Context Navigation

source: branches/samba-3.2.x/source/lib/smbldap.c@ 198

Visit:

Last change on this file since 198 was 141, checked in by Paul Smedley, 17 years ago
Update trunk to 3.2.1
File size: 52.4 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	LDAP protocol helper functions for SAMBA
4	Copyright (C) Jean FranÃ§ois Micouleau 1998
5	Copyright (C) Gerald Carter 2001-2003
6	Copyright (C) Shahms King 2001
7	Copyright (C) Andrew Bartlett 2002-2003
8	Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23	*/
24
25	#include "includes.h"
26	#include "smbldap.h"
27
28	#ifndef LDAP_OPT_SUCCESS
29	#define LDAP_OPT_SUCCESS 0
30	#endif
31
32	/* Try not to hit the up or down server forever */
33
34	#define SMBLDAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
35	#define SMBLDAP_NUM_RETRIES 8 /* retry only 8 times */
36
37	#define SMBLDAP_IDLE_TIME 150 /* After 2.5 minutes disconnect */
38
39
40	/* attributes used by Samba 2.2 */
41
42	ATTRIB_MAP_ENTRY attrib_map_v22[] = {
43	{ LDAP_ATTR_UID, "uid" },
44	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
45	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
46	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
47	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
48	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
49	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
50	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
51	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
52	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
53	{ LDAP_ATTR_CN, "cn" },
54	{ LDAP_ATTR_SN, "sn" },
55	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
56	{ LDAP_ATTR_HOME_PATH, "smbHome" },
57	{ LDAP_ATTR_HOME_DRIVE, "homeDrive" },
58	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
59	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
60	{ LDAP_ATTR_DESC, "description" },
61	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
62	{ LDAP_ATTR_USER_RID, "rid" },
63	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
64	{ LDAP_ATTR_LMPW, "lmPassword" },
65	{ LDAP_ATTR_NTPW, "ntPassword" },
66	{ LDAP_ATTR_DOMAIN, "domain" },
67	{ LDAP_ATTR_OBJCLASS, "objectClass" },
68	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
69	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
70	{ LDAP_ATTR_LIST_END, NULL }
71	};
72
73	ATTRIB_MAP_ENTRY attrib_map_to_delete_v22[] = {
74	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
75	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
76	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
77	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
78	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
79	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
80	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
81	{ LDAP_ATTR_HOME_PATH, "smbHome" },
82	{ LDAP_ATTR_HOME_DRIVE, "homeDrives" },
83	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
84	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
85	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
86	{ LDAP_ATTR_USER_RID, "rid" },
87	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
88	{ LDAP_ATTR_LMPW, "lmPassword" },
89	{ LDAP_ATTR_NTPW, "ntPassword" },
90	{ LDAP_ATTR_DOMAIN, "domain" },
91	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
92	{ LDAP_ATTR_LIST_END, NULL }
93	};
94
95	/* attributes used by Samba 3.0's sambaSamAccount */
96
97	ATTRIB_MAP_ENTRY attrib_map_v30[] = {
98	{ LDAP_ATTR_UID, "uid" },
99	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
100	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
101	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
102	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
103	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
104	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
105	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
106	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
107	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
108	{ LDAP_ATTR_CN, "cn" },
109	{ LDAP_ATTR_SN, "sn" },
110	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
111	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
112	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
113	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
114	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
115	{ LDAP_ATTR_DESC, "description" },
116	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
117	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
118	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
119	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
120	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
121	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
122	{ LDAP_ATTR_OBJCLASS, "objectClass" },
123	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
124	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
125	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
126	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
127	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
128	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
129	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
130	{ LDAP_ATTR_LIST_END, NULL }
131	};
132
133	ATTRIB_MAP_ENTRY attrib_map_to_delete_v30[] = {
134	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
135	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
136	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
137	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
138	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
139	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
140	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
141	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
142	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
143	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
144	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
145	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
146	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
147	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
148	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
149	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
150	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
151	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
152	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
153	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
154	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
155	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
156	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
157	{ LDAP_ATTR_LIST_END, NULL }
158	};
159
160	/* attributes used for allocating RIDs */
161
162	ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
163	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
164	{ LDAP_ATTR_NEXT_RID, "sambaNextRid" },
165	{ LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
166	{ LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
167	{ LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID },
168	{ LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
169	{ LDAP_ATTR_OBJCLASS, "objectClass" },
170	{ LDAP_ATTR_LIST_END, NULL },
171	};
172
173	/* Samba 3.0 group mapping attributes */
174
175	ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
176	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
177	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
178	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
179	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
180	{ LDAP_ATTR_DESC, "description" },
181	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
182	{ LDAP_ATTR_CN, "cn" },
183	{ LDAP_ATTR_OBJCLASS, "objectClass" },
184	{ LDAP_ATTR_LIST_END, NULL }
185	};
186
187	ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
188	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
189	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
190	{ LDAP_ATTR_DESC, "description" },
191	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
192	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
193	{ LDAP_ATTR_LIST_END, NULL }
194	};
195
196	/* idmap_ldap sambaUnixIdPool */
197
198	ATTRIB_MAP_ENTRY idpool_attr_list[] = {
199	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
200	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
201	{ LDAP_ATTR_OBJCLASS, "objectClass" },
202	{ LDAP_ATTR_LIST_END, NULL }
203	};
204
205	ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
206	{ LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID },
207	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
208	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
209	{ LDAP_ATTR_OBJCLASS, "objectClass" },
210	{ LDAP_ATTR_LIST_END, NULL }
211	};
212
213	/**********************************************************************
214	perform a simple table lookup and return the attribute name
215	**********************************************************************/
216
217	const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
218	{
219	int i = 0;
220
221	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
222	if ( table[i].attrib == key )
223	return table[i].name;
224	i++;
225	}
226
227	return NULL;
228	}
229
230
231	/**********************************************************************
232	Return the list of attribute names from a mapping table
233	**********************************************************************/
234
235	const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
236	{
237	const char **names;
238	int i = 0;
239
240	while ( table[i].attrib != LDAP_ATTR_LIST_END )
241	i++;
242	i++;
243
244	names = TALLOC_ARRAY( mem_ctx, const char*, i );
245	if ( !names ) {
246	DEBUG(0,("get_attr_list: out of memory\n"));
247	return NULL;
248	}
249
250	i = 0;
251	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
252	names[i] = talloc_strdup( names, table[i].name );
253	i++;
254	}
255	names[i] = NULL;
256
257	return names;
258	}
259
260	/*******************************************************************
261	Search an attribute and return the first value found.
262	******************************************************************/
263
264	bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
265	const char attribute, char value,
266	int max_len)
267	{
268	char **values;
269
270	if ( !attribute )
271	return False;
272
273	value[0] = '\0';
274
275	if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
276	DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
277
278	return False;
279	}
280
281	if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, False) == (size_t)-1) {
282	DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n",
283	attribute, values[0]));
284	ldap_value_free(values);
285	return False;
286	}
287
288	ldap_value_free(values);
289	#ifdef DEBUG_PASSWORDS
290	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
291	#endif
292	return True;
293	}
294
295	char * smbldap_talloc_single_attribute(LDAP ldap_struct, LDAPMessage entry,
296	const char *attribute,
297	TALLOC_CTX *mem_ctx)
298	{
299	char **values;
300	char *result;
301
302	if (attribute == NULL) {
303	return NULL;
304	}
305
306	values = ldap_get_values(ldap_struct, entry, attribute);
307
308	if (values == NULL) {
309	DEBUG(10, ("attribute %s does not exist\n", attribute));
310	return NULL;
311	}
312
313	if (ldap_count_values(values) != 1) {
314	DEBUG(10, ("attribute %s has %d values, expected only one\n",
315	attribute, ldap_count_values(values)));
316	ldap_value_free(values);
317	return NULL;
318	}
319
320	if (pull_utf8_talloc(mem_ctx, &result, values[0]) == (size_t)-1) {
321	DEBUG(10, ("pull_utf8_talloc failed\n"));
322	ldap_value_free(values);
323	return NULL;
324	}
325
326	ldap_value_free(values);
327
328	#ifdef DEBUG_PASSWORDS
329	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
330	attribute, result));
331	#endif
332	return result;
333	}
334
335	static int ldapmsg_destructor(LDAPMessage **result) {
336	ldap_msgfree(*result);
337	return 0;
338	}
339
340	void talloc_autofree_ldapmsg(TALLOC_CTX mem_ctx, LDAPMessage result)
341	{
342	LDAPMessage **handle;
343
344	if (result == NULL) {
345	return;
346	}
347
348	handle = TALLOC_P(mem_ctx, LDAPMessage *);
349	SMB_ASSERT(handle != NULL);
350
351	*handle = result;
352	talloc_set_destructor(handle, ldapmsg_destructor);
353	}
354
355	static int ldapmod_destructor(LDAPMod ***mod) {
356	ldap_mods_free(*mod, True);
357	return 0;
358	}
359
360	void talloc_autofree_ldapmod(TALLOC_CTX mem_ctx, LDAPMod *mod)
361	{
362	LDAPMod ***handle;
363
364	if (mod == NULL) {
365	return;
366	}
367
368	handle = TALLOC_P(mem_ctx, LDAPMod **);
369	SMB_ASSERT(handle != NULL);
370
371	*handle = mod;
372	talloc_set_destructor(handle, ldapmod_destructor);
373	}
374
375	/************************************************************************
376	Routine to manage the LDAPMod structure array
377	manage memory used by the array, by each struct, and values
378	***********************************************************************/
379
380	void smbldap_set_mod (LDAPMod *** modlist, int modop, const char attribute, const char value)
381	{
382	LDAPMod **mods;
383	int i;
384	int j;
385
386	mods = *modlist;
387
388	/* sanity checks on the mod values */
389
390	if (attribute == NULL \|\| *attribute == '\0') {
391	return;
392	}
393
394	#if 0 /* commented out after discussion with abartlet. Do not reenable.
395	left here so other do not re-add similar code --jerry */
396	if (value == NULL \|\| *value == '\0')
397	return;
398	#endif
399
400	if (mods == NULL) {
401	mods = SMB_MALLOC_P(LDAPMod *);
402	if (mods == NULL) {
403	smb_panic("smbldap_set_mod: out of memory!");
404	/* notreached. */
405	}
406	mods[0] = NULL;
407	}
408
409	for (i = 0; mods[i] != NULL; ++i) {
410	if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
411	break;
412	}
413
414	if (mods[i] == NULL) {
415	mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
416	if (mods == NULL) {
417	smb_panic("smbldap_set_mod: out of memory!");
418	/* notreached. */
419	}
420	mods[i] = SMB_MALLOC_P(LDAPMod);
421	if (mods[i] == NULL) {
422	smb_panic("smbldap_set_mod: out of memory!");
423	/* notreached. */
424	}
425	mods[i]->mod_op = modop;
426	mods[i]->mod_values = NULL;
427	mods[i]->mod_type = SMB_STRDUP(attribute);
428	mods[i + 1] = NULL;
429	}
430
431	if (value != NULL) {
432	char *utf8_value = NULL;
433
434	j = 0;
435	if (mods[i]->mod_values != NULL) {
436	for (; mods[i]->mod_values[j] != NULL; j++);
437	}
438	mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
439
440	if (mods[i]->mod_values == NULL) {
441	smb_panic("smbldap_set_mod: out of memory!");
442	/* notreached. */
443	}
444
445	if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) {
446	smb_panic("smbldap_set_mod: String conversion failure!");
447	/* notreached. */
448	}
449
450	mods[i]->mod_values[j] = utf8_value;
451
452	mods[i]->mod_values[j + 1] = NULL;
453	}
454	*modlist = mods;
455	}
456
457	/**********************************************************************
458	Set attribute to newval in LDAP, regardless of what value the
459	attribute had in LDAP before.
460	*********************************************************************/
461
462	void smbldap_make_mod(LDAP ldap_struct, LDAPMessage existing,
463	LDAPMod ***mods,
464	const char attribute, const char newval)
465	{
466	char oldval[2048]; /* current largest allowed value is mungeddial */
467	bool existed;
468
469	if (attribute == NULL) {
470	/* This can actually happen for ldapsam_compat where we for
471	* example don't have a password history */
472	return;
473	}
474
475	if (existing != NULL) {
476	existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
477	} else {
478	existed = False;
479	*oldval = '\0';
480	}
481
482	/* all of our string attributes are case insensitive */
483
484	if (existed && newval && (StrCaseCmp(oldval, newval) == 0)) {
485
486	/* Believe it or not, but LDAP will deny a delete and
487	an add at the same time if the values are the
488	same... */
489	DEBUG(10,("smbldap_make_mod: attribute \|%s\| not changed.\n", attribute));
490	return;
491	}
492
493	if (existed) {
494	/* There has been no value before, so don't delete it.
495	* Here's a possible race: We might end up with
496	* duplicate attributes */
497	/* By deleting exactly the value we found in the entry this
498	* should be race-free in the sense that the LDAP-Server will
499	* deny the complete operation if somebody changed the
500	* attribute behind our back. */
501	/* This will also allow modifying single valued attributes
502	* in Novell NDS. In NDS you have to first remove attribute and then
503	* you could add new value */
504
505	DEBUG(10,("smbldap_make_mod: deleting attribute \|%s\| values \|%s\|\n", attribute, oldval));
506	smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
507	}
508
509	/* Regardless of the real operation (add or modify)
510	we add the new value here. We rely on deleting
511	the old value, should it exist. */
512
513	if ((newval != NULL) && (strlen(newval) > 0)) {
514	DEBUG(10,("smbldap_make_mod: adding attribute \|%s\| value \|%s\|\n", attribute, newval));
515	smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
516	}
517	}
518
519	/**********************************************************************
520	Some varients of the LDAP rebind code do not pass in the third 'arg'
521	pointer to a void*, so we try and work around it by assuming that the
522	value of the 'LDAP *' pointer is the same as the one we had passed in
523	**********************************************************************/
524
525	struct smbldap_state_lookup {
526	LDAP *ld;
527	struct smbldap_state *smbldap_state;
528	struct smbldap_state_lookup prev, next;
529	};
530
531	static struct smbldap_state_lookup *smbldap_state_lookup_list;
532
533	static struct smbldap_state smbldap_find_state(LDAP ld)
534	{
535	struct smbldap_state_lookup *t;
536
537	for (t = smbldap_state_lookup_list; t; t = t->next) {
538	if (t->ld == ld) {
539	return t->smbldap_state;
540	}
541	}
542	return NULL;
543	}
544
545	static void smbldap_delete_state(struct smbldap_state *smbldap_state)
546	{
547	struct smbldap_state_lookup *t;
548
549	for (t = smbldap_state_lookup_list; t; t = t->next) {
550	if (t->smbldap_state == smbldap_state) {
551	DLIST_REMOVE(smbldap_state_lookup_list, t);
552	SAFE_FREE(t);
553	return;
554	}
555	}
556	}
557
558	static void smbldap_store_state(LDAP ld, struct smbldap_state smbldap_state)
559	{
560	struct smbldap_state *tmp_ldap_state;
561	struct smbldap_state_lookup *t;
562
563	if ((tmp_ldap_state = smbldap_find_state(ld))) {
564	SMB_ASSERT(tmp_ldap_state == smbldap_state);
565	return;
566	}
567
568	t = SMB_XMALLOC_P(struct smbldap_state_lookup);
569	ZERO_STRUCTP(t);
570
571	DLIST_ADD_END(smbldap_state_lookup_list, t, struct smbldap_state_lookup *);
572	t->ld = ld;
573	t->smbldap_state = smbldap_state;
574	}
575
576	/********************************************************************
577	start TLS on an existing LDAP connection
578	*******************************************************************/
579
580	int smb_ldap_start_tls(LDAP *ldap_struct, int version)
581	{
582	int rc;
583
584	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
585	return LDAP_SUCCESS;
586	}
587
588	#ifdef LDAP_OPT_X_TLS
589	if (version != LDAP_VERSION3) {
590	DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
591	return LDAP_OPERATIONS_ERROR;
592	}
593
594	if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
595	DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
596	ldap_err2string(rc)));
597	return rc;
598	}
599
600	DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
601	return LDAP_SUCCESS;
602	#else
603	DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
604	return LDAP_OPERATIONS_ERROR;
605	#endif
606	}
607
608	/********************************************************************
609	setup a connection to the LDAP server based on a uri
610	*******************************************************************/
611
612	int smb_ldap_setup_conn(LDAP *ldap_struct, const char uri)
613	{
614	int rc;
615
616	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
617
618	#ifdef HAVE_LDAP_INITIALIZE
619
620	rc = ldap_initialize(ldap_struct, uri);
621	if (rc) {
622	DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
623	}
624
625	return rc;
626	#else
627
628	/* Parse the string manually */
629
630	{
631	int port = 0;
632	fstring protocol;
633	fstring host;
634	SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
635
636
637	/* skip leading "URL:" (if any) */
638	if ( strnequal( uri, "URL:", 4 ) ) {
639	uri += 4;
640	}
641
642	sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
643
644	if (port == 0) {
645	if (strequal(protocol, "ldap")) {
646	port = LDAP_PORT;
647	} else if (strequal(protocol, "ldaps")) {
648	port = LDAPS_PORT;
649	} else {
650	DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
651	}
652	}
653
654	if ((*ldap_struct = ldap_init(host, port)) == NULL) {
655	DEBUG(0, ("ldap_init failed !\n"));
656	return LDAP_OPERATIONS_ERROR;
657	}
658
659	if (strequal(protocol, "ldaps")) {
660	#ifdef LDAP_OPT_X_TLS
661	int tls = LDAP_OPT_X_TLS_HARD;
662	if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
663	{
664	DEBUG(0, ("Failed to setup a TLS session\n"));
665	}
666
667	DEBUG(3,("LDAPS option set...!\n"));
668	#else
669	DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
670	return LDAP_OPERATIONS_ERROR;
671	#endif /* LDAP_OPT_X_TLS */
672	}
673	}
674	#endif /* HAVE_LDAP_INITIALIZE */
675
676
677	/* now set connection timeout */
678	#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
679	{
680	int ct = lp_ldap_connection_timeout()*1000;
681	rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
682	if (rc != LDAP_SUCCESS) {
683	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
684	ct, ldap_err2string(rc)));
685	}
686	}
687	#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
688	{
689	struct timeval ct;
690	ct.tv_usec = 0;
691	ct.tv_sec = lp_ldap_connection_timeout();
692	rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
693	if (rc != LDAP_SUCCESS) {
694	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
695	(int)ct.tv_sec, ldap_err2string(rc)));
696	}
697	}
698	#endif
699
700	return LDAP_SUCCESS;
701	}
702
703	/********************************************************************
704	try to upgrade to Version 3 LDAP if not already, in either case return current
705	version
706	*******************************************************************/
707
708	int smb_ldap_upgrade_conn(LDAP ldap_struct, int new_version)
709	{
710	int version;
711	int rc;
712
713	/* assume the worst */
714	*new_version = LDAP_VERSION2;
715
716	rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
717	if (rc) {
718	return rc;
719	}
720
721	if (version == LDAP_VERSION3) {
722	*new_version = LDAP_VERSION3;
723	return LDAP_SUCCESS;
724	}
725
726	/* try upgrade */
727	version = LDAP_VERSION3;
728	rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
729	if (rc) {
730	return rc;
731	}
732
733	*new_version = LDAP_VERSION3;
734	return LDAP_SUCCESS;
735	}
736
737	/*******************************************************************
738	open a connection to the ldap server (just until the bind)
739	******************************************************************/
740
741	int smb_ldap_setup_full_conn(LDAP *ldap_struct, const char uri)
742	{
743	int rc, version;
744
745	rc = smb_ldap_setup_conn(ldap_struct, uri);
746	if (rc) {
747	return rc;
748	}
749
750	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
751	if (rc) {
752	return rc;
753	}
754
755	rc = smb_ldap_start_tls(*ldap_struct, version);
756	if (rc) {
757	return rc;
758	}
759
760	return LDAP_SUCCESS;
761	}
762
763	/*******************************************************************
764	open a connection to the ldap server.
765	******************************************************************/
766	static int smbldap_open_connection (struct smbldap_state *ldap_state)
767
768	{
769	int rc = LDAP_SUCCESS;
770	int version;
771	LDAP **ldap_struct = &ldap_state->ldap_struct;
772
773	rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
774	if (rc) {
775	return rc;
776	}
777
778	/* Store the LDAP pointer in a lookup list */
779
780	smbldap_store_state(*ldap_struct, ldap_state);
781
782	/* Upgrade to LDAPv3 if possible */
783
784	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
785	if (rc) {
786	return rc;
787	}
788
789	/* Start TLS if required */
790
791	rc = smb_ldap_start_tls(*ldap_struct, version);
792	if (rc) {
793	return rc;
794	}
795
796	DEBUG(2, ("smbldap_open_connection: connection opened\n"));
797	return rc;
798	}
799
800	/*******************************************************************
801	a rebind function for authenticated referrals
802	This version takes a void* that we can shove useful stuff in :-)
803	******************************************************************/
804	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
805	#else
806	static int rebindproc_with_state (LDAP * ld, char whop, char credp,
807	int methodp, int freeit, void arg)
808	{
809	struct smbldap_state *ldap_state = arg;
810
811	/** @TODO Should we be doing something to check what servers we rebind to?
812	Could we get a referral to a machine that we don't want to give our
813	username and password to? */
814
815	if (freeit) {
816	SAFE_FREE(*whop);
817	if (*credp) {
818	memset(credp, '\0', strlen(credp));
819	}
820	SAFE_FREE(*credp);
821	} else {
822	DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
823	ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
824
825	if (ldap_state->anonymous) {
826	*whop = NULL;
827	*credp = NULL;
828	} else {
829	*whop = SMB_STRDUP(ldap_state->bind_dn);
830	if (!*whop) {
831	return LDAP_NO_MEMORY;
832	}
833	*credp = SMB_STRDUP(ldap_state->bind_secret);
834	if (!*credp) {
835	SAFE_FREE(*whop);
836	return LDAP_NO_MEMORY;
837	}
838	}
839	*methodp = LDAP_AUTH_SIMPLE;
840	}
841
842	GetTimeOfDay(&ldap_state->last_rebind);
843
844	return 0;
845	}
846	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
847
848	/*******************************************************************
849	a rebind function for authenticated referrals
850	This version takes a void* that we can shove useful stuff in :-)
851	and actually does the connection.
852	******************************************************************/
853	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
854	static int rebindproc_connect_with_state (LDAP *ldap_struct,
855	LDAP_CONST char *url,
856	ber_tag_t request,
857	ber_int_t msgid, void *arg)
858	{
859	struct smbldap_state *ldap_state =
860	(struct smbldap_state *)arg;
861	int rc;
862	int version;
863
864	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n",
865	url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
866
867	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
868	* itself) before rebinding to another LDAP server to avoid to expose
869	* our credentials. At least try to secure the connection - Guenther */
870
871	smb_ldap_upgrade_conn(ldap_struct, &version);
872	smb_ldap_start_tls(ldap_struct, version);
873
874	/** @TODO Should we be doing something to check what servers we rebind to?
875	Could we get a referral to a machine that we don't want to give our
876	username and password to? */
877
878	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
879
880	/* only set the last rebind timestamp when we did rebind after a
881	* non-read LDAP operation. That way we avoid the replication sleep
882	* after a simple redirected search operation - Guenther */
883
884	switch (request) {
885
886	case LDAP_REQ_MODIFY:
887	case LDAP_REQ_ADD:
888	case LDAP_REQ_DELETE:
889	case LDAP_REQ_MODDN:
890	case LDAP_REQ_EXTENDED:
891	DEBUG(10,("rebindproc_connect_with_state: "
892	"setting last_rebind timestamp "
893	"(req: 0x%02x)\n", (unsigned int)request));
894	GetTimeOfDay(&ldap_state->last_rebind);
895	break;
896	default:
897	ZERO_STRUCT(ldap_state->last_rebind);
898	break;
899	}
900
901	return rc;
902	}
903	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
904
905	/*******************************************************************
906	Add a rebind function for authenticated referrals
907	******************************************************************/
908	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
909	#else
910	# if LDAP_SET_REBIND_PROC_ARGS == 2
911	static int rebindproc (LDAP ldap_struct, char whop, char *credp,
912	int *method, int freeit )
913	{
914	struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
915
916	return rebindproc_with_state(ldap_struct, whop, credp,
917	method, freeit, ldap_state);
918
919	}
920	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
921	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
922
923	/*******************************************************************
924	a rebind function for authenticated referrals
925	this also does the connection, but no void*.
926	******************************************************************/
927	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
928	# if LDAP_SET_REBIND_PROC_ARGS == 2
929	static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
930	ber_int_t msgid)
931	{
932	struct smbldap_state *ldap_state = smbldap_find_state(ld);
933
934	return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
935	ldap_state);
936	}
937	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
938	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
939
940	/*******************************************************************
941	connect to the ldap server under system privilege.
942	******************************************************************/
943	static int smbldap_connect_system(struct smbldap_state ldap_state, LDAP ldap_struct)
944	{
945	int rc;
946	int version;
947
948	if (!ldap_state->anonymous && !ldap_state->bind_dn) {
949
950	/* get the default dn and password only if they are not set already */
951	if (!fetch_ldap_pw(&ldap_state->bind_dn, &ldap_state->bind_secret)) {
952	DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
953	return LDAP_INVALID_CREDENTIALS;
954	}
955	}
956
957	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
958	(OpenLDAP) doesnt' seem to support it */
959
960	DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
961	ldap_state->uri, ldap_state->bind_dn));
962
963	#ifdef HAVE_LDAP_SET_REBIND_PROC
964	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
965	# if LDAP_SET_REBIND_PROC_ARGS == 2
966	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
967	# endif
968	# if LDAP_SET_REBIND_PROC_ARGS == 3
969	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
970	# endif
971	#else /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
972	# if LDAP_SET_REBIND_PROC_ARGS == 2
973	ldap_set_rebind_proc(ldap_struct, &rebindproc);
974	# endif
975	# if LDAP_SET_REBIND_PROC_ARGS == 3
976	ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
977	# endif
978	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
979	#endif
980
981	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
982
983	if (rc != LDAP_SUCCESS) {
984	char *ld_error = NULL;
985	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
986	&ld_error);
987	DEBUG(ldap_state->num_failures ? 2 : 0,
988	("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
989	ldap_state->uri,
990	ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
991	ldap_err2string(rc),
992	ld_error ? ld_error : "(unknown)"));
993	SAFE_FREE(ld_error);
994	ldap_state->num_failures++;
995	return rc;
996	}
997
998	ldap_state->num_failures = 0;
999	ldap_state->paged_results = False;
1000
1001	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
1002
1003	if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
1004	ldap_state->paged_results = True;
1005	}
1006
1007	DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
1008	DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n",
1009	ldap_state->paged_results ? "does" : "does not"));
1010	return rc;
1011	}
1012
1013	static void smbldap_idle_fn(struct event_context *event_ctx,
1014	struct timed_event *te,
1015	const struct timeval *now,
1016	void *private_data);
1017
1018	/**********************************************************************
1019	Connect to LDAP server (called before every ldap operation)
1020	*********************************************************************/
1021	static int smbldap_open(struct smbldap_state *ldap_state)
1022	{
1023	int rc, opt_rc;
1024	bool reopen = False;
1025	SMB_ASSERT(ldap_state);
1026
1027	#ifndef NO_LDAP_SECURITY
1028	if (geteuid() != 0) {
1029	DEBUG(0, ("smbldap_open: cannot access LDAP when not root\n"));
1030	return LDAP_INSUFFICIENT_ACCESS;
1031	}
1032	#endif
1033
1034	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
1035
1036	#ifdef HAVE_UNIXSOCKET
1037	struct sockaddr_un addr;
1038	#else
1039	struct sockaddr addr;
1040	#endif
1041	socklen_t len = sizeof(addr);
1042	int sd;
1043
1044	opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
1045	if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
1046	reopen = True;
1047
1048	#ifdef HAVE_UNIXSOCKET
1049	if (opt_rc == 0 && addr.sun_family == AF_UNIX)
1050	reopen = True;
1051	#endif
1052	if (reopen) {
1053	/* the other end has died. reopen. */
1054	ldap_unbind(ldap_state->ldap_struct);
1055	ldap_state->ldap_struct = NULL;
1056	ldap_state->last_ping = (time_t)0;
1057	} else {
1058	ldap_state->last_ping = time(NULL);
1059	}
1060	}
1061
1062	if (ldap_state->ldap_struct != NULL) {
1063	DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
1064	return LDAP_SUCCESS;
1065	}
1066
1067	if ((rc = smbldap_open_connection(ldap_state))) {
1068	return rc;
1069	}
1070
1071	if ((rc = smbldap_connect_system(ldap_state, ldap_state->ldap_struct))) {
1072	ldap_unbind(ldap_state->ldap_struct);
1073	ldap_state->ldap_struct = NULL;
1074	return rc;
1075	}
1076
1077
1078	ldap_state->last_ping = time(NULL);
1079	ldap_state->pid = sys_getpid();
1080
1081	TALLOC_FREE(ldap_state->idle_event);
1082
1083	if (ldap_state->event_context != NULL) {
1084	ldap_state->idle_event = event_add_timed(
1085	ldap_state->event_context, NULL,
1086	timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
1087	"smbldap_idle_fn", smbldap_idle_fn, ldap_state);
1088	}
1089
1090	DEBUG(4,("The LDAP server is successfully connected\n"));
1091
1092	return LDAP_SUCCESS;
1093	}
1094
1095	/**********************************************************************
1096	Disconnect from LDAP server
1097	*********************************************************************/
1098	static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
1099	{
1100	if (!ldap_state)
1101	return NT_STATUS_INVALID_PARAMETER;
1102
1103	if (ldap_state->ldap_struct != NULL) {
1104	ldap_unbind(ldap_state->ldap_struct);
1105	ldap_state->ldap_struct = NULL;
1106	}
1107
1108	smbldap_delete_state(ldap_state);
1109
1110	DEBUG(5,("The connection to the LDAP server was closed\n"));
1111	/* maybe free the results here --metze */
1112
1113	return NT_STATUS_OK;
1114	}
1115
1116	static bool got_alarm;
1117
1118	static void (*old_handler)(int);
1119
1120	static void gotalarm_sig(int dummy)
1121	{
1122	got_alarm = True;
1123	}
1124
1125	static int another_ldap_try(struct smbldap_state ldap_state, int rc,
1126	int *attempts, time_t endtime)
1127	{
1128	time_t now = time(NULL);
1129	int open_rc = LDAP_SERVER_DOWN;
1130
1131	if (*rc != LDAP_SERVER_DOWN)
1132	goto no_next;
1133
1134	if (now >= endtime) {
1135	smbldap_close(ldap_state);
1136	*rc = LDAP_TIMEOUT;
1137	goto no_next;
1138	}
1139
1140	if (*attempts == 0) {
1141	got_alarm = False;
1142	old_handler = CatchSignal(SIGALRM, gotalarm_sig);
1143	alarm(endtime - now);
1144
1145	if (ldap_state->pid != sys_getpid())
1146	smbldap_close(ldap_state);
1147	}
1148
1149	while (1) {
1150
1151	if (*attempts != 0)
1152	smb_msleep(1000);
1153
1154	*attempts += 1;
1155
1156	open_rc = smbldap_open(ldap_state);
1157
1158	if (open_rc == LDAP_SUCCESS) {
1159	ldap_state->last_use = now;
1160	return True;
1161	}
1162
1163	if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
1164	/* The fact that we are non-root or any other
1165	* access-denied condition will not change in the next
1166	* round of trying */
1167	*rc = open_rc;
1168	break;
1169	}
1170
1171	if (got_alarm) {
1172	*rc = LDAP_TIMEOUT;
1173	break;
1174	}
1175
1176	if (open_rc != LDAP_SUCCESS) {
1177	DEBUG(1, ("Connection to LDAP server failed for the "
1178	"%d try!\n", *attempts));
1179	}
1180	}
1181
1182	no_next:
1183	CatchSignal(SIGALRM, old_handler);
1184	alarm(0);
1185	ldap_state->last_use = now;
1186	return False;
1187	}
1188
1189	/*********************************************************************
1190	********************************************************************/
1191
1192	static int smbldap_search_ext(struct smbldap_state *ldap_state,
1193	const char base, int scope, const char filter,
1194	const char *attrs[], int attrsonly,
1195	LDAPControl sctrls, LDAPControl cctrls,
1196	int sizelimit, LDAPMessage **res)
1197	{
1198	int rc = LDAP_SERVER_DOWN;
1199	int attempts = 0;
1200	char *utf8_filter;
1201	time_t endtime = time(NULL)+lp_ldap_timeout();
1202	struct timeval timeout;
1203
1204	SMB_ASSERT(ldap_state);
1205
1206	DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
1207	"scope => [%d]\n", base, filter, scope));
1208
1209	if (ldap_state->last_rebind.tv_sec > 0) {
1210	struct timeval tval;
1211	SMB_BIG_INT tdiff = 0;
1212	int sleep_time = 0;
1213
1214	ZERO_STRUCT(tval);
1215	GetTimeOfDay(&tval);
1216
1217	tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
1218	tdiff /= 1000; /* Convert to milliseconds. */
1219
1220	sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
1221	sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
1222
1223	if (sleep_time > 0) {
1224	/* we wait for the LDAP replication */
1225	DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
1226	"for LDAP replication.\n",sleep_time));
1227	smb_msleep(sleep_time);
1228	DEBUG(5,("smbldap_search_ext: go on!\n"));
1229	}
1230	ZERO_STRUCT(ldap_state->last_rebind);
1231	}
1232
1233	if (push_utf8_allocate(&utf8_filter, filter) == (size_t)-1) {
1234	return LDAP_NO_MEMORY;
1235	}
1236
1237	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
1238	timeout.tv_sec = lp_ldap_timeout();
1239	timeout.tv_usec = 0;
1240
1241	/* Setup alarm timeout.... Do we need both of these ? JRA.
1242	* Yes, I think we do need both of these. The server timeout only
1243	* covers the case where the server's operation takes too long. It
1244	* does not cover the case where the request hangs on its way to the
1245	* server. The server side timeout is not strictly necessary, it's
1246	* just a bit more kind to the server. VL. */
1247
1248	got_alarm = 0;
1249	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
1250	alarm(lp_ldap_timeout());
1251	/* End setup timeout. */
1252
1253	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1254	rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope,
1255	utf8_filter,
1256	CONST_DISCARD(char **, attrs),
1257	attrsonly, sctrls, cctrls, &timeout,
1258	sizelimit, res);
1259	if (rc != LDAP_SUCCESS) {
1260	char *ld_error = NULL;
1261	int ld_errno;
1262
1263	ldap_get_option(ldap_state->ldap_struct,
1264	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1265
1266	ldap_get_option(ldap_state->ldap_struct,
1267	LDAP_OPT_ERROR_STRING, &ld_error);
1268	DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
1269	"(%s)\n", base, ld_errno,
1270	ldap_err2string(rc),
1271	ld_error ? ld_error : "unknown"));
1272	SAFE_FREE(ld_error);
1273
1274	if (ld_errno == LDAP_SERVER_DOWN) {
1275	ldap_unbind(ldap_state->ldap_struct);
1276	ldap_state->ldap_struct = NULL;
1277	}
1278	}
1279	}
1280
1281	SAFE_FREE(utf8_filter);
1282
1283	/* Teardown timeout. */
1284	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
1285	alarm(0);
1286
1287	if (got_alarm != 0)
1288	return LDAP_TIMELIMIT_EXCEEDED;
1289
1290	return rc;
1291	}
1292
1293	int smbldap_search(struct smbldap_state *ldap_state,
1294	const char base, int scope, const char filter,
1295	const char *attrs[], int attrsonly,
1296	LDAPMessage **res)
1297	{
1298	return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1299	attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
1300	}
1301
1302	int smbldap_search_paged(struct smbldap_state *ldap_state,
1303	const char base, int scope, const char filter,
1304	const char **attrs, int attrsonly, int pagesize,
1305	LDAPMessage res, void cookie)
1306	{
1307	LDAPControl pr;
1308	LDAPControl **rcontrols;
1309	LDAPControl *controls[2] = { NULL, NULL};
1310	BerElement *cookie_be = NULL;
1311	struct berval *cookie_bv = NULL;
1312	int tmp = 0, i, rc;
1313	bool critical = True;
1314
1315	*res = NULL;
1316
1317	DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
1318	"scope => [%d], pagesize => [%d]\n",
1319	base, filter, scope, pagesize));
1320
1321	cookie_be = ber_alloc_t(LBER_USE_DER);
1322	if (cookie_be == NULL) {
1323	DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
1324	"NULL\n"));
1325	return LDAP_NO_MEMORY;
1326	}
1327
1328	/* construct cookie */
1329	if (*cookie != NULL) {
1330	ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
1331	ber_bvfree((struct berval )cookie); /* don't need it from last time */
1332	*cookie = NULL;
1333	} else {
1334	ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
1335	}
1336	ber_flatten(cookie_be, &cookie_bv);
1337
1338	pr.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
1339	pr.ldctl_iscritical = (char) critical;
1340	pr.ldctl_value.bv_len = cookie_bv->bv_len;
1341	pr.ldctl_value.bv_val = cookie_bv->bv_val;
1342
1343	controls[0] = &pr;
1344	controls[1] = NULL;
1345
1346	rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1347	0, controls, NULL, LDAP_NO_LIMIT, res);
1348
1349	ber_free(cookie_be, 1);
1350	ber_bvfree(cookie_bv);
1351
1352	if (rc != 0) {
1353	DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
1354	"failed with [%s]\n", filter, ldap_err2string(rc)));
1355	goto done;
1356	}
1357
1358	DEBUG(3,("smbldap_search_paged: search was successfull\n"));
1359
1360	rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL,
1361	NULL, NULL, &rcontrols, 0);
1362	if (rc != 0) {
1363	DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
1364	"with [%s]\n", ldap_err2string(rc)));
1365	goto done;
1366	}
1367
1368	if (rcontrols == NULL)
1369	goto done;
1370
1371	for (i=0; rcontrols[i]; i++) {
1372
1373	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
1374	continue;
1375
1376	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1377	ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
1378	/* the berval is the cookie, but must be freed when it is all
1379	done */
1380	if (cookie_bv->bv_len)
1381	*cookie=ber_bvdup(cookie_bv);
1382	else
1383	*cookie=NULL;
1384	ber_bvfree(cookie_bv);
1385	ber_free(cookie_be, 1);
1386	break;
1387	}
1388	ldap_controls_free(rcontrols);
1389	done:
1390	return rc;
1391	}
1392
1393	int smbldap_modify(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1394	{
1395	int rc = LDAP_SERVER_DOWN;
1396	int attempts = 0;
1397	char *utf8_dn;
1398	time_t endtime = time(NULL)+lp_ldap_timeout();
1399
1400	SMB_ASSERT(ldap_state);
1401
1402	DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
1403
1404	if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1405	return LDAP_NO_MEMORY;
1406	}
1407
1408	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1409	rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
1410	if (rc != LDAP_SUCCESS) {
1411	char *ld_error = NULL;
1412	int ld_errno;
1413
1414	ldap_get_option(ldap_state->ldap_struct,
1415	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1416
1417	ldap_get_option(ldap_state->ldap_struct,
1418	LDAP_OPT_ERROR_STRING, &ld_error);
1419	DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
1420	"(%s)\n", dn, ld_errno,
1421	ldap_err2string(rc),
1422	ld_error ? ld_error : "unknown"));
1423	SAFE_FREE(ld_error);
1424
1425	if (ld_errno == LDAP_SERVER_DOWN) {
1426	ldap_unbind(ldap_state->ldap_struct);
1427	ldap_state->ldap_struct = NULL;
1428	}
1429	}
1430	}
1431
1432	SAFE_FREE(utf8_dn);
1433	return rc;
1434	}
1435
1436	int smbldap_add(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1437	{
1438	int rc = LDAP_SERVER_DOWN;
1439	int attempts = 0;
1440	char *utf8_dn;
1441	time_t endtime = time(NULL)+lp_ldap_timeout();
1442
1443	SMB_ASSERT(ldap_state);
1444
1445	DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
1446
1447	if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1448	return LDAP_NO_MEMORY;
1449	}
1450
1451	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1452	rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
1453	if (rc != LDAP_SUCCESS) {
1454	char *ld_error = NULL;
1455	int ld_errno;
1456
1457	ldap_get_option(ldap_state->ldap_struct,
1458	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1459
1460	ldap_get_option(ldap_state->ldap_struct,
1461	LDAP_OPT_ERROR_STRING, &ld_error);
1462	DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
1463	"(%s)\n", dn, ld_errno,
1464	ldap_err2string(rc),
1465	ld_error ? ld_error : "unknown"));
1466	SAFE_FREE(ld_error);
1467
1468	if (ld_errno == LDAP_SERVER_DOWN) {
1469	ldap_unbind(ldap_state->ldap_struct);
1470	ldap_state->ldap_struct = NULL;
1471	}
1472	}
1473	}
1474
1475	SAFE_FREE(utf8_dn);
1476	return rc;
1477	}
1478
1479	int smbldap_delete(struct smbldap_state ldap_state, const char dn)
1480	{
1481	int rc = LDAP_SERVER_DOWN;
1482	int attempts = 0;
1483	char *utf8_dn;
1484	time_t endtime = time(NULL)+lp_ldap_timeout();
1485
1486	SMB_ASSERT(ldap_state);
1487
1488	DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
1489
1490	if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1491	return LDAP_NO_MEMORY;
1492	}
1493
1494	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1495	rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
1496	if (rc != LDAP_SUCCESS) {
1497	char *ld_error = NULL;
1498	int ld_errno;
1499
1500	ldap_get_option(ldap_state->ldap_struct,
1501	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1502
1503	ldap_get_option(ldap_state->ldap_struct,
1504	LDAP_OPT_ERROR_STRING, &ld_error);
1505	DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
1506	"(%s)\n", dn, ld_errno,
1507	ldap_err2string(rc),
1508	ld_error ? ld_error : "unknown"));
1509	SAFE_FREE(ld_error);
1510
1511	if (ld_errno == LDAP_SERVER_DOWN) {
1512	ldap_unbind(ldap_state->ldap_struct);
1513	ldap_state->ldap_struct = NULL;
1514	}
1515	}
1516	}
1517
1518	SAFE_FREE(utf8_dn);
1519	return rc;
1520	}
1521
1522	int smbldap_extended_operation(struct smbldap_state *ldap_state,
1523	LDAP_CONST char reqoid, struct berval reqdata,
1524	LDAPControl serverctrls, LDAPControl clientctrls,
1525	char retoidp, struct berval retdatap)
1526	{
1527	int rc = LDAP_SERVER_DOWN;
1528	int attempts = 0;
1529	time_t endtime = time(NULL)+lp_ldap_timeout();
1530
1531	if (!ldap_state)
1532	return (-1);
1533
1534	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1535	rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
1536	reqdata, serverctrls,
1537	clientctrls, retoidp, retdatap);
1538	if (rc != LDAP_SUCCESS) {
1539	char *ld_error = NULL;
1540	int ld_errno;
1541
1542	ldap_get_option(ldap_state->ldap_struct,
1543	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1544
1545	ldap_get_option(ldap_state->ldap_struct,
1546	LDAP_OPT_ERROR_STRING, &ld_error);
1547	DEBUG(10, ("Extended operation failed with error: "
1548	"%d (%s) (%s)\n", ld_errno,
1549	ldap_err2string(rc),
1550	ld_error ? ld_error : "unknown"));
1551	SAFE_FREE(ld_error);
1552
1553	if (ld_errno == LDAP_SERVER_DOWN) {
1554	ldap_unbind(ldap_state->ldap_struct);
1555	ldap_state->ldap_struct = NULL;
1556	}
1557	}
1558	}
1559
1560	return rc;
1561	}
1562
1563	/*******************************************************************
1564	run the search by name.
1565	******************************************************************/
1566	int smbldap_search_suffix (struct smbldap_state *ldap_state,
1567	const char filter, const char *search_attr,
1568	LDAPMessage ** result)
1569	{
1570	return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
1571	filter, search_attr, 0, result);
1572	}
1573
1574	static void smbldap_idle_fn(struct event_context *event_ctx,
1575	struct timed_event *te,
1576	const struct timeval *now,
1577	void *private_data)
1578	{
1579	struct smbldap_state state = (struct smbldap_state )private_data;
1580
1581	TALLOC_FREE(state->idle_event);
1582
1583	if (state->ldap_struct == NULL) {
1584	DEBUG(10,("ldap connection not connected...\n"));
1585	return;
1586	}
1587
1588	if ((state->last_use+SMBLDAP_IDLE_TIME) > now->tv_sec) {
1589	DEBUG(10,("ldap connection not idle...\n"));
1590
1591	state->idle_event = event_add_timed(
1592	event_ctx, NULL,
1593	timeval_add(now, SMBLDAP_IDLE_TIME, 0),
1594	"smbldap_idle_fn", smbldap_idle_fn,
1595	private_data);
1596	return;
1597	}
1598
1599	DEBUG(7,("ldap connection idle...closing connection\n"));
1600	smbldap_close(state);
1601	}
1602
1603	/**********************************************************************
1604	Housekeeping
1605	*********************************************************************/
1606
1607	void smbldap_free_struct(struct smbldap_state **ldap_state)
1608	{
1609	smbldap_close(*ldap_state);
1610
1611	if ((*ldap_state)->bind_secret) {
1612	memset((ldap_state)->bind_secret, '\0', strlen((ldap_state)->bind_secret));
1613	}
1614
1615	SAFE_FREE((*ldap_state)->bind_dn);
1616	SAFE_FREE((*ldap_state)->bind_secret);
1617
1618	TALLOC_FREE((*ldap_state)->idle_event);
1619
1620	*ldap_state = NULL;
1621
1622	/* No need to free any further, as it is talloc()ed */
1623	}
1624
1625
1626	/**********************************************************************
1627	Intitalise the 'general' ldap structures, on which ldap operations may be conducted
1628	*********************************************************************/
1629
1630	NTSTATUS smbldap_init(TALLOC_CTX mem_ctx, struct event_context event_ctx,
1631	const char *location,
1632	struct smbldap_state **smbldap_state)
1633	{
1634	*smbldap_state = TALLOC_ZERO_P(mem_ctx, struct smbldap_state);
1635	if (!*smbldap_state) {
1636	DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1637	return NT_STATUS_NO_MEMORY;
1638	}
1639
1640	if (location) {
1641	(*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
1642	} else {
1643	(*smbldap_state)->uri = "ldap://localhost";
1644	}
1645
1646	(*smbldap_state)->event_context = event_ctx;
1647
1648	return NT_STATUS_OK;
1649	}
1650
1651	/*******************************************************************
1652	Return a copy of the DN for a LDAPMessage. Convert from utf8 to CH_UNIX.
1653	********************************************************************/
1654	char smbldap_get_dn(LDAP ld, LDAPMessage *entry)
1655	{
1656	char utf8_dn, unix_dn;
1657
1658	utf8_dn = ldap_get_dn(ld, entry);
1659	if (!utf8_dn) {
1660	DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
1661	return NULL;
1662	}
1663	if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) {
1664	DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 [%s]\n", utf8_dn));
1665	return NULL;
1666	}
1667	ldap_memfree(utf8_dn);
1668	return unix_dn;
1669	}
1670
1671	const char smbldap_talloc_dn(TALLOC_CTX mem_ctx, LDAP *ld,
1672	LDAPMessage *entry)
1673	{
1674	char utf8_dn, unix_dn;
1675
1676	utf8_dn = ldap_get_dn(ld, entry);
1677	if (!utf8_dn) {
1678	DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
1679	return NULL;
1680	}
1681	if (pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn) == (size_t)-1) {
1682	DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
1683	"[%s]\n", utf8_dn));
1684	return NULL;
1685	}
1686	ldap_memfree(utf8_dn);
1687	return unix_dn;
1688	}
1689
1690	/*******************************************************************
1691	Check if root-dse has a certain Control or Extension
1692	********************************************************************/
1693
1694	static bool smbldap_check_root_dse(LDAP ld, const char attrs, const char value)
1695	{
1696	LDAPMessage *msg = NULL;
1697	LDAPMessage *entry = NULL;
1698	char **values = NULL;
1699	int rc, num_result, num_values, i;
1700	bool result = False;
1701
1702	if (!attrs[0]) {
1703	DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
1704	return False;
1705	}
1706
1707	if (!strequal(attrs[0], "supportedExtension") &&
1708	!strequal(attrs[0], "supportedControl") &&
1709	!strequal(attrs[0], "namingContexts")) {
1710	DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
1711	return False;
1712	}
1713
1714	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE,
1715	"(objectclass=)", CONST_DISCARD(char *, attrs), 0 , &msg);
1716
1717	if (rc != LDAP_SUCCESS) {
1718	DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
1719	return False;
1720	}
1721
1722	num_result = ldap_count_entries(ld, msg);
1723
1724	if (num_result != 1) {
1725	DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
1726	goto done;
1727	}
1728
1729	entry = ldap_first_entry(ld, msg);
1730
1731	if (entry == NULL) {
1732	DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
1733	goto done;
1734	}
1735
1736	values = ldap_get_values(ld, entry, attrs[0]);
1737
1738	if (values == NULL) {
1739	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
1740	goto done;
1741	}
1742
1743	num_values = ldap_count_values(values);
1744
1745	if (num_values == 0) {
1746	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
1747	goto done;
1748	}
1749
1750	for (i=0; i<num_values; i++) {
1751	if (strcmp(values[i], value) == 0)
1752	result = True;
1753	}
1754
1755
1756	done:
1757	if (values != NULL)
1758	ldap_value_free(values);
1759	if (msg != NULL)
1760	ldap_msgfree(msg);
1761
1762	return result;
1763
1764	}
1765
1766	/*******************************************************************
1767	Check if LDAP-Server supports a certain Control (OID in string format)
1768	********************************************************************/
1769
1770	bool smbldap_has_control(LDAP ld, const char control)
1771	{
1772	const char *attrs[] = { "supportedControl", NULL };
1773	return smbldap_check_root_dse(ld, attrs, control);
1774	}
1775
1776	/*******************************************************************
1777	Check if LDAP-Server supports a certain Extension (OID in string format)
1778	********************************************************************/
1779
1780	bool smbldap_has_extension(LDAP ld, const char extension)
1781	{
1782	const char *attrs[] = { "supportedExtension", NULL };
1783	return smbldap_check_root_dse(ld, attrs, extension);
1784	}
1785
1786	/*******************************************************************
1787	Check if LDAP-Server holds a given namingContext
1788	********************************************************************/
1789
1790	bool smbldap_has_naming_context(LDAP ld, const char naming_context)
1791	{
1792	const char *attrs[] = { "namingContexts", NULL };
1793	return smbldap_check_root_dse(ld, attrs, naming_context);
1794	}
1795
1796	bool smbldap_set_creds(struct smbldap_state ldap_state, bool anon, const char dn, const char *secret)
1797	{
1798	ldap_state->anonymous = anon;
1799
1800	/* free any previously set credential */
1801
1802	SAFE_FREE(ldap_state->bind_dn);
1803	if (ldap_state->bind_secret) {
1804	/* make sure secrets are zeroed out of memory */
1805	memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
1806	SAFE_FREE(ldap_state->bind_secret);
1807	}
1808
1809	if ( ! anon) {
1810	ldap_state->bind_dn = SMB_STRDUP(dn);
1811	ldap_state->bind_secret = SMB_STRDUP(secret);
1812	}
1813
1814	return True;
1815	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: