void)
52	{
53	gotalarm = 1;
54	}
55
56	LDAP ldap_open_with_timeout(const char server, int port, unsigned int to)
57	{
58	LDAP *ldp = NULL;
59
60	/* Setup timeout */
61	gotalarm = 0;
62	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
63	alarm(to);
64	/* End setup timeout. */
65
66	ldp = ldap_open(server, port);
67
68	if (ldp == NULL) {
69	DEBUG(2,("Could not open LDAP connection to %s:%d: %s\n",
70	server, port, strerror(errno)));
71	}
72
73	/* Teardown timeout. */
74	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
75	alarm(0);
76
77	return ldp;
78	}
79
80	static int ldap_search_with_timeout(LDAP *ld,
81	LDAP_CONST char *base,
82	int scope,
83	LDAP_CONST char *filter,
84	char **attrs,
85	int attrsonly,
86	LDAPControl **sctrls,
87	LDAPControl **cctrls,
88	int sizelimit,
89	LDAPMessage **res )
90	{
91	struct timeval timeout;
92	int result;
93
94	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
95	timeout.tv_sec = lp_ldap_timeout();
96	timeout.tv_usec = 0;
97
98	/* Setup alarm timeout.... Do we need both of these ? JRA. */
99	gotalarm = 0;
100	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
101	alarm(lp_ldap_timeout());
102	/* End setup timeout. */
103
104	result = ldap_search_ext_s(ld, base, scope, filter, attrs,
105	attrsonly, sctrls, cctrls, &timeout,
106	sizelimit, res);
107
108	/* Teardown timeout. */
109	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
110	alarm(0);
111
112	if (gotalarm != 0)
113	return LDAP_TIMELIMIT_EXCEEDED;
114
115
116	/*
117	* A bug in OpenLDAP means ldap_search_ext_s can return
118	* LDAP_SUCCESS but with a NULL res pointer. Cope with
119	* this. See bug #6279 for details. JRA.
120	*/
121
122	if (*res == NULL) {
123	return LDAP_TIMELIMIT_EXCEEDED;
124	}
125
126	return result;
127	}
128
129	/**********************************************
130	Do client and server sitename match ?
131	**********************************************/
132
133	BOOL ads_sitename_match(ADS_STRUCT *ads)
134	{
135	if (ads->config.server_site_name == NULL &&
136	ads->config.client_site_name == NULL ) {
137	DEBUG(10,("ads_sitename_match: both null\n"));
138	return True;
139	}
140	if (ads->config.server_site_name &&
141	ads->config.client_site_name &&
142	strequal(ads->config.server_site_name,
143	ads->config.client_site_name)) {
144	DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
145	return True;
146	}
147	DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
148	ads->config.server_site_name ? ads->config.server_site_name : "NULL",
149	ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
150	return False;
151	}
152
153	/**********************************************
154	Is this the closest DC ?
155	**********************************************/
156
157	BOOL ads_closest_dc(ADS_STRUCT *ads)
158	{
159	if (ads->config.flags & ADS_CLOSEST) {
160	DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag set\n"));
161	return True;
162	}
163
164	/* not sure if this can ever happen */
165	if (ads_sitename_match(ads)) {
166	DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag not set but sites match\n"));
167	return True;
168	}
169
170	if (ads->config.client_site_name == NULL) {
171	DEBUG(10,("ads_closest_dc: client belongs to no site\n"));
172	return True;
173	}
174
175	DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
176	ads->config.ldap_server_name));
177
178	return False;
179	}
180
181
182	/*
183	try a connection to a given ldap server, returning True and setting the servers IP
184	in the ads struct if successful
185	*/
186	BOOL ads_try_connect(ADS_STRUCT ads, const char server )
187	{
188	char *srv;
189	struct cldap_netlogon_reply cldap_reply;
190
191	if (!server \|\| !*server) {
192	return False;
193	}
194
195	DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
196	server, ads->server.realm));
197
198	/* this copes with inet_ntoa brokenness */
199
200	srv = SMB_STRDUP(server);
201
202	ZERO_STRUCT( cldap_reply );
203
204	if ( !ads_cldap_netlogon( srv, ads->server.realm, &cldap_reply ) ) {
205	DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
206	SAFE_FREE( srv );
207	return False;
208	}
209
210	/* Check the CLDAP reply flags */
211
212	if ( !(cldap_reply.flags & ADS_LDAP) ) {
213	DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
214	srv));
215	SAFE_FREE( srv );
216	return False;
217	}
218
219	/* Fill in the ads->config values */
220
221	SAFE_FREE(ads->config.realm);
222	SAFE_FREE(ads->config.bind_path);
223	SAFE_FREE(ads->config.ldap_server_name);
224	SAFE_FREE(ads->config.server_site_name);
225	SAFE_FREE(ads->config.client_site_name);
226	SAFE_FREE(ads->server.workgroup);
227
228	ads->config.flags = cldap_reply.flags;
229	ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.hostname);
230	strupper_m(cldap_reply.domain);
231	ads->config.realm = SMB_STRDUP(cldap_reply.domain);
232	ads->config.bind_path = ads_build_dn(ads->config.realm);
233	if (*cldap_reply.server_site_name) {
234	ads->config.server_site_name =
235	SMB_STRDUP(cldap_reply.server_site_name);
236	}
237	if (*cldap_reply.client_site_name) {
238	ads->config.client_site_name =
239	SMB_STRDUP(cldap_reply.client_site_name);
240	}
241
242	ads->server.workgroup = SMB_STRDUP(cldap_reply.netbios_domain);
243
244	ads->ldap_port = LDAP_PORT;
245	ads->ldap_ip = *interpret_addr2(srv);
246	SAFE_FREE(srv);
247
248	/* Store our site name. */
249	sitename_store( cldap_reply.domain, cldap_reply.client_site_name );
250
251	return True;
252	}
253
254	/**********************************************************************
255	Try to find an AD dc using our internal name resolution routines
256	Try the realm first and then then workgroup name if netbios is not
257	disabled
258	**********************************************************************/
259
260	static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
261	{
262	const char *c_domain;
263	const char *c_realm;
264	int count, i=0;
265	struct ip_service *ip_list;
266	pstring domain;
267	pstring realm;
268	BOOL got_realm = False;
269	BOOL use_own_domain = False;
270	char *sitename;
271	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
272
273	/* if the realm and workgroup are both empty, assume they are ours */
274
275	/* realm */
276	c_realm = ads->server.realm;
277
278	if ( !c_realm \|\| !*c_realm ) {
279	/* special case where no realm and no workgroup means our own */
280	if ( !ads->server.workgroup \|\| !*ads->server.workgroup ) {
281	use_own_domain = True;
282	c_realm = lp_realm();
283	}
284	}
285
286	if (c_realm && *c_realm)
287	got_realm = True;
288
289	again:
290
291	/* we need to try once with the realm name and fallback to the
292	netbios domain name if we fail (if netbios has not been disabled */
293
294	if ( !got_realm && !lp_disable_netbios() ) {
295	c_realm = ads->server.workgroup;
296	if (!c_realm \|\| !*c_realm) {
297	if ( use_own_domain )
298	c_realm = lp_workgroup();
299	}
300	}
301
302	if ( !c_realm \|\| !*c_realm ) {
303	DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
304	return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
305	}
306
307	if ( use_own_domain ) {
308	c_domain = lp_workgroup();
309	} else {
310	c_domain = ads->server.workgroup;
311	}
312
313	pstrcpy( domain, c_domain );
314	pstrcpy( realm, c_realm );
315
316	/*
317	* In case of LDAP we use get_dc_name() as that
318	* creates the custom krb5.conf file
319	*/
320	if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
321	fstring srv_name;
322	struct in_addr ip_out;
323
324	DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
325	(got_realm ? "realm" : "domain"), realm));
326
327	if (get_dc_name(domain, realm, srv_name, &ip_out)) {
328	/*
329	* we call ads_try_connect() to fill in the
330	* ads->config details
331	*/
332	if (ads_try_connect(ads, srv_name)) {
333	return NT_STATUS_OK;
334	}
335	}
336
337	return NT_STATUS_NO_LOGON_SERVERS;
338	}
339
340	sitename = sitename_fetch(realm);
341
342	DEBUG(6,("ads_find_dc: (cldap) looking for %s '%s'\n",
343	(got_realm ? "realm" : "domain"), realm));
344
345	status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
346	if (!NT_STATUS_IS_OK(status)) {
347	/* fall back to netbios if we can */
348	if ( got_realm && !lp_disable_netbios() ) {
349	got_realm = False;
350	goto again;
351	}
352
353	SAFE_FREE(sitename);
354	return status;
355	}
356
357	/* if we fail this loop, then giveup since all the IP addresses returned were dead */
358	for ( i=0; i<count; i++ ) {
359	fstring server;
360
361	fstrcpy( server, inet_ntoa(ip_list[i].ip) );
362
363	if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
364	continue;
365
366	if (!got_realm) {
367	/* realm in this case is a workgroup name. We need
368	to ignore any IP addresses in the negative connection
369	cache that match ip addresses returned in the ad realm
370	case. It sucks that I have to reproduce the logic above... */
371	c_realm = ads->server.realm;
372	if ( !c_realm \|\| !*c_realm ) {
373	if ( !ads->server.workgroup \|\| !*ads->server.workgroup ) {
374	c_realm = lp_realm();
375	}
376	}
377	if (c_realm && *c_realm &&
378	!NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) {
379	/* Ensure we add the workgroup name for this
380	IP address as negative too. */
381	add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
382	continue;
383	}
384	}
385
386	if ( ads_try_connect(ads, server) ) {
387	SAFE_FREE(ip_list);
388	SAFE_FREE(sitename);
389	return NT_STATUS_OK;
390	}
391
392	/* keep track of failures */
393	add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
394	}
395
396	SAFE_FREE(ip_list);
397
398	/* In case we failed to contact one of our closest DC on our site we
399	* need to try to find another DC, retry with a site-less SRV DNS query
400	* - Guenther */
401
402	if (sitename) {
403	DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
404	"trying to find another DC\n", sitename));
405	SAFE_FREE(sitename);
406	namecache_delete(realm, 0x1C);
407	goto again;
408	}
409
410	return NT_STATUS_NO_LOGON_SERVERS;
411	}
412
413
414	/**
415	* Connect to the LDAP server
416	* @param ads Pointer to an existing ADS_STRUCT
417	* @return status of connection
418	**/
419	ADS_STATUS ads_connect(ADS_STRUCT *ads)
420	{
421	int version = LDAP_VERSION3;
422	ADS_STATUS status;
423	NTSTATUS ntstatus;
424
425	ads->last_attempt = time(NULL);
426	ads->ld = NULL;
427
428	/* try with a user specified server */
429
430	if (ads->server.ldap_server &&
431	ads_try_connect(ads, ads->server.ldap_server)) {
432	goto got_connection;
433	}
434
435	ntstatus = ads_find_dc(ads);
436	if (NT_STATUS_IS_OK(ntstatus)) {
437	goto got_connection;
438	}
439
440	return ADS_ERROR_NT(ntstatus);
441
442	got_connection:
443	DEBUG(3,("Connected to LDAP server %s\n", inet_ntoa(ads->ldap_ip)));
444
445	if (!ads->auth.user_name) {
446	/* Must use the userPrincipalName value here or sAMAccountName
447	and not servicePrincipalName; found by Guenther Deschner */
448
449	asprintf(&ads->auth.user_name, "%s$", global_myname() );
450	}
451
452	if (!ads->auth.realm) {
453	ads->auth.realm = SMB_STRDUP(ads->config.realm);
454	}
455
456	if (!ads->auth.kdc_server) {
457	ads->auth.kdc_server = SMB_STRDUP(inet_ntoa(ads->ldap_ip));
458	}
459
460	#if KRB5_DNS_HACK
461	/* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
462	to MIT kerberos to work (tridge) */
463	{
464	char *env;
465	asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
466	setenv(env, ads->auth.kdc_server, 1);
467	free(env);
468	}
469	#endif
470
471	/* If the caller() requested no LDAP bind, then we are done */
472
473	if (ads->auth.flags & ADS_AUTH_NO_BIND) {
474	return ADS_SUCCESS;
475	}
476
477	/* Otherwise setup the TCP LDAP session */
478
479	if ( (ads->ld = ldap_open_with_timeout(ads->config.ldap_server_name,
480	LDAP_PORT, lp_ldap_timeout())) == NULL )
481	{
482	return ADS_ERROR(LDAP_OPERATIONS_ERROR);
483	}
484
485	/* cache the successful connection for workgroup and realm */
486	if (ads_closest_dc(ads)) {
487	saf_store( ads->server.workgroup, ads->config.ldap_server_name);
488	saf_store( ads->server.realm, ads->config.ldap_server_name);
489	}
490
491	ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
492
493	status = ADS_ERROR(smb_ldap_start_tls(ads->ld, version));
494	if (!ADS_ERR_OK(status)) {
495	return status;
496	}
497
498	/* fill in the current time and offsets */
499
500	status = ads_current_time( ads );
501	if ( !ADS_ERR_OK(status) ) {
502	return status;
503	}
504
505	/* Now do the bind */
506
507	if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
508	return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL));
509	}
510
511	if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
512	return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password));
513	}
514
515	return ads_sasl_bind(ads);
516	}
517
518	/*
519	Duplicate a struct berval into talloc'ed memory
520	*/
521	static struct berval dup_berval(TALLOC_CTX ctx, const struct berval *in_val)
522	{
523	struct berval *value;
524
525	if (!in_val) return NULL;
526
527	value = TALLOC_ZERO_P(ctx, struct berval);
528	if (value == NULL)
529	return NULL;
530	if (in_val->bv_len == 0) return value;
531
532	value->bv_len = in_val->bv_len;
533	value->bv_val = (char *)TALLOC_MEMDUP(ctx, in_val->bv_val,
534	in_val->bv_len);
535	return value;
536	}
537
538	/*
539	Make a values list out of an array of (struct berval *)
540	*/
541	static struct berval *ads_dup_values(TALLOC_CTX ctx,
542	const struct berval **in_vals)
543	{
544	struct berval **values;
545	int i;
546
547	if (!in_vals) return NULL;
548	for (i=0; in_vals[i]; i++)
549	; /* count values */
550	values = TALLOC_ZERO_ARRAY(ctx, struct berval *, i+1);
551	if (!values) return NULL;
552
553	for (i=0; in_vals[i]; i++) {
554	values[i] = dup_berval(ctx, in_vals[i]);
555	}
556	return values;
557	}
558
559	/*
560	UTF8-encode a values list out of an array of (char *)
561	*/
562	static char *ads_push_strvals(TALLOC_CTX ctx, const char **in_vals)
563	{
564	char **values;
565	int i;
566
567	if (!in_vals) return NULL;
568	for (i=0; in_vals[i]; i++)
569	; /* count values */
570	values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
571	if (!values) return NULL;
572
573	for (i=0; in_vals[i]; i++) {
574	push_utf8_talloc(ctx, &values[i], in_vals[i]);
575	}
576	return values;
577	}
578
579	/*
580	Pull a (char *) array out of a UTF8-encoded values list
581	*/
582	static char *ads_pull_strvals(TALLOC_CTX ctx, const char **in_vals)
583	{
584	char **values;
585	int i;
586
587	if (!in_vals) return NULL;
588	for (i=0; in_vals[i]; i++)
589	; /* count values */
590	values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
591	if (!values) return NULL;
592
593	for (i=0; in_vals[i]; i++) {
594	pull_utf8_talloc(ctx, &values[i], in_vals[i]);
595	}
596	return values;
597	}
598
599	/**
600	* Do a search with paged results. cookie must be null on the first
601	* call, and then returned on each subsequent call. It will be null
602	* again when the entire search is complete
603	* @param ads connection to ads server
604	* @param bind_path Base dn for the search
605	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
606	* @param expr Search expression - specified in local charset
607	* @param attrs Attributes to retrieve - specified in utf8 or ascii
608	* @param res ** which will contain results - free res* with ads_msgfree()
609	* @param count Number of entries retrieved on this page
610	* @param cookie The paged results cookie to be returned on subsequent calls
611	* @return status of search
612	**/
613	static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
614	const char *bind_path,
615	int scope, const char *expr,
616	const char *attrs, void args,
617	LDAPMessage **res,
618	int count, struct berval *cookie)
619	{
620	int rc, i, version;
621	char utf8_expr, utf8_path, **search_attrs;
622	LDAPControl PagedResults, NoReferrals, ExtendedDn, controls[4], *rcontrols;
623	BerElement *cookie_be = NULL;
624	struct berval *cookie_bv= NULL;
625	BerElement *extdn_be = NULL;
626	struct berval *extdn_bv= NULL;
627
628	TALLOC_CTX *ctx;
629	ads_control external_control = (ads_control ) args;
630
631	*res = NULL;
632
633	if (!(ctx = talloc_init("ads_do_paged_search_args")))
634	return ADS_ERROR(LDAP_NO_MEMORY);
635
636	/* 0 means the conversion worked but the result was empty
637	so we only fail if it's -1. In any case, it always
638	at least nulls out the dest */
639	if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) \|\|
640	(push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
641	rc = LDAP_NO_MEMORY;
642	goto done;
643	}
644
645	if (!attrs \|\| !(*attrs))
646	search_attrs = NULL;
647	else {
648	/* This would be the utf8-encoded version...*/
649	/* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
650	if (!(str_list_copy(&search_attrs, attrs))) {
651	rc = LDAP_NO_MEMORY;
652	goto done;
653	}
654	}
655
656
657	/* Paged results only available on ldap v3 or later */
658	ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
659	if (version < LDAP_VERSION3) {
660	rc = LDAP_NOT_SUPPORTED;
661	goto done;
662	}
663
664	cookie_be = ber_alloc_t(LBER_USE_DER);
665	if (*cookie) {
666	ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
667	ber_bvfree(cookie); / don't need it from last time */
668	*cookie = NULL;
669	} else {
670	ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
671	}
672	ber_flatten(cookie_be, &cookie_bv);
673	PagedResults.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
674	PagedResults.ldctl_iscritical = (char) 1;
675	PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
676	PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
677
678	NoReferrals.ldctl_oid = CONST_DISCARD(char *, ADS_NO_REFERRALS_OID);
679	NoReferrals.ldctl_iscritical = (char) 0;
680	NoReferrals.ldctl_value.bv_len = 0;
681	NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
682
683	if (external_control && strequal(external_control->control, ADS_EXTENDED_DN_OID)) {
684
685	ExtendedDn.ldctl_oid = CONST_DISCARD(char *, external_control->control);
686	ExtendedDn.ldctl_iscritical = (char) external_control->critical;
687
688	/* win2k does not accept a ldctl_value beeing passed in */
689
690	if (external_control->val != 0) {
691
692	if ((extdn_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
693	rc = LDAP_NO_MEMORY;
694	goto done;
695	}
696
697	if ((ber_printf(extdn_be, "{i}", (ber_int_t) external_control->val)) == -1) {
698	rc = LDAP_NO_MEMORY;
699	goto done;
700	}
701	if ((ber_flatten(extdn_be, &extdn_bv)) == -1) {
702	rc = LDAP_NO_MEMORY;
703	goto done;
704	}
705
706	ExtendedDn.ldctl_value.bv_len = extdn_bv->bv_len;
707	ExtendedDn.ldctl_value.bv_val = extdn_bv->bv_val;
708
709	} else {
710	ExtendedDn.ldctl_value.bv_len = 0;
711	ExtendedDn.ldctl_value.bv_val = NULL;
712	}
713
714	controls[0] = &NoReferrals;
715	controls[1] = &PagedResults;
716	controls[2] = &ExtendedDn;
717	controls[3] = NULL;
718
719	} else {
720	controls[0] = &NoReferrals;
721	controls[1] = &PagedResults;
722	controls[2] = NULL;
723	}
724
725	/* we need to disable referrals as the openldap libs don't
726	handle them and paged results at the same time. Using them
727	together results in the result record containing the server
728	page control being removed from the result list (tridge/jmcd)
729
730	leaving this in despite the control that says don't generate
731	referrals, in case the server doesn't support it (jmcd)
732	*/
733	ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
734
735	rc = ldap_search_with_timeout(ads->ld, utf8_path, scope, utf8_expr,
736	search_attrs, 0, controls,
737	NULL, LDAP_NO_LIMIT,
738	(LDAPMessage **)res);
739
740	ber_free(cookie_be, 1);
741	ber_bvfree(cookie_bv);
742
743	if (rc) {
744	DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
745	ldap_err2string(rc)));
746	goto done;
747	}
748
749	rc = ldap_parse_result(ads->ld, *res, NULL, NULL, NULL,
750	NULL, &rcontrols, 0);
751
752	if (!rcontrols) {
753	goto done;
754	}
755
756	for (i=0; rcontrols[i]; i++) {
757	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
758	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
759	ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
760	&cookie_bv);
761	/* the berval is the cookie, but must be freed when
762	it is all done */
763	if (cookie_bv->bv_len) /* still more to do */
764	*cookie=ber_bvdup(cookie_bv);
765	else
766	*cookie=NULL;
767	ber_bvfree(cookie_bv);
768	ber_free(cookie_be, 1);
769	break;
770	}
771	}
772	ldap_controls_free(rcontrols);
773
774	done:
775	talloc_destroy(ctx);
776
777	if (extdn_be) {
778	ber_free(extdn_be, 1);
779	}
780
781	if (extdn_bv) {
782	ber_bvfree(extdn_bv);
783	}
784
785	/* if/when we decide to utf8-encode attrs, take out this next line */
786	str_list_free(&search_attrs);
787
788	return ADS_ERROR(rc);
789	}
790
791	static ADS_STATUS ads_do_paged_search(ADS_STRUCT ads, const char bind_path,
792	int scope, const char *expr,
793	const char attrs, LDAPMessage res,
794	int count, struct berval *cookie)
795	{
796	return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
797	}
798
799
800	/**
801	* Get all results for a search. This uses ads_do_paged_search() to return
802	* all entries in a large search.
803	* @param ads connection to ads server
804	* @param bind_path Base dn for the search
805	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
806	* @param expr Search expression
807	* @param attrs Attributes to retrieve
808	* @param res ** which will contain results - free res* with ads_msgfree()
809	* @return status of search
810	**/
811	ADS_STATUS ads_do_search_all_args(ADS_STRUCT ads, const char bind_path,
812	int scope, const char *expr,
813	const char *attrs, void args,
814	LDAPMessage **res)
815	{
816	struct berval *cookie = NULL;
817	int count = 0;
818	ADS_STATUS status;
819
820	*res = NULL;
821	status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
822	&count, &cookie);
823
824	if (!ADS_ERR_OK(status))
825	return status;
826
827	#ifdef HAVE_LDAP_ADD_RESULT_ENTRY
828	while (cookie) {
829	LDAPMessage *res2 = NULL;
830	ADS_STATUS status2;
831	LDAPMessage msg, next;
832
833	status2 = ads_do_paged_search_args(ads, bind_path, scope, expr,
834	attrs, args, &res2, &count, &cookie);
835
836	if (!ADS_ERR_OK(status2)) break;
837
838	/* this relies on the way that ldap_add_result_entry() works internally. I hope
839	that this works on all ldap libs, but I have only tested with openldap */
840	for (msg = ads_first_message(ads, res2); msg; msg = next) {
841	next = ads_next_message(ads, msg);
842	ldap_add_result_entry((LDAPMessage **)res, msg);
843	}
844	/* note that we do not free res2, as the memory is now
845	part of the main returned list */
846	}
847	#else
848	DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
849	status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
850	#endif
851
852	return status;
853	}
854
855	ADS_STATUS ads_do_search_all(ADS_STRUCT ads, const char bind_path,
856	int scope, const char *expr,
857	const char attrs, LDAPMessage res)
858	{
859	return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
860	}
861
862	/**
863	* Run a function on all results for a search. Uses ads_do_paged_search() and
864	* runs the function as each page is returned, using ads_process_results()
865	* @param ads connection to ads server
866	* @param bind_path Base dn for the search
867	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
868	* @param expr Search expression - specified in local charset
869	* @param attrs Attributes to retrieve - specified in UTF-8 or ascii
870	* @param fn Function which takes attr name, values list, and data_area
871	* @param data_area Pointer which is passed to function on each call
872	* @return status of search
873	**/
874	ADS_STATUS ads_do_search_all_fn(ADS_STRUCT ads, const char bind_path,
875	int scope, const char expr, const char *attrs,
876	BOOL(fn)(char , void *, void ),
877	void *data_area)
878	{
879	struct berval *cookie = NULL;
880	int count = 0;
881	ADS_STATUS status;
882	LDAPMessage *res;
883
884	status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
885	&count, &cookie);
886
887	if (!ADS_ERR_OK(status)) return status;
888
889	ads_process_results(ads, res, fn, data_area);
890	ads_msgfree(ads, res);
891
892	while (cookie) {
893	status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
894	&res, &count, &cookie);
895
896	if (!ADS_ERR_OK(status)) break;
897
898	ads_process_results(ads, res, fn, data_area);
899	ads_msgfree(ads, res);
900	}
901
902	return status;
903	}
904
905	/**
906	* Do a search with a timeout.
907	* @param ads connection to ads server
908	* @param bind_path Base dn for the search
909	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
910	* @param expr Search expression
911	* @param attrs Attributes to retrieve
912	* @param res ** which will contain results - free res* with ads_msgfree()
913	* @return status of search
914	**/
915	ADS_STATUS ads_do_search(ADS_STRUCT ads, const char bind_path, int scope,
916	const char *expr,
917	const char attrs, LDAPMessage res)
918	{
919	int rc;
920	char utf8_expr, utf8_path, **search_attrs = NULL;
921	TALLOC_CTX *ctx;
922
923	*res = NULL;
924	if (!(ctx = talloc_init("ads_do_search"))) {
925	DEBUG(1,("ads_do_search: talloc_init() failed!"));
926	return ADS_ERROR(LDAP_NO_MEMORY);
927	}
928
929	/* 0 means the conversion worked but the result was empty
930	so we only fail if it's negative. In any case, it always
931	at least nulls out the dest */
932	if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) \|\|
933	(push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
934	DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
935	rc = LDAP_NO_MEMORY;
936	goto done;
937	}
938
939	if (!attrs \|\| !(*attrs))
940	search_attrs = NULL;
941	else {
942	/* This would be the utf8-encoded version...*/
943	/* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
944	if (!(str_list_copy(&search_attrs, attrs)))
945	{
946	DEBUG(1,("ads_do_search: str_list_copy() failed!"));
947	rc = LDAP_NO_MEMORY;
948	goto done;
949	}
950	}
951
952	/* see the note in ads_do_paged_search - we must disable referrals */
953	ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
954
955	rc = ldap_search_with_timeout(ads->ld, utf8_path, scope, utf8_expr,
956	search_attrs, 0, NULL, NULL,
957	LDAP_NO_LIMIT,
958	(LDAPMessage **)res);
959
960	if (rc == LDAP_SIZELIMIT_EXCEEDED) {
961	DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
962	rc = 0;
963	}
964
965	done:
966	talloc_destroy(ctx);
967	/* if/when we decide to utf8-encode attrs, take out this next line */
968	str_list_free(&search_attrs);
969	return ADS_ERROR(rc);
970	}
971	/**
972	* Do a general ADS search
973	* @param ads connection to ads server
974	* @param res ** which will contain results - free res* with ads_msgfree()
975	* @param expr Search expression
976	* @param attrs Attributes to retrieve
977	* @return status of search
978	**/
979	ADS_STATUS ads_search(ADS_STRUCT ads, LDAPMessage *res,
980	const char expr, const char *attrs)
981	{
982	return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
983	expr, attrs, res);
984	}
985
986	/**
987	* Do a search on a specific DistinguishedName
988	* @param ads connection to ads server
989	* @param res ** which will contain results - free res* with ads_msgfree()
990	* @param dn DistinguishName to search
991	* @param attrs Attributes to retrieve
992	* @return status of search
993	**/
994	ADS_STATUS ads_search_dn(ADS_STRUCT ads, LDAPMessage *res,
995	const char dn, const char *attrs)
996	{
997	return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
998	attrs, res);
999	}
1000
1001	/**
1002	* Free up memory from a ads_search
1003	* @param ads connection to ads server
1004	* @param msg Search results to free
1005	**/
1006	void ads_msgfree(ADS_STRUCT ads, LDAPMessage msg)
1007	{
1008	if (!msg) return;
1009	ldap_msgfree(msg);
1010	}
1011
1012	/**
1013	* Free up memory from various ads requests
1014	* @param ads connection to ads server
1015	* @param mem Area to free
1016	**/
1017	void ads_memfree(ADS_STRUCT ads, void mem)
1018	{
1019	SAFE_FREE(mem);
1020	}
1021
1022	/**
1023	* Get a dn from search results
1024	* @param ads connection to ads server
1025	* @param msg Search result
1026	* @return dn string
1027	**/
1028	char ads_get_dn(ADS_STRUCT ads, LDAPMessage *msg)
1029	{
1030	char utf8_dn, unix_dn;
1031
1032	utf8_dn = ldap_get_dn(ads->ld, msg);
1033
1034	if (!utf8_dn) {
1035	DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
1036	return NULL;
1037	}
1038
1039	if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) {
1040	DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
1041	utf8_dn ));
1042	return NULL;
1043	}
1044	ldap_memfree(utf8_dn);
1045	return unix_dn;
1046	}
1047
1048	/**
1049	* Get the parent from a dn
1050	* @param dn the dn to return the parent from
1051	* @return parent dn string
1052	**/
1053	char ads_parent_dn(const char dn)
1054	{
1055	char *p;
1056
1057	if (dn == NULL) {
1058	return NULL;
1059	}
1060
1061	p = strchr(dn, ',');
1062
1063	if (p == NULL) {
1064	return NULL;
1065	}
1066
1067	return p+1;
1068	}
1069
1070	/**
1071	* Find a machine account given a hostname
1072	* @param ads connection to ads server
1073	* @param res ** which will contain results - free res* with ads_msgfree()
1074	* @param host Hostname to search for
1075	* @return status of search
1076	**/
1077	ADS_STATUS ads_find_machine_acct(ADS_STRUCT ads, LDAPMessage *res,
1078	const char *machine)
1079	{
1080	ADS_STATUS status;
1081	char *expr;
1082	const char attrs[] = {"", "nTSecurityDescriptor", NULL};
1083
1084	*res = NULL;
1085
1086	/* the easiest way to find a machine account anywhere in the tree
1087	is to look for hostname$ */
1088	if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
1089	DEBUG(1, ("asprintf failed!\n"));
1090	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1091	}
1092
1093	status = ads_search(ads, res, expr, attrs);
1094	SAFE_FREE(expr);
1095	return status;
1096	}
1097
1098	/**
1099	* Initialize a list of mods to be used in a modify request
1100	* @param ctx An initialized TALLOC_CTX
1101	* @return allocated ADS_MODLIST
1102	**/
1103	ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
1104	{
1105	#define ADS_MODLIST_ALLOC_SIZE 10
1106	LDAPMod **mods;
1107
1108	if ((mods = TALLOC_ZERO_ARRAY(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
1109	/* -1 is safety to make sure we don't go over the end.
1110	need to reset it to NULL before doing ldap modify */
1111	mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1112
1113	return (ADS_MODLIST)mods;
1114	}
1115
1116
1117	/*
1118	add an attribute to the list, with values list already constructed
1119	*/
1120	static ADS_STATUS ads_modlist_add(TALLOC_CTX ctx, ADS_MODLIST mods,
1121	int mod_op, const char *name,
1122	const void *_invals)
1123	{
1124	const void invals = (const void )_invals;
1125	int curmod;
1126	LDAPMod modlist = (LDAPMod ) *mods;
1127	struct berval **ber_values = NULL;
1128	char **char_values = NULL;
1129
1130	if (!invals) {
1131	mod_op = LDAP_MOD_DELETE;
1132	} else {
1133	if (mod_op & LDAP_MOD_BVALUES)
1134	ber_values = ads_dup_values(ctx,
1135	(const struct berval **)invals);
1136	else
1137	char_values = ads_push_strvals(ctx,
1138	(const char **) invals);
1139	}
1140
1141	/* find the first empty slot */
1142	for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
1143	curmod++);
1144	if (modlist[curmod] == (LDAPMod *) -1) {
1145	if (!(modlist = TALLOC_REALLOC_ARRAY(ctx, modlist, LDAPMod *,
1146	curmod+ADS_MODLIST_ALLOC_SIZE+1)))
1147	return ADS_ERROR(LDAP_NO_MEMORY);
1148	memset(&modlist[curmod], 0,
1149	ADS_MODLIST_ALLOC_SIZEsizeof(LDAPMod ));
1150	modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1151	*mods = (ADS_MODLIST)modlist;
1152	}
1153
1154	if (!(modlist[curmod] = TALLOC_ZERO_P(ctx, LDAPMod)))
1155	return ADS_ERROR(LDAP_NO_MEMORY);
1156	modlist[curmod]->mod_type = talloc_strdup(ctx, name);
1157	if (mod_op & LDAP_MOD_BVALUES) {
1158	modlist[curmod]->mod_bvalues = ber_values;
1159	} else if (mod_op & LDAP_MOD_DELETE) {
1160	modlist[curmod]->mod_values = NULL;
1161	} else {
1162	modlist[curmod]->mod_values = char_values;
1163	}
1164
1165	modlist[curmod]->mod_op = mod_op;
1166	return ADS_ERROR(LDAP_SUCCESS);
1167	}
1168
1169	/**
1170	* Add a single string value to a mod list
1171	* @param ctx An initialized TALLOC_CTX
1172	* @param mods An initialized ADS_MODLIST
1173	* @param name The attribute name to add
1174	* @param val The value to add - NULL means DELETE
1175	* @return ADS STATUS indicating success of add
1176	**/
1177	ADS_STATUS ads_mod_str(TALLOC_CTX ctx, ADS_MODLIST mods,
1178	const char name, const char val)
1179	{
1180	const char *values[2];
1181
1182	values[0] = val;
1183	values[1] = NULL;
1184
1185	if (!val)
1186	return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1187	return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
1188	}
1189
1190	/**
1191	* Add an array of string values to a mod list
1192	* @param ctx An initialized TALLOC_CTX
1193	* @param mods An initialized ADS_MODLIST
1194	* @param name The attribute name to add
1195	* @param vals The array of string values to add - NULL means DELETE
1196	* @return ADS STATUS indicating success of add
1197	**/
1198	ADS_STATUS ads_mod_strlist(TALLOC_CTX ctx, ADS_MODLIST mods,
1199	const char name, const char *vals)
1200	{
1201	if (!vals)
1202	return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1203	return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
1204	name, (const void **) vals);
1205	}
1206
1207	#if 0
1208	/**
1209	* Add a single ber-encoded value to a mod list
1210	* @param ctx An initialized TALLOC_CTX
1211	* @param mods An initialized ADS_MODLIST
1212	* @param name The attribute name to add
1213	* @param val The value to add - NULL means DELETE
1214	* @return ADS STATUS indicating success of add
1215	**/
1216	static ADS_STATUS ads_mod_ber(TALLOC_CTX ctx, ADS_MODLIST mods,
1217	const char name, const struct berval val)
1218	{
1219	const struct berval *values[2];
1220
1221	values[0] = val;
1222	values[1] = NULL;
1223	if (!val)
1224	return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1225	return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE\|LDAP_MOD_BVALUES,
1226	name, (const void **) values);
1227	}
1228	#endif
1229
1230	/**
1231	* Perform an ldap modify
1232	* @param ads connection to ads server
1233	* @param mod_dn DistinguishedName to modify
1234	* @param mods list of modifications to perform
1235	* @return status of modify
1236	**/
1237	ADS_STATUS ads_gen_mod(ADS_STRUCT ads, const char mod_dn, ADS_MODLIST mods)
1238	{
1239	int ret,i;
1240	char *utf8_dn = NULL;
1241	/*
1242	this control is needed to modify that contains a currently
1243	non-existent attribute (but allowable for the object) to run
1244	*/
1245	LDAPControl PermitModify = {
1246	CONST_DISCARD(char *, ADS_PERMIT_MODIFY_OID),
1247	{0, NULL},
1248	(char) 1};
1249	LDAPControl *controls[2];
1250
1251	controls[0] = &PermitModify;
1252	controls[1] = NULL;
1253
1254	if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
1255	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1256	}
1257
1258	/* find the end of the list, marked by NULL or -1 */
1259	for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1260	/* make sure the end of the list is NULL */
1261	mods[i] = NULL;
1262	ret = ldap_modify_ext_s(ads->ld, utf8_dn,
1263	(LDAPMod **) mods, controls, NULL);
1264	SAFE_FREE(utf8_dn);
1265	return ADS_ERROR(ret);
1266	}
1267
1268	/**
1269	* Perform an ldap add
1270	* @param ads connection to ads server
1271	* @param new_dn DistinguishedName to add
1272	* @param mods list of attributes and values for DN
1273	* @return status of add
1274	**/
1275	ADS_STATUS ads_gen_add(ADS_STRUCT ads, const char new_dn, ADS_MODLIST mods)
1276	{
1277	int ret, i;
1278	char *utf8_dn = NULL;
1279
1280	if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
1281	DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
1282	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1283	}
1284
1285	/* find the end of the list, marked by NULL or -1 */
1286	for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1287	/* make sure the end of the list is NULL */
1288	mods[i] = NULL;
1289
1290	ret = ldap_add_s(ads->ld, utf8_dn, (LDAPMod**)mods);
1291	SAFE_FREE(utf8_dn);
1292	return ADS_ERROR(ret);
1293	}
1294
1295	/**
1296	* Delete a DistinguishedName
1297	* @param ads connection to ads server
1298	* @param new_dn DistinguishedName to delete
1299	* @return status of delete
1300	**/
1301	ADS_STATUS ads_del_dn(ADS_STRUCT ads, char del_dn)
1302	{
1303	int ret;
1304	char *utf8_dn = NULL;
1305	if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
1306	DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
1307	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1308	}
1309
1310	ret = ldap_delete_s(ads->ld, utf8_dn);
1311	SAFE_FREE(utf8_dn);
1312	return ADS_ERROR(ret);
1313	}
1314
1315	/**
1316	* Build an org unit string
1317	* if org unit is Computers or blank then assume a container, otherwise
1318	* assume a / separated list of organisational units.
1319	* jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
1320	* @param ads connection to ads server
1321	* @param org_unit Organizational unit
1322	* @return org unit string - caller must free
1323	**/
1324	char ads_ou_string(ADS_STRUCT ads, const char *org_unit)
1325	{
1326	char *ret = NULL;
1327
1328	if (!org_unit \|\| !*org_unit) {
1329
1330	ret = ads_default_ou_string(ads, WELL_KNOWN_GUID_COMPUTERS);
1331
1332	/* samba4 might not yet respond to a wellknownobject-query */
1333	return ret ? ret : SMB_STRDUP("cn=Computers");
1334	}
1335
1336	if (strequal(org_unit, "Computers")) {
1337	return SMB_STRDUP("cn=Computers");
1338	}
1339
1340	/* jmcd: removed "\\" from the separation chars, because it is
1341	needed as an escape for chars like '#' which are valid in an
1342	OU name */
1343	return ads_build_path(org_unit, "/", "ou=", 1);
1344	}
1345
1346	/**
1347	* Get a org unit string for a well-known GUID
1348	* @param ads connection to ads server
1349	* @param wknguid Well known GUID
1350	* @return org unit string - caller must free
1351	**/
1352	char ads_default_ou_string(ADS_STRUCT ads, const char *wknguid)
1353	{
1354	ADS_STATUS status;
1355	LDAPMessage *res = NULL;
1356	char base, wkn_dn = NULL, ret = NULL, *wkn_dn_exp = NULL,
1357	**bind_dn_exp = NULL;
1358	const char *attrs[] = {"distinguishedName", NULL};
1359	int new_ln, wkn_ln, bind_ln, i;
1360
1361	if (wknguid == NULL) {
1362	return NULL;
1363	}
1364
1365	if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
1366	DEBUG(1, ("asprintf failed!\n"));
1367	return NULL;
1368	}
1369
1370	status = ads_search_dn(ads, &res, base, attrs);
1371	if (!ADS_ERR_OK(status)) {
1372	DEBUG(1,("Failed while searching for: %s\n", base));
1373	goto out;
1374	}
1375
1376	if (ads_count_replies(ads, res) != 1) {
1377	goto out;
1378	}
1379
1380	/* substitute the bind-path from the well-known-guid-search result */
1381	wkn_dn = ads_get_dn(ads, res);
1382	if (!wkn_dn) {
1383	goto out;
1384	}
1385
1386	wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
1387	if (!wkn_dn_exp) {
1388	goto out;
1389	}
1390
1391	bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
1392	if (!bind_dn_exp) {
1393	goto out;
1394	}
1395
1396	for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
1397	;
1398	for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
1399	;
1400
1401	new_ln = wkn_ln - bind_ln;
1402
1403	ret = SMB_STRDUP(wkn_dn_exp[0]);
1404	if (!ret) {
1405	goto out;
1406	}
1407
1408	for (i=1; i < new_ln; i++) {
1409	char *s = NULL;
1410
1411	if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
1412	SAFE_FREE(ret);
1413	goto out;
1414	}
1415
1416	SAFE_FREE(ret);
1417	ret = SMB_STRDUP(s);
1418	free(s);
1419	if (!ret) {
1420	goto out;
1421	}
1422	}
1423
1424	out:
1425	SAFE_FREE(base);
1426	ads_msgfree(ads, res);
1427	ads_memfree(ads, wkn_dn);
1428	if (wkn_dn_exp) {
1429	ldap_value_free(wkn_dn_exp);
1430	}
1431	if (bind_dn_exp) {
1432	ldap_value_free(bind_dn_exp);
1433	}
1434
1435	return ret;
1436	}
1437
1438	/**
1439	* Adds (appends) an item to an attribute array, rather then
1440	* replacing the whole list
1441	* @param ctx An initialized TALLOC_CTX
1442	* @param mods An initialized ADS_MODLIST
1443	* @param name name of the ldap attribute to append to
1444	* @param vals an array of values to add
1445	* @return status of addition
1446	**/
1447
1448	ADS_STATUS ads_add_strlist(TALLOC_CTX ctx, ADS_MODLIST mods,
1449	const char name, const char *vals)
1450	{
1451	return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
1452	(const void *) vals);
1453	}
1454
1455	/**
1456	* Determines the computer account's current KVNO via an LDAP lookup
1457	* @param ads An initialized ADS_STRUCT
1458	* @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1459	* @return the kvno for the computer account, or -1 in case of a failure.
1460	**/
1461
1462	uint32 ads_get_kvno(ADS_STRUCT ads, const char machine_name)
1463	{
1464	LDAPMessage *res = NULL;
1465	uint32 kvno = (uint32)-1; /* -1 indicates a failure */
1466	char *filter;
1467	const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
1468	char *dn_string = NULL;
1469	ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1470
1471	DEBUG(5,("ads_get_kvno: Searching for host %s\n", machine_name));
1472	if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
1473	return kvno;
1474	}
1475	ret = ads_search(ads, &res, filter, attrs);
1476	SAFE_FREE(filter);
1477	if (!ADS_ERR_OK(ret) && ads_count_replies(ads, res)) {
1478	DEBUG(1,("ads_get_kvno: Computer Account For %s not found.\n", machine_name));
1479	ads_msgfree(ads, res);
1480	return kvno;
1481	}
1482
1483	dn_string = ads_get_dn(ads, res);
1484	if (!dn_string) {
1485	DEBUG(0,("ads_get_kvno: out of memory.\n"));
1486	ads_msgfree(ads, res);
1487	return kvno;
1488	}
1489	DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string));
1490	ads_memfree(ads, dn_string);
1491
1492	/* ---------------------------------------------------------
1493	* 0 is returned as a default KVNO from this point on...
1494	* This is done because Windows 2000 does not support key
1495	* version numbers. Chances are that a failure in the next
1496	* step is simply due to Windows 2000 being used for a
1497	* domain controller. */
1498	kvno = 0;
1499
1500	if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) {
1501	DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n"));
1502	DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n"));
1503	ads_msgfree(ads, res);
1504	return kvno;
1505	}
1506
1507	/* Success */
1508	DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno));
1509	ads_msgfree(ads, res);
1510	return kvno;
1511	}
1512
1513	/**
1514	* This clears out all registered spn's for a given hostname
1515	* @param ads An initilaized ADS_STRUCT
1516	* @param machine_name the NetBIOS name of the computer.
1517	* @return 0 upon success, non-zero otherwise.
1518	**/
1519
1520	ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT ads, const char machine_name)
1521	{
1522	TALLOC_CTX *ctx;
1523	LDAPMessage *res = NULL;
1524	ADS_MODLIST mods;
1525	const char *servicePrincipalName[1] = {NULL};
1526	ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1527	char *dn_string = NULL;
1528
1529	ret = ads_find_machine_acct(ads, &res, machine_name);
1530	if (!ADS_ERR_OK(ret) \|\| ads_count_replies(ads, res) != 1) {
1531	DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
1532	DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
1533	ads_msgfree(ads, res);
1534	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1535	}
1536
1537	DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
1538	ctx = talloc_init("ads_clear_service_principal_names");
1539	if (!ctx) {
1540	ads_msgfree(ads, res);
1541	return ADS_ERROR(LDAP_NO_MEMORY);
1542	}
1543
1544	if (!(mods = ads_init_mods(ctx))) {
1545	talloc_destroy(ctx);
1546	ads_msgfree(ads, res);
1547	return ADS_ERROR(LDAP_NO_MEMORY);
1548	}
1549	ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1550	if (!ADS_ERR_OK(ret)) {
1551	DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n"));
1552	ads_msgfree(ads, res);
1553	talloc_destroy(ctx);
1554	return ret;
1555	}
1556	dn_string = ads_get_dn(ads, res);
1557	if (!dn_string) {
1558	talloc_destroy(ctx);
1559	ads_msgfree(ads, res);
1560	return ADS_ERROR(LDAP_NO_MEMORY);
1561	}
1562	ret = ads_gen_mod(ads, dn_string, mods);
1563	ads_memfree(ads,dn_string);
1564	if (!ADS_ERR_OK(ret)) {
1565	DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n",
1566	machine_name));
1567	ads_msgfree(ads, res);
1568	talloc_destroy(ctx);
1569	return ret;
1570	}
1571
1572	ads_msgfree(ads, res);
1573	talloc_destroy(ctx);
1574	return ret;
1575	}
1576
1577	/**
1578	* This adds a service principal name to an existing computer account
1579	* (found by hostname) in AD.
1580	* @param ads An initialized ADS_STRUCT
1581	* @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1582	* @param my_fqdn The fully qualified DNS name of the machine
1583	* @param spn A string of the service principal to add, i.e. 'host'
1584	* @return 0 upon sucess, or non-zero if a failure occurs
1585	**/
1586
1587	ADS_STATUS ads_add_service_principal_name(ADS_STRUCT ads, const char machine_name,
1588	const char my_fqdn, const char spn)
1589	{
1590	ADS_STATUS ret;
1591	TALLOC_CTX *ctx;
1592	LDAPMessage *res = NULL;
1593	char psp1, psp2;
1594	ADS_MODLIST mods;
1595	char *dn_string = NULL;
1596	const char *servicePrincipalName[3] = {NULL, NULL, NULL};
1597
1598	ret = ads_find_machine_acct(ads, &res, machine_name);
1599	if (!ADS_ERR_OK(ret) \|\| ads_count_replies(ads, res) != 1) {
1600	DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
1601	machine_name));
1602	DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principal '%s/%s@%s' has NOT been added.\n",
1603	spn, machine_name, ads->config.realm));
1604	ads_msgfree(ads, res);
1605	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1606	}
1607
1608	DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
1609	if (!(ctx = talloc_init("ads_add_service_principal_name"))) {
1610	ads_msgfree(ads, res);
1611	return ADS_ERROR(LDAP_NO_MEMORY);
1612	}
1613
1614	/* add short name spn */
1615
1616	if ( (psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name)) == NULL ) {
1617	talloc_destroy(ctx);
1618	ads_msgfree(ads, res);
1619	return ADS_ERROR(LDAP_NO_MEMORY);
1620	}
1621	strupper_m(psp1);
1622	strlower_m(&psp1[strlen(spn)]);
1623	servicePrincipalName[0] = psp1;
1624
1625	DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1626	psp1, machine_name));
1627
1628
1629	/* add fully qualified spn */
1630
1631	if ( (psp2 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn)) == NULL ) {
1632	ret = ADS_ERROR(LDAP_NO_MEMORY);
1633	goto out;
1634	}
1635	strupper_m(psp2);
1636	strlower_m(&psp2[strlen(spn)]);
1637	servicePrincipalName[1] = psp2;
1638
1639	DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1640	psp2, machine_name));
1641
1642	if ( (mods = ads_init_mods(ctx)) == NULL ) {
1643	ret = ADS_ERROR(LDAP_NO_MEMORY);
1644	goto out;
1645	}
1646
1647	ret = ads_add_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1648	if (!ADS_ERR_OK(ret)) {
1649	DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1650	goto out;
1651	}
1652
1653	if ( (dn_string = ads_get_dn(ads, res)) == NULL ) {
1654	ret = ADS_ERROR(LDAP_NO_MEMORY);
1655	goto out;
1656	}
1657
1658	ret = ads_gen_mod(ads, dn_string, mods);
1659	ads_memfree(ads,dn_string);
1660	if (!ADS_ERR_OK(ret)) {
1661	DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1662	goto out;
1663	}
1664
1665	out:
1666	TALLOC_FREE( ctx );
1667	ads_msgfree(ads, res);
1668	return ret;
1669	}
1670
1671	/**
1672	* adds a machine account to the ADS server
1673	* @param ads An intialized ADS_STRUCT
1674	* @param machine_name - the NetBIOS machine name of this account.
1675	* @param account_type A number indicating the type of account to create
1676	* @param org_unit The LDAP path in which to place this account
1677	* @return 0 upon success, or non-zero otherwise
1678	**/
1679
1680	ADS_STATUS ads_create_machine_acct(ADS_STRUCT ads, const char machine_name,
1681	const char *org_unit)
1682	{
1683	ADS_STATUS ret;
1684	char samAccountName, controlstr;
1685	TALLOC_CTX *ctx;
1686	ADS_MODLIST mods;
1687	char *machine_escaped = NULL;
1688	char *new_dn;
1689	const char *objectClass[] = {"top", "person", "organizationalPerson",
1690	"user", "computer", NULL};
1691	LDAPMessage *res = NULL;
1692	uint32 acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT \|\
1693	UF_DONT_EXPIRE_PASSWD \|\
1694	UF_ACCOUNTDISABLE );
1695
1696	if (!(ctx = talloc_init("ads_add_machine_acct")))
1697	return ADS_ERROR(LDAP_NO_MEMORY);
1698
1699	ret = ADS_ERROR(LDAP_NO_MEMORY);
1700
1701	machine_escaped = escape_rdn_val_string_alloc(machine_name);
1702	if (!machine_escaped) {
1703	goto done;
1704	}
1705
1706	new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
1707	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
1708
1709	if ( !new_dn \|\| !samAccountName ) {
1710	goto done;
1711	}
1712
1713	#ifndef ENCTYPE_ARCFOUR_HMAC
1714	acct_control \|= UF_USE_DES_KEY_ONLY;
1715	#endif
1716
1717	if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
1718	goto done;
1719	}
1720
1721	if (!(mods = ads_init_mods(ctx))) {
1722	goto done;
1723	}
1724
1725	ads_mod_str(ctx, &mods, "cn", machine_name);
1726	ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
1727	ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
1728	ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
1729
1730	ret = ads_gen_add(ads, new_dn, mods);
1731
1732	done:
1733	SAFE_FREE(machine_escaped);
1734	ads_msgfree(ads, res);
1735	talloc_destroy(ctx);
1736
1737	return ret;
1738	}
1739
1740	/*
1741	dump a binary result from ldap
1742	*/
1743	static void dump_binary(const char field, struct berval *values)
1744	{
1745	int i, j;
1746	for (i=0; values[i]; i++) {
1747	printf("%s: ", field);
1748	for (j=0; j<values[i]->bv_len; j++) {
1749	printf("%02X", (unsigned char)values[i]->bv_val[j]);
1750	}
1751	printf("\n");
1752	}
1753	}
1754
1755	static void dump_guid(const char field, struct berval *values)
1756	{
1757	int i;
1758	UUID_FLAT guid;
1759	for (i=0; values[i]; i++) {
1760	memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
1761	printf("%s: %s\n", field,
1762	smb_uuid_string_static(smb_uuid_unpack_static(guid)));
1763	}
1764	}
1765
1766	/*
1767	dump a sid result from ldap
1768	*/
1769	static void dump_sid(const char field, struct berval *values)
1770	{
1771	int i;
1772	for (i=0; values[i]; i++) {
1773	DOM_SID sid;
1774	sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
1775	printf("%s: %s\n", field, sid_string_static(&sid));
1776	}
1777	}
1778
1779	/*
1780	dump ntSecurityDescriptor
1781	*/
1782	static void dump_sd(const char filed, struct berval *values)
1783	{
1784	prs_struct ps;
1785
1786	SEC_DESC *psd = 0;
1787	TALLOC_CTX *ctx = 0;
1788
1789	if (!(ctx = talloc_init("sec_io_desc")))
1790	return;
1791
1792	/* prepare data */
1793	prs_init(&ps, values[0]->bv_len, ctx, UNMARSHALL);
1794	prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
1795	prs_set_offset(&ps,0);
1796
1797	/* parse secdesc */
1798	if (!sec_io_desc("sd", &psd, &ps, 1)) {
1799	prs_mem_free(&ps);
1800	talloc_destroy(ctx);
1801	return;
1802	}
1803	if (psd) ads_disp_sd(psd);
1804
1805	prs_mem_free(&ps);
1806	talloc_destroy(ctx);
1807	}
1808
1809	/*
1810	dump a string result from ldap
1811	*/
1812	static void dump_string(const char field, char *values)
1813	{
1814	int i;
1815	for (i=0; values[i]; i++) {
1816	printf("%s: %s\n", field, values[i]);
1817	}
1818	}
1819
1820	/*
1821	dump a field from LDAP on stdout
1822	used for debugging
1823	*/
1824
1825	static BOOL ads_dump_field(char field, void values, void data_area)
1826	{
1827	const struct {
1828	const char *name;
1829	BOOL string;
1830	void (handler)(const char , struct berval **);
1831	} handlers[] = {
1832	{"objectGUID", False, dump_guid},
1833	{"netbootGUID", False, dump_guid},
1834	{"nTSecurityDescriptor", False, dump_sd},
1835	{"dnsRecord", False, dump_binary},
1836	{"objectSid", False, dump_sid},
1837	{"tokenGroups", False, dump_sid},
1838	{"tokenGroupsNoGCAcceptable", False, dump_sid},
1839	{"tokengroupsGlobalandUniversal", False, dump_sid},
1840	{"mS-DS-CreatorSID", False, dump_sid},
1841	{NULL, True, NULL}
1842	};
1843	int i;
1844
1845	if (!field) { /* must be end of an entry */
1846	printf("\n");
1847	return False;
1848	}
1849
1850	for (i=0; handlers[i].name; i++) {
1851	if (StrCaseCmp(handlers[i].name, field) == 0) {
1852	if (!values) /* first time, indicate string or not */
1853	return handlers[i].string;
1854	handlers[i].handler(field, (struct berval **) values);
1855	break;
1856	}
1857	}
1858	if (!handlers[i].name) {
1859	if (!values) /* first time, indicate string conversion */
1860	return True;
1861	dump_string(field, (char **)values);
1862	}
1863	return False;
1864	}
1865
1866	/**
1867	* Dump a result from LDAP on stdout
1868	* used for debugging
1869	* @param ads connection to ads server
1870	* @param res Results to dump
1871	**/
1872
1873	void ads_dump(ADS_STRUCT ads, LDAPMessage res)
1874	{
1875	ads_process_results(ads, res, ads_dump_field, NULL);
1876	}
1877
1878	/**
1879	* Walk through results, calling a function for each entry found.
1880	* The function receives a field name, a berval * array of values,
1881	* and a data area passed through from the start. The function is
1882	* called once with null for field and values at the end of each
1883	* entry.
1884	* @param ads connection to ads server
1885	* @param res Results to process
1886	* @param fn Function for processing each result
1887	* @param data_area user-defined area to pass to function
1888	**/
1889	void ads_process_results(ADS_STRUCT ads, LDAPMessage res,
1890	BOOL(fn)(char , void *, void ),
1891	void *data_area)
1892	{
1893	LDAPMessage *msg;
1894	TALLOC_CTX *ctx;
1895
1896	if (!(ctx = talloc_init("ads_process_results")))
1897	return;
1898
1899	for (msg = ads_first_entry(ads, res); msg;
1900	msg = ads_next_entry(ads, msg)) {
1901	char *utf8_field;
1902	BerElement *b;
1903
1904	for (utf8_field=ldap_first_attribute(ads->ld,
1905	(LDAPMessage *)msg,&b);
1906	utf8_field;
1907	utf8_field=ldap_next_attribute(ads->ld,
1908	(LDAPMessage *)msg,b)) {
1909	struct berval **ber_vals;
1910	char str_vals, utf8_vals;
1911	char *field;
1912	BOOL string;
1913
1914	pull_utf8_talloc(ctx, &field, utf8_field);
1915	string = fn(field, NULL, data_area);
1916
1917	if (string) {
1918	utf8_vals = ldap_get_values(ads->ld,
1919	(LDAPMessage *)msg, field);
1920	str_vals = ads_pull_strvals(ctx,
1921	(const char **) utf8_vals);
1922	fn(field, (void **) str_vals, data_area);
1923	ldap_value_free(utf8_vals);
1924	} else {
1925	ber_vals = ldap_get_values_len(ads->ld,
1926	(LDAPMessage *)msg, field);
1927	fn(field, (void **) ber_vals, data_area);
1928
1929	ldap_value_free_len(ber_vals);
1930	}
1931	ldap_memfree(utf8_field);
1932	}
1933	ber_free(b, 0);
1934	talloc_free_children(ctx);
1935	fn(NULL, NULL, data_area); /* completed an entry */
1936
1937	}
1938	talloc_destroy(ctx);
1939	}
1940
1941	/**
1942	* count how many replies are in a LDAPMessage
1943	* @param ads connection to ads server
1944	* @param res Results to count
1945	* @return number of replies
1946	**/
1947	int ads_count_replies(ADS_STRUCT ads, void res)
1948	{
1949	return ldap_count_entries(ads->ld, (LDAPMessage *)res);
1950	}
1951
1952	/**
1953	* pull the first entry from a ADS result
1954	* @param ads connection to ads server
1955	* @param res Results of search
1956	* @return first entry from result
1957	**/
1958	LDAPMessage ads_first_entry(ADS_STRUCT ads, LDAPMessage *res)
1959	{
1960	return ldap_first_entry(ads->ld, res);
1961	}
1962
1963	/**
1964	* pull the next entry from a ADS result
1965	* @param ads connection to ads server
1966	* @param res Results of search
1967	* @return next entry from result
1968	**/
1969	LDAPMessage ads_next_entry(ADS_STRUCT ads, LDAPMessage *res)
1970	{
1971	return ldap_next_entry(ads->ld, res);
1972	}
1973
1974	/**
1975	* pull the first message from a ADS result
1976	* @param ads connection to ads server
1977	* @param res Results of search
1978	* @return first message from result
1979	**/
1980	LDAPMessage ads_first_message(ADS_STRUCT ads, LDAPMessage *res)
1981	{
1982	return ldap_first_message(ads->ld, res);
1983	}
1984
1985	/**
1986	* pull the next message from a ADS result
1987	* @param ads connection to ads server
1988	* @param res Results of search
1989	* @return next message from result
1990	**/
1991	LDAPMessage ads_next_message(ADS_STRUCT ads, LDAPMessage *res)
1992	{
1993	return ldap_next_message(ads->ld, res);
1994	}
1995
1996	/**
1997	* pull a single string from a ADS result
1998	* @param ads connection to ads server
1999	* @param mem_ctx TALLOC_CTX to use for allocating result string
2000	* @param msg Results of search
2001	* @param field Attribute to retrieve
2002	* @return Result string in talloc context
2003	**/
2004	char ads_pull_string(ADS_STRUCT ads, TALLOC_CTX mem_ctx, LDAPMessage msg,
2005	const char *field)
2006	{
2007	char **values;
2008	char *ret = NULL;
2009	char *ux_string;
2010	size_t rc;
2011
2012	values = ldap_get_values(ads->ld, msg, field);
2013	if (!values)
2014	return NULL;
2015
2016	if (values[0]) {
2017	rc = pull_utf8_talloc(mem_ctx, &ux_string,
2018	values[0]);
2019	if (rc != (size_t)-1)
2020	ret = ux_string;
2021
2022	}
2023	ldap_value_free(values);
2024	return ret;
2025	}
2026
2027	/**
2028	* pull an array of strings from a ADS result
2029	* @param ads connection to ads server
2030	* @param mem_ctx TALLOC_CTX to use for allocating result string
2031	* @param msg Results of search
2032	* @param field Attribute to retrieve
2033	* @return Result strings in talloc context
2034	**/
2035	char *ads_pull_strings(ADS_STRUCT ads, TALLOC_CTX *mem_ctx,
2036	LDAPMessage msg, const char field,
2037	size_t *num_values)
2038	{
2039	char **values;
2040	char **ret = NULL;
2041	int i;
2042
2043	values = ldap_get_values(ads->ld, msg, field);
2044	if (!values)
2045	return NULL;
2046
2047	*num_values = ldap_count_values(values);
2048
2049	ret = TALLOC_ARRAY(mem_ctx, char , num_values + 1);
2050	if (!ret) {
2051	ldap_value_free(values);
2052	return NULL;
2053	}
2054
2055	for (i=0;i<*num_values;i++) {
2056	if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
2057	ldap_value_free(values);
2058	return NULL;
2059	}
2060	}
2061	ret[i] = NULL;
2062
2063	ldap_value_free(values);
2064	return ret;
2065	}
2066
2067	/**
2068	* pull an array of strings from a ADS result
2069	* (handle large multivalue attributes with range retrieval)
2070	* @param ads connection to ads server
2071	* @param mem_ctx TALLOC_CTX to use for allocating result string
2072	* @param msg Results of search
2073	* @param field Attribute to retrieve
2074	* @param current_strings strings returned by a previous call to this function
2075	* @param next_attribute The next query should ask for this attribute
2076	* @param num_values How many values did we get this time?
2077	* @param more_values Are there more values to get?
2078	* @return Result strings in talloc context
2079	**/
2080	char *ads_pull_strings_range(ADS_STRUCT ads,
2081	TALLOC_CTX *mem_ctx,
2082	LDAPMessage msg, const char field,
2083	char **current_strings,
2084	const char **next_attribute,
2085	size_t *num_strings,
2086	BOOL *more_strings)
2087	{
2088	char *attr;
2089	char expected_range_attrib, range_attr;
2090	BerElement *ptr = NULL;
2091	char **strings;
2092	char **new_strings;
2093	size_t num_new_strings;
2094	unsigned long int range_start;
2095	unsigned long int range_end;
2096
2097	/* we might have been given the whole lot anyway */
2098	if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
2099	*more_strings = False;
2100	return strings;
2101	}
2102
2103	expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
2104
2105	/* look for Range result */
2106	for (attr = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &ptr);
2107	attr;
2108	attr = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, ptr)) {
2109	/* we ignore the fact that this is utf8, as all attributes are ascii... */
2110	if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) {
2111	range_attr = attr;
2112	break;
2113	}
2114	ldap_memfree(attr);
2115	}
2116	if (!attr) {
2117	ber_free(ptr, 0);
2118	/* nothing here - this field is just empty */
2119	*more_strings = False;
2120	return NULL;
2121	}
2122
2123	if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
2124	&range_start, &range_end) == 2) {
2125	*more_strings = True;
2126	} else {
2127	if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
2128	&range_start) == 1) {
2129	*more_strings = False;
2130	} else {
2131	DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n",
2132	range_attr));
2133	ldap_memfree(range_attr);
2134	*more_strings = False;
2135	return NULL;
2136	}
2137	}
2138
2139	if ((*num_strings) != range_start) {
2140	DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
2141	" - aborting range retreival\n",
2142	range_attr, (unsigned int)(*num_strings) + 1, range_start));
2143	ldap_memfree(range_attr);
2144	*more_strings = False;
2145	return NULL;
2146	}
2147
2148	new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
2149
2150	if (more_strings && ((num_strings + num_new_strings) != (range_end + 1))) {
2151	DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
2152	"strings in this bunch, but we only got %lu - aborting range retreival\n",
2153	range_attr, (unsigned long int)range_end - range_start + 1,
2154	(unsigned long int)num_new_strings));
2155	ldap_memfree(range_attr);
2156	*more_strings = False;
2157	return NULL;
2158	}
2159
2160	strings = TALLOC_REALLOC_ARRAY(mem_ctx, current_strings, char *,
2161	*num_strings + num_new_strings);
2162
2163	if (strings == NULL) {
2164	ldap_memfree(range_attr);
2165	*more_strings = False;
2166	return NULL;
2167	}
2168
2169	if (new_strings && num_new_strings) {
2170	memcpy(&strings[*num_strings], new_strings,
2171	sizeof(new_strings) num_new_strings);
2172	}
2173
2174	(*num_strings) += num_new_strings;
2175
2176	if (*more_strings) {
2177	*next_attribute = talloc_asprintf(mem_ctx,
2178	"%s;range=%d-*",
2179	field,
2180	(int)*num_strings);
2181
2182	if (!*next_attribute) {
2183	DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
2184	ldap_memfree(range_attr);
2185	*more_strings = False;
2186	return NULL;
2187	}
2188	}
2189
2190	ldap_memfree(range_attr);
2191
2192	return strings;
2193	}
2194
2195	/**
2196	* pull a single uint32 from a ADS result
2197	* @param ads connection to ads server
2198	* @param msg Results of search
2199	* @param field Attribute to retrieve
2200	* @param v Pointer to int to store result
2201	* @return boolean inidicating success
2202	*/
2203	BOOL ads_pull_uint32(ADS_STRUCT ads, LDAPMessage msg, const char *field,
2204	uint32 *v)
2205	{
2206	char **values;
2207
2208	values = ldap_get_values(ads->ld, msg, field);
2209	if (!values)
2210	return False;
2211	if (!values[0]) {
2212	ldap_value_free(values);
2213	return False;
2214	}
2215
2216	*v = atoi(values[0]);
2217	ldap_value_free(values);
2218	return True;
2219	}
2220
2221	/**
2222	* pull a single objectGUID from an ADS result
2223	* @param ads connection to ADS server
2224	* @param msg results of search
2225	* @param guid 37-byte area to receive text guid
2226	* @return boolean indicating success
2227	**/
2228	BOOL ads_pull_guid(ADS_STRUCT ads, LDAPMessage msg, struct GUID *guid)
2229	{
2230	char **values;
2231	UUID_FLAT flat_guid;
2232
2233	values = ldap_get_values(ads->ld, msg, "objectGUID");
2234	if (!values)
2235	return False;
2236
2237	if (values[0]) {
2238	memcpy(&flat_guid.info, values[0], sizeof(UUID_FLAT));
2239	smb_uuid_unpack(flat_guid, guid);
2240	ldap_value_free(values);
2241	return True;
2242	}
2243	ldap_value_free(values);
2244	return False;
2245
2246	}
2247
2248
2249	/**
2250	* pull a single DOM_SID from a ADS result
2251	* @param ads connection to ads server
2252	* @param msg Results of search
2253	* @param field Attribute to retrieve
2254	* @param sid Pointer to sid to store result
2255	* @return boolean inidicating success
2256	*/
2257	BOOL ads_pull_sid(ADS_STRUCT ads, LDAPMessage msg, const char *field,
2258	DOM_SID *sid)
2259	{
2260	struct berval **values;
2261	BOOL ret = False;
2262
2263	values = ldap_get_values_len(ads->ld, msg, field);
2264
2265	if (!values)
2266	return False;
2267
2268	if (values[0])
2269	ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
2270
2271	ldap_value_free_len(values);
2272	return ret;
2273	}
2274
2275	/**
2276	* pull an array of DOM_SIDs from a ADS result
2277	* @param ads connection to ads server
2278	* @param mem_ctx TALLOC_CTX for allocating sid array
2279	* @param msg Results of search
2280	* @param field Attribute to retrieve
2281	* @param sids pointer to sid array to allocate
2282	* @return the count of SIDs pulled
2283	**/
2284	int ads_pull_sids(ADS_STRUCT ads, TALLOC_CTX mem_ctx,
2285	LDAPMessage msg, const char field, DOM_SID **sids)
2286	{
2287	struct berval **values;
2288	BOOL ret;
2289	int count, i;
2290
2291	values = ldap_get_values_len(ads->ld, msg, field);
2292
2293	if (!values)
2294	return 0;
2295
2296	for (i=0; values[i]; i++)
2297	/* nop */ ;
2298
2299	if (i) {
2300	(*sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, i);
2301	if (!(*sids)) {
2302	ldap_value_free_len(values);
2303	return 0;
2304	}
2305	} else {
2306	(*sids) = NULL;
2307	}
2308
2309	count = 0;
2310	for (i=0; values[i]; i++) {
2311	ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
2312	if (ret) {
2313	fstring sid;
2314	DEBUG(10, ("pulling SID: %s\n", sid_to_string(sid, &(*sids)[count])));
2315	count++;
2316	}
2317	}
2318
2319	ldap_value_free_len(values);
2320	return count;
2321	}
2322
2323	/**
2324	* pull a SEC_DESC from a ADS result
2325	* @param ads connection to ads server
2326	* @param mem_ctx TALLOC_CTX for allocating sid array
2327	* @param msg Results of search
2328	* @param field Attribute to retrieve
2329	* @param sd Pointer to *SEC_DESC to store result (talloc()ed)
2330	* @return boolean inidicating success
2331	*/
2332	BOOL ads_pull_sd(ADS_STRUCT ads, TALLOC_CTX mem_ctx,
2333	LDAPMessage msg, const char field, SEC_DESC **sd)
2334	{
2335	struct berval **values;
2336	BOOL ret = False;
2337
2338	values = ldap_get_values_len(ads->ld, msg, field);
2339
2340	if (!values) return False;
2341
2342	if (values[0]) {
2343	prs_struct ps;
2344	prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL);
2345	prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
2346	prs_set_offset(&ps,0);
2347
2348	ret = sec_io_desc("sd", sd, &ps, 1);
2349	prs_mem_free(&ps);
2350	}
2351
2352	ldap_value_free_len(values);
2353	return ret;
2354	}
2355
2356	/*
2357	* in order to support usernames longer than 21 characters we need to
2358	* use both the sAMAccountName and the userPrincipalName attributes
2359	* It seems that not all users have the userPrincipalName attribute set
2360	*
2361	* @param ads connection to ads server
2362	* @param mem_ctx TALLOC_CTX for allocating sid array
2363	* @param msg Results of search
2364	* @return the username
2365	*/
2366	char ads_pull_username(ADS_STRUCT ads, TALLOC_CTX *mem_ctx,
2367	LDAPMessage *msg)
2368	{
2369	#if 0 /* JERRY */
2370	char ret, p;
2371
2372	/* lookup_name() only works on the sAMAccountName to
2373	returning the username portion of userPrincipalName
2374	breaks winbindd_getpwnam() */
2375
2376	ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
2377	if (ret && (p = strchr_m(ret, '@'))) {
2378	*p = 0;
2379	return ret;
2380	}
2381	#endif
2382	return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
2383	}
2384
2385
2386	/**
2387	* find the update serial number - this is the core of the ldap cache
2388	* @param ads connection to ads server
2389	* @param ads connection to ADS server
2390	* @param usn Pointer to retrieved update serial number
2391	* @return status of search
2392	**/
2393	ADS_STATUS ads_USN(ADS_STRUCT ads, uint32 usn)
2394	{
2395	const char *attrs[] = {"highestCommittedUSN", NULL};
2396	ADS_STATUS status;
2397	LDAPMessage *res;
2398
2399	status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2400	if (!ADS_ERR_OK(status))
2401	return status;
2402
2403	if (ads_count_replies(ads, res) != 1) {
2404	ads_msgfree(ads, res);
2405	return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2406	}
2407
2408	if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) {
2409	ads_msgfree(ads, res);
2410	return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
2411	}
2412
2413	ads_msgfree(ads, res);
2414	return ADS_SUCCESS;
2415	}
2416
2417	/* parse a ADS timestring - typical string is
2418	'20020917091222.0Z0' which means 09:12.22 17th September
2419	2002, timezone 0 */
2420	static time_t ads_parse_time(const char *str)
2421	{
2422	struct tm tm;
2423
2424	ZERO_STRUCT(tm);
2425
2426	if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
2427	&tm.tm_year, &tm.tm_mon, &tm.tm_mday,
2428	&tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
2429	return 0;
2430	}
2431	tm.tm_year -= 1900;
2432	tm.tm_mon -= 1;
2433
2434	return timegm(&tm);
2435	}
2436
2437	/********************************************************************
2438	********************************************************************/
2439
2440	ADS_STATUS ads_current_time(ADS_STRUCT *ads)
2441	{
2442	const char *attrs[] = {"currentTime", NULL};
2443	ADS_STATUS status;
2444	LDAPMessage *res;
2445	char *timestr;
2446	TALLOC_CTX *ctx;
2447	ADS_STRUCT *ads_s = ads;
2448
2449	if (!(ctx = talloc_init("ads_current_time"))) {
2450	return ADS_ERROR(LDAP_NO_MEMORY);
2451	}
2452
2453	/* establish a new ldap tcp session if necessary */
2454
2455	if ( !ads->ld ) {
2456	if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2457	ads->server.ldap_server )) == NULL )
2458	{
2459	goto done;
2460	}
2461	ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2462	status = ads_connect( ads_s );
2463	if ( !ADS_ERR_OK(status))
2464	goto done;
2465	}
2466
2467	status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2468	if (!ADS_ERR_OK(status)) {
2469	goto done;
2470	}
2471
2472	timestr = ads_pull_string(ads_s, ctx, res, "currentTime");
2473	if (!timestr) {
2474	ads_msgfree(ads_s, res);
2475	status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2476	goto done;
2477	}
2478
2479	/* but save the time and offset in the original ADS_STRUCT */
2480
2481	ads->config.current_time = ads_parse_time(timestr);
2482
2483	if (ads->config.current_time != 0) {
2484	ads->auth.time_offset = ads->config.current_time - time(NULL);
2485	DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
2486	}
2487
2488	ads_msgfree(ads, res);
2489
2490	status = ADS_SUCCESS;
2491
2492	done:
2493	/* free any temporary ads connections */
2494	if ( ads_s != ads ) {
2495	ads_destroy( &ads_s );
2496	}
2497	talloc_destroy(ctx);
2498
2499	return status;
2500	}
2501
2502	/********************************************************************
2503	********************************************************************/
2504
2505	ADS_STATUS ads_domain_func_level(ADS_STRUCT ads, uint32 val)
2506	{
2507	const char *attrs[] = {"domainFunctionality", NULL};
2508	ADS_STATUS status;
2509	LDAPMessage *res;
2510	ADS_STRUCT *ads_s = ads;
2511
2512	*val = DS_DOMAIN_FUNCTION_2000;
2513
2514	/* establish a new ldap tcp session if necessary */
2515
2516	if ( !ads->ld ) {
2517	if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2518	ads->server.ldap_server )) == NULL )
2519	{
2520	goto done;
2521	}
2522	ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2523	status = ads_connect( ads_s );
2524	if ( !ADS_ERR_OK(status))
2525	goto done;
2526	}
2527
2528	/* If the attribute does not exist assume it is a Windows 2000
2529	functional domain */
2530
2531	status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2532	if (!ADS_ERR_OK(status)) {
2533	if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
2534	status = ADS_SUCCESS;
2535	}
2536	goto done;
2537	}
2538
2539	if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
2540	DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
2541	}
2542	DEBUG(3,("ads_domain_func_level: %d\n", *val));
2543
2544
2545	ads_msgfree(ads, res);
2546
2547	done:
2548	/* free any temporary ads connections */
2549	if ( ads_s != ads ) {
2550	ads_destroy( &ads_s );
2551	}
2552
2553	return status;
2554	}
2555
2556	/**
2557	* find the domain sid for our domain
2558	* @param ads connection to ads server
2559	* @param sid Pointer to domain sid
2560	* @return status of search
2561	**/
2562	ADS_STATUS ads_domain_sid(ADS_STRUCT ads, DOM_SID sid)
2563	{
2564	const char *attrs[] = {"objectSid", NULL};
2565	LDAPMessage *res;
2566	ADS_STATUS rc;
2567
2568	rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
2569	attrs, &res);
2570	if (!ADS_ERR_OK(rc)) return rc;
2571	if (!ads_pull_sid(ads, res, "objectSid", sid)) {
2572	ads_msgfree(ads, res);
2573	return ADS_ERROR_SYSTEM(ENOENT);
2574	}
2575	ads_msgfree(ads, res);
2576
2577	return ADS_SUCCESS;
2578	}
2579
2580	/**
2581	* find our site name
2582	* @param ads connection to ads server
2583	* @param mem_ctx Pointer to talloc context
2584	* @param site_name Pointer to the sitename
2585	* @return status of search
2586	**/
2587	ADS_STATUS ads_site_dn(ADS_STRUCT ads, TALLOC_CTX mem_ctx, const char **site_name)
2588	{
2589	ADS_STATUS status;
2590	LDAPMessage *res;
2591	const char dn, service_name;
2592	const char *attrs[] = { "dsServiceName", NULL };
2593
2594	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2595	if (!ADS_ERR_OK(status)) {
2596	return status;
2597	}
2598
2599	service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
2600	if (service_name == NULL) {
2601	ads_msgfree(ads, res);
2602	return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2603	}
2604
2605	ads_msgfree(ads, res);
2606
2607	/* go up three levels */
2608	dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
2609	if (dn == NULL) {
2610	return ADS_ERROR(LDAP_NO_MEMORY);
2611	}
2612
2613	*site_name = talloc_strdup(mem_ctx, dn);
2614	if (*site_name == NULL) {
2615	return ADS_ERROR(LDAP_NO_MEMORY);
2616	}
2617
2618	return status;
2619	/*
2620	dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
2621	*/
2622	}
2623
2624	/**
2625	* find the site dn where a machine resides
2626	* @param ads connection to ads server
2627	* @param mem_ctx Pointer to talloc context
2628	* @param computer_name name of the machine
2629	* @param site_name Pointer to the sitename
2630	* @return status of search
2631	**/
2632	ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT ads, TALLOC_CTX mem_ctx, const char computer_name, const char *site_dn)
2633	{
2634	ADS_STATUS status;
2635	LDAPMessage *res;
2636	const char parent, config_context, *filter;
2637	const char *attrs[] = { "configurationNamingContext", NULL };
2638	char *dn;
2639
2640	/* shortcut a query */
2641	if (strequal(computer_name, ads->config.ldap_server_name)) {
2642	return ads_site_dn(ads, mem_ctx, site_dn);
2643	}
2644
2645	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2646	if (!ADS_ERR_OK(status)) {
2647	return status;
2648	}
2649
2650	config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
2651	if (config_context == NULL) {
2652	ads_msgfree(ads, res);
2653	return ADS_ERROR(LDAP_NO_MEMORY);
2654	}
2655
2656	filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
2657	if (filter == NULL) {
2658	ads_msgfree(ads, res);
2659	return ADS_ERROR(LDAP_NO_MEMORY);
2660	}
2661
2662	ads_msgfree(ads, res);
2663
2664	status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE, filter, NULL, &res);
2665	if (!ADS_ERR_OK(status)) {
2666	return status;
2667	}
2668
2669	if (ads_count_replies(ads, res) != 1) {
2670	ads_msgfree(ads, res);
2671	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2672	}
2673
2674	dn = ads_get_dn(ads, res);
2675	if (dn == NULL) {
2676	ads_msgfree(ads, res);
2677	return ADS_ERROR(LDAP_NO_MEMORY);
2678	}
2679
2680	/* go up three levels */
2681	parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
2682	if (parent == NULL) {
2683	ads_msgfree(ads, res);
2684	ads_memfree(ads, dn);
2685	return ADS_ERROR(LDAP_NO_MEMORY);
2686	}
2687
2688	*site_dn = talloc_strdup(mem_ctx, parent);
2689	if (*site_dn == NULL) {
2690	ads_msgfree(ads, res);
2691	ads_memfree(ads, dn);
2692	return ADS_ERROR(LDAP_NO_MEMORY);
2693	}
2694
2695	ads_memfree(ads, dn);
2696	ads_msgfree(ads, res);
2697
2698	return status;
2699	}
2700
2701	/**
2702	* get the upn suffixes for a domain
2703	* @param ads connection to ads server
2704	* @param mem_ctx Pointer to talloc context
2705	* @param suffixes Pointer to an array of suffixes
2706	* @param num_suffixes Pointer to the number of suffixes
2707	* @return status of search
2708	**/
2709	ADS_STATUS ads_upn_suffixes(ADS_STRUCT ads, TALLOC_CTX mem_ctx, char **suffixes, size_t num_suffixes)
2710	{
2711	ADS_STATUS status;
2712	LDAPMessage *res;
2713	const char config_context, base;
2714	const char *attrs[] = { "configurationNamingContext", NULL };
2715	const char *attrs2[] = { "uPNSuffixes", NULL };
2716
2717	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2718	if (!ADS_ERR_OK(status)) {
2719	return status;
2720	}
2721
2722	config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
2723	if (config_context == NULL) {
2724	ads_msgfree(ads, res);
2725	return ADS_ERROR(LDAP_NO_MEMORY);
2726	}
2727
2728	ads_msgfree(ads, res);
2729
2730	base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
2731	if (base == NULL) {
2732	return ADS_ERROR(LDAP_NO_MEMORY);
2733	}
2734
2735	status = ads_search_dn(ads, &res, base, attrs2);
2736	if (!ADS_ERR_OK(status)) {
2737	return status;
2738	}
2739
2740	if (ads_count_replies(ads, res) != 1) {
2741	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2742	}
2743
2744	(*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
2745	if ((*suffixes) == NULL) {
2746	ads_msgfree(ads, res);
2747	return ADS_ERROR(LDAP_NO_MEMORY);
2748	}
2749
2750	ads_msgfree(ads, res);
2751
2752	return status;
2753	}
2754
2755	/**
2756	* pull a DOM_SID from an extended dn string
2757	* @param mem_ctx TALLOC_CTX
2758	* @param flags string type of extended_dn
2759	* @param sid pointer to a DOM_SID
2760	* @return boolean inidicating success
2761	**/
2762	BOOL ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
2763	const char *dn,
2764	enum ads_extended_dn_flags flags,
2765	DOM_SID *sid)
2766	{
2767	char p, q;
2768
2769	if (!dn) {
2770	return False;
2771	}
2772
2773	/*
2774	* ADS_EXTENDED_DN_HEX_STRING:
2775	* <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
2776	*
2777	* ADS_EXTENDED_DN_STRING (only with w2k3):
2778	<GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
2779	*/
2780
2781	p = strchr(dn, ';');
2782	if (!p) {
2783	return False;
2784	}
2785
2786	if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
2787	return False;
2788	}
2789
2790	p += strlen(";<SID=");
2791
2792	q = strchr(p, '>');
2793	if (!q) {
2794	return False;
2795	}
2796
2797	*q = '\0';
2798
2799	DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
2800
2801	switch (flags) {
2802
2803	case ADS_EXTENDED_DN_STRING:
2804	if (!string_to_sid(sid, p)) {
2805	return False;
2806	}
2807	break;
2808	case ADS_EXTENDED_DN_HEX_STRING: {
2809	pstring buf;
2810	size_t buf_len;
2811
2812	buf_len = strhex_to_str(buf, strlen(p), p);
2813	if (buf_len == 0) {
2814	return False;
2815	}
2816
2817	if (!sid_parse(buf, buf_len, sid)) {
2818	DEBUG(10,("failed to parse sid\n"));
2819	return False;
2820	}
2821	break;
2822	}
2823	default:
2824	DEBUG(10,("unknown extended dn format\n"));
2825	return False;
2826	}
2827
2828	return True;
2829	}
2830
2831	/**
2832	* pull an array of DOM_SIDs from a ADS result
2833	* @param ads connection to ads server
2834	* @param mem_ctx TALLOC_CTX for allocating sid array
2835	* @param msg Results of search
2836	* @param field Attribute to retrieve
2837	* @param flags string type of extended_dn
2838	* @param sids pointer to sid array to allocate
2839	* @return the count of SIDs pulled
2840	**/
2841	int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
2842	TALLOC_CTX *mem_ctx,
2843	LDAPMessage *msg,
2844	const char *field,
2845	enum ads_extended_dn_flags flags,
2846	DOM_SID **sids)
2847	{
2848	int i;
2849	size_t dn_count;
2850	char **dn_strings;
2851
2852	if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
2853	&dn_count)) == NULL) {
2854	return 0;
2855	}
2856
2857	(*sids) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, dn_count + 1);
2858	if (!(*sids)) {
2859	TALLOC_FREE(dn_strings);
2860	return 0;
2861	}
2862
2863	for (i=0; i<dn_count; i++) {
2864
2865	if (!ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
2866	flags, &(*sids)[i])) {
2867	TALLOC_FREE(*sids);
2868	TALLOC_FREE(dn_strings);
2869	return 0;
2870	}
2871	}
2872
2873	TALLOC_FREE(dn_strings);
2874
2875	return dn_count;
2876	}
2877
2878	/********************************************************************
2879	********************************************************************/
2880
2881	char* ads_get_dnshostname( ADS_STRUCT ads, TALLOC_CTX ctx, const char *machine_name )
2882	{
2883	LDAPMessage *res = NULL;
2884	ADS_STATUS status;
2885	int count = 0;
2886	char *name = NULL;
2887
2888	status = ads_find_machine_acct(ads, &res, global_myname());
2889	if (!ADS_ERR_OK(status)) {
2890	DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
2891	global_myname()));
2892	goto out;
2893	}
2894
2895	if ( (count = ads_count_replies(ads, res)) != 1 ) {
2896	DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
2897	goto out;
2898	}
2899
2900	if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
2901	DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
2902	}
2903
2904	out:
2905	ads_msgfree(ads, res);
2906
2907	return name;
2908	}
2909
2910	/********************************************************************
2911	********************************************************************/
2912
2913	char* ads_get_upn( ADS_STRUCT ads, TALLOC_CTX ctx, const char *machine_name )
2914	{
2915	LDAPMessage *res = NULL;
2916	ADS_STATUS status;
2917	int count = 0;
2918	char *name = NULL;
2919
2920	status = ads_find_machine_acct(ads, &res, global_myname());
2921	if (!ADS_ERR_OK(status)) {
2922	DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
2923	global_myname()));
2924	goto out;
2925	}
2926
2927	if ( (count = ads_count_replies(ads, res)) != 1 ) {
2928	DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
2929	goto out;
2930	}
2931
2932	if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
2933	DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
2934	}
2935
2936	out:
2937	ads_msgfree(ads, res);
2938
2939	return name;
2940	}
2941
2942	/********************************************************************
2943	********************************************************************/
2944
2945	char* ads_get_samaccountname( ADS_STRUCT ads, TALLOC_CTX ctx, const char *machine_name )
2946	{
2947	LDAPMessage *res = NULL;
2948	ADS_STATUS status;
2949	int count = 0;
2950	char *name = NULL;
2951
2952	status = ads_find_machine_acct(ads, &res, global_myname());
2953	if (!ADS_ERR_OK(status)) {
2954	DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
2955	global_myname()));
2956	goto out;
2957	}
2958
2959	if ( (count = ads_count_replies(ads, res)) != 1 ) {
2960	DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
2961	goto out;
2962	}
2963
2964	if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
2965	DEBUG(0,("ads_get_dnshostname: No sAMAccountName attribute!\n"));
2966	}
2967
2968	out:
2969	ads_msgfree(ads, res);
2970
2971	return name;
2972	}
2973
2974	#if 0
2975
2976	SAVED CODE - we used to join via ldap - remember how we did this. JRA.
2977
2978	/**
2979	* Join a machine to a realm
2980	* Creates the machine account and sets the machine password
2981	* @param ads connection to ads server
2982	* @param machine name of host to add
2983	* @param org_unit Organizational unit to place machine in
2984	* @return status of join
2985	**/
2986	ADS_STATUS ads_join_realm(ADS_STRUCT ads, const char machine_name,
2987	uint32 account_type, const char *org_unit)
2988	{
2989	ADS_STATUS status;
2990	LDAPMessage *res = NULL;
2991	char *machine;
2992
2993	/* machine name must be lowercase */
2994	machine = SMB_STRDUP(machine_name);
2995	strlower_m(machine);
2996
2997	/*
2998	status = ads_find_machine_acct(ads, (void **)&res, machine);
2999	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3000	DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
3001	status = ads_leave_realm(ads, machine);
3002	if (!ADS_ERR_OK(status)) {
3003	DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
3004	machine, ads->config.realm));
3005	return status;
3006	}
3007	}
3008	*/
3009	status = ads_add_machine_acct(ads, machine, account_type, org_unit);
3010	if (!ADS_ERR_OK(status)) {
3011	DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
3012	SAFE_FREE(machine);
3013	return status;
3014	}
3015
3016	status = ads_find_machine_acct(ads, (void *)(void )&res, machine);
3017	if (!ADS_ERR_OK(status)) {
3018	DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
3019	SAFE_FREE(machine);
3020	return status;
3021	}
3022
3023	SAFE_FREE(machine);
3024	ads_msgfree(ads, res);
3025
3026	return status;
3027	}
3028	#endif
3029
3030	/**
3031	* Delete a machine from the realm
3032	* @param ads connection to ads server
3033	* @param hostname Machine to remove
3034	* @return status of delete
3035	**/
3036	ADS_STATUS ads_leave_realm(ADS_STRUCT ads, const char hostname)
3037	{
3038	ADS_STATUS status;
3039	void *msg;
3040	LDAPMessage *res;
3041	char hostnameDN, host;
3042	int rc;
3043	LDAPControl ldap_control;
3044	LDAPControl * pldap_control[2] = {NULL, NULL};
3045
3046	pldap_control[0] = &ldap_control;
3047	memset(&ldap_control, 0, sizeof(LDAPControl));
3048	ldap_control.ldctl_oid = (char *)LDAP_SERVER_TREE_DELETE_OID;
3049
3050	/* hostname must be lowercase */
3051	host = SMB_STRDUP(hostname);
3052	strlower_m(host);
3053
3054	status = ads_find_machine_acct(ads, &res, host);
3055	if (!ADS_ERR_OK(status)) {
3056	DEBUG(0, ("Host account for %s does not exist.\n", host));
3057	SAFE_FREE(host);
3058	return status;
3059	}
3060
3061	msg = ads_first_entry(ads, res);
3062	if (!msg) {
3063	SAFE_FREE(host);
3064	return ADS_ERROR_SYSTEM(ENOENT);
3065	}
3066
3067	hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg);
3068
3069	rc = ldap_delete_ext_s(ads->ld, hostnameDN, pldap_control, NULL);
3070	if (rc) {
3071	DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc));
3072	}else {
3073	DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
3074	}
3075
3076	if (rc != LDAP_SUCCESS) {
3077	const char *attrs[] = { "cn", NULL };
3078	LDAPMessage *msg_sub;
3079
3080	/* we only search with scope ONE, we do not expect any further
3081	* objects to be created deeper */
3082
3083	status = ads_do_search_retry(ads, hostnameDN,
3084	LDAP_SCOPE_ONELEVEL,
3085	"(objectclass=*)", attrs, &res);
3086
3087	if (!ADS_ERR_OK(status)) {
3088	SAFE_FREE(host);
3089	ads_memfree(ads, hostnameDN);
3090	return status;
3091	}
3092
3093	for (msg_sub = ads_first_entry(ads, res); msg_sub;
3094	msg_sub = ads_next_entry(ads, msg_sub)) {
3095
3096	char *dn = NULL;
3097
3098	if ((dn = ads_get_dn(ads, msg_sub)) == NULL) {
3099	SAFE_FREE(host);
3100	ads_memfree(ads, hostnameDN);
3101	return ADS_ERROR(LDAP_NO_MEMORY);
3102	}
3103
3104	status = ads_del_dn(ads, dn);
3105	if (!ADS_ERR_OK(status)) {
3106	DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status)));
3107	SAFE_FREE(host);
3108	ads_memfree(ads, dn);
3109	ads_memfree(ads, hostnameDN);
3110	return status;
3111	}
3112
3113	ads_memfree(ads, dn);
3114	}
3115
3116	/* there should be no subordinate objects anymore */
3117	status = ads_do_search_retry(ads, hostnameDN,
3118	LDAP_SCOPE_ONELEVEL,
3119	"(objectclass=*)", attrs, &res);
3120
3121	if (!ADS_ERR_OK(status) \|\| ( (ads_count_replies(ads, res)) > 0 ) ) {
3122	SAFE_FREE(host);
3123	ads_memfree(ads, hostnameDN);
3124	return status;
3125	}
3126
3127	/* delete hostnameDN now */
3128	status = ads_del_dn(ads, hostnameDN);
3129	if (!ADS_ERR_OK(status)) {
3130	SAFE_FREE(host);
3131	DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status)));
3132	ads_memfree(ads, hostnameDN);
3133	return status;
3134	}
3135	}
3136
3137	ads_memfree(ads, hostnameDN);
3138
3139	status = ads_find_machine_acct(ads, &res, host);
3140	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3141	DEBUG(3, ("Failed to remove host account.\n"));
3142	SAFE_FREE(host);
3143	return status;
3144	}
3145
3146	SAFE_FREE(host);
3147	return status;
3148	}
3149
3150	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: